00 HOUSE BILL NO. 328
01 "An Act relating to biometric information and to the collection, use, storage, and
02 disclosure of geolocation information; and establishing an unfair trade practice under
03 the Alaska Unfair Trade Practices and Consumer Protection Act."
04 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF ALASKA:
05 * Section 1. AS 18.13 is amended by adding new sections to read:
06 Article 2. Biometric Information.
07 Sec. 18.13.200. Biometric data collection. (a) A person may not collect for
08 use in a biometric system the biometric data of an individual who is not the collector
09 unless the collector first
10 (1) notifies the individual in a clear manner
11 (A) that the biometric data is being collected for use in a
12 biometric system;
13 (B) of the specific purpose for which the biometric information
14 will be used; and
01 (C) of the length of time the biometric information will be kept;
03 (2) receives, in a written, electronic, or other form by which the
04 consent can be documented, the individual's full consent to the
05 (A) collection of the biometric data for use in a biometric
07 (B) specific purpose for which the biometric information will
08 be used; and
09 (C) length of time the biometric information will be kept.
10 (b) An individual may revoke or amend the individual's consent provided
11 under (a) of this section at any time after the original purpose for which the consent
12 was given ceases to exist.
13 Sec. 18.13.210. Disclosure of biometric information. (a) A collector and a
14 contractor may not disclose, transfer, or distribute the biometric information of another
15 individual, except to the collector's contractor or to a person to authenticate the
16 identity of the individual providing the biometric information.
17 (b) A disclosure, transfer, or distribution under (a) of this section may be made
18 only for the original purpose for which the biometric information was to be used.
19 Sec. 18.13.220. Sale of biometric information. A person may not sell
20 biometric information, except that a contractor may sell the contractor's business to
21 another person and transfer the biometric information to the buyer.
22 Sec. 18.13.230. Disposal. (a) When a collector no longer needs an individual's
23 biometric information for the original purpose for which the biometric information
24 was to be used, the collector and the contractor, if any, shall, within 120 days and
25 unless prohibited by other law, a regulation, or a court order, remove the individual's
26 biometric information from all databases and storage systems and destroy the
27 biometric information.
28 (b) Within 60 days after determining that the collector no longer needs an
29 individual's biometric information for the original purpose for which the biometric
30 information was to be used, the collector shall notify the contractor, if any, that the
31 collector is to remove the individual's biometric information from all databases and
01 storage systems and destroy the biometric information.
02 Sec. 18.13.240. Use of biometric information. A collector may use biometric
03 information for a fraud prevention purpose in addition to the original purpose for
04 which the biometric information was to be used.
05 Sec. 18.13.250. Storage of biometric information. A collector and a
06 contractor shall store an individual's biometric information in a secure manner, which
07 may include encryption or another appropriate method, to ensure that the identity of
08 the individual who provided the biometric information is protected.
09 Sec. 18.13.260. Right of action. An individual may bring a civil action against
10 a person who intentionally violates AS 18.13.200 - 18.13.290. A person who
11 intentionally violates AS 18.13.200 - 18.13.290 is liable to the individual for a penalty
12 of $1,000, except that, if the violation resulted in profit or monetary gain to the person,
13 the penalty is $5,000. In this section, "intentionally" has the meaning given in
14 AS 11.81.900.
15 Sec. 18.13.270. Exemptions. AS 18.13.200 - 18.13.290 do not apply to the
16 (1) collection, retention, analysis, disclosure, or distribution of
17 (A) biometric information for a law enforcement purpose,
18 including the identification of perpetrators, the investigation of crimes, the
19 identification of missing or unidentified persons, or the identification of human
21 (B) biometric information when authorized by state or federal
23 (C) facial images by the Department of Administration for
24 drivers' licenses issued under AS 28.15, for state identification cards issued
25 under AS 18.65.310, for administering AS 28.15, or for administering
26 AS 18.65.310; or
27 (D) a photograph, unless the photograph is collected for use in
28 a biometric system; or
29 (2) retention of voices recorded for quality assurance purposes.
30 Sec. 18.13.290. Definitions. In AS 18.13.200 - 18.13.290,
31 (1) "biometric data" means fingerprints, handprints, voices, iris
01 images, retinal images, vein scans, hand geometry, finger geometry, or other physical
02 characteristics of an individual;
03 (2) "biometric information" means biometric data used in a biometric
05 (3) "biometric system" means an automated system that
06 (A) captures biometric data from an individual's biometric
08 (B) extracts and processes the biometric data captured under
09 (A) of this paragraph;
10 (C) stores the biometric data extracted under (B) of this
12 (D) compares the biometric data extracted under (B) of this
13 paragraph with biometric data from the individual stored for use in future
14 recognition of the individual; and
15 (E) determines how well the extracted and stored biometric
16 data match when compared under (D) of this paragraph and indicates whether
17 an identification or verification of identity has been achieved;
18 (4) "collector" means a person who collects the biometric information
19 of another individual;
20 (5) "contractor" means a person
21 (A) who contracts with a collector to store the biometric
22 information collected by the collector; or
23 (B) to whom the contractor sells the contractor's business and
24 transfers the biometric information stored by the contractor;
25 (6) "original purpose" means the specific purpose stated for the use of
26 biometric information under AS 18.13.200(a)(1)(B);
27 (7) "person" includes
28 (A) a corporation, company, partnership, firm, association,
29 organization, business trust, or society;
30 (B) an individual;
31 (C) an agency of the executive, judicial, or legislative branch of
01 state government;
02 (D) a municipality or an agency of a municipality.
03 * Sec. 2. AS 45.48 is amended by adding new sections to read:
04 Article 6A. Geolocation Information Protection.
05 Sec. 45.48.800. Collection, use, storage, and disclosure of geolocation
06 information. Except as provided in AS 45.48.820, a private person may not collect,
07 use, store, or disclose an individual's geolocation information that the private person
08 obtained from a location-based application on the individual's mobile electronic
09 device, unless the private person first provides the individual with written notice under
10 AS 45.48.810 and the individual expressly consents to the disclosure. In this section,
11 "location-based application" means a computer software program that collects, uses,
12 or stores geolocation information.
13 Sec. 45.48.810. Notice requirements. The notice required by AS 45.48.800
15 (1) be clear, prominent, and accurate;
16 (2) inform the individual that the private person will collect, use, store,
17 or disclose the individual's geolocation information;
18 (3) inform the individual of the specific purposes for which the private
19 person will collect, use, store, or disclose the individual's geolocation information; and
20 (4) provide the individual with a hyperlink or comparable easily
21 accessible means on the Internet to access the individual's geolocation information that
22 the private person collects, uses, stores, or discloses; in this paragraph, "hyperlink"
23 means a highlighted word or picture on an Internet document or page that the
24 individual can click to access the geolocation information.
25 Sec. 45.48.820. Exemptions. (a) A private person may collect, use, store, or
26 disclose an individual's geolocation information without providing the notice required
27 by AS 45.48.800 or receiving the express consent of the individual
28 (1) if the private person is collecting, using, storing, or disclosing the
29 private person's own geolocation information;
30 (2) to allow a parent or other lawful custodian of a minor child to
31 locate the minor child; in this paragraph,
01 (A) "lawful custodian" has the meaning given in AS 11.41.370;
02 (B) "minor child" means a child who is under 18 years of age
03 and whose disabilities of minority have not been removed under AS 09.55.590;
04 (3) to allow a court-appointed guardian to locate an incapacitated
05 person; in this paragraph, "incapacitated person" has the meaning given in
06 AS 13.26.005; or
07 (4) to allow a person to provide fire, medical, public safety, or other
08 emergency services.
09 (b) AS 45.48.800 - 45.48.880 do not apply to utilities that furnish
10 telecommunications services regulated under AS 42.05. In this subsection,
11 "telecommunications" has the meaning given in AS 42.05.990.
12 Sec. 45.48.830. Effect on contracts. A contract that violates AS 45.48.800 -
13 45.48.880 is void and unenforceable.
14 Sec. 45.48.840. Waivers. A person may not waive the provisions of
15 AS 45.48.800 - 45.48.880. A waiver of the provisions of AS 45.48.800 - 45.48.880 is
16 void and unenforceable.
17 Sec. 45.48.850. Violations. If a private person violates AS 45.48.800 -
18 45.48.880, the violation is an unfair or deceptive act or practice under AS 45.50.471 -
19 45.50.561, except that AS 45.50.531 does not apply to the violation; however, the
20 individual whose geolocation information was the subject of the violation may bring a
21 civil action in court to
22 (1) recover liquidated damages of $1,000 or actual damages,
23 whichever amount is greater; and
24 (2) obtain other relief that the court determines is appropriate.
25 Sec. 45.48.860. Relationship to federal law. AS 45.48.800 - 45.48.880 do not
26 apply to a
27 (1) health care provider or other person that is subject to P.L. 104-191
28 (Health Insurance Portability and Accountability Act of 1996) and the regulations
29 adopted under that law;
30 (2) financial institution or an affiliate of a financial institution that is
31 subject to 15 U.S.C. 6801 - 6809 of the Gramm-Leach-Bliley Financial Modernization
01 Act and the regulations adopted under that law.
02 Sec. 45.48.870. Definitions. In AS 45.48.800 - 45.48.880,
03 (1) "geolocation information" means information identifying the
04 geographical location of a person or device by using digital information processed
05 through the Internet; "geolocation information" does not include Internet protocol
06 addresses or the contents of an electronic communication;
07 (2) "Internet" means the combination of computer systems or networks
08 that make up the international network for interactive communications services,
09 including remote logins, file transfers, electronic mail, and newsgroups;
10 (3) "private person" means a person that is not a governmental agency.
11 Sec. 45.48.880. Short title. AS 45.48.800 - 45.48.880 may be cited as the
12 Geolocation Information Protection Act.
13 * Sec. 3. AS 45.50.471(b) is amended by adding a new paragraph to read:
14 (58) violating AS 45.48.800 - 45.48.880 (geolocation information
16 * Sec. 4. The uncodified law of the State of Alaska is amended by adding a new section to
18 APPLICABILITY. AS 45.48.830, added by sec. 2 of this Act, applies to contracts that
19 are entered into on or after the effective date of this Act.
20 * Sec. 5. The uncodified law of the State of Alaska is amended by adding a new section to
22 REVISOR'S INSTRUCTION. Wherever "this chapter" appears in AS 18.13.010 -
23 18.13.100, the revisor of statutes shall substitute "AS 18.13.010 - 18.13.100."