The global standard GPP defines a way for local standards to "plug-in" into the existing mechanics defined by GPP and the GPP client side API. This document outlines the technical specification for using the Nebraska section of the GPP specifications in accordance with the IAB Privacy Multi-State Privacy Agreement legal requirements, applicable to both Signatories and non-Signatories of the MSPA.
| Date | Version | Comments |
| July 2024 | 1.0 | Version 1.0 released |
The Nebraska Privacy String consists of the following components. Users of the spec should employ the Nebraska Privacy String only if they have determined the Nebraska Data Privacy Act, L.B. 1074 (2024), applies to their processing of a consumer’s personal data.
| Type | Value | Description |
| GPP Section ID | 19 | The Nebraska Section is registered as Section ID 19 under the GPP. |
| Client side API prefix | usne | The Nebraska Privacy Section is registered with client side API prefix “usne” in the GPP Client Side API. |
Note on the JS representation of the section: the field name should be in UpperCamelCase, with exactly the same spelling as the names in column "Field name". Follow this table to map the GPP field types to JavaScript native data types. Please refer to the PingReturn's parsedSections object for an example.
The core sub-section must always be present. Where terms are capitalized in the ‘description’ field they are defined in the Nebraska Act, Sec. 2 [Pending Codification]. It consists of the following fields:
|
Field name |
GPP Field Type |
Description |
|---|---|---|
| Version | Int(6) | The version of this section specification used to encode the string. |
| ProcessingNotice | Int(2) |
Notice of the Processing of Personal Data.0 = Not Applicable,
the Controller does not Process Personal Data1 = Yes, notice was provided2 = No, notice was not provided |
| SaleOptOutNotice | Int(2) |
Notice of the Opportunity to Opt Out of the Sale of the Consumer’s Personal Data 0 = Not Applicable,
the
Controller does not Sell Personal Data
1 = Yes, notice was provided
2 = No, notice was not provided
|
| TargetedAdvertisingOptOutNotice | Int(2) |
Notice of the Opportunity to Opt Out of Processing of the Consumer’s Personal Data for Targeted Advertising0 = Not Applicable, the Controller does not Process Personal Data for Targeted Advertising
1 = Yes, notice was provided
2 = No, notice was not provided
|
| SaleOptOut | Int(2) |
Opt-Out of the Sale of the Consumer’s Personal Data0 = Not Applicable, SaleOptOutNotice value was not applicable or no notice was provided1 = Opted Out2 = Did Not Opt Out |
| TargetedAdvertisingOptOut | Int(2) |
Opt-Out of Processing the Consumer’s Personal Data for Targeted Advertising0 = Not Applicable, TargetedAdvertisingOptOutNotice value was not applicable or no notice was provided1 = Opted Out2 = Did Not Opt Out |
| SensitiveDataProcessing | N-Bitfield(2,8) | Two bits for each Data Activity:0 = Not Applicable, the Controller does not Process the specific category of Sensitive Data1 = No Consent2 = Consent (1). Consent to Process the Consumer’s Sensitive Data Consisting of Personal Data Revealing Racial or Ethnic Origin.
(2). Consent to Process the Consumer’s Sensitive Data Consisting of Personal Data Revealing Religious Beliefs.
(3). Consent to Process the Consumer’s Sensitive Data Consisting of Personal Data Revealing a Mental or Physical Health Diagnosis.
(4). Consent to Process the Consumer’s Sensitive Data Consisting of Personal Data Revealing Sexual Orientation.
(5). Consent to Process the Consumer’s Sensitive Data Consisting of Personal Data Revealing Citizenship or Immigration Status.
(6). Consent to Process the Consumer’s Sensitive Data Consisting of Genetic Data for the Purpose of Uniquely Identifying an Individual.
(7). Consent to Process the Consumer’s Sensitive Data Consisting of Biometric Data for the Purpose of Uniquely Identifying an Individual.
(8). Consent to Process the Consumer’s Sensitive Data Consisting of Precise Geolocation Data.
|
| KnownChildSensitiveDataConsents | Int(2) |
Consent to Process Personal Data from a Known Child.0 = Not Applicable, the Controller does not
Process Sensitive Data of a known Child1 = No Consent2 = Consent |
| AdditionalDataProcessingConsent | Int(2) | Consent to Processing of the Consumer’s Personal Data that Is Not Reasonably Necessary for nor Compatible with the Disclosed Purpose(s) for which the Consumer’s Personal Data Was Processed0 = Not Applicable, the Controller does not Process Personal Data that is Not Reasonably Necessary for nor Compatible with the Disclosed Purpose(s)1 = No Consent2 = Consent |
| MspaCoveredTransaction | Int(2) |
Publisher or Advertiser, as applicable, is a signatory to the IAB Multi-State Privacy Agreement (MSPA), as may be amended from time to time, and declares that the transaction is a “Covered Transaction” as defined in the MSPA. 1 = Yes2 = No |
| MspaOptOutOptionMode | Int(2) |
Publisher or Advertiser, as applicable, has enabled “Opt-Out Option Mode” for the “Covered Transaction,” as such terms are defined in the MSPA.0 = Not Applicable1 = Yes2 = No |
| MspaServiceProviderMode | Int(2) |
Publisher or Advertiser, as applicable, has enabled “Service Provider Mode” for the “Covered Transaction,” as such terms are defined in the MSPA.0 = Not Applicable1 = Yes2 = No |
GPC is signaled in user agent headers (Sec-GPC) and a simple javascript API (globalPrivacyControl) . Entities creating GPP strings should check for whether GPC is set and pass along the value they find (from the headers or javascript API) in this sub-section.
| Field Name | GPP Field Type | Description |
| SubsectionType | Int(2) | 0 = Core1 = GPC |
| Gpc | Boolean | 0 = false1 = true |