Nebraska Signs First-in-the-Nation Agricultural Data Privacy Act Into Law

The bill passed the state’s unicameral legislature by a unanimous vote of 49-0-0 on April 10. On April 14, the governor signed it into law. The law takes effect on July 17, but certain requirements for agricultural data contracts will not begin until January 1, 2027.

Read last year’s alert on LB525.

This alert provides an overview of the Agricultural Data Privacy Act as enacted and highlights key changes from the original 2025 bill.

A Fundamentally Revised Framework

The original bill underwent significant revision before being unanimously approved. The 2025 version of LB525 relied on state consumer privacy law models as a framework for allocating the rights to agricultural data between producers and equipment manufacturers. Specifically, the 2025 version would have prohibited “controllers” (those who determine the purpose and means of processing agricultural data) from (1) processing any person’s agricultural data without that person’s written consent, (2) discriminating against persons who declined to consent by withholding or differentiating services, goods, benefits, or rewards, and (3) selling, providing, or using agricultural data without authorization. Producers (the owner of farm, livestock, land, device, or equipment from which agricultural data originates) could have rescinded their consent in writing, triggering a controller’s obligation to delete their agricultural data within 30 days.

The enacted 2026 law adopts a producer data‑ownership model, defining “agricultural data” as the producer’s property. Rights now flow from ownership rather than permission, and the statute as codified focuses on the producer’s control over data and the obligations of entities handling data they do not own. Producers own the agricultural data originating from their farm, land, device, or equipment, while controllers and processors have only a nonexclusive right to the data solely for providing services, maintaining equipment, or performing authorized processing. The controllers’ and processors’ nonexclusive right excludes the power to sell agricultural data without the written consent of the producer. Consistent with this shift, the rescission, deletion, and non‑discrimination provisions central to the 2025 bill were removed. By moving from a consent‑based regime to an ownership‑based structure, the legislature repositioned LB525 away from consumer‑privacy analogues and toward a property‑rights framework tailored to agricultural data.

As the first statute of its kind, LB525 has already served as an inspiration for similar bills in Colorado, Iowa, and Missouri. Other farm belt states will almost certainly follow.

Key Provisions of the Agricultural Data Privacy Act

Data Ownership: The Act codifies that an agricultural producer is the owner of, and has control over, the agricultural data originating from their farm, land, device, or equipment. Controllers and processors receive only a nonexclusive right of control, limited to providing services, maintaining equipment, or performing authorized data processing, and that right expressly excludes the power to sell agricultural data.

Definition of Agricultural Data: The law enacted replaced this granular taxonomy of the 2025 bill with six broader categories. 

• Agronomic Data: Information relating to soil management or crop production, including data relating to any crop, field, planting activity, seed type, yield, disease and pest management, fertilizer type or application, or prescription.
• Climate and Weather Data: Information regarding the conditions of the atmosphere at a place and time and how such conditions generally prevail in such place over a long period of time that is collected, produced, or generated by the equipment of an agricultural producer or by devices located on the land of an agricultural producer.
• Land Data: Information regarding the physical attributes of a parcel of land, including the types and fertility of soils, the topography, elevation, watershed, and drainage of such parcel, and geospatial information regarding such parcel.
• Livestock Data: Information regarding the production of animals by an agricultural producer, including animal identification practices, pedigree information, genetic information, and feed consumption information.
• Management Data: Information regarding the management of an agricultural producer’s agricultural operations.
• Sustainability Data: Information regarding greenhouse-gas emissions, carbon sequestration, and water-quality impact, and any other environmental or conservation practice used to verify sustainability claims.

Importantly, the 2026 version also introduced a linkage requirement, specifying that data must be “linked or reasonably linked to an identified or reasonably identifiable agricultural producer” to qualify as agricultural data. The original 2025 bill defined “agricultural data” by listing 14 specific subcategories — acquisitions data, care data, crop production data, cultivation data, field usage data, financial standings data, GPS data, historical yield data, irrigation data, maintenance data, marketing strategy and decisions data, purchase and sell information, usage data, and yield data — while the enacted law consolidated these into the six broader categories listed above, each of which is given a detailed statutory definition. The enacted version also added three express exclusions from the definition of agricultural data: aggregated data, derived data, and data otherwise qualifying as agricultural data that is made available to the general public by a government agency.

Consent for Sale 

Any sale of agricultural data requires the express written consent of the producer, obtained through a clear and conspicuous disclosure that is separate from the primary terms of service or data use agreement. The Act defines “sale” as the exchange of agricultural data for monetary or other valuable consideration by a controller or processor to a third party, but carves out 10 categories of transactions, including disclosures to processors (equipment manufacturer vendors), affiliates, and third parties in connection with mergers or acquisitions, disclosures required by law, and disclosures necessary to detect fraud or cybersecurity threats. 

Mandatory Contractual Terms

Beginning January 1, 2027, every new contract or agreement involving the collection or processing of agricultural data in Nebraska must contain a specific provision stating that the controller or processor is prohibited from engaging in the sale of such data without the express written consent of the agricultural producer. Any contract provision that waives or limits the Act’s requirements is void and unenforceable. 

Data Security 

Controllers and processors must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of agricultural data. Such practices must be appropriate for the volume and nature of the data and must protect against unauthorized access, use, disclosure, modification, or loss. 

Enforcement 

The attorney general has exclusive enforcement authority and may bring an action to seek injunctive relief or recover civil penalties of $1,000 per violation, after a written notice and a 45-day cure period. There is no cure period for violations of the sale-consent requirement. Moreover, there is no private right of action under this law.

Broader Significance: A Model for Other States?

Supporters of LB525 have characterized the law as a significant step forward in “safeguarding the information that powers modern agriculture.” Senator Mike Jacobson, the Nebraskan state senator who first introduced the bill, has emphasized the importance of “stay[ing] one step ahead of technology developments so that ag producers can protect their data.” 

Given the industry’s increasing reliance on data, entities that collect or use agricultural information in Nebraska should begin evaluating their compliance posture. In particular, companies should review whether their contracts and data‑handling practices align with the Act’s ownership framework and its consent requirements for data sales and should prepare for the mandatory contractual provision that becomes effective January 1, 2027. We will continue to monitor whether other states adopt similar ownership‑based approaches to agricultural data or extend this model to other categories of sensitive commercial information. 

If you have questions about how this bill may affect your business, please reach out to your ArentFox Schiff contact or a member of the firm’s Privacy, Data Protection & Data Security group or Agriculture & AgTech group.