LB1294 LB1294
2024 2024
LEGISLATURE OF NEBRASKA
ONE HUNDRED EIGHTH LEGISLATURE
SECOND SESSION
LEGISLATIVE BILL 1294
Introduced by Bostar, 29; Aguilar, 35; Ballard, 21; Jacobson, 42; von Gillern, 4.
Read first time January 16, 2024
Committee: Banking, Commerce and Insurance
1 A BILL FOR AN ACT relating to data privacy; to amend sections 71-605.02
2 and 71-616, Reissue Revised Statutes of Nebraska, section 84-712.05,
3 Revised Statutes Cumulative Supplement, 2022, and section 71-612,
4 Revised Statutes Supplement, 2023; to adopt the Data Privacy Act; to
5 change provisions relating to the preservation and use of certain
6 certificates and information relating to vital records; to provide
7 for certain records to be exempt from public disclosure; to provide
8 an operative date; to provide severability; and to repeal the
9 original sections.
10 Be it enacted by the people of the State of Nebraska,
1 Section 1. Sections 1 to 30 of this act shall be known and may be
2 cited as the Data Privacy Act.
3 Sec. 2. For purposes of the Data Privacy Act:
4 (1) Affiliate means a legal entity that controls, is controlled by,
5 or is under common control with another legal entity or shares common
6 branding with another legal entity. For purposes of this subdivision,
7 control or controlled means:
8 (a) The ownership of, or power to vote, more than fifty percent of
9 the outstanding shares of any class of voting security of a company;
10 (b) The control in any manner over the election of a majority of the
11 directors or of individuals exercising similar functions; or
12 (c) The power to exercise controlling influence over the management
13 of a company;
14 (2) Authenticate means to verify through reasonable means that the
15 consumer who is entitled to exercise the consumer's rights under sections
16 7 to 11 of this act is the same consumer exercising those consumer rights
17 with respect to the personal data at issue;
18 (3)(a) Biometric data means data that is used to identify a specific
19 individual through an automatic measurement of a biological
20 characteristic of an individual and includes any:
21 (i) Fingerprint;
22 (ii) Voice print;
23 (iii) Retina image;
24 (iv) Iris image;
25 (v) Information derived from wastewater; or
26 (vi) Unique biological pattern or characteristic; and
27 (b) Biometric data does not include a physical or digital
28 photograph; a video or audio recording or data generated from a physical
29 or digital photograph; or information collected, used, or stored for
30 health care treatment, payment, or operations under the Health Insurance
31 Portability and Accountability Act;
1 (4) Business associate has the meaning assigned to the term by the
2 Health Insurance Portability and Accountability Act;
3 (5) Child means an individual younger than thirteen years of age;
4 (6)(a) Consent means, when referring to a consumer, a clear and
5 affirmative act signifying a consumer's freely given, specific, informed,
6 and unambiguous agreement to process personal data relating to the
7 consumer, and includes a written statement, including a statement written
8 by electronic means, or any other unambiguous affirmative action.
9 (b) Consent, when referring to a consumer, does not include:
10 (i) Acceptance of a general or broad term of use or similar document
11 that contains a description of personal data processing along with other,
12 unrelated information;
13 (ii) Hovering over, muting, pausing, or closing a given piece of
14 content; or
15 (iii) Agreement obtained through the use of a dark pattern;
16 (7)(a) Consumer means an individual who is a resident of this state
17 acting only in an individual or household context.
18 (b) Consumer does not include an individual acting in a commercial
19 or employment context;
20 (8) Controller means an individual or other person that, alone or
21 jointly with others, determines the purpose and means of processing
22 personal data;
23 (9) Covered entity has the same meaning as defined in 45 C.F.R.
24 160.103, as such regulation existed on January 1, 2024;
25 (10) Dark pattern means a user interface designed or manipulated
26 with the effect of substantially subverting or impairing user autonomy,
27 decision-making, or choice, and includes any practice determined by the
28 Federal Trade Commission to be a dark pattern as of January 1, 2024;
29 (11) Decision that produces a legal or similarly significant effect
30 concerning a consumer means a decision made by the controller that
31 results in the provision or denial by the controller of:
1 (a) Financial and lending services;
2 (b) Housing, insurance, or health care services;
3 (c) Education enrollment;
4 (d) Employment opportunities;
5 (e) Criminal justice; or
6 (f) Access to basic necessities, such as food and water;
7 (12) Deidentified data means data that cannot reasonably be linked
8 to an identified or identifiable individual, or a device linked to that
9 individual;
10 (13) Health care provider has the same meaning as in the Health
11 Insurance Portability and Accountability Act;
12 (14) Health Insurance Portability and Accountability Act means the
13 federal Health Insurance Portability and Accountability Act of 1996, as
14 such act existed on January 1, 2024;
15 (15) Health record means any written, printed, or electronically
16 recorded material maintained by a health care provider in the course of
17 providing health care services to an individual that concerns the
18 individual and the services provided to such individual, and includes:
19 (a) The substance of any communication made by an individual to a
20 health care provider in confidence during or in connection with the
21 provision of health care services; or
22 (b) Information otherwise acquired by the health care provider about
23 an individual in confidence and in connection with health care services
24 provided to the individual;
25 (16) Identified or identifiable individual means a consumer who can
26 be directly or indirectly readily identified;
27 (17) Institution of higher education means any postsecondary
28 institution or private postsecondary institution as such terms are
29 defined in section 85-2403;
30 (18) Known child means a child under circumstances where a
31 controller has actual knowledge of, or willfully disregards, the child's
1 age;
2 (19) Nonprofit organization means any corporation organized under
3 the Nebraska Nonprofit Corporation Act, any organization exempt from
4 taxation under section 501(c)(3), 501(c)(6), or 501(c)(12) of the
5 Internal Revenue Code, any organization exempt from taxation under
6 section 501(c)(4) of the Internal Revenue Code that is established to
7 detect or prevent insurance-related crime or fraud, and any subsidiary or
8 affiliate of a cooperative corporation organized in this state;
9 (20)(a) Personal data means any information, including sensitive
10 data, that is linked or reasonably linkable to an identified or
11 identifiable individual, and includes pseudonymous data when the data is
12 used by a controller or processor in conjunction with additional
13 information that reasonably links the data to an identified or
14 identifiable individual.
15 (b) Personal data does not include deidentified data or publicly
16 available information;
17 (21) Political organization means a party, committee, association,
18 fund, or other organization, regardless of whether incorporated, that is
19 organized and operated primarily for the purpose of influencing or
20 attempting to influence:
21 (a) The selection, nomination, election, or appointment of an
22 individual to a federal, state, or local public office or an office in a
23 political organization, regardless of whether the individual is selected,
24 nominated, elected, or appointed; or
25 (b) The election of a presidential or vice-presidential elector,
26 regardless of whether the elector is selected, nominated, elected, or
27 appointed;
28 (22)(a) Precise geolocation data means information derived from
29 technology, including global positioning system level latitude and
30 longitude coordinates or other mechanisms, that directly identifies the
31 specific location of an individual with precision and accuracy within a
1 radius of one thousand seven hundred fifty feet.
2 (b) Precise geolocation data does not include the content of
3 communications or any data generated by or connected to an advanced
4 utility metering infrastructure system or to equipment for use by a
5 utility;
6 (23) Process or processing means an operation or set of operations
7 performed, whether by manual or automated means, on personal data or on
8 sets of personal data, such as the collection, use, storage, disclosure,
9 analysis, deletion, or modification of personal data;
10 (24) Processor means a person that processes personal data on behalf
11 of a controller;
12 (25) Profiling means any form of solely automated processing
13 performed on personal data to evaluate, analyze, or predict personal
14 aspects related to an identified or identifiable individual's economic
15 situation, health, personal preferences, interests, reliability,
16 behavior, location, or movements;
17 (26) Protected health information has the same meaning as in the
18 Health Insurance Portability and Accountability Act;
19 (27) Pseudonymous data means any information that cannot be
20 attributed to a specific individual without the use of additional
21 information, provided that the additional information is kept separately
22 and is subject to appropriate technical and organizational measures to
23 ensure that the personal data is not attributed to an identified or
24 identifiable individual;
25 (28) Publicly available information means information that is
26 lawfully made available through government records, or information that a
27 business has a reasonable basis to believe is lawfully made available to
28 the general public through widely distributed media, by a consumer, or by
29 a person to whom a consumer has disclosed the information, unless the
30 consumer has restricted the information to a specific audience;
31 (29)(a) Sale of personal data means the sharing, disclosing, or
1 transferring of personal data for monetary or other valuable
2 consideration by the controller to a third party.
3 (b) Sale of personal data does not include:
4 (i) The disclosure of personal data to a processor that processes
5 the personal data on the controller's behalf;
6 (ii) The disclosure of personal data to a third party for purposes
7 of providing a product or service requested by the consumer;
8 (iii) The disclosure or transfer of personal data to an affiliate of
9 the controller;
10 (iv) The disclosure of information that the consumer:
11 (A) Intentionally made available to the general public through a
12 mass media channel; and
13 (B) Did not restrict to a specific audience; or
14 (v) The disclosure or transfer of personal data to a third party as
15 an asset that is part of a merger or acquisition;
16 (30) Sensitive data means a category of personal data, and includes:
17 (a) Personal data revealing racial or ethnic origin, religious
18 beliefs, mental or physical health diagnosis, sexuality, or citizenship
19 or immigration status;
20 (b) Genetic or biometric data that is processed for the purpose of
21 uniquely identifying an individual;
22 (c) Personal data collected from a known child; or
23 (d) Precise geolocation data;
24 (31) State agency means a department, commission, board, office,
25 council, authority, or other agency in any branch of state government
26 that is created by the constitution or a statute of this state, including
27 any university system or any postsecondary institution as defined in
28 section 85-2403;
29 (32)(a) Targeted advertising means displaying to a consumer an
30 advertisement that is selected based on personal data obtained from that
31 consumer's activities over time and across nonaffiliated websites or
1 online applications to predict the consumer's preferences or interests.
2 (b) Targeted advertising does not include:
3 (i) An advertisement that:
4 (A) Is based on activities within a controller's own websites or
5 online applications;
6 (B) Is based on the context of a consumer's current search query,
7 visit to a website, or online application; or
8 (C) Is directed to a consumer in response to the consumer's request
9 for information or feedback; or
10 (ii) The processing of personal data solely for measuring or
11 reporting advertising performance, reach, or frequency;
12 (33) Third party means a person, other than the consumer, the
13 controller, the processor, or an affiliate of the controller or
14 processor;
15 (34) Trade secret means all forms and types of information,
16 including business, scientific, technical, economic, or engineering
17 information, and any formula, design, prototype, pattern, plan,
18 compilation, program device, program, code, device, method, technique,
19 process, procedure, financial data, or list of actual or potential
20 customers or suppliers, whether tangible or intangible and whether or how
21 stored, compiled, or memorialized physically, electronically,
22 graphically, photographically, or in writing if:
23 (a) The owner of the trade secret has taken reasonable measures
24 under the circumstances to keep the information secret; and
25 (b) The information derives independent economic value, actual or
26 potential, from not being generally known to, and not being readily
27 ascertainable through proper means by, another person who can obtain
28 economic value from the disclosure or use of the information.
29 Sec. 3. (1) The Data Privacy Act applies only to a person that:
30 (a) Conducts business in this state or produces a product or service
31 consumed by residents of this state;
1 (b) Processes or engages in the sale of persona