LB1074 LB1074
2024 2024
LEGISLATIVE BILL 1074
Approved by the Governor April 17, 2024
Introduced by Slama, 1.
A BILL FOR AN ACT relating to banking and finance; to amend sections 8-1116,
8-1120, 8-1726, 8-2504, 8-2729, 8-2730, 8-2735, 13-609, 21-1701, 21-1702,
21-1705, 21-1729, 21-1736, 21-1743, 21-1749, 21-1767, 21-17,102,
21-17,109, 30-3801, 45-346, 45-346.01, 45-354, 45-737, 45-905.01, 45-912,
45-1005, 45-1018, 45-1033.01, 71-605.02, 71-616, 77-2341, and 81-118.01,
Reissue Revised Statutes of Nebraska, section 84-712.05, Revised Statutes Cumulative Supplement, 2022, sections 8-135, 8-141, 8-143.01, 8-157.01,
8-183.04, 8-1,140, 8-318, 8-355, 8-1101, 8-1101.01, 8-1704, 8-1707,
8-2724, 8-2903, 8-3005, 8-3007, 21-17,115, 59-1722, 69-2103, 69-2104,
69-2112, and 71-612, Revised Statutes Supplement, 2023, and section
4A-108, Uniform Commercial Code, Revised Statutes Supplement, 2023; to adopt the Data Privacy Act; to adopt the Public Entities Pooled Investment Act; to adopt updates to federal law and change provisions relating to
banking and finance; to change provisions of the Securities Act of
Nebraska, the Commodity Code, the Credit Union Act, and the Nebraska Uniform Trust Code; to change provisions relating to breaches of security relating to computerized data and criminal history record information checks; to change provisions relating to the preservation and use of
certain certificates and information relating to vital records; to provide for certain records to be exempt from public disclosure; to eliminate obsolete provisions; to harmonize provisions; to provide operative dates;
to provide for severability; to repeal the original sections; and to
declare an emergency.
Be it enacted by the people of the State of Nebraska,
Section 1. Sections 1 to 30 of this act shall be known and may be cited as the Data Privacy Act.
Sec. 2. For purposes of the Data Privacy Act:
(1) Affiliate means a legal entity that controls, is controlled by, or is
under common control with another legal entity or shares common branding with another legal entity. For purposes of this subdivision, control or controlled means:
(a) The ownership of, or power to vote, more than fifty percent of the outstanding shares of any class of voting security of a company;
(b) The control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or
(c) The power to exercise controlling influence over the management of a company;
(2) Authenticate means to verify through reasonable means that the consumer who is entitled to exercise the consumer's rights under sections 7 to
11 of this act, or a person on behalf of such consumer, is the same consumer exercising those consumer rights with respect to the personal data at issue;
(3)(a) Biometric data means data that is generated to identify a specific individual through an automatic measurement of a biological characteristic of
such individual and includes any:
(i) Fingerprint;
(ii) Voice print;
(iii) Retina image;
(iv) Iris image; or
(v) Unique biological pattern or characteristic.
(b) Biometric data does not include:
(i) Except when generated to identify a specific individual, any physical or digital photograph, video or audio recording, or data generated from a physical or digital photograph; or
(ii) Information collected, used, or stored for health care treatment,
payment, or operations under the Health Insurance Portability and Accountability Act;
(4) Business associate has the meaning assigned to the term by the Health Insurance Portability and Accountability Act;
(5) Child means an individual younger than thirteen years of age;
(6)(a) Consent means, when referring to a consumer, a clear and affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer,
including a statement written by electronic means or any other unambiguous affirmative action by the consumer.
(b) Consent, when referring to a consumer, does not include:
(i) Acceptance of a general or broad term of use or similar document that contains a description of personal data processing along with other, unrelated information;
(ii) Hovering over, muting, pausing, or closing a given piece of content;
or
(iii) Agreement obtained through the use of a dark pattern;
(7)(a) Consumer means an individual who is a resident of this state acting
only in an individual or household context.
(b) Consumer does not include an individual acting in a commercial or
employment context;
(8) Controller means an individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data;
(9) Covered entity has the same meaning as defined in 45 C.F.R. 160.103,
as such regulation existed on January 1, 2024;
(10) Dark pattern means a user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision-making,
or choice, and includes any practice determined by the Federal Trade Commission to be a dark pattern as of January 1, 2024;
(11) Decision that produces a legal or similarly significant effect concerning a consumer means a decision made by the controller that results in
the provision or denial by the controller of:
(a) Financial and lending services;
(b) Housing, insurance, or health care services;
(c) Education enrollment;
(d) Employment opportunities;
(e) Criminal justice; or
(f) Access to basic necessities, such as food and water;
(12) Deidentified data means data that cannot reasonably be linked to an identified or identifiable individual, or a device linked to that individual;
(13) Health care provider has the same meaning as in the Health Insurance Portability and Accountability Act;
(14) Health Insurance Portability and Accountability Act means the federal Health Insurance Portability and Accountability Act of 1996, as such act existed on January 1, 2024;
(15) Health record means any written, printed, or electronically recorded material maintained by a health care provider in the course of providing health care services to an individual that concerns the individual and the services provided to such individual, and includes:
(a) The substance of any communication made by an individual to a health care provider in confidence during or in connection with the provision of
health care services; or
(b) Information otherwise acquired by the health care provider about an
individual in confidence and in connection with health care services provided to the individual;
(16) Identified or identifiable individual means a consumer who can be
directly or indirectly readily identified;
(17) Institution of higher education means any postsecondary institution or private postsecondary institution as such terms are defined in section
85-2403;
(18) Known child means a child under circumstances where a controller has actual knowledge of, or willfully disregards, the child's age;
(19) Nonprofit organization means any corporation organized under the Nebraska Nonprofit Corporation Act, any organization exempt from taxation under section 501(c)(3), 501(c)(6), or 501(c)(12) of the Internal Revenue Code, any organization exempt from taxation under section 501(c)(4) of the Internal Revenue Code that is established to detect or prevent insurance-related crime or fraud, and any subsidiary or affiliate of a cooperative corporation organized in this state;
(20)(a) Personal data means any information, including sensitive data,
that is linked or reasonably linkable to an identified or identifiable individual, and includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.
(b) Personal data does not include deidentified data or publicly available information;
(21) Political organization means a party, committee, association, fund,
or other organization, regardless of whether incorporated, that is organized and operated primarily for the purpose of influencing or attempting to
influence:
(a) The selection, nomination, election, or appointment of an individual to a federal, state, or local public office or an office in a political organization, regardless of whether the individual is selected, nominated,
elected, or appointed; or
(b) The election of a presidential or vice-presidential elector,
regardless of whether the elector is selected, nominated, elected, or appointed;
(22)(a) Precise geolocation data means information derived from technology, including global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of one thousand seven hundred fifty feet.
(b) Precise geolocation data does not include the content of
communications or any data generated by or connected to an advanced utility metering infrastructure system or to equipment for use by a utility;
(23) Process or processing means an operation or set of operations performed, whether by manual or automated means, on personal data or on sets of
personal data, such as the collection, use, storage, disclosure, analysis,
deletion, or modification of personal data;
(24) Processor means a person that processes personal data on behalf of a controller;
(25) Profiling means any form of solely automated processing performed on
personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements;
(26) Protected health information has the same meaning as in the Health Insurance Portability and Accountability Act;
(27) Pseudonymous data means any personal information that cannot be
attributed to a specific individual without the use of additional information,
provided that the additional information is kept separately and is subject to
appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual;
(28) Publicly available information means information that is lawfully made available through government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by a consumer, or by a person to whom a consumer has disclosed the information, unless the consumer has restricted the information to a specific audience;
(29)(a) Sale of personal data means the exchange of personal data for monetary or other valuable consideration by the controller to a third party.
(b) Sale of personal data does not include:
(i) The disclosure of personal data to a processor that processes the personal data on the controller's behalf;
(ii) The disclosure of personal data to a third party for purposes of
providing a product or service requested by the consumer;
(iii) The disclosure or transfer of personal data to an affiliate of the controller;
(iv) The disclosure of information that the consumer:
(A) Intentionally made available to the general public through a mass media channel; and
(B) Did not restrict to a specific audience; or
(v) The disclosure or transfer of personal data to a third party as an asset in which the third party assumes control of all or part of the controller's assets that is part of a proposed or actual:
(A) Merger;
(B) Acquisition;
(C) Bankruptcy; or
(D) Other transaction;
(30) Sensitive data means a category of personal data, and includes:
(a) Personal data revealing racial or ethnic origin, religious beliefs,
mental or physical health diagnosis, sexual orientation, or citizenship or
immigration status;
(b) Genetic or biometric data that is processed for the purpose of
uniquely identifying an individual;
(c) Personal data collected from a known child; or
(d) Precise geolocation data;
(31) State agency means a department, commission, board, office, council,
authority, or other agency in any branch of state government that is created by
the constitution or a statute of this state, including any university system or
any postsecondary institution as defined in section 85-2403;
(32)(a) Targeted advertising means displaying to a consumer an
advertisement that is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict the consumer's preferences or interests.
(b) Targeted advertising does not include:
(i) An advertisement that:
(A) Is based on activities within a controller's own websites or online applications;
(B) Is based on the context of a consumer's current search query, visit to
a website, or online application; or
(C) Is directed to a consumer in response to the consumer's request for information or feedback; or
(ii) The processing of personal data solely for measuring or reporting advertising performance, reach, or frequency;
(33) Third party means a person, other than the consumer, the controller,
the processor, or an affiliate of the controller or processor; and
(34) Trade secret has the same meaning as in section 87-502.
Sec. 3. (1) The Data Privacy Act applies only to a person that:
(a) Conducts business in this state or produces a product or service consumed by residents of this state;
(b) Processes or engages in the sale of personal data; and
(c) Is not a small business as determined under the federal Small Business Act, as such act existed on January 1, 2024, except to the extent that section
18 of this act applies to a person described by this subdivision.
(2) The Data Privacy Act does not apply to any:
(a) State agency or political subdivision of this state;
(b) Financial institution, affiliate of a financial institution, or data subject to Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., as such title existed on January 1, 2024;
(c) Covered entity or business associate governed by the privacy,
security, and breach notification rules issued by the United States Department of Health and Human Services, 45 C.F.R. parts 160 and 164, as such parts existed on January 1, 2024, and Division A, Title XIII, and Division B, Title IV, of the federal Health Information Technology for Economic and Clinical
Health Act, Public Law No. 111-5, as such act existed on January 1, 2024;
(d) Nonprofit organization;
(e) Institution of higher education;
(f) Electric supplier or supplier of electricity as defined in section
70-1001.01;
(g) Natural gas public utility as defined in section 66-1802; or
(h) Natural gas utility owned or operated by a city or a metropolitan utilities district.
Sec. 4. The Data Privacy Act does not apply to the following:
(1) Protected health information under the Health Insurance Portability and Accountability Act;
(2) Health records;
(3) Patient identifying information for purposes of 42 U.S.C. 290dd-2, as such section existed on January 1, 2024;
(4) Identifiable private information:
(a) For purposes of the federal policy for the protection of human subjects under 45 C.F.R. part 46, as such part existed on January 1, 2024;
(b) Collected as part of human subjects research under the good clinical practice guidelines issued by the International Council for Harmonisation of
Technical Requirements for Pharmaceuticals for Human Use, as such guidelines existed on January 1, 2024, or of the protection of human subjects under 21
C.F.R. parts 50 and 56, as such parts existed on January 1, 2024; or
(c) That is personal data used or shared in research conducted pursuant to
the Data Privacy Act or other research conducted in accordance with applicable Nebraska law;
(5) Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986, 42 U.S.C. 11101 et seq., as such act existed on January 1, 2024;
(6) Patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act of 2005, 42 U.S.C. 299b-21 et seq., as such act existed on January 1, 2024;
(7) Information derived from any of the health care-related information listed in this section that is deidentified in accordance with the requirements for deidentification under the Health Insurance Portability and Accountability Act;
(8) Information originating from, and intermingled to be indistinguishable with, or information treated in the same manner as, information exempt under this section that is maintained by a covered entity or business associate as
defined by the Health Insurance Portability and Accountability Act or by a program or a qualified service organization as defined by 42 U.S.C. 290dd-2, as such section existed on January 1, 2024;
(9) Information that is included in a limited data set as described by 45
C.F.R. 164.514(e), to the extent that the information is used, disclosed, and maintained in the manner specified by 45 C.F.R. 164.514(e), as such regulation existed on January 1, 2024;
(10) Information collected or used only for public health activities and purposes as authorized by the Health Insurance Portability and Accountability Act;
(11) The collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation,