Alaska State Legislature

Home
Bill & Laws
Bills
CSHB 159(L&C) Detail
FullText

txt

CSHB 159(L&C): "An Act relating to the privacy of consumer personal information; establishing the Consumer Personal Information Privacy Act; establishing data broker registration requirements; relating to social security numbers; making certain violations unfair or deceptive trade practices; and providing for an effective date."

00 CS FOR HOUSE BILL NO. 159(L&C) 01 "An Act relating to the privacy of consumer personal information; establishing the 02 Consumer Personal Information Privacy Act; establishing data broker registration 03 requirements; relating to social security numbers; making certain violations unfair or 04 deceptive trade practices; and providing for an effective date." 05 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF ALASKA: 06 * Section 1. AS 44.33.020(a) is amended by adding a new paragraph to read: 07 (45) establish and maintain a data broker registry established under 08 AS 45.48.900. 09 * Sec. 2. AS 45.48.430(b) is amended to read: 10 (b) The prohibition in (a) of this section does not apply if 11 (1) the disclosure is authorized by local, state, or federal law, including 12 AS 45.48.800 - 45.48.945 or a regulation adopted under AS 45.48.470; 13 (2) the person is engaging in the business of government and 14 (A) is authorized by law to disclose the individual's social

01 security number; or 02 (B) the disclosure of the individual's social security number is 03 required for the performance of the person's duties or responsibilities as 04 provided by law; 05 (3) the disclosure is to a person subject to or for a transaction regulated 06 by the Gramm-Leach-Bliley Financial Modernization Act, and the disclosure is for a 07 purpose authorized by the Gramm-Leach-Bliley Financial Modernization Act or to 08 facilitate a transaction of the individual; 09 (4) the disclosure is to a person subject to or for a transaction regulated 10 by the Fair Credit Reporting Act, and the disclosure is for a purpose authorized by the 11 Fair Credit Reporting Act; 12 (5) the disclosure is part of a report prepared by a consumer credit 13 reporting agency in response to a request by a person and the person submits the social 14 security number as part of the request to the consumer credit reporting agency for the 15 preparation of the report; or 16 (6) the disclosure is for a background check on the individual, identity 17 verification, fraud prevention, medical treatment, law enforcement or other 18 government purposes, or the individual's employment, including employment benefits. 19 * Sec. 3. AS 45.48.450(b) is amended to read: 20 (b) Notwithstanding the other provisions of AS 45.48.400 - 45.48.480, and 21 except as provided under AS 45.48.800 - 45.48.945 or for an agent under (a) of this 22 section, a person may disclose an individual's social security number to an 23 independent contractor of the person to facilitate the purpose or transaction for which 24 the individual initially provided the social security number to the person, but the 25 independent contractor may not use the social security number for another purpose or 26 make an unauthorized disclosure of the individual's personal information. In this 27 subsection, "independent contractor" includes a debt collector. 28 * Sec. 4. AS 45.48 is amended by adding new sections to read: 29 Article 6A. Consumer Personal Information Privacy. 30 Sec. 45.48.800. Notice before collection; disclosure of information; other 31 notices. (a) A business that collects personal information from a consumer shall notify

01 the consumer before collecting the information. Notification to the consumer must 02 indicate the categories of personal information that will be collected, the specific 03 purposes for which each category of personal information will be used, the consumer's 04 right under AS 45.48.835 not to have the consumer's personal information sold, 05 shared, or disclosed, and the limitations established under AS 45.48.840 on the use of 06 the consumer's precise geolocation data by the business. A business may not collect an 07 additional category of personal information or use the collected personal information 08 for an additional purpose without first notifying the consumer in accordance with this 09 section. 10 (b) A business shall maintain, and update at least once every 12 months, in the 11 business's online privacy policies and in any state-specific description of consumers' 12 privacy rights, or on the business's Internet website if the business does not maintain 13 online privacy policies or description, the following information: 14 (1) a description of a consumer's rights under AS 45.48.800 - 15 45.48.945; 16 (2) all the designated methods of the business by which a consumer 17 can request access to or deletion of information as provided under AS 45.48.800 - 18 45.48.945; 19 (3) a list of the categories of consumer personal information that the 20 business collected, sold, or disclosed for a business or commercial purpose in the 21 preceding 12 months, and a designation of that information as collected, sold, or 22 disclosed for a business or commercial purpose; or, if the business did not collect, sell, 23 or disclose any consumer personal information for a business or commercial purpose, 24 a disclosure of that fact; 25 (4) the categories of sources from which the consumer personal 26 information was collected; in this paragraph, "categories of sources" includes the 27 consumer, advertising networks, Internet service providers, data analytics providers, 28 government entities, operating systems and platforms, social networks, data brokers, 29 other sources listed in regulations adopted under AS 45.48.800 - 45.48.945, and other 30 types or groupings of persons or entities from which a business collects personal 31 information about consumers, described with enough particularity to provide

01 consumers with a meaningful understanding of the type of person or entity; 02 (5) a description of the business purpose or commercial purpose for 03 which each category of consumer personal information was collected, sold, or 04 disclosed; 05 (6) the categories of third parties to whom the business sold or 06 disclosed consumer personal information; in this paragraph, "categories of third 07 parties" includes advertising networks, Internet service providers, data analytics 08 providers, government entities, operating systems and platforms, social networks, data 09 brokers, other sources listed in regulations adopted under AS 45.48.800 - 45.48.945, 10 and other types or groupings of third parties with whom the business shares personal 11 information, described with enough particularity to provide consumers with a 12 meaningful understanding of the type of third party; 13 (7) a description of a consumer's right to request the specific pieces of 14 the consumer's personal information that the business collected; 15 (8) a statement that information collected to verify a consumer's 16 disclosure or deletion request shall only be used as provided in AS 45.48.850(d) and 17 (e)(1). 18 (c) In addition to the requirements under (b) of this section, a business shall 19 include on the home page of the business's Internet website under the business's online 20 privacy policies, if the business has online privacy policies, and under any state- 21 specific description of consumers' privacy rights, the following: 22 (1) a clear and conspicuous link to an Internet website page titled "Do 23 Not Collect or Sell My Personal Information" that enables a consumer to exercise the 24 consumer's rights under AS 45.48.800 - 45.48.945; a business may not require a 25 consumer to create an account to access this Internet website page or to exercise the 26 consumer's rights under AS 45.48.800 - 45.48.945; and 27 (2) a description of a consumer's rights under AS 45.48.800 - 28 45.48.945. 29 (d) A business may comply with (c) of this section by including the required 30 content on a separate and additional Internet website page that is dedicated to 31 consumers.

01 (e) A business shall include on an Internet website page dedicated to 02 consumers the content required under (b) and (c) of this section and reasonably ensure 03 that consumers are directed to the alternative Internet website. 04 (f) In this section, "home page" means 05 (1) the introductory page of an Internet website where personal 06 information is collected; 07 (2) in the case of a mobile application, the application's platform page 08 or download page, an electronic link within the application, and any other location that 09 allows consumers to review the notice required by (a) of this section. 10 Sec. 45.48.805. Limits on use, processing, collection, sharing, and retention 11 of personal information. (a) A business that collects a consumer's personal 12 information shall limit its collection and sharing of the personal information with third 13 parties to what is reasonably necessary for the business to provide a service or conduct 14 an activity that a consumer has requested, or has consented to, or that is reasonably 15 necessary for security or fraud prevention. In this subsection, "reasonably necessary 16 for security or fraud prevention" does not include profiting financially from the 17 personal information. 18 (b) A business that collects a consumer's personal information is not required 19 to retain personal information collected for a single one-time transaction if the 20 business does not sell or disclose the information. 21 (c) Except for the collection and sharing of personal information under (a) of 22 this section, a business shall limit the business's use and retention of collected personal 23 information to what is reasonably necessary to provide a service or conduct an activity 24 that a consumer has requested or consented to, or for a related operational purpose; 25 however, personal information that is collected or retained solely for security or fraud 26 prevention may not be used for operational purposes. 27 Sec. 45.48.810. Notification of business upon receipt or disclosure of 28 personal information. (a) When a person receives personal information for a business 29 purpose or commercial purpose that a business originally collected from a consumer, 30 the person shall notify the business that the person possesses the personal information 31 and provide the person's contact information. The person shall provide updated contact

01 information to the business if the person's contact information changes. 02 (b) A person who receives personal information that a business originally 03 collected from a consumer, and who discloses the personal information to another 04 person for a business purpose or commercial purpose, shall notify the business that 05 originally collected the information not later than 10 days after the disclosure. The 06 notification must include the contact information of the person to whom the personal 07 information was disclosed. 08 (c) A person that receives personal information that a business originally 09 collected from a consumer shall either de-identify the personal information or 10 maintain the personal information in a way that the person can readily comply with a 11 disclosure or deletion request under AS 45.48.800 - 45.48.945. 12 Sec. 45.48.815. Required records. A business that collects or has collected 13 personal information from a consumer shall maintain records of each person to whom 14 the business discloses the personal information. The business shall also maintain all 15 records provided to the business under AS 45.48.810(a) and (b). 16 Sec. 45.48.820. Request for disclosure of collected personal information. 17 (a) A consumer may request a business that collects or collected the consumer's 18 personal information to disclose to the consumer 19 (1) the categories and specific pieces of personal information that the 20 business collects or collected within the five years preceding the date of the request; 21 (2) the sources from which the business collects or collected each 22 category of personal information; and 23 (3) the business purpose or commercial purpose for the collection of 24 each category of personal information. 25 (b) A business shall respond to a consumer request under this section as 26 required by AS 45.48.850. 27 Sec. 45.48.825. Request for deletion of personal information. (a) A 28 consumer may request a business to delete any of the consumer's personal information 29 collected by the business from the consumer within the five years preceding the date 30 of the request. 31 (b) Upon receiving a consumer request under this section, a business shall

01 delete from the business's records the information identified in the request. 02 (c) Within 45 days after a consumer's deletion request, a business that receives 03 a deletion request under (b) of this section shall direct all persons to whom a business 04 disclosed records under AS 45.48.810 to delete the personal information and provide a 05 written statement verifying that the information has been deleted. A person shall 06 comply with a direction under this subsection. The business shall immediately provide 07 written notification to the attorney general and the consumer of a person who fails to 08 provide written verification of compliance. 09 (d) A person is not required to delete personal information under (c) of this 10 section if the person maintains the personal information to 11 (1) complete the transaction for which the personal information was 12 collected; 13 (2) provide a good or service requested or reasonably anticipated 14 within an ongoing business relationship with the consumer; 15 (3) fulfill the terms of a written warranty or product recall conducted in 16 accordance with federal law; 17 (4) perform a contract between the business and consumer; 18 (5) detect security incidents, protect against malicious, deceptive, 19 fraudulent, or illegal activity, or prosecute the person responsible for that activity; 20 (6) identify and repair errors that impair the existing intended 21 functionality of a product or service; 22 (7) exercise a right provided for by law, including the right under the 23 First Amendment of the United States Constitution and art. I, sec. 5, of the 24 Constitution of the State of Alaska to freedom of speech, or ensure the right of another 25 consumer to exercise that consumer's right to freedom of speech; 26 (8) comply with a search warrant, subpoena, or court order; 27 (9) engage in public or peer-reviewed scientific, historical, or 28 statistical research in the public interest that adheres to all other applicable ethics and 29 privacy laws, if 30 (A) the deletion of information is likely to seriously impair or 31 render impossible the achievement of the research; and

01 (B) the consumer has provided consent to the research; 02 (10) enable solely internal uses that are reasonably aligned with the 03 consumer's expectations, based on the consumer's relationship with the business; or 04 (11) comply with a legal obligation. 05 (e) A person may not disclose personal information that a business collected 06 from a consumer unless the personal information is disclosed in accordance with a 07 contract that requires the recipient to comply with a deletion request issued under 08 AS 45.48.800 - 45.48.945. 09 Sec. 45.48.830. Request for disclosure of personal information sold or 10 disclosed for a business purpose or commercial purpose. (a) A consumer may 11 request that a business that sold or disclosed the consumer's personal information for a 12 business purpose or commercial purpose within the last five years disclose to the 13 consumer 14 (1) the third parties subject to AS 45.48.810 in possession of the 15 consumer's personal information; 16 (2) the categories of personal information or specific pieces of personal 17 information that were sold or disclosed to each third party for a business purpose or 18 commercial purpose; 19 (3) for the third parties to which the business directly disclosed the 20 consumer's personal information for a business purpose or commercial purpose, the 21 business purpose or commercial purpose for disclosing each category of personal 22 information. 23 (b) A business shall respond to a consumer request under this section as 24 required by AS 45.48.850. 25 Sec. 45.48.835. Request not to sell, share, or disclose personal information. 26 (a) A consumer may, at any time, request a business not to sell, share, or disclose the 27 consumer's personal information or not to sell, share, or disclose particular categories 28 of the consumer's personal information. 29 (b) If a business collects personal information from a consumer online and the 30 consumer uses a global privacy control, the business shall treat the use of the global 31 privacy control as a valid request submitted by the consumer under (a) of this section

01 not to sell, share, or disclose the consumer's personal information. In this subsection, 02 (1) "global privacy control" includes a browser plug-in, privacy 03 setting, device setting, or other mechanism that communicates or signals the 04 consumer's choice not to have the consumer's personal information sold, shared, or 05 disclosed; 06 (2) "plug-in" means a piece of software code that enables a computer 07 application or program to perform an activity the application or program cannot do by 08 itself. 09 (c) A consumer may, as provided by regulation adopted under AS 45.48.915, 10 authorize another person solely to request that a business not sell, share, or disclose 11 the consumer's personal information, and a business shall comply with the request 12 received from the person for the consumer. 13 (d) A business shall respond to a consumer request under this section as 14 required by AS 45.48.850, unless the consumer later provides a clear and explicit 15 renunciation of the request. For one year after receiving a request under (a) - (c) of this 16 section, a business may not contact the consumer to request that the consumer 17 renounce the request. 18 (e) A business subject to this section may only use the personal information 19 collected from a consumer request under this section to comply with the request, 20 unless otherwise authorized by the consumer or by another provision of law. 21 Sec. 45.48.840. Use and disclosure of precise geolocation data. (a) A 22 business may use a consumer's precise geolocation data for other purposes than the 23 purpose disclosed under AS 45.48.800(a) if the consumer consents to the use. A 24 consumer who consents to the use of the consumer's precise geolocation data for other 25 purposes may, at any time, request that the business stop using the data for other 26 purposes. The consumer's consent must be in writing and in an agreement separate 27 from any other agreement for use, and the consumer must agree to the business's use 28 of the consumer's precise geolocation data for other purposes. 29 (b) Except as provided in (a) of this section, a business shall limit the use and 30 disclosure of a consumer's precise geolocation data to that necessary to provide goods 31 or services that a consumer requests and reasonably expects, or goods and services the

01 business reasonably expects the consumer will request. 02 (c) The provisions of AS 45.48.800 - 45.48.945 do not apply to a business that 03 uses a consumer's precise geolocation data if the consumer is an employee, contractor, 04 or vendor of the business. 05 Sec. 45.48.845. Treatment of individuals under 18 years of age. (a) 06 Notwithstanding any other provision of AS 45.48.800 - 45.48.945, a business that has 07 actual knowledge that a consumer is under 18 years of age may not disclose the 08 personal information of the consumer for a business purpose or commercial purpose, 09 use the consumer's precise geolocation data for a purpose other than to provide goods 10 or services that the consumer reasonably requests and expects, or sell or share the 11 consumer's personal information, unless the consumer consents to the disclosure, use, 12 or sale. If the consumer is 13 (1) at least 13 years of age, the consumer may give the consent; or 14 (2) under 13 years of age, a parent or guardian of a consumer must 15 give the consent. 16 (b) A business that recklessly disregards a reasonable likelihood that a 17 consumer is under 18 years of age is considered to have actual knowledge of the 18 consumer's age. In this subsection, "recklessly" has the meaning given in 19 AS 11.81.900(a). 20 (c) A business may not track or profile the personal information of an 21 individual who is under 18 years of age in order to provide to the individual a 22 commercial advertisement that is based on the personal information or computer 23 online activity of the individual. 24 Sec. 45.48.850. Disclosure or deletion request; process. (a) A business shall 25 respond to a consumer request under AS 45.48.820 or 45.48.830 by 26 (1) providing the requested information electronically to the consumer 27 in a portable and, to the extent technically feasible, readily useable format that allows 28 the consumer to transmit the information to another person without hindrance; 29 (2) if the information provided under (1) of this subsection is not in a 30 human-readable format, providing the requested information to the consumer in a 31 format that is easily readable by a human; and

01 (3) at the consumer's request, providing the requested information by 02 mail. 03 (b) A business subject to AS 45.48.800 - 45.48.945 shall designate at least two 04 methods for a consumer to submit a request under AS 45.48.820 - 45.48.835, 05 including, at a minimum, a toll-free telephone number and an electronic mail address. 06 If a business maintains an Internet website, the website must include an option to 07 submit requests under AS 45.48.820 - 45.48.835 on a public facing page. A designated 08 method for submitting requests may include a mailing address, electronic mail 09 address, Internet website, Internet website portal, toll-free telephone number, other 10 applicable contact information, or a new consumer-friendly means of contacting a 11 business as determined by regulation. 12 (c) A person may not charge a consumer a fee for performing a duty required 13 by AS 45.48.800 - 45.48.945. 14 (d) A person may only use the information provided by a consumer in a 15 request made under AS 45.48.820 - 45.48.835 to identify the consumer and comply 16 with the request. 17 (e) In response to a request made under AS 45.48.820 - 45.48.835, a business 18 shall 19 (1) promptly determine whether the request is a consumer request; a 20 business may not require that a consumer create an account with the business; 21 however, if the consumer maintains an account with the business, the business may 22 require the consumer to submit the request through the account; 23 (2) identify in writing the personal information subject to a disclosure 24 request; the information disclosed must 25 (A) cover the 12-month period preceding the request, or 26 another applicable period designated by the consumer; 27 (B) be designated by the most relevant category of personal 28 information; 29 (C) clearly separate information requested under AS 45.48.820 30 and 45.48.830; 31 (3) disclose and deliver the identified information in writing not later

01 than 45 days after receipt of the request; 02 (4) not later than 45 days after receipt of a deletion request, comply 03 with AS 45.48.825, and provide confirmation of compliance to the consumer. 04 (f) The time to respond to a disclosure or deletion request under (e)(3) and (4) 05 of this section may be extended once for an additional 45 days when reasonably 06 necessary. If the time to respond is extended, the business shall notify the consumer of 07 the extension. 08 (g) A business may disclose or provide confirmation of deletion of 09 information to the consumer by mail, through the consumer's account with the 10 business, or electronically at the consumer's request if the consumer does not have an 11 account with the business. 12 (h) Notwithstanding any other requirement in this section, if a consumer's 13 requests are manifestly unfounded or excessive, in particular because of the requests' 14 repetitive character, a business may either charge a reasonable fee, taking into account 15 the administrative costs of complying with the consumer's request, or refuse to act on 16 the request. The business shall notify the consumer of a decision to charge a fee or to 17 deny a request within the timeline provided under (e)(3) and (4) and (f) of this section. 18 The notification must completely explain the business's reason for finding the request 19 manifestly unfounded or excessive, including all pertinent facts. The business shall 20 bear the burden of proving that a consumer's request is manifestly unfounded or 21 excessive. 22 (i) A business is not required to respond to a disclosure or deletion request 23 under AS 45.48.825 or 45.48.830 if the consumer making the request has made two 24 consumer requests in the previous 365 days. 25 (j) A business is not required under this section to re-identify or otherwise link 26 data that, in the ordinary course of business, is not maintained in a manner that would 27 be considered personal information. 28 Sec. 45.48.855. Third-party disclosure and handling of personal 29 information. (a) A third party may not disclose personal information to another 30 person if the personal information was originally collected in violation of 31 AS 45.48.800 or 45.48.835. A third party that reasonably inquires into whether

01 personal information was collected in violation of AS 45.48.800 or 45.48.835, and 02 reasonably concludes that information was not obtained in violation of AS 45.48.800 03 or 45.48.835 may not be held liable for a violation under this section. 04 (b) A third party may not disclose a consumer's personal information for a 05 business purpose or commercial purpose unless the third party receives written 06 confirmation from the business that originally collected the personal information that 07 the information was collected in compliance with AS 45.48.800 and 45.48.835. 08 Sec. 45.48.860. Service provider obligations. (a) A service provider may not 09 (1) retain, use, or disclose personal information received from a 10 business for any purpose other than to perform the services specified in a written 11 contract with the business; 12 (2) combine personal information received from a business with 13 personal information the service provider receives from other sources, unless 14 otherwise provided in regulation; 15 (3) disclose personal information received from a business to any other 16 person without first 17 (A) receiving written consent of the business to disclose the 18 personal information to the other person; and 19 (B) entering into a written contract with the other person that 20 prohibits the other person from engaging in conduct prohibited under this 21 section. 22 (b) A person who receives personal information from a service provider may 23 not disclose the personal information to any other person. 24 Sec. 45.48.865. Exemptions. (a) AS 45.48.800 - 45.48.945 do not apply to 25 (1) protected health information that is collected by a covered entity or 26 business associate governed by the privacy, security, and breach notification rules 27 issued by the United States Department of Health and Human Services in 45 C.F.R. 28 Parts 160 and 164, established under the Health Insurance Portability and 29 Accountability Act of 1996 (P.L. 104-191) and the Health Information Technology for 30 Economic and Clinical Health Act (P.L. 111-5); in this paragraph, "protected health 31 information" has the meaning given in 45 C.F.R. 160.103;

01 (2) a covered entity governed by the privacy, security, and breach 02 notification rules issued by the United States Department of Health and Human 03 Services in 45 C.F.R. Parts 160 and 164, established under the Health Insurance 04 Portability and Accountability Act of 1996 (P.L. 104-191), to the extent the provider 05 or covered entity maintains patient information in the same manner as medical 06 information or protected health information as described in (1) of this subsection; 07 (3) information collected as part of a clinical trial subject to 45 C.F.R. 08 Part 46 (Protection of Human Subjects) under 09 (A) good clinical practice guidelines issued by the International 10 Council for Harmonisation of Technical Requirements for Pharmaceuticals for 11 Human Use; or 12 (B) human subject protection requirements of the United States 13 Food and Drug Administration; 14 (4) vehicle information or ownership information retained or shared 15 between a new motor vehicle dealer, as defined in AS 45.25.990, and the motor 16 vehicle manufacturer, as defined in AS 45.25.990, if the information is shared for the 17 purpose of or in anticipation of effectuating a vehicle repair covered by a vehicle 18 warranty or recall conducted under 49 U.S.C. 30118 - 30120, if the new motor vehicle 19 dealer or vehicle manufacturer does not sell, share, or use the information for another 20 purpose; in this paragraph, 21 (A) "ownership information" means the name of each 22 registered owner and accompanying contact information; 23 (B) "vehicle information" means the vehicle identification 24 number, the vehicle's make, model, or year, or the vehicle's odometer reading; 25 (5) a person, including a subsidiary or affiliate of the person, and data 26 that are subject to 15 U.S.C. 6801 - 6827 (Gramm-Leach-Bliley Act) and related 27 regulations; 28 (6) an individual's personal information collected by a business if 29 the business collects the personal information through the individual's 30 (A) job application made to the business; 31 (B) service as an employee, officer, or director of the

01 business; or 02 (C) work as a contractor for the business and consists only of 03 (i) personal information used solely within the 04 context for which it was collected; 05 (ii) emergency contact information used solely for the 06 purpose of having an emergency contact on file; or 07 (iii) personal information retained solely to administer 08 benefits for the individual. 09 (b) AS 45.48.800 - 45.48.945 do not apply to the disclosure of a consumer's 10 personal information to 11 (1) comply with federal, state, or local law; 12 (2) comply with a civil, criminal, or regulatory inquiry or an 13 investigation, subpoena, or summons by federal, state, or local authorities; 14 (3) cooperate with law enforcement agencies concerning conduct or 15 activity that the person reasonably and in good faith believes may violate federal, 16 state, or local law; 17 (4) exercise or defend legal claims; 18 (5) collect, use, retain, sell, or disclose de-identified consumer personal 19 information or aggregated consumer personal information. 20 (c) AS 45.48.800 - 45.48.945 do not apply to the collection or sale of a 21 consumer's personal information if the commercial conduct takes place wholly outside 22 the state. For the purpose of this subsection, commercial conduct takes place wholly 23 outside the state if 24 (1) the business collected the information while the consumer was 25 outside the state; the exemption allowed under this subsection does not include the 26 storage of personal information, including on a personal device, while the consumer is 27 in the state and collection when the consumer and stored information later leave the 28 state; 29 (2) no part of the sale of the consumer's personal information occurred 30 in the state; and 31 (3) no personal information collected while the consumer was in the

01 state was sold. 02 (d) AS 45.48.800 - 45.48.875 and 45.48.885 - 45.48.945 do not apply to 03 (1) an activity that is subject to 15 U.S.C. 1681 - 1681x (Fair Credit 04 Reporting Act) that involves the collection, maintenance, disclosure, sale, 05 communication, or use of any personal information bearing on a consumer's 06 creditworthiness, credit standing, credit capacity, character, general reputation, 07 personal characteristics, or mode of living by a consumer reporting agency; 08 (2) a furnisher of information who provides information for use in a 09 consumer report, or a user of a consumer report, to the extent the information is used 10 as authorized under 15 U.S.C. 1681 - 1681x (Fair Credit Reporting Act); 11 (3) personal information collected, processed, sold, or disclosed under 12 18 U.S.C. 2721 - 2725 (Driver's Privacy Protection Act of 1994) and related 13 regulations. 14 (e) Except as provided in AS 45.48.835 and 45.48.880, personal information 15 contained in a written communication, verbal communication, or transaction between 16 a business and a consumer is exempt from AS 45.48.800 - 45.48.945 if 17 (1) the consumer is an individual acting as an employee, owner, 18 director, officer, member, or contractor of a sole proprietorship, partnership, limited 19 liability company, corporation, association, or other legal entity that is organized or 20 operated for the profit or financial benefit of its shareholders, partners, members, or 21 other owners, or is a government agency; in this paragraph, "owner" means an 22 individual who 23 (A) owns, directly or indirectly, or has the power to vote, more 24 than 50 percent of the outstanding shares of a class of voting securities of a 25 business; 26 (B) controls, in any manner, the election of a majority of the 27 directors or of individuals exercising similar functions; or 28 (C) has the power to exercise a controlling influence over the 29 majority of the directors or of individuals exercising similar functions; and 30 (2) the communication or transaction occurs solely within the context 31 of the business exercising due diligence regarding a product or service of, the receipt

01 of a product or service from, or providing a product or service to the corporation, 02 partnership, sole proprietorship, or government agency. 03 (f) A requirement under AS 45.48.800 - 45.48.945 does not apply if 04 (1) compliance with the requirement would violate an evidentiary 05 privilege under state law; 06 (2) the business provides personal information as part of privileged 07 communication to a person covered by an evidentiary privilege; 08 (3) the right or obligation would adversely affect a right of another 09 consumer; 10 (4) the requirement would infringe on the noncommercial activity of a 11 person or entity exercising rights under art. I, sec. 5, Constitution of the State of 12 Alaska. 13 (g) A business does not sell or share a consumer's personal information under 14 AS 45.48.800 - 45.48.945 if 15 (1) the consumer intentionally directs the business to disclose the 16 consumer's personal information to a third party, intentionally uses the business to 17 disclose the consumer's personal information to a third party, or intentionally directs 18 the business to interact with a third party, and the third party does not also disclose the 19 personal information or discloses the personal information consistent with 20 AS 45.48.800 - 45.48.945; 21 (2) the business uses or shares a unique identifier for a consumer to 22 alert third parties that the consumer has requested under AS 45.48.835 that the 23 business not sell, share, or disclose the consumer's personal information or particular 24 categories of the consumer's personal information. 25 (h) A business does not sell personal information under AS 45.48.800 - 26 45.48.945 when the business uses or shares with a service provider a consumer's 27 personal information that is necessary to perform a business purpose if 28 (1) the business has provided notice under AS 45.48.800 of the 29 personal information being used or shared; and 30 (2) the service provider does not further collect, sell, or use the 31 consumer's personal information except as necessary to perform the business purpose.

01 (i) In this section, 02 (1) "contractor" means a person who is not an employee of a business 03 but provides a service to the business under a written contract; 04 (2) "covered entity" has the meaning given in 45 C.F.R. 160.103; 05 (3) "director" has the meaning given in AS 10.06.990; 06 (4) "intentionally" does not mean hovering over, muting, pausing, or 07 closing a piece of content; 08 (5) "officer" means a person appointed or designated as an officer of a 09 corporation by or under applicable law or the corporation's articles of incorporation or 10 bylaws, or a person who performs for the corporation the functions usually performed 11 by an officer of a corporation. 12 Sec. 45.48.870. Retaliation prohibited; financial incentives. (a) A business 13 may not retaliate against a consumer in response to a consumer exercising rights under 14 AS 45.48.800 - 45.48.945. Retaliation includes 15 (1) denying goods or services; 16 (2) charging different prices or rates for goods or services, including 17 using discounts or other benefits or imposing penalties; 18 (3) providing a different level or quality of goods or services to a 19 consumer; 20 (4) suggesting that a consumer will receive a different price or rate for 21 goods or services or a different level or quality of goods or services. 22 (b) Notwithstanding (a) of this section, a business may charge a consumer a 23 different rate or provide a different level or quality of goods or services to a consumer 24 if the difference is reasonably related to the value provided to the business by the 25 consumer's personal information. 26 (c) Notwithstanding (a) of this section, a business may offer a consumer a 27 financial incentive for the collection, sale, or retention of personal information, 28 including direct payments to a consumer as compensation. A business that offers a 29 financial incentive under this subsection 30 (1) shall notify consumers of the financial incentive; 31 (2) shall obtain a consumer's consent before entering a consumer into a

01 financial incentive program; to obtain a consumer's consent under this paragraph, the 02 business shall provide the consumer access to a clear description of the material terms 03 of the financial incentive program; the consumer may revoke the consent at any time; 04 (3) may not use financial incentive practices that are unjust, 05 unreasonable, coercive, or usurious. 06 (d) In this section, "business" does not include a newspaper. 07 Sec. 45.48.875. Transfer of information in a merger, acquisition, 08 bankruptcy, and certain other transactions. (a) A business may transfer to or share 09 with a third party a consumer's personal information as an asset that is part of a 10 business change transaction. 11 (b) If a business shares a consumer's personal information with a third party in 12 the process of evaluating and consummating a business change transaction, the 13 business shall require that the third party agree by contract to keep the personal 14 information confidential and not use the personal information for a purpose other than 15 evaluating and consummating the transaction. 16 (c) If a third party under (a) of this section decides to change how the third 17 party uses or shares the consumer's personal information in a manner that is materially 18 inconsistent with (a) of this section or with the uses identified in the notification made 19 under AS 45.48.800, the third party shall notify the consumer before the change. The 20 notice must be sufficiently prominent and robust to ensure that the consumer can 21 easily exercise the consumer's choices consistently with AS 45.48.800 - 45.48.945. 22 (d) A transfer under (a) of this section does not authorize a business to make 23 material retroactive privacy policy changes or other changes in a manner that 24 constitutes an unfair or deceptive trade practice under AS 45.50.471 - 45.40.561. 25 (e) In this section, "business change transaction" means a merger, acquisition, 26 bankruptcy, or other transaction in which the third party assumes control of all or part 27 of the business. 28 Sec. 45.48.880. Duty to maintain reasonable security measures. A business 29 that owns, licenses, or maintains a consumer's personal information shall implement 30 and maintain reasonable security procedures and practices appropriate to the nature of 31 the information to protect the personal information from unauthorized access,

01 destruction, use, modification, or disclosure. 02 Sec. 45.48.885. Component parts. If a series of steps or transactions are 03 component parts of a single transaction and are intended from the beginning to avoid 04 the reach of AS 45.48.800 - 45.48.945, including a business's disclosure of 05 information to a third party to avoid being considered a sale, the steps or transactions 06 may not be considered separate for the purposes of determining compliance with, an 07 exception to, or a violation of AS 45.48.800 - 45.48.945. 08 Sec. 45.48.890. Violations. (a) A violation of AS 45.48.800 - 45.48.945 is an 09 unfair or deceptive act or practice under AS 45.50.471 - 45.50.561. Each day of a 10 violation constitutes a separate violation. 11 (b) In an action brought under AS 45.50.531(a), a consumer whose personal 12 information is subjected to unauthorized access, destruction, use, modification, or 13 disclosure has suffered an ascertainable loss of $1 or another amount proven at trial, 14 whichever is greater. 15 (c) The remedies under this section are in addition to the remedies provided 16 under AS 45.48.080 for a violation of AS 45.48.010 - 45.48.090. 17 Sec. 45.48.895. Consumer privacy account. (a) The consumer privacy 18 account is established as a separate account in the general fund. 19 (b) The consumer privacy account consists of 20 (1) money appropriated to the account by the legislature; 21 (2) the registration fees collected under AS 45.48.900(b)(2); 22 (3) the fees collected under AS 45.48.910; and 23 (4) civil penalties and money collected in or as a result of an action 24 brought by the attorney general under AS 45.48.800 - 45.48.945. 25 (c) The purposes of the consumer privacy account are to pay 26 (1) the salaries of attorneys in the Department of Law that enforce the 27 provisions of AS 45.48.800 - 45.48.945 at an amount that is competitive with the 28 private sector; and 29 (2) the administrative costs incurred by the department and the 30 Department of Law to enforce AS 45.48.800 - 45.48.945. 31 (d) The legislature may appropriate money deposited under (b)(2) - (4) of this

01 section for the purposes of the account. 02 Sec. 45.48.900. Data broker registration. (a) Before a business begins 03 operating as a data broker, the business shall register with the commissioner in 04 accordance with this section. 05 (b) To register as a data broker, a business shall 06 (1) provide, on a form provided by the commissioner, 07 (A) the name of the data broker; 08 (B) the data broker's primary physical and mailing addresses; 09 (C) the data broker's electronic mailing address; 10 (D) the data broker's primary Internet website address; and 11 (E) the data broker's "Do Not Collect or Sell My Personal 12 Information" Internet website page as required under AS 45.48.800(c) or 13 alternative Internet website page that meets the requirements of 14 AS 45.48.800(d); and 15 (2) pay a registration fee in an amount established by the department 16 by regulation. 17 (c) The department shall deposit the fees paid under (b)(2) of this section into 18 the consumer privacy account established under AS 45.48.895. 19 Sec. 45.48.905. Data broker registry publicly displayed. The commissioner 20 shall make the information provided by data brokers under AS 45.48.900(b)(1) 21 available on the department's Internet website. 22 Sec. 45.48.910. Revenue fees. (a) A business that collects, sells, or shares 23 personal information from a consumer shall pay a fee to the department. The amount 24 of this fee is three percent of the revenue received by the business from the buying, 25 selling, or sharing of the personal information of a consumer or household 26 information. 27 (b) The department shall deposit the fees paid under (a) of this section into the 28 consumer privacy account established under AS 45.48.895. 29 Sec. 45.48.915. Regulations. (a) The attorney general shall adopt regulations 30 under AS 44.62 (Administrative Procedure Act) that 31 (1) create specific exceptions required to comply with state or federal

01 law; 02 (2) govern the Internet website page requirement of AS 45.48.800, 03 including 04 (A) the use of a recognizable and uniform mark to identify the 05 opportunity to exercise a right under AS 45.48.800 - 45.48.945; 06 (B) the submission of a consumer request; 07 (C) a business's compliance with a request under AS 45.48.835; 08 (3) update, as necessary, additional categories of personal information 09 required to be disclosed in response to relevant changes in technology, data collection 10 practices, privacy concerns, or obstacles to implementation; 11 (4) update, as necessary, the interpretation of unique identifiers in 12 response to relevant changes in technology, data collection practices, privacy 13 concerns, or obstacles to implementation; 14 (5) update, as necessary, the interpretation of designated methods for 15 submitting requests to facilitate a consumer's ability to obtain information from a 16 business; 17 (6) establish requirements to ensure that notices and information 18 provided under AS 45.48.800 are in plain language, accessible to consumers with 19 disabilities, and available in the language primarily used by the business to interact 20 with the consumer, including with regard to financial incentive offerings; 21 (7) designate the process for a consumer to authorize a representative 22 to exercise the rights provided under AS 45.48.800 - 45.48.945 on the consumer's 23 behalf; and 24 (8) further define the meaning of "profile." 25 (b) The attorney general may adopt regulations under AS 44.62 26 (Administrative Procedure Act) that 27 (1) establish rules and procedures for processing and complying with a 28 consumer request for specific pieces of personal information relating to a household to 29 address obstacles to implementation and privacy concerns; 30 (2) state that service providers may combine personal information for 31 specified purposes;

01 (3) are necessary to further the purposes of AS 45.48.800 - 45.48.945. 02 (c) The department shall establish by regulation adopted under AS 44.62 03 (Administrative Procedure Act) the amount of the registration fee that a data broker 04 shall pay under AS 45.48.900(b)(2). 05 Sec. 45.48.920. Persons who may consent. Except as provided in 06 AS 45.48.845(a), a person may provide consent for a consumer under AS 45.48.800 - 07 45.48.945 if the person is 08 (1) the consumer; 09 (2) the consumer's legal guardian; 10 (3) a person who holds a power of attorney for the consumer; or 11 (4) a person who is acting as a conservator for the consumer. 12 Sec. 45.48.925. Personnel training. A business subject to AS 45.48.800 - 13 45.48.945 shall provide training to individuals responsible for handling consumer 14 questions or requests under AS 45.48.800 - 45.48.945, including training the 15 individuals how to direct a consumer to exercise the consumer's rights under 16 AS 45.48.800 - 45.48.945. 17 Sec. 45.48.930. Provisions not waivable. A consumer's waiver of the 18 provisions of AS 45.48.800 - 45.48.945 is contrary to public policy and is 19 unenforceable and void. This section does not prevent a consumer from 20 (1) declining to request information from a business; 21 (2) declining to request that a business not collect, sell, or disclose the 22 consumer's personal information; or 23 (3) authorizing a business to sell the consumer's personal information 24 after previously requesting that the business not sell the personal information. 25 Sec. 45.48.935. Liberal construction. The intent of AS 45.48.800 - 45.48.945 26 is remedial and its provisions shall be liberally construed. 27 Sec. 45.48.940. Definitions. In AS 45.48.800 - 45.48.945, unless the context 28 indicates otherwise, 29 (1) "aggregated consumer information" means information that relates 30 to a group or category of consumers from which individual consumer identities have 31 been removed, and that is not linked or reasonably linkable by a device or other

01 method to a consumer or household; "aggregated consumer information" does not 02 mean an individual consumer record that has been de-identified; 03 (2) "application" means a computer software package that performs a 04 specific function; 05 (3) "beacon" means a small computer device that allows computer 06 information to be transmitted to a portable device that can connect to the Internet; 07 (4) "business" means a sole proprietorship, partnership, limited 08 liability company, corporation, association, or other legal entity that is organized or 09 operated for the profit or financial benefit of its shareholders, partners, members, or 10 other owners, that collects or has collected consumers' personal information or on the 11 behalf of which that information is collected, that alone or jointly with others 12 determines the purposes and means of processing personal information of consumers, 13 that does business in the state, and that 14 (A) satisfies one or both of the following thresholds: 15 (i) alone or in combination with another person, 16 annually buys, sells, or shares the personal information of 100,000 or 17 more consumers or households; or 18 (ii) derives 50 percent or more of its annual revenue 19 from selling or sharing the personal information of consumers; or 20 (B) controls or is controlled by a business that meets a 21 threshold in (A) of this paragraph and shares a name, service mark, trademark, 22 or other form of common branding with the business; in this subparagraph, 23 "control" means 24 (i) ownership or the power to vote more than 50 percent 25 of the outstanding shares of any class of voting security of a business; 26 (ii) control, in any manner, of the election of a majority 27 of the directors or of individuals exercising similar functions; or 28 (iii) the power to exercise a controlling influence over 29 the majority of the directors or of individuals exercising similar 30 functions; 31 (5) "business purpose" means a use for an operational purpose or other

01 notified purpose, if the use is reasonably necessary and proportionate to achieving the 02 operational purpose or other notified purpose for which personal information was 03 collected or processed, or is a compatible use; 04 (6) "categories of personal information" includes a category of 05 personal information set out in (24) of this section and a category of personal 06 information not specifically enumerated; 07 (7) "collect" includes buying, renting, gathering, obtaining, receiving, 08 or accessing personal information pertaining to a consumer by actively or passively 09 receiving information from the consumer, by observing the consumer's behavior, or by 10 any other means; 11 (8) "commercial purpose" includes marketing, advertising, and any 12 other purpose that advances a person's commercial or economic interests, except 13 engaging in political speech, journalism, or other speech that state or federal courts 14 have recognized as noncommercial speech; 15 (9) "commissioner" means the commissioner of commerce, 16 community, and economic development; 17 (10) "compatible use" means 18 (A) auditing related to a current interaction with the consumer 19 and counting the advertisement impressions made to individual visitors, 20 verifying positioning and quality of advertisement impressions, and auditing 21 compliance with this paragraph, other standards, and other concurrent 22 transactions; 23 (B) detecting security incidents, protecting against malicious, 24 deceptive, fraudulent, or illegal activity, and prosecuting those persons 25 responsible for that activity; 26 (C) identifying and removing errors from computer hardware 27 or software that impair existing intended functionality; 28 (D) the contextual customization of advertisements shown as 29 part of the same interaction and other short-term transient use, if the personal 30 information is not disclosed to a third party and is not used to build a profile 31 about a consumer or alter the experience of an individual consumer outside the

01 current interaction; 02 (E) maintaining or servicing accounts, providing customer 03 service, processing or fulfilling orders and transactions, verifying customer 04 information, processing payments, providing financing, providing advertising 05 or marketing services, providing analytical services, and performing other 06 services on behalf of the business or service provider; 07 (F) conducting internal research for technological development 08 and demonstration; 09 (G) performing activities to verify or maintain the quality or 10 safety of a service or device that is owned by, manufactured by, manufactured 11 for, or controlled by the business, and to improve, upgrade, or enhance the 12 service or device; or 13 (H) performing another use that is consistent with the context 14 in which the personal information was collected; 15 (11) "consent" 16 (A) means a consumer's freely given, specific, informed, and 17 unambiguous indication by statement, action, or other method, that the 18 consumer agrees to the processing of the consumer's personal information for a 19 narrowly defined purpose; 20 (B) does not mean 21 (i) acceptance of general terms of use, a broad statement 22 of terms of use, or a similar document that contains descriptions of 23 personal information processing along with other, unrelated 24 information; 25 (ii) hovering over, muting, pausing, or closing a given 26 piece of content on the Internet; or 27 (iii) an agreement obtained through the use of a user 28 interface designed or manipulated to subvert or impair user autonomy, 29 decision making, or choice; 30 (12) "conservator" has the meaning given in AS 13.06.050; 31 (13) "consumer" means an individual who is a resident of the state

01 under AS 01.10.055, whether identified by a unique identifier or other method of 02 identification, but does not mean an individual acting 03 (A) as an employee, owner, director, officer, member, or 04 contractor or in another capacity of a corporation, limited liability company, 05 sole proprietorship, partnership, association, nonprofit, or other entity or 06 government agency; 07 (B) for the entity or agency with another entity or agency; or 08 (C) in an employment context; 09 (14) "consumer request" means a request that is made by a consumer, 10 by a parent or legal guardian with legal custody of the consumer, or by a individual or 11 a person registered with the United States Secretary of State, authorized by the 12 consumer to act on the consumer's behalf; 13 (15) "data broker" means a business that knowingly collects and sells 14 to third parties the personal information of a consumer with whom the business does 15 not have a direct relationship, but does not include a consumer reporting agency to the 16 extent the agency is covered by 15 U.S.C. 1681 et seq. (Fair Credit Reporting Act); 17 (16) "de-identified" means that the information cannot reasonably 18 identify, relate to, describe, be capable of being associated with, or be directly or 19 indirectly linked to, an individual consumer, and the business holding the information 20 (A) has implemented technical safeguards that prohibit re- 21 identification of the consumer to whom the information may pertain; 22 (B) has implemented business processes that specifically 23 prohibit re-identification of the information; 24 (C) has implemented business processes to prevent inadvertent 25 release of de-identified information; and 26 (D) makes no attempt to re-identify the information; 27 (17) "department" means the Department of Commerce, Community, 28 and Economic Development; 29 (18) "device" includes a computer and a physical object that can 30 (A) read, write, or store information that is represented in 31 numerical form;

01 (B) connect to the Internet, directly or indirectly, or to another 02 device; 03 (19) "disclose" includes all types of disclosure, including the 04 disclosure of personal information related to a sale of personal information; 05 (20) "Internet website page" means a document accessible through the 06 Internet with a unique identifier used to locate a resource on the Internet; 07 (21) "knowingly" has the meaning given in AS 11.81.900(a); 08 (22) "operational purpose" means the use of personal information, 09 when reasonably necessary and proportionate, to achieve, if the use is limited to a 10 direct relationship and experience with a consumer, 11 (A) debugging to identify and repair errors that impair existing 12 intended functions; 13 (B) based on information collected by the business, 14 undertaking internal research for analysis, product improvement, and 15 technology development; 16 (C) verification or maintenance of the quality or safety of a 17 service or device that is owned, manufactured, manufactured for, or controlled 18 by the business, or to improve, upgrade, or enhance a service or device that is 19 owned, manufactured, manufactured for, or controlled by the business; 20 (D) customization of content based on information collected by 21 the business; or 22 (E) customization of advertising or marketing based on 23 information collected by the business; 24 (23) "person" means an individual, proprietorship, corporation, 25 company, partnership, firm, association, and any other non-governmental organization 26 or group of persons acting in concert; 27 (24) "personal information" 28 (A) means the information in the following categories that 29 identifies, relates to, describes, is reasonably capable of being associated with, 30 or could reasonably be linked, directly or indirectly, with a particular consumer 31 or household:

01 (i) a real name, alias, postal address, unique identifier, 02 online identifier, Internet protocol address, electronic mail address, 03 account name, or other identifier; 04 (ii) signature; 05 (iii) physical characteristics or physical description; 06 (iv) telephone number; 07 (v) insurance policy number; 08 (vi) characteristics of protected classifications under 09 state or federal law; 10 (vii) commercial information, including bank accounts, 11 records of personal property, products or services purchased, obtained, 12 or considered, or other purchasing or consuming histories or 13 tendencies; 14 (viii) browsing history, search history, and information 15 regarding a consumer's interaction with an Internet website, 16 application, or advertisement, or other Internet or electronic network 17 activity information; 18 (ix) geolocation data, including precise geolocation 19 data; 20 (x) audio, electronic, visual, thermal, olfactory, or 21 similar information; 22 (xi) professional or employment-related information; 23 (xii) information that is personally identifiable 24 information, as defined in 34 C.F.R. 99.3, that is not publicly available; 25 (xiii) sensitive personal information; 26 (xiv) inferences drawn from any of the information 27 identified in this subparagraph to create a profile about a consumer 28 reflecting the consumer's preferences, characteristics, psychological 29 trends, predispositions, behavior, attitudes, intelligence, abilities, and 30 aptitudes; 31 (B) does not mean

01 (i) publicly available information; 02 (ii) consumer information that is de-identified or is 03 aggregated consumer information; 04 (iii) biometric information; in this sub-subparagraph, 05 "biometric information" means an individual's physiological, 06 biological, or behavioral characteristics that can be used to establish 07 individual identity; 08 (25) "precise geolocation data" 09 (A) means data that is derived from a consumer device through 10 a technology that 11 (i) is capable of determining with specificity the latitude 12 and longitude coordinates or other spatial location of a person or 13 device; 14 (ii) has an accuracy level of less than 1,750 feet; 15 (iii) uses a global positioning system, a triangulated 16 location provided by a beacon, network radios, or a technology that 17 allows computers, mobile phones, or other devices to connect to the 18 Internet or communicate with one another wirelessly within a particular 19 area, or another technology; 20 (B) does not mean information that is or will be 21 (i) altered before the information is processed, in order 22 to be able to determine with specificity the physical location of an 23 individual or device; 24 (ii) used by a business when acting as an employer; 25 (26) "processing" means any operation or set of operations performed 26 on personal data or on sets of personal data, whether or not by automated means; 27 (27) "profile" or "profiling" means automated processing of personal 28 information, as further defined by regulation adopted under AS 45.48.915, to analyze 29 or predict an individual's work performance, economic situation, health, personal 30 preferences, interests, reliability, behavior, location, movements, or other personal 31 features;

01 (28) "publicly available information" means information that is 02 lawfully made available from federal, state, or local government records, that a 03 business has a reasonable basis to believe is lawfully made available to the general 04 public by the consumer or from widely distributed media, or that a consumer makes 05 available by a person to whom the consumer has disclosed the information if the 06 consumer has not restricted the information to a specific audience; 07 (29) "research" means scientific systematic study and observation that 08 is in the public interest, that adheres to all applicable ethics and privacy laws, and 09 (A) is compatible with the business purpose for which the 10 personal information was collected; 11 (B) is used solely for research purposes that are compatible 12 with the context in which the personal information was collected; 13 (C) is not used for a commercial purpose; and 14 (D) in which the personal information is 15 (i) later pseudonymized and de-identified, or de- 16 identified and in the aggregate, if the information cannot reasonably 17 identify, relate to, describe, be capable of being associated with, or be 18 linked, directly or indirectly, to a particular consumer; personal 19 information is considered pseudonymized if the information is 20 processed so that it is no longer attributable to a specific consumer 21 without the use of additional information, and the additional 22 information is kept separate and is subject to technical and 23 organizational measures to ensure that the personal information is not 24 attributed to an identified or identifiable consumer; 25 (ii) subject to technical safeguards that prohibit re- 26 identification of the consumer to whom the information may pertain; 27 (iii) subject to business processes that specifically 28 prohibit re-identification of the information; 29 (iv) subject to business processes to prevent inadvertent 30 release of de-identified information; and 31 (v) subjected by the business conducting the research to

01 additional security controls that limit access to the research data to 02 individuals in the business as necessary to carry out the research 03 purpose; 04 (30) "sale," "sell," or "sold" means renting, releasing, disclosing, 05 disseminating, making available, transferring, or otherwise communicating orally, in 06 writing, or by electronic or other means, a consumer's personal information by a 07 business to a third party for monetary or other valuable consideration or for another 08 commercial purpose; 09 (31) "sensitive personal information" means information that is not 10 publicly available information and reveals 11 (A) a consumer's social security number, driver's license 12 number, known traveler number, state identification card number, passport 13 number, or other unique identification number issued on a government 14 document commonly used to verify the identity of a specific individual; 15 (B) the number of a consumer's Internet account, financial 16 account, debit card account, credit card account, or other account, in 17 combination with any required security or access code, password, or 18 credentials allowing access to the account; 19 (C) a consumer's precise geolocation; 20 (D) a consumer's racial or ethnic origin, religious or 21 philosophical beliefs, or union membership; 22 (E) the contents of a consumer's mail or electronic mail, text 23 message, or other electronic communication, unless the business possessing the 24 information is the intended recipient of the communication; 25 (F) a consumer's genetic data; 26 (G) information about an individual who is less than 18 years 27 of age; 28 (H) information collected and analyzed concerning a 29 consumer's health; or 30 (I) information collected and analyzed about a consumer's 31 sexual life or sexual orientation;

01 (32) "service provider" means a person that receives personal 02 information from a business to be used solely for a business purpose under a written 03 contract that requires the service provider to comply with AS 45.48.860; 04 (33) "share" means renting, releasing, disclosing, disseminating, 05 making available, transferring, or otherwise communicating orally, in writing, or by 06 electronic or other means personal information by a business to a third party for 07 cross-context behavioral advertising, whether for monetary or other valuable 08 consideration, or in a transaction between a business and a third party for 09 cross-context behavioral advertising for the benefit of a business in which no money 10 is exchanged; in this paragraph, "cross-context behavioral advertising" means the 11 targeting of advertising to a consumer based on the consumer's personal information 12 obtained from the consumer's activity across businesses, distinctly branded Internet 13 websites, applications, or services, other than the business, distinctly branded website, 14 application, or service with which the consumer intentionally interacts; 15 (34) "third party" means any person, except 16 (A) the business that collected the personal information from 17 the consumer; and 18 (B) a service provider contracting with the business that 19 collected the personal information from the consumer; 20 (35) "unique identifier" includes a device identifier; an Internet 21 protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar 22 technology; customer number, unique pseudonym, or user alias; telephone numbers, or 23 other forms of persistent or probabilistic identifiers that can be used to identify a 24 particular consumer or device; or another persistent identifier that can be used to 25 recognize a consumer, a household, or a device that is linked to a consumer or 26 household, over time and across different services; in this paragraph, 27 (A) "cookie" means computer information that is used to 28 identify a person's computer while the person is using the computer; 29 (B) "pixel tag" means a small design or picture that is loaded 30 when a computer user visits an Internet website page or opens electronic mail; 31 (C) "probabilistic identifier" means the identification of a

01 consumer or a device to a degree of certainty of more probable than not based 02 on a category of personal information included in, or similar to, the categories 03 of personal information. 04 Sec. 45.48.945. Short title. AS 45.48.800 - 45.48.945 may be cited as the 05 Consumer Personal Information Privacy Act. 06 * Sec. 5. AS 45.50.471(b) is amended by adding a new paragraph to read: 07 (58) violating AS 45.48.800 - 45.48.945 (Consumer Personal 08 Information Privacy Act). 09 * Sec. 6. The uncodified law of the State of Alaska is amended by adding a new section to 10 read: 11 APPLICABILITY: CONTRACTS. This Act applies to a contract entered into on or after the 12 effective date of secs. 1 - 6 of this Act. 13 * Sec. 7. The uncodified law of the State of Alaska is amended by adding a new section to 14 read: 15 TRANSITION: EXEMPTION. (a) Except as provided in AS 45.48.800(a), 16 added by sec. 4 of this Act, and the right to file an action for a violation of AS 45.48.880, 17 added by sec. 4 of this Act, personal information collected by a business is exempt from 18 AS 45.48.800 - 45.48.945, added by sec. 4 of this Act, until January 1, 2024, if the personal 19 information is collected through a person's 20 (A) ownership of the business; or 21 (B) activity as a dentist licensed under AS 08.36, physician licensed 22 under AS 08.64, or a psychologist licensed under AS 08.86. 23 (b) In this section, "business" and "personal information" have the meanings given in 24 AS 45.48.940, added by sec. 4 of this Act. 25 * Sec. 8. The uncodified law of the State of Alaska is amended by adding a new section to 26 read: 27 TRANSITION: REGULATIONS. The attorney general shall adopt regulations as 28 authorized under AS 45.48.915, added by sec. 4 of this Act, to implement the changes made 29 by this Act. The regulations take effect under AS 44.62 (Administrative Procedure Act), but 30 not before the effective date of the law implemented by the regulation. 31 * Sec. 9. Section 8 of this Act takes effect immediately under AS 01.10.070(c).

01 * Sec. 10. Except as provided in sec. 9 of this Act, this Act takes effect January 1, 2023.