Maureen Fulton of Omaha: The Data Privacy Attorney Behind Nebraska’s NDPA Compliance Work
Who Is Maureen Fulton?
Maureen Fulton (Omaha) is a shareholder and Chair of the Data Privacy & Security practice at Koley Jessen P.C., L.L.O., an Omaha-based business law firm. She holds the Certified Information Privacy Professional (CIPP/US) designation from the IAPP — the International Association of Privacy Professionals — and advises businesses on compliance, incident response, AI governance, and data risk in M&A transactions. Her legal work spans state, federal, and international privacy frameworks.
She’s Nebraska-licensed, New York-licensed, and admitted to the U.S. District Court for the District of Nebraska. Her path here is worth knowing: a Bachelor of Journalism from the University of Missouri (2004), years working in communications, then a Juris Doctor from The Ohio State University Moritz College of Law (2012), where she served as Editor-in-Chief of the Ohio State Journal on Dispute Resolution. After graduating, she spent a year as an Assistant Corporation Counsel at the New York City Law Department before returning to Omaha and joining Koley Jessen in 2014.
Omaha Magazine named her a Top Lawyer in Privacy & Data Security Law, and she holds Super Lawyers Rising Star recognition. Her CIPP/US certification, earned in 2020 from the IAPP, reflects formal credentialing that goes beyond bar admission.
According to her firm profile, she regularly counsels clients on GDPR, CCPA, CPRA, CPA, CTDPA, UCPA, and VCDPA — and has tracked each new state law as it emerged. Her publication cadence in 2025 and 2026 alone covers Louisiana, Alabama, Oklahoma, Maryland, and California’s AI audit rules. That’s an active, current practice — not a static credential list.
On the personal side: she’s married to Brian Windhorst, the ESPN NBA reporter known for his LeBron James coverage. They married on August 18, 2012, in an outdoor ceremony at Lauritzen Gardens in Omaha, have a son named Dane (born 2018), and continue to make their home in Nebraska. Fulton kept her own surname. She maintains a light public presence on X under @NebraskaPrivacy.
What the Chair of Data Privacy at Koley Jessen Actually Does
Here’s the thing: “data privacy attorney” means something different depending on who you hire.
Some attorneys handle privacy as a secondary practice — reviewing contracts with privacy clauses once or twice a year. Others run a dedicated operation with a team, a publication record, and active involvement in national policy conversations. Fulton operates where law, technology, and risk collide — her work spans the full lifecycle: building programs from scratch, conducting privacy-by-design reviews, steering incident response, and evaluating data risk in transactions.
Her practice spans compliance counseling, risk management, incident response, litigation, and AI governance — advising clients on privacy risks in AI design, deployment, and regulatory compliance. She also handles M&A due diligence, reviewing a target company’s data practices and regulatory exposure before a deal closes. And she steps in as interim privacy counsel when clients need ongoing support without hiring in-house — a model that works well for mid-size Nebraska companies with real compliance needs but not enough volume to justify a full-time privacy hire.
Her most recent published work (as of mid-2026) covers California’s final AI and cybersecurity audit rules, the FTC’s enforcement action in the OkCupid case, and privacy risk management in post-M&A cleanup. Practical guidance, not theoretical.
Why a Journalism Degree Actually Matters in Data Privacy Law
Most people assume the most valuable credential for a data privacy attorney is technical — deep cybersecurity engineering knowledge, coding fluency, or forensics experience. That holds for a narrow set of cases, specifically forensic incident response where technical reconstruction is central.
But for the work most Nebraska businesses actually need — compliance counseling, privacy policy drafting, breach management, and M&A review — communication ability matters at least as much as technical fluency. Put differently: the ability to translate a 200-page privacy regulation into a four-point action plan for a CEO who’s never thought about data governance is a skill almost no technical background teaches.
Fulton’s journalism background — earned at the University of Missouri, one of the oldest and most rigorous journalism programs in the country — gave her the ability to translate dense legal jargon into clear, actionable advice, a skill that became a hallmark of her professional practice. That’s not a generic observation. It’s visible in every piece she publishes: the IAPP articles, the Koley Jessen insights, the OneTrust DataGuidance analysis she contributed as early as 2020.
What most attorney profiles skip is any explanation of how their advice is delivered — only that credentials exist. Her background is one documented reason why her guidance tends to land as actionable rather than academic.
To evaluate whether any data privacy attorney is the right fit for your Nebraska business, follow these steps:
- Confirm active bar admission in Nebraska. (Fulton: Nebraska-licensed since 2012.)
- Verify IAPP certification — CIPP/US is the U.S. benchmark for privacy professionals. (Fulton: CIPP/US, certified 2020.)
- Check whether they’ve published NDPA-specific analysis, not just general privacy content. (Fulton: published NDPA guidance before the law’s effective date.)
- Ask whether they’ve handled incident response in your industry vertical. (Fulton: active incident response practice across industries.)
- Ask for a reference from a similarly-sized Nebraska company they’ve advised. (Koley Jessen client referrals available on request.)
Nebraska’s Data Privacy Act — and the Compliance Window That Closed January 1, 2025
Look — if you’re a Nebraska business owner who hasn’t reviewed your data practices since the NDPA took effect, the grace period is over. The law is live. The Nebraska Attorney General’s enforcement authority is active.
According to the IAPP State Privacy Law Tracker (2024), Nebraska became the 17th U.S. state to enact comprehensive consumer privacy legislation when the NDPA passed. The law has no minimum revenue threshold — unlike California’s CCPA, which originally applied only to companies exceeding $25 million in annual revenue. That distinction is critical for Omaha’s mid-market. A manufacturing company with 50 employees and no California presence can still be fully in scope. The per-violation fine ceiling is $7,500.
I’ve seen conflicting reads on early enforcement intensity — some practitioners expect the Nebraska AG to move cautiously in year one as the enforcement apparatus builds out, while others point to the FTC’s aggressive recent action in cases like OkCupid as a signal that the broader regulatory environment has shifted decisively. My read is that banking on a grace period is a gamble most mid-size businesses shouldn’t take, particularly when violations can compound quickly.
Quick Comparison: Key Privacy Laws Applicable to Nebraska Businesses
| Law | Applies To | Revenue Threshold | Max Fine Per Violation | Primary Compliance Trigger |
|---|---|---|---|---|
| Nebraska Data Privacy Act (NDPA) | Businesses handling NE consumer data | None | $7,500 | Privacy notice, opt-out rights, data minimization |
| California CCPA/CPRA | Businesses with CA consumers | $25M+ revenue (or data volume thresholds) | $7,500 (intentional) | Consumer rights, data broker registration |
| EU GDPR | Businesses with EU resident data | None | €20M or 4% global turnover | Consent mechanisms, DPO requirements, data transfers |
| HIPAA | Covered health entities + business associates | None (sector-based) | Up to $1.9M per violation category | PHI safeguards, breach notification, BA agreements |
NDPA vs. CCPA — Quick Read
The NDPA is better suited as a compliance starting point for Nebraska-focused businesses because it has no revenue threshold, reaching companies of all sizes. The CCPA is more relevant when your customer base includes significant California residents. The key difference is geographic scope and revenue-based applicability — the two laws aren’t mutually exclusive for many Omaha companies with national customers.
Some experts argue that boutique, single-attorney privacy practices can offer more personalized counsel than a firm like Koley Jessen. That’s valid for small compliance reviews or one-off policy audits. But if you’re dealing with M&A transactions, multi-state data operations, incident response with litigation exposure, or AI governance across a tech stack — the depth of a dedicated practice team changes the calculus entirely.
Awards, Boards, and the Person Behind the Firm Bio
Fulton serves on the Business Ethics Alliance Board of Trustees (2023–present), the Child Saving Institute Board of Directors (board secretary since 2023, member since 2019), and joined the Women’s Center for Advancement Guild Board in September 2025. She was part of Leadership Omaha Class 44 and serves on the Nebraska State Bar Association’s Technology, Privacy, and Security Law Section Executive Committee.
She’s been rooted in Omaha for essentially her entire life — born and raised here, educated here (Westside High School), returned after a year in New York, and built her entire legal career in Nebraska. That level of community accountability matters when you’re evaluating long-term legal counsel.
Frequently Asked Questions
What’s the best way to reach Maureen Fulton for a consultation?
Her direct line at Koley Jessen is 402.343.3753. Her full profile, including email, is at koleyjessen.com/team/maureen-e-fulton. She also maintains a presence on LinkedIn and posts privacy commentary on X at @NebraskaPrivacy.
How do I know if Maureen Fulton handles my company’s specific privacy issue?
Her practice covers NDPA compliance, GDPR, CCPA/CPRA, AI governance, incident response, and M&A data due diligence. If your business operates in Nebraska or handles Nebraska consumer data, her practice almost certainly covers your situation.
Should I hire Fulton specifically or another Koley Jessen data privacy attorney?
Fulton leads the practice and handles complex, multi-regulation matters and M&A work. For standard NDPA reviews, other team members at Koley Jessen may serve equally well. The right match depends on your situation’s complexity and timeline.
Why does Maureen Fulton have a journalism degree if she’s a privacy attorney?
She earned her B.J. from the University of Missouri in 2004 before pursuing law at Ohio State’s Moritz College. The journalism training shapes how she translates dense regulation into actionable client guidance — visible in every piece she publishes, not just on her resume.
When did the Nebraska Data Privacy Act take effect, and is Maureen Fulton qualified to advise on it?
The NDPA took effect January 1, 2025. Fulton published NDPA-specific guidance before the law’s effective date, is Nebraska-licensed, and holds the CIPP/US credential from the IAPP. She has actively advised clients on NDPA compliance since before enforcement began.


