txt

HB 328: "An Act relating to biometric information and to the collection, use, storage, and disclosure of geolocation information; and establishing an unfair trade practice under the Alaska Unfair Trade Practices and Consumer Protection Act."

00                             HOUSE BILL NO. 328                                                                          
01 "An Act relating to biometric information and to the collection, use, storage, and                                      
02 disclosure of geolocation information; and establishing an unfair trade practice under                                  
03 the Alaska Unfair Trade Practices and Consumer Protection Act."                                                         
04 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF ALASKA:                                                                
05    * Section 1. AS 18.13 is amended by adding new sections to read:                                                   
06                      Article 2. Biometric Information.                                                                
07            Sec. 18.13.200. Biometric data collection. (a) A person may not collect for                              
08       use in a biometric system the biometric data of an individual who is not the collector                            
09       unless the collector first                                                                                        
10                 (1)  notifies the individual in a clear manner                                                          
11                      (A)  that the biometric data is being collected for use in a                                       
12            biometric system;                                                                                            
13                      (B)  of the specific purpose for which the biometric information                                   
14            will be used; and                                                                                            
01                      (C)  of the length of time the biometric information will be kept;                                 
02            and                                                                                                          
03                 (2)  receives, in a written, electronic, or other form by which the                                     
04       consent can be documented, the individual's full consent to the                                                   
05                      (A)  collection of the biometric data for use in a biometric                                       
06            system;                                                                                                      
07                      (B)  specific purpose for which the biometric information will                                     
08            be used; and                                                                                                 
09                      (C)  length of time the biometric information will be kept.                                        
10 (b)  An individual may revoke or amend the individual's consent provided                                                
11 under (a) of this section at any time after the original purpose for which the consent                                  
12       was given ceases to exist.                                                                                        
13 Sec. 18.13.210. Disclosure of biometric information. (a) A collector and a                                            
14 contractor may not disclose, transfer, or distribute the biometric information of another                               
15 individual, except to the collector's contractor or to a person to authenticate the                                     
16       identity of the individual providing the biometric information.                                                   
17 (b)  A disclosure, transfer, or distribution under (a) of this section may be made                                      
18       only for the original purpose for which the biometric information was to be used.                                 
19 Sec. 18.13.220. Sale of biometric information. A person may not sell                                                  
20 biometric information, except that a contractor may sell the contractor's business to                                   
21       another person and transfer the biometric information to the buyer.                                               
22 Sec. 18.13.230. Disposal. (a) When a collector no longer needs an individual's                                        
23 biometric information for the original purpose for which the biometric information                                      
24 was to be used, the collector and the contractor, if any, shall, within 120 days and                                    
25 unless prohibited by other law, a regulation, or a court order, remove the individual's                                 
26 biometric information from all databases and storage systems and destroy the                                            
27       biometric information.                                                                                            
28 (b)  Within 60 days after determining that the collector no longer needs an                                             
29 individual's biometric information for the original purpose for which the biometric                                     
30 information was to be used, the collector shall notify the contractor, if any, that the                                 
31 collector is to remove the individual's biometric information from all databases and                                    
01       storage systems and destroy the biometric information.                                                            
02            Sec. 18.13.240. Use of biometric information. A collector may use biometric                                
03       information for a fraud prevention purpose in addition to the original purpose for                                
04       which the biometric information was to be used.                                                                   
05 Sec. 18.13.250. Storage of biometric information. A collector and a                                                   
06 contractor shall store an individual's biometric information in a secure manner, which                                  
07 may include encryption or another appropriate method, to ensure that the identity of                                    
08       the individual who provided the biometric information is protected.                                               
09            Sec. 18.13.260. Right of action. An individual may bring a civil action against                            
10 a person who intentionally violates AS 18.13.200 - 18.13.290. A person who                                              
11 intentionally violates AS 18.13.200 - 18.13.290 is liable to the individual for a penalty                               
12 of $1,000, except that, if the violation resulted in profit or monetary gain to the person,                             
13 the penalty is $5,000. In this section, "intentionally" has the meaning given in                                        
14       AS 11.81.900.                                                                                                     
15            Sec. 18.13.270. Exemptions.  AS 18.13.200 - 18.13.290 do not apply to the                                  
16                 (1)  collection, retention, analysis, disclosure, or distribution of                                    
17 (A)  biometric information for a law enforcement purpose,                                                               
18 including the identification of perpetrators, the investigation of crimes, the                                          
19 identification of missing or unidentified persons, or the identification of human                                       
20            remains;                                                                                                     
21 (B)  biometric information when authorized by state or federal                                                          
22            law;                                                                                                         
23 (C)  facial images by the Department of Administration for                                                              
24 drivers' licenses issued under AS 28.15, for state identification cards issued                                          
25 under AS 18.65.310, for administering AS 28.15, or for administering                                                    
26            AS 18.65.310; or                                                                                             
27 (D)  a photograph, unless the photograph is collected for use in                                                        
28            a biometric system; or                                                                                       
29                 (2)  retention of voices recorded for quality assurance purposes.                                       
30            Sec. 18.13.290. Definitions. In AS 18.13.200 - 18.13.290,                                                  
31 (1)  "biometric data" means fingerprints, handprints, voices, iris                                                      
01       images, retinal images, vein scans, hand geometry, finger geometry, or other physical                             
02       characteristics of an individual;                                                                                 
03                 (2)  "biometric information" means biometric data used in a biometric                                   
04       system;                                                                                                           
05                 (3)  "biometric system" means an automated system that                                                  
06                      (A)  captures biometric data from an individual's biometric                                        
07            information;                                                                                                 
08                      (B)  extracts and processes the biometric data captured under                                      
09            (A) of this paragraph;                                                                                       
10 (C)  stores the biometric data extracted under (B) of this                                                              
11            paragraph;                                                                                                   
12 (D)  compares the biometric data extracted under (B) of this                                                            
13 paragraph with biometric data from the individual stored for use in future                                              
14            recognition of the individual; and                                                                           
15 (E)  determines how well the extracted and stored biometric                                                             
16 data match when compared under (D) of this paragraph and indicates whether                                              
17            an identification or verification of identity has been achieved;                                             
18 (4)  "collector" means a person who collects the biometric information                                                  
19       of another individual;                                                                                            
20                 (5)  "contractor" means a person                                                                        
21 (A)  who contracts with a collector to store the biometric                                                              
22            information collected by the collector; or                                                                   
23 (B)  to whom the contractor sells the contractor's business and                                                         
24            transfers the biometric information stored by the contractor;                                                
25 (6)  "original purpose" means the specific purpose stated for the use of                                                
26       biometric information under AS 18.13.200(a)(1)(B);                                                                
27                 (7)  "person" includes                                                                                  
28 (A)  a corporation, company, partnership, firm, association,                                                            
29            organization, business trust, or society;                                                                    
30                      (B)  an individual;                                                                                
31 (C)  an agency of the executive, judicial, or legislative branch of                                                     
01            state government;                                                                                            
02                      (D)  a municipality or an agency of a municipality.                                                
03    * Sec. 2. AS 45.48 is amended by adding new sections to read:                                                    
04                 Article 6A. Geolocation Information Protection.                                                       
05 Sec. 45.48.800. Collection, use, storage, and disclosure of geolocation                                               
06 information. Except as provided in AS 45.48.820, a private person may not collect,                                    
07 use, store, or disclose an individual's geolocation information that the private person                                 
08 obtained from a location-based application on the individual's mobile electronic                                        
09 device, unless the private person first provides the individual with written notice under                               
10 AS 45.48.810 and the individual expressly consents to the disclosure. In this section,                                  
11 "location-based application" means a computer software program that collects, uses,                                     
12       or stores geolocation information.                                                                                
13 Sec. 45.48.810. Notice requirements. The notice required by AS 45.48.800                                              
14       must                                                                                                              
15                 (1)  be clear, prominent, and accurate;                                                                 
16 (2)  inform the individual that the private person will collect, use, store,                                            
17       or disclose the individual's geolocation information;                                                             
18 (3)  inform the individual of the specific purposes for which the private                                               
19       person will collect, use, store, or disclose the individual's geolocation information; and                        
20 (4)  provide the individual with a hyperlink or comparable easily                                                       
21 accessible means on the Internet to access the individual's geolocation information that                                
22 the private person collects, uses, stores, or discloses; in this paragraph, "hyperlink"                                 
23 means a highlighted word or picture on an Internet document or page that the                                            
24       individual can click to access the geolocation information.                                                       
25 Sec. 45.48.820. Exemptions. (a) A private person may collect, use, store, or                                          
26 disclose an individual's geolocation information without providing the notice required                                  
27       by AS 45.48.800 or receiving the express consent of the individual                                                
28 (1)  if the private person is collecting, using, storing, or disclosing the                                             
29       private person's own geolocation information;                                                                     
30 (2)  to allow a parent or other lawful custodian of a minor child to                                                    
31       locate the minor child; in this paragraph,                                                                        
01                      (A)  "lawful custodian" has the meaning given in AS 11.41.370;                                     
02                      (B)  "minor child" means a child who is under 18 years of age                                      
03 and whose disabilities of minority have not been removed under AS 09.55.590;                                            
04 (3)  to allow a court-appointed guardian to locate an incapacitated                                                     
05 person; in this paragraph, "incapacitated person" has the meaning given in                                              
06       AS 13.26.005; or                                                                                                  
07                 (4)  to allow a person to provide fire, medical, public safety, or other                                
08       emergency services.                                                                                               
09            (b)  AS 45.48.800 - 45.48.880 do not apply to utilities that furnish                                         
10 telecommunications services regulated under AS 42.05. In this subsection,                                               
11       "telecommunications" has the meaning given in AS 42.05.990.                                                       
12 Sec. 45.48.830. Effect on contracts. A contract that violates AS 45.48.800 -                                          
13       45.48.880 is void and unenforceable.                                                                              
14 Sec. 45.48.840. Waivers. A person may not waive the provisions of                                                     
15 AS 45.48.800 - 45.48.880. A waiver of the provisions of AS 45.48.800 - 45.48.880 is                                     
16       void and unenforceable.                                                                                           
17 Sec. 45.48.850. Violations. If a private person violates AS 45.48.800 -                                               
18 45.48.880, the violation is an unfair or deceptive act or practice under AS 45.50.471 -                                 
19 45.50.561, except that AS 45.50.531 does not apply to the violation; however, the                                       
20 individual whose geolocation information was the subject of the violation may bring a                                   
21       civil action in court to                                                                                          
22 (1)  recover liquidated damages of $1,000 or actual damages,                                                            
23       whichever amount is greater; and                                                                                  
24                 (2)  obtain other relief that the court determines is appropriate.                                      
25 Sec. 45.48.860. Relationship to federal law. AS 45.48.800 - 45.48.880 do not                                          
26       apply to a                                                                                                        
27 (1)  health care provider or other person that is subject to P.L. 104-191                                               
28 (Health Insurance Portability and Accountability Act of 1996) and the regulations                                       
29       adopted under that law;                                                                                           
30 (2)  financial institution or an affiliate of a financial institution that is                                           
31 subject to 15 U.S.C. 6801 - 6809 of the Gramm-Leach-Bliley Financial Modernization                                      
01       Act and the regulations adopted under that law.                                                                   
02            Sec. 45.48.870. Definitions. In AS 45.48.800 - 45.48.880,                                                  
03 (1)  "geolocation information" means information identifying the                                                        
04 geographical location of a person or device by using digital information processed                                      
05 through the Internet; "geolocation information" does not include Internet protocol                                      
06       addresses or the contents of an electronic communication;                                                         
07                 (2)  "Internet" means the combination of computer systems or networks                                   
08       that make up the international network for interactive communications services,                                   
09       including remote logins, file transfers, electronic mail, and newsgroups;                                         
10                 (3)  "private person" means a person that is not a governmental agency.                                 
11            Sec. 45.48.880. Short title. AS 45.48.800 - 45.48.880 may be cited as the                                  
12       Geolocation Information Protection Act.                                                                           
13    * Sec. 3. AS 45.50.471(b) is amended by adding a new paragraph to read:                                            
14                 (58)  violating AS 45.48.800 - 45.48.880 (geolocation information                                       
15       protection).                                                                                                      
16    * Sec. 4. The uncodified law of the State of Alaska is amended by adding a new section to                          
17 read:                                                                                                                   
18       APPLICABILITY. AS 45.48.830, added by sec. 2 of this Act, applies to contracts that                               
19 are entered into on or after the effective date of this Act.                                                            
20    * Sec. 5. The uncodified law of the State of Alaska is amended by adding a new section to                          
21 read:                                                                                                                   
22       REVISOR'S INSTRUCTION. Wherever "this chapter" appears in AS 18.13.010 -                                          
23 18.13.100, the revisor of statutes shall substitute "AS 18.13.010 - 18.13.100."