87-1102.

Terms, defined.

For purposes of the Data Privacy Act:

(1) Affiliate means a legal entity that controls, is controlled by, or is under common control with another legal entity or shares common branding with another legal entity. For purposes of this subdivision, control or controlled means:

(a) The ownership of, or power to vote, more than fifty percent of the outstanding shares of any class of voting security of a company;

(b) The control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or

(c) The power to exercise controlling influence over the management of a company;

(2) Authenticate means to verify through reasonable means that the consumer who is entitled to exercise the consumer's rights under sections 87-1107 to 87-1111, or a person on behalf of such consumer, is the same consumer exercising those consumer rights with respect to the personal data at issue;

(3)(a) Biometric data means data that is generated to identify a specific individual through an automatic measurement of a biological characteristic of such individual and includes any:

(i) Fingerprint;

(ii) Voice print;

(iii) Retina image;

(iv) Iris image; or

(v) Unique biological pattern or characteristic.

(b) Biometric data does not include:

(i) Except when generated to identify a specific individual, any physical or digital photograph, video or audio recording, or data generated from a physical or digital photograph; or

(ii) Information collected, used, or stored for health care treatment, payment, or operations under the Health Insurance Portability and Accountability Act;

(4) Business associate has the meaning assigned to the term by the Health Insurance Portability and Accountability Act;

(5) Child means an individual younger than thirteen years of age;

(6)(a) Consent means, when referring to a consumer, a clear and affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer, including a statement written by electronic means or any other unambiguous affirmative action by the consumer.

(b) Consent, when referring to a consumer, does not include:

(i) Acceptance of a general or broad term of use or similar document that contains a description of personal data processing along with other, unrelated information;

(ii) Hovering over, muting, pausing, or closing a given piece of content; or

(iii) Agreement obtained through the use of a dark pattern;

(7)(a) Consumer means an individual who is a resident of this state acting only in an individual or household context.

(b) Consumer does not include an individual acting in a commercial or employment context;

(8) Controller means an individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data;

(9) Covered entity has the same meaning as defined in 45 C.F.R. 160.103, as such regulation existed on January 1, 2024;

(10) Dark pattern means a user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision-making, or choice, and includes any practice determined by the Federal Trade Commission to be a dark pattern as of January 1, 2024;

(11) Decision that produces a legal or similarly significant effect concerning a consumer means a decision made by the controller that results in the provision or denial by the controller of:

(a) Financial and lending services;

(b) Housing, insurance, or health care services;

(c) Education enrollment;

(d) Employment opportunities;

(e) Criminal justice; or

(f) Access to basic necessities, such as food and water;

(12) Deidentified data means data that cannot reasonably be linked to an identified or identifiable individual, or a device linked to that individual;

(13) Health care provider has the same meaning as in the Health Insurance Portability and Accountability Act;

(14) Health Insurance Portability and Accountability Act means the federal Health Insurance Portability and Accountability Act of 1996, as such act existed on January 1, 2024;

(15) Health record means any written, printed, or electronically recorded material maintained by a health care provider in the course of providing health care services to an individual that concerns the individual and the services provided to such individual, and includes:

(a) The substance of any communication made by an individual to a health care provider in confidence during or in connection with the provision of health care services; or

(b) Information otherwise acquired by the health care provider about an individual in confidence and in connection with health care services provided to the individual;

(16) Identified or identifiable individual means a consumer who can be directly or indirectly readily identified;

(17) Institution of higher education means any postsecondary institution or private postsecondary institution as such terms are defined in section 85-2403;

(18) Known child means a child under circumstances where a controller has actual knowledge of, or willfully disregards, the child's age;

(19) Nonprofit organization means any corporation organized under the Nebraska Nonprofit Corporation Act, any organization exempt from taxation under section 501(c)(3), 501(c)(6), or 501(c)(12) of the Internal Revenue Code, any organization exempt from taxation under section 501(c)(4) of the Internal Revenue Code that is established to detect or prevent insurance-related crime or fraud, and any subsidiary or affiliate of a cooperative corporation organized in this state;

(20)(a) Personal data means any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual, and includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.

(b) Personal data does not include deidentified data or publicly available information;

(21) Political organization means a party, committee, association, fund, or other organization, regardless of whether incorporated, that is organized and operated primarily for the purpose of influencing or attempting to influence:

(a) The selection, nomination, election, or appointment of an individual to a federal, state, or local public office or an office in a political organization, regardless of whether the individual is selected, nominated, elected, or appointed; or

(b) The election of a presidential or vice-presidential elector, regardless of whether the elector is selected, nominated, elected, or appointed;

(22)(a) Precise geolocation data means information derived from technology, including global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of one thousand seven hundred fifty feet.

(b) Precise geolocation data does not include the content of communications or any data generated by or connected to an advanced utility metering infrastructure system or to equipment for use by a utility;

(23) Process or processing means an operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data;

(24) Processor means a person that processes personal data on behalf of a controller;

(25) Profiling means any form of solely automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements;

(26) Protected health information has the same meaning as in the Health Insurance Portability and Accountability Act;

(27) Pseudonymous data means any personal information that cannot be attributed to a specific individual without the use of additional information, provided that the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual;

(28) Publicly available information means information that is lawfully made available through government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by a consumer, or by a person to whom a consumer has disclosed the information, unless the consumer has restricted the information to a specific audience;

(29)(a) Sale of personal data means the exchange of personal data for monetary or other valuable consideration by the controller to a third party.

(b) Sale of personal data does not include:

(i) The disclosure of personal data to a processor that processes the personal data on the controller's behalf;

(ii) The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;

(iii) The disclosure or transfer of personal data to an affiliate of the controller;

(iv) The disclosure of information that the consumer:

(A) Intentionally made available to the general public through a mass media channel; and

(B) Did not restrict to a specific audience; or

(v) The disclosure or transfer of personal data to a third party as an asset in which the third party assumes control of all or part of the controller's assets that is part of a proposed or actual:

(A) Merger;

(B) Acquisition;

(C) Bankruptcy; or

(D) Other transaction;

(30) Sensitive data means a category of personal data, and includes:

(a) Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;

(b) Genetic or biometric data that is processed for the purpose of uniquely identifying an individual;

(c) Personal data collected from a known child; or

(d) Precise geolocation data;

(31) State agency means a department, commission, board, office, council, authority, or other agency in any branch of state government that is created by the constitution or a statute of this state, including any university system or any postsecondary institution as defined in section 85-2403;

(32)(a) Targeted advertising means displaying to a consumer an advertisement that is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict the consumer's preferences or interests.

(b) Targeted advertising does not include:

(i) An advertisement that:

(A) Is based on activities within a controller's own websites or online applications;

(B) Is based on the context of a consumer's current search query, visit to a website, or online application; or

(C) Is directed to a consumer in response to the consumer's request for information or feedback; or

(ii) The processing of personal data solely for measuring or reporting advertising performance, reach, or frequency;

(33) Third party means a person, other than the consumer, the controller, the processor, or an affiliate of the controller or processor; and

(34) Trade secret has the same meaning as in section 87-502.