HOUSE BILL NO. 367

"An Act relating to the privacy of consumer personal information; establishing the Consumer Personal Information Privacy Act; establishing data broker registration requirements; relating to social security numbers; making certain violations unfair or deceptive trade practices; and providing for an effective date."

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF ALASKA:

* Section 1. AS 44.33.020(a) is amended by adding a new paragraph to read:
(45) establish and maintain a data broker registry established under AS 45.48.900.

* Sec. 2. AS 45.48.430(b) is amended to read:
(b) The prohibition in (a) of this section does not apply if
(1) the disclosure is authorized by local, state, or federal law, including AS 45.48.800 - 45.48.945 or a regulation adopted under AS 45.48.470;
(2) the person is engaging in the business of government and
(A) is authorized by law to disclose the individual's social security number; or
(B) the disclosure of the individual's social security number is required for the performance of the person's duties or responsibilities as provided by law;
(3) the disclosure is to a person subject to or for a transaction regulated by the Gramm-Leach-Bliley Financial Modernization Act, and the disclosure is for a purpose authorized by the Gramm-Leach-Bliley Financial Modernization Act or to facilitate a transaction of the individual;
(4) the disclosure is to a person subject to or for a transaction regulated by the Fair Credit Reporting Act, and the disclosure is for a purpose authorized by the Fair Credit Reporting Act;
(5) the disclosure is part of a report prepared by a consumer credit reporting agency in response to a request by a person and the person submits the social security number as part of the request to the consumer credit reporting agency for the preparation of the report; or
(6) the disclosure is for a background check on the individual, identity verification, fraud prevention, medical treatment, law enforcement or other government purposes, or the individual's employment, including employment benefits.

* Sec. 3. AS 45.48.450(b) is amended to read:
(b) Notwithstanding the other provisions of AS 45.48.400 - 45.48.480, and except as provided under AS 45.48.800 - 45.48.945 or for an agent under (a) of this section, a person may disclose an individual's social security number to an independent contractor of the person to facilitate the purpose or transaction for which the individual initially provided the social security number to the person, but the independent contractor may not use the social security number for another purpose or make an unauthorized disclosure of the individual's personal information. In this subsection, "independent contractor" includes a debt collector.

* Sec. 4. AS 45.48 is amended by adding new sections to read:
Article 6A. Consumer Personal Information Privacy.

Sec. 45.48.800. Notice before collection; disclosure of information; other notices.
(a) A business that collects personal information from a consumer shall notify the consumer before collecting the information. Notification to the consumer must clearly and conspicuously indicate the categories of personal information that will be collected, the specific purposes for which each category of personal information will be used, the consumer's right under AS 45.48.835 not to have the consumer's personal information sold, shared, or disclosed, and the limitations established under AS 45.48.840 on the use of the consumer's precise geolocation data by the business. A business may not collect an additional category of personal information or use the collected personal information for an additional purpose without first notifying the consumer in accordance with this section.
(b) A business shall maintain, and update at least once every 12 months, in the business's online privacy policies and in any state-specific description of consumers' privacy rights, or on the business's Internet website if the business does not maintain online privacy policies or description, the following information:
(1) a description of a consumer's rights under AS 45.48.800 - 45.48.945;
(2) all the designated methods of the business by which a consumer can request access to or deletion of information as provided under AS 45.48.800 - 45.48.945;
(3) a list of the categories of consumer personal information that the business collected, sold, or disclosed for a business or commercial purpose in the preceding 12 months, and a designation of that information as collected, sold, or disclosed for a business or commercial purpose; or, if the business did not collect, sell, or disclose any consumer personal information for a business or commercial purpose, a disclosure of that fact;
(4) the categories of sources from which the consumer personal information was collected; in this paragraph, "categories of sources" includes the consumer, advertising networks, Internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, data brokers, other sources listed in regulations adopted under AS 45.48.800 - 45.48.945, and other types or groupings of persons or entities from which a business collects personal information about consumers, described with enough particularity to provide consumers with a meaningful understanding of the type of person or entity;
(5) a description of the business purpose or commercial purpose for which each category of consumer personal information was collected, sold, or disclosed;
(6) the categories of third parties to whom the business sold or disclosed consumer personal information; in this paragraph, "categories of third parties" includes advertising networks, Internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, data brokers, other sources listed in regulations adopted under AS 45.48.800 - 45.48.945, and other types or groupings of third parties with whom the business shares personal information, described with enough particularity to provide consumers with a meaningful understanding of the type of third party;
(7) a description of a consumer's right to request the specific pieces of the consumer's personal information that the business collected;
(8) a statement that information collected to verify a consumer's disclosure or deletion request shall only be used as provided in AS 45.48.850(d) and (e)(1).
(c) In addition to the requirements under (b) of this section, a business shall include on the home page of the business's Internet website under the business's online privacy policies, if the business has online privacy policies, and under any state-specific description of consumers' privacy rights, the following:
(1) a clear and conspicuous link to an Internet website page titled "Do Not Collect or Sell My Personal Information" that enables a consumer to exercise the consumer's rights under AS 45.48.800 - 45.48.945; a business may not require a consumer to create an account to access this Internet website page or to exercise the consumer's rights under AS 45.48.800 - 45.48.945; and
(2) a description of a consumer's rights under AS 45.48.800 - 45.48.945.
(d) A business may comply with (c) of this section by including the required content on a separate and additional Internet website page that is dedicated to consumers.
(e) A business shall include on an Internet website page dedicated to consumers the content required under (b) and (c) of this section and reasonably ensure that consumers are directed to the alternative Internet website.
(f) In this section, "home page" means
(1) the introductory page of an Internet website where personal information is collected;
(2) in the case of a mobile application, the application's platform page or download page, an electronic link within the application, and any other location that allows consumers to review the notice required by (a) of this section.

Sec. 45.48.805. Limits on use, processing, collection, sharing, and retention of personal information.
(a) A business that collects a consumer's personal information shall limit its collection and sharing of the personal information with third parties to what is reasonably necessary for the business to provide a service or conduct an activity that a consumer has requested, or has consented to, or that is reasonably necessary for security or fraud prevention. In this subsection, "reasonably necessary for security or fraud prevention" does not include profiting financially from the personal information.
(b) A business that collects a consumer's personal information is not required to retain personal information collected for a single one-time transaction if the business does not sell or disclose the information.
(c) Except for the collection and sharing of personal information under (a) of this section, a business shall limit the business's use and retention of collected personal information to what is reasonably necessary to provide a service or conduct an activity that a consumer has requested or consented to, or for a related operational purpose; however, personal information that is collected or retained solely for security or fraud prevention may not be used for operational purposes.

Sec. 45.48.810. Notification of business upon receipt or disclosure of personal information.
(a) When a person receives personal information for a business purpose or commercial purpose that a business originally collected from a consumer, the person shall notify the business that the person possesses the personal information and provide the person's contact information. The person shall provide updated contact information to the business if the person's contact information changes.
(b) A person who receives personal information that a business originally collected from a consumer, and who discloses the personal information to another person for a business purpose or commercial purpose, shall notify the business that originally collected the information not later than 10 days after the disclosure. The notification must include the contact information of the person to whom the personal information was disclosed.
(c) A person that receives personal information that a business originally collected from a consumer shall either de-identify the personal information or maintain the personal information in a way that the person can readily comply with a disclosure or deletion request under AS 45.48.800 - 45.48.945.

Sec. 45.48.815. Required records.
A business that collects or has collected personal information from a consumer shall maintain records of each person to whom the business discloses the personal information. The business shall also maintain all records provided to the business under AS 45.48.810(a) and (b).

Sec. 45.48.820. Request for disclosure of collected personal information.
(a) A consumer may request a business that collects or collected the consumer's personal information to disclose to the consumer
(1) the categories and specific pieces of personal information that the business collects or collected within the five years preceding the date of the request;
(2) the sources from which the business collects or collected each category of personal information; and
(3) the business purpose or commercial purpose for the collection of each category of personal information.
(b) A business shall respond to a consumer request under this section as required by AS 45.48.850.

Sec. 45.48.825. Request for deletion of personal information.
(a) A consumer may request a business to delete any of the consumer's personal information collected by the business from the consumer within the five years preceding the date of the request.
(b) Upon receiving a consumer request under this section, a business shall delete from the business's records the information identified in the request.
(c) Within 45 days after a consumer's deletion request, a business that receives a deletion request under (b) of this section shall direct all persons to whom a business disclosed records under AS 45.48.810 to delete the personal information and provide a written statement verifying that the information has been deleted. A person shall comply with a direction under this subsection. The business shall immediately provide written notification to the attorney general and the consumer of a person who fails to provide written verification of compliance.
(d) A person is not required to delete personal information under (c) of this section if the person maintains the personal information to
(1) complete the transaction for which the personal information was collected;
(2) provide a good or service requested or reasonably anticipated within an ongoing business relationship with the consumer;
(3) fulfill the terms of a written warranty or product recall conducted in accordance with federal law;
(4) perform a contract between the business and consumer;
(5) detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute the person responsible for that activity;
(6) identify and repair errors that impair the existing intended functionality of a product or service;
(7) exercise a right provided for by law, including the right under the First Amendment of the United States Constitution and art. I, sec. 5, of the Constitution of the State of Alaska to freedom of speech, or ensure the right of another consumer to exercise that consumer's right to freedom of speech;
(8) comply with a search warrant, subpoena, or court order;
(9) engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, if
(A) the deletion of information is likely to seriously impair or render impossible the achievement of the research; and
(B) the consumer has provided consent to the research;
(10) enable solely internal uses that are reasonably aligned with the consumer's expectations, based on the consumer's relationship with the business; or
(11) comply with a legal obligation.
(e) A person may not disclose personal information that a business collected from a consumer unless the personal information is disclosed in accordance with a contract that requires the recipient to comply with a deletion request issued under AS 45.48.800 - 45.48.945.

Sec. 45.48.830. Request for disclosure of personal information sold or disclosed for a business purpose or commercial purpose.
(a) A consumer may request that a business that sold or disclosed the consumer's personal information for a business purpose or commercial purpose within the last five years disclose to the consumer
(1) the third parties subject to AS 45.48.810 in possession of the consumer's personal information;
(2) the categories of personal information or specific pieces of personal information that were sold or disclosed to each third party for a business purpose or commercial purpose;
(3) for the third parties to which the business directly disclosed the consumer's personal information for a business purpose or commercial purpose, the business purpose or commercial purpose for disclosing each category of personal information.
(b) A business shall respond to a consumer request under this section as required by AS 45.48.850.

Sec. 45.48.835. Request not to sell, share, or disclose personal information.
(a) A consumer may, at any time, request a business not to sell, share, or disclose the consumer's personal information or not to sell, share, or disclose particular categories of the consumer's personal information.
(b) If a business collects personal information from a consumer online and the consumer uses a global privacy control, the business shall treat the use of the global privacy control as a valid request submitted by the consumer under (a) of this section not to sell, share, or disclose the consumer's personal information. In this subsection,
(1) "extension" means a piece of software code that enables a computer application or program to perform an activity the application or program cannot do by itself;
(2) "global privacy control" includes a browser extension, privacy setting, device setting, or other mechanism that communicates or signals the consumer's choice not to have the consumer's personal information sold, shared, or disclosed.
(c) A consumer may, as provided by regulation adopted under AS 45.48.915, authorize another person solely to request that a business not sell, share, or disclose the consumer's personal information, and a business shall comply with the request received from the person for the consumer.
(d) A business shall respond to a consumer request under this section as required by AS 45.48.850, unless the consumer later provides a clear and explicit renunciation of the request. For one year after receiving a request under (a) - (c) of this section, a business may not contact the consumer to request that the consumer renounce the request.
(e) A business subject to this section may only use the personal information collected from a consumer request under this section to comply with the request, unless otherwise authorized by the consumer or by another provision of law.

Sec. 45.48.840. Use and disclosure of precise geolocation data.
(a) A business may use a consumer's precise geolocation data for other purposes than the purpose disclosed under AS 45.48.800(a) if the consumer consents to the use. A consumer who consents to the use of the consumer's precise geolocation data for other purposes may, at any time, request that the business stop using the data for other purposes. The consumer's consent must be in writing and in an agreement separate from any other agreement for use, and the consumer must agree to the business's use of the consumer's precise geolocation data for other purposes.
(b) Except as provided in (a) of this section, a business shall limit the use and disclosure of a consumer's precise geolocation data to that necessary to provide goods or services that a consumer requests and reasonably expects, or goods and services the business reasonably expects the consumer will request.
(c) The provisions of AS 45.48.800 - 45.48.945 do not apply to a business that uses a consumer's precise geolocation data if the consumer is an employee, contractor, or vendor of the business.

Sec. 45.48.845. Treatment of individuals 16 years of age or under.
(a) Notwithstanding any other provision of AS 45.48.800 - 45.48.945, a business that has actual knowledge that a consumer is 16 years of age or under may not
(1) disclose the personal information of the consumer for a business purpose or commercial purpose, or use the consumer's precise geolocation data for a purpose other than to provide goods or services that the consumer reasonably requests and expects, unless the consumer's parent or guardian consents to the disclosure or use; or
(2) sell or share the personal information of the consumer.
(b) A business that recklessly disregards a reasonable likelihood that a consumer is 16 years of age or under is considered to have actual knowledge of the consumer's age. In this subsection, "recklessly" has the meaning given in AS 11.81.900(a).
(c) A business may not track or profile the personal information of an individual who is 16 years of age or under in order to provide to the individual a commercial advertisement that is based on the personal information or online activity of the individual.

Sec. 45.48.850. Disclosure or deletion request; process.
(a) A business shall respond to a consumer request under AS 45.48.820 or 45.48.830 by
(1) providing the requested information electronically to the consumer in a portable and, to the extent technically feasible, readily useable format that allows the consumer to transmit the information to another person without hindrance;
(2) if the information provided under (1) of this subsection is not in a human-readable format, providing the requested information to the consumer in a format that is easily readable by a human; and
(3) at the consumer's request, providing the requested information by mail.
(b) A business subject to AS 45.48.800 - 45.48.945 shall designate at least two methods for a consumer to submit a request under AS 45.48.820 - 45.48.835, including, at a minimum, a toll-free telephone number and an electronic mail address. If a business maintains an Internet website, the website must include an option to submit requests under AS 45.48.820 - 45.48.835 on a public facing page. A designated method for submitting requests may include a mailing address, electronic mail address, Internet website, Internet website portal, toll-free telephone number, other applicable contact information, or a new consumer-friendly means of contacting a business as determined by regulation.
(c) A person may not charge a consumer a fee for performing a duty required by AS 45.48.800 - 45.48.945.
(d) A person may only use the information provided by a consumer in a request made under AS 45.48.820 - 45.48.835 to identify the consumer and comply with the request.
(e) In response to a request made under AS 45.48.820 - 45.48.835, a business shall
(1) promptly determine whether the request is a consumer request; a business may not require that a consumer create an account with the business; however, if the consumer maintains an account with the business, the business may require the consumer to submit the request through the account;
(2) identify in writing the personal information subject to a disclosure request; the information disclosed must
(A) cover the 12-month period preceding the request, or another applicable period designated by the consumer;
(B) be designated by the most relevant category of personal information;
(C) clearly separate information requested under AS 45.48.820 and 45.48.830;
(3) disclose and deliver the identified information in writing not later than 45 days after receipt of the request;
(4) not later than 45 days after receipt of a deletion request, comply with AS 45.48.825, and provide confirmation of compliance to the consumer.
(f) The time to respond to a disclosure or deletion request under (e)(3) and (4) of this section may be extended once for an additional 45 days when reasonably necessary. If the time to respond is extended, the business shall notify the consumer of the extension.
(g) A business may disclose or provide confirmation of deletion of information to the consumer by mail, through the consumer's account with the business, or electronically at the consumer's request if the consumer does not have an account with the business.
(h) Notwithstanding any other requirement in this section, if a consumer's requests are manifestly unfounded or excessive, in particular because of the requests' repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of complying with the consumer's request, or refuse to act on the request. The business shall notify the consumer of a decision to charge a fee or to deny a request within the timeline provided under (e)(3) and (4) and (f) of this section. The notification must completely explain the business's reason for finding the request manifestly unfounded or excessive, including all pertinent facts. The business shall bear the burden of proving that a consumer's request is manifestly unfounded or excessive.
(i) A business is not required to respond to a disclosure or deletion request under AS 45.48.825 or 45.48.830 if the consumer making the request has made two consumer requests in the previous 365 days.
(j) A business is not required under this section to re-identify or otherwise link data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.

Sec. 45.48.855. Third-party disclosure and handling of personal information.
(a) A third party may not disclose personal information to another person if the personal information was originally collected in violation of AS 45.48.800 or 45.48.835. A third party that reasonably inquires into whether personal information was collected in violation of AS 45.48.800 or 45.48.835, and reasonably concludes that information was not obtained in violation of AS 45.48.800 or 45.48.835 may not be held liable for a violation under this section.
(b) A third party may not disclose a consumer's personal information for a business purpose or commercial purpose unless the third party receives written confirmation from the business that originally collected the personal information that the information was collected in compliance with AS 45.48.800 and 45.48.835.

Sec. 45.48.860. Service provider obligations.
(a) A service provider may not
(1) retain, use, or disclose personal information received from a business for any purpose other than to perform the services specified in a written contract with the business;
(2) combine personal information received from a business with personal information the service provider receives from other sources, unless otherwise provided in regulation;
(3) disclose personal information received from a business to any other person without first
(A) receiving written consent of the business to disclose the personal information to the other person; and
(B) entering into a written contract with the other person that prohibits the other person from engaging in conduct prohibited under this section.
(b) A person who receives personal information from a service provider may not disclose the personal information to any other person.

Sec. 45.48.865. Exemptions.
(a) AS 45.48.800 - 45.48.945 do not apply to
(1) protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services in 45 C.F.R. Parts 160 and 164, established under the Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191) and the Health Information Technology for Economic and Clinical Health Act (P.L. 111-5); in this paragraph, "protected health information" has the meaning given in 45 C.F.R. 160.103;
(2) a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services in 45 C.F.R. Parts 160 and 164, established under the Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in (1) of this subsection;
(3) information collected as part of a clinical trial subject to 45 C.F.R. Part 46 (Protection of Human Subjects) under
(A) good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use; or
(B) human subject protection requirements of the United States Food and Drug Administration;
(4) vehicle information or ownership information retained or shared between a new motor vehicle dealer, as defined in AS 45.25.990, and the motor vehicle manufacturer, as defined in AS 45.25.990, if the information is shared for the purpose of or in anticipation of effectuating a vehicle repair covered by a vehicle warranty or recall conducted under 49 U.S.C. 30118 - 30120, if the new motor vehicle dealer or vehicle manufacturer does not sell, share, or use the information for another purpose; in this paragraph,
(A) "ownership information" means the name of each registered owner and accompanying contact information;
(B) "vehicle information" means the vehicle identification number, the vehicle's make, model, or year, or the vehicle's odometer reading;
(5) a person, including a subsidiary or affiliate of the person, and data that are subject to 15 U.S.C. 6801 - 6827 (Gramm-Leach-Bliley Act) and related regulations;
(6) an individual's personal information collected by a business if the business collects the personal information through the individual's
(A) job application made to the business;
(B) service as an employee, officer, or director of the business; or
(C) work as a contractor for the business and consists only of
(i) personal information used solely within the context for which it was collected;
(ii) emergency contact information used solely for the purpose of having an emergency contact on file; or
(iii) personal information retained solely to administer benefits for the individual.
(b) AS 45.48.800 - 45.48.945 do not apply to the disclosure of a consumer's personal information to
(1) comply with federal, state, or local law;
(2) comply with a civil, criminal, or regulatory inquiry or an investigation, subpoena, or summons by federal, state, or local authorities;
(3) cooperate with law enforcement agencies concerning conduct or activity that the person reasonably and in good faith believes may violate federal, state, or local law;
(4) exercise or defend legal claims;
(5) collect, use, retain, sell, or disclose de-identified consumer personal information or aggregated consumer personal information.
(c) AS 45.48.800 - 45.48.945 do not apply to the collection or sale of a consumer's personal information if the commercial conduct takes place wholly outside the state. For the purpose of this subsection, commercial conduct takes place wholly outside the state if
(1) the business collected the information while the consumer was outside the state; the exemption allowed under this subsection does not include the storage of personal information, including on a personal device, while the consumer is in the state and collection when the consumer and stored information later leave the state;
(2) no part of the sale of the consumer's personal information occurred in the state; and
(3) no personal information collected while the consumer was in the state was sold.
(d) AS 45.48.800 - 45.48.875 and 45.48.885 - 45.48.945 do not apply to
(1) an activity that is subject to 15 U.S.C. 1681 - 1681x (Fair Credit Reporting Act) that involves the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency;
(2) a furnisher of information who provides information for use in a consumer report, or a user of a consumer report, to the extent the information is used as authorized under 15 U.S.C. 1681 - 1681x (Fair Credit Reporting Act);
(3) personal information collected, processed, sold, or disclosed under 18 U.S.C. 2721 - 2725 (Driver's Privacy Protection Act of 1994) and related regulations.
(e) Except as provided in AS 45.48.835 and 45.48.880, personal information contained in a written communication, oral communication, or transaction between a business and a consumer is exempt from AS 45.48.800 - 45.48.945 if
(1) the consumer is an individual acting as an employee, owner, director, officer, member, or contractor of a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders, partners, members, or other owners, or is a government agency; in this paragraph, "owner" means an individual who (A) owns, directly or indirectly, or has the power to vote, more than 50 percent of the outstanding shares of a class of voting securities of a business; (B) controls, in any manner, the election of a majority of the directors or of individuals exercising similar functions; or (C) has the power to exercise a controlling influence over the majority of the directors or of individuals exercising similar functions; and
(2) the communication or transaction occurs solely within the context of the business exercising due diligence regarding a product or service of, the receipt of a product or service from, or providing a product or service to the corporation, partnership, sole proprietorship, or government agency.
(f) A requirement under AS 45.48.800 - 45.48.945 does not apply if
(1) compliance with the requirement would violate an evidentiary privilege under state law;
(2) the business provides personal information as part of privileged communication to a person covered by an evidentiary privilege;
(3) the right or obligation would adversely affect a right of another consumer;
(4) the requirement would infringe on the noncommercial activity of a person or entity exercising rights under art. I, sec. 5, Constitution of the State of Alaska.
(g) A business does not sell or share a consumer's personal information under AS 45.48.800 - 45.48.945 if
(1) the consumer intentionally directs the business to disclose the consumer's personal information to a third party, intentionally uses the business to disclose the consumer's personal information to a third party, or intentionally directs the business to interact with a third party, and the third party does not also disclose the personal information or discloses the personal information consistent with AS 45.48.800 - 45.48.945;
(2) the business uses or shares a unique identifier for a consumer to alert third parties that the consumer has requested under AS 45.48.835 that the business not sell, share, or disclose the consumer's personal information or particular categories of the consumer's personal information.
(h) A business does not sell personal information under AS 45.48.800 - 45.48.945 when the business uses or shares with a service provider a consumer's personal information that is necessary to perform a business purpose if
(1) the business has provided notice under AS 45.48.800 of the personal information being used or shared; and
(2) the service provider does not further collect, sell, or use the consumer's personal information except as necessary to perform the business purpose.
(i) In this section,
(1) "contractor" means a person who is not an employee of a business but provides a service to the business under a written contract;
(2) "covered entity" has the meaning given in 45 C.F.R. 160.103;
(3) "director" has the meaning given in AS 10.06.990;
(4) "intentionally" does not mean hovering over, muting, pausing, or closing a piece of content;
(5) "officer" means a person appointed or designated as an officer of a corporation by or under applicable law or the corporation's articles of incorporation or bylaws, or a person who performs for the corporation the functions usually performed by an officer of a corporation.

Sec. 45.48.870. Retaliation prohibited; financial incentives. (a) A business may not retaliate against a consumer in response to a consumer exercising rights under AS 45.48.800 - 45.48.945. Retaliation includes
(1) denying goods or services;
(2) charging different prices or rates for goods or services, including using discounts or other benefits or imposing penalties;
(3) providing a different level or quality of goods or services to a consumer;
(4) suggesting that a consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
(b) Notwithstanding (a) of this section, a business may charge a consumer a different rate or provide a different level or quality of goods or services to a consumer if the difference is reasonably related to the value provided to the business by the consumer's personal information.
(c) Notwithstanding (a) of this section, a business may offer a consumer a financial incentive for the collection, sale, or retention of personal information, including direct payments to a consumer as compensation. A business that offers a financial incentive under this subsection
(1) shall notify consumers of the financial incentive;
(2) shall obtain a consumer's consent before entering a consumer into a financial incentive program; to obtain a consumer's consent under this paragraph, the business shall provide the consumer access to a clear and conspicuous description of the material terms of the financial incentive program; the consumer may revoke the consent at any time;
(3) may not use financial incentive practices that are unjust, unreasonable, coercive, or usurious.
(d) In this section, "business" does not include a newspaper.

Sec. 45.48.875. Transfer of information in a merger, acquisition, bankruptcy, and certain other transactions. (a) A business may transfer to or share with a third party a consumer's personal information as an asset that is part of a business change transaction.
(b) If a business shares a consumer's personal information with a third party in the process of evaluating and consummating a business change transaction, the business shall require that the third party agree by contract to keep the personal information confidential and not use the personal information for a purpose other than evaluating and consummating the transaction.
(c) A third party under (a) of this section may not use or share the consumer's personal information in a manner that is materially inconsistent with (a) of this section or with the uses identified in the notification made under AS 45.48.800.
(d) A transfer under (a) of this section does not authorize a business to make material retroactive privacy policy changes or other changes in a manner that constitutes an unfair or deceptive trade practice under AS 45.50.471 - 45.50.561.
(e) In this section, "business change transaction" means a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business.

Sec. 45.48.880. Duty to maintain reasonable security measures. A business that owns, licenses, or maintains a consumer's personal information shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

Sec. 45.48.885. Component parts. If a series of steps or transactions are component parts of a single transaction and are intended from the beginning to avoid the reach of AS 45.48.800 - 45.48.945, including a business's disclosure of information to a third party to avoid being considered a sale, the steps or transactions may not be considered separate for the purposes of determining compliance with, an exception to, or a violation of AS 45.48.800 - 45.48.945.

Sec. 45.48.890. Violations. (a) A violation of AS 45.48.800 - 45.48.945 is an unfair or deceptive act or practice under AS 45.50.471 - 45.50.561. Each day of a violation constitutes a separate violation.
(b) In an action brought under AS 45.50.531(a), a consumer whose personal information is subjected to unauthorized access, destruction, use, modification, or disclosure has suffered an ascertainable loss of $1 or another amount proven at trial, whichever is greater.
(c) The remedies under this section are in addition to the remedies provided under AS 45.48.080 for a violation of AS 45.48.010 - 45.48.090.

Sec. 45.48.895. Consumer privacy account. (a) The consumer privacy account is established as a separate account in the general fund.
(b) The consumer privacy account consists of
(1) money appropriated to the account by the legislature;
(2) the registration fees collected under AS 45.48.900(b)(2);
(3) the fees collected under AS 45.48.910; and
(4) civil penalties and money collected in or as a result of an action brought by the attorney general under AS 45.48.800 - 45.48.945.
(c) The purposes of the consumer privacy account are to pay
(1) the salaries of attorneys in the Department of Law that enforce the provisions of AS 45.48.800 - 45.48.945 at an amount that is competitive with the private sector; and
(2) the administrative costs incurred by the department and the Department of Law to enforce AS 45.48.800 - 45.48.945.
(d) The legislature may appropriate money deposited under (b)(2) - (4) of this section for the purposes of the account.

Sec. 45.48.900. Data broker registration. (a) Before a business begins operating as a data broker, the business shall register with the commissioner in accordance with this section.
(b) To register as a data broker, a business shall
(1) provide, on a form provided by the commissioner, (A) the name of the data broker; (B) the data broker's primary physical and mailing addresses; (C) the data broker's electronic mailing address; (D) the data broker's primary Internet website address; and (E) the data broker's "Do Not Collect or Sell My Personal Information" Internet website page as required under AS 45.48.800(c) or alternative Internet website page that meets the requirements of AS 45.48.800(d); and
(2) pay a registration fee in an amount established by the department by regulation.
(c) The department shall deposit the fees paid under (b)(2) of this section into the consumer privacy account established under AS 45.48.895.

Sec. 45.48.905. Data broker registry publicly displayed. The commissioner shall make the information provided by data brokers under AS 45.48.900(b)(1) available on the department's Internet website.

Sec. 45.48.910. Revenue fees. (a) A business that collects, sells, or shares personal information from a consumer shall pay a fee to the department. The amount of this fee is three percent of the revenue received by the business from the buying, selling, or sharing of the personal information of a consumer or household information.
(b) The department shall deposit the fees paid under (a) of this section into the consumer privacy account established under AS 45.48.895.

Sec. 45.48.915. Regulations. (a) The attorney general shall adopt regulations under AS 44.62 (Administrative Procedure Act) that
(1) create specific exceptions required to comply with state or federal law;
(2) govern the Internet website page requirement of AS 45.48.800, including (A) the use of a recognizable and uniform mark to identify the opportunity to exercise a right under AS 45.48.800 - 45.48.945; (B) the submission of a consumer request; (C) a business's compliance with a request under AS 45.48.835;
(3) update, as necessary, additional categories of personal information required to be disclosed in response to relevant changes in technology, data collection practices, privacy concerns, or obstacles to implementation;
(4) update, as necessary, the interpretation of unique identifiers in response to relevant changes in technology, data collection practices, privacy concerns, or obstacles to implementation;
(5) update, as necessary, the interpretation of designated methods for submitting requests to facilitate a consumer's ability to obtain information from a business;
(6) establish requirements to ensure that notices and information provided under AS 45.48.800 are in plain language, accessible to consumers with disabilities, and available in the language primarily used by the business to interact with the consumer, including with regard to financial incentive offerings;
(7) designate the process for a consumer to authorize a representative to exercise the rights provided under AS 45.48.800 - 45.48.945 on the consumer's behalf; and
(8) further define the meaning of "profile."
(b) The attorney general may adopt regulations under AS 44.62 (Administrative Procedure Act) that
(1) establish rules and procedures for processing and complying with a consumer request for specific pieces of personal information relating to a household to address obstacles to implementation and privacy concerns;
(2) state that service providers may combine personal information for specified purposes;
(3) are necessary to further the purposes of AS 45.48.800 - 45.48.945.
(c) The department shall establish by regulation adopted under AS 44.62 (Administrative Procedure Act) the amount of the registration fee that a data broker shall pay under AS 45.48.900(b)(2).

Sec. 45.48.920. Persons who may consent. Except as provided in AS 45.48.845(a), a person may provide consent for a consumer under AS 45.48.800 - 45.48.945 if the person is
(1) the consumer;
(2) the consumer's legal guardian;
(3) a person who holds a power of attorney for the consumer; or
(4) a person who is acting as a conservator for the consumer.

Sec. 45.48.925. Personnel training. A business subject to AS 45.48.800 - 45.48.945 shall provide training to individuals responsible for handling consumer questions or requests under AS 45.48.800 - 45.48.945, including training the individuals how to direct a consumer to exercise the consumer's rights under AS 45.48.800 - 45.48.945.

Sec. 45.48.930. Provisions not waivable. A consumer's waiver of the provisions of AS 45.48.800 - 45.48.945 is contrary to public policy and is unenforceable and void.
This section does not prevent a consumer from
(1) declining to request information from a business;
(2) declining to request that a business not collect, sell, or disclose the consumer's personal information; or
(3) authorizing a business to sell the consumer's personal information after previously requesting that the business not sell the personal information.

Sec. 45.48.935. Liberal construction. The intent of AS 45.48.800 - 45.48.945 is remedial and its provisions shall be liberally construed.

Sec. 45.48.940. Definitions. In AS 45.48.800 - 45.48.945, unless the context indicates otherwise,
(1) "aggregated consumer information" means information that relates to a group or category of consumers from which individual consumer identities have been removed, and that is not linked or reasonably linkable by a device or other method to a consumer or household; "aggregated consumer information" does not mean an individual consumer record that has been de-identified;
(2) "application" means a computer software package that performs a specific function;
(3) "beacon" means a small computer device that allows computer information to be transmitted to a portable device that can connect to the Internet;
(4) "business" means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders, partners, members, or other owners, that collects or has collected consumers' personal information or on the behalf of which that information is collected, that alone or jointly with others determines the purposes and means of processing personal information of consumers, that does business in the state, and that (A) satisfies one or both of the following thresholds: (i) alone or in combination with another person, annually buys, sells, or shares the personal information of 100,000 or more consumers or households; or (ii) derives 50 percent or more of its annual revenue from selling or sharing the personal information of consumers; or (B) controls or is controlled by a business that meets a threshold in (A) of this paragraph and shares a name, service mark, trademark, or other form of common branding with the business; in this subparagraph, "control" means (i) ownership or the power to vote more than 50 percent of the outstanding shares of any class of voting security of a business; (ii) control, in any manner, of the election of a majority of the directors or of individuals exercising similar functions; or (iii) the power to exercise a controlling influence over the majority of the directors or of individuals exercising similar functions;
(5) "business purpose" means a use for an operational purpose or other notified purpose, if the use is reasonably necessary and proportionate to achieving the operational purpose or other notified purpose for which personal information was collected or processed, or is a compatible use;
(6) "categories of personal information" includes a category of personal information set out in (24) of this section and a category of personal information not specifically enumerated;
(7) "collect" includes buying, renting, gathering, obtaining, receiving, or accessing personal information pertaining to a consumer by actively or passively receiving information from the consumer, by observing the consumer's behavior, or by any other means;
(8) "commercial purpose" includes marketing, advertising, and any other purpose that advances a person's commercial or economic interests, except engaging in political speech, journalism, or other speech that state or federal courts have recognized as noncommercial speech;
(9) "commissioner" means the commissioner of commerce, community, and economic development;
(10) "compatible use" means (A) auditing related to a current interaction with the consumer and counting the advertisement impressions made to individual visitors, verifying positioning and quality of advertisement impressions, and auditing compliance with this paragraph, other standards, and other concurrent transactions; (B) detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those persons responsible for that activity; (C) identifying and removing errors from computer hardware or software that impair existing intended functionality; (D) the contextual customization of advertisements shown as part of the same interaction and other short-term transient use, if the personal information is not disclosed to a third party and is not used to build a profile about a consumer or alter the experience of an individual consumer outside the current interaction; (E) maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytical services, and performing other services on behalf of the business or service provider; (F) conducting internal research for technological development and demonstration; (G) performing activities to verify or maintain the quality or safety of a service or device that is owned by, manufactured by, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device; or (H) performing another use that is consistent with the context in which the personal information was collected;
(11) "consent" (A) means a consumer's freely given, specific, informed, and unambiguous indication by statement, action, or other method, that the consumer agrees to the processing of the consumer's personal information for a narrowly defined purpose; (B) does not mean (i) acceptance of general terms of use, a broad statement of terms of use, or a similar document that contains descriptions of personal information processing along with other, unrelated information; (ii) hovering over, muting, pausing, or closing a given piece of content on the Internet; or (iii) an agreement obtained through the use of a user interface designed or manipulated to subvert or impair user autonomy, decision making, or choice;
(12) "conservator" has the meaning given in AS 13.06.050;
(13) "consumer" means an individual who is a resident of the state under AS 01.10.055, whether identified by a unique identifier or other method of identification, but does not mean an individual acting (A) as an employee, owner, director, officer, member, or contractor or in another capacity of a corporation, limited liability company, sole proprietorship, partnership, association, nonprofit, or other entity or government agency; (B) for the entity or agency with another entity or agency; or (C) in an employment context;
(14) "consumer request" means a request that is made by a consumer, by a parent or legal guardian with legal custody of the consumer, or by an individual or a person registered with the United States Secretary of State, authorized by the consumer to act on the consumer's behalf;
(15) "data broker" means a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship, but does not include a consumer reporting agency to the extent the agency is covered by 15 U.S.C. 1681 et seq. (Fair Credit Reporting Act);
(16) "de-identified" means that the information cannot reasonably identify, relate to, describe, be capable of being associated with, or be directly or indirectly linked to, an individual consumer, and the business holding the information (A) has implemented technical safeguards that prohibit re-identification of the consumer to whom the information may pertain; (B) has implemented business processes that specifically prohibit re-identification of the information; (C) has implemented business processes to prevent inadvertent release of de-identified information; and (D) makes no attempt to re-identify the information;
(17) "department" means the Department of Commerce, Community, and Economic Development;
(18) "device" includes a computer and a physical object that can (A) read, write, or store information that is represented in numerical form; (B) connect to the Internet, directly or indirectly, or to another device;
(19) "disclose" includes all types of disclosure, including the disclosure of personal information related to a sale of personal information;
(20) "Internet website page" means a document accessible through the Internet with a unique identifier used to locate a resource on the Internet;
(21) "knowingly" has the meaning given in AS 11.81.900(a);
(22) "operational purpose" means the use of personal information, when reasonably necessary and proportionate, to achieve, if the use is limited to a direct relationship and experience with a consumer, (A) debugging to identify and repair errors that impair existing intended functions; (B) based on information collected by the business, undertaking internal research for analysis, product improvement, and technology development; (C) verification or maintenance of the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, or to improve, upgrade, or enhance a service or device that is owned, manufactured, manufactured for, or controlled by the business; (D) customization of content based on information collected by the business; or (E) customization of advertising or marketing based on information collected by the business;
(23) "person" means an individual, proprietorship, corporation, company, partnership, firm, association, and any other nongovernmental organization or group of persons acting in concert;
(24) "personal information" (A) means the information in the following categories that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household: (i) a real name, alias, postal address, unique identifier, online identifier, Internet protocol address, electronic mail address, account name, or other identifier; (ii) signature; (iii) physical characteristics or physical description; (iv) telephone number; (v) insurance policy number; (vi) characteristics of protected classifications under state or federal law; (vii) commercial information, including bank accounts, records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies; (viii) browsing history, search history, and information regarding a consumer's interaction with an Internet website, application, or advertisement, or other Internet or electronic network activity information; (ix) geolocation data, including precise geolocation data; (x) audio, electronic, visual, thermal, olfactory, or similar information; (xi) professional or employment-related information; (xii) information that is personally identifiable information, as defined in 34 C.F.R. 99.3, that is not publicly available; (xiii) sensitive personal information; (xiv) inferences drawn from any of the information identified in this subparagraph to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes; (B) does not mean (i) publicly available information; (ii) consumer information that is de-identified or is aggregated consumer information; (iii) biometric information; in this sub-subparagraph, "biometric information" means an individual's physiological, biological, or behavioral characteristics that can be used to establish individual identity;
(25) "precise geolocation data" (A) means data that is derived from a consumer device through a technology that (i) is capable of determining with specificity the latitude and longitude coordinates or other spatial location of a person or device; (ii) has an accuracy level of less than 1,750 feet; (iii) uses a global positioning system, a triangulated location provided by a beacon, network radios, or a technology that allows computers, mobile phones, or other devices to connect to the Internet or communicate with one another wirelessly within a particular area, or another technology; (B) does not mean information that is or will be (i) altered before the information is processed, in order to be able to determine with specificity the physical location of an individual or device; (ii) used by a business when acting as an employer;
(26) "processing" means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means;
(27) "profile" or "profiling" means automated processing of personal information, as further defined by regulation adopted under AS 45.48.915, to analyze or predict an individual's work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, movements, or other personal features;
(28) "publicly available information" means information that is lawfully made available from federal, state, or local government records, that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media, or that a consumer makes available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience;
(29) "research" means scientific systematic study and observation that is in the public interest, that adheres to all applicable ethics and privacy laws, and (A) is compatible with the business purpose for which the personal information was collected; (B) is used solely for research purposes that are compatible with the context in which the personal information was collected; (C) is not used for a commercial purpose; and (D) in which the personal information is (i) later pseudonymized and de-identified, or de-identified and in the aggregate, if the information cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer; personal information is considered pseudonymized if the information is processed so that it is no longer attributable to a specific consumer without the use of additional information, and the additional information is kept separate and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer; (ii) subject to technical safeguards that prohibit re-identification of the consumer to whom the information may pertain; (iii) subject to business processes that specifically prohibit re-identification of the information; (iv) subject to business processes to prevent inadvertent release of de-identified information; and (v) subjected by the business conducting the research to additional security controls that limit access to the research data to individuals in the business as necessary to carry out the research purpose;
(30) "sale," "sell," or "sold" means renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by a business to a third party for monetary or other valuable consideration or for another commercial purpose;
(31) "sensitive personal information" means information that is not publicly available information and reveals (A) a consumer's social security number, driver's license number, known traveler number, state identification card number, passport number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual; (B) the number of a consumer's Internet account, financial account, debit card account, credit card account, or other account, in combination with any required security or access code, password, or credentials allowing access to the account; (C) a consumer's precise geolocation; (D) a consumer's racial or ethnic origin, religious or philosophical beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, or union membership; (E) the contents of a consumer's mail or electronic mail, text message, or other electronic communication, unless the business possessing the information is the intended recipient of the communication; (F) a consumer's genetic data; (G) information about an individual who is less than 18 years of age; (H) information collected and analyzed concerning a consumer's health; or (I) information collected and analyzed about a consumer's sexual life or sexual orientation;
(32) "service provider" means a person that receives personal information from a business to be used solely for a business purpose under a written contract that requires the service provider to comply with AS 45.48.860;
(33) "share" means renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means personal information by a business to a third party for cross-context behavioral advertising, whether for monetary or other valuable consideration, or in a transaction between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged; in this paragraph, "cross-context behavioral advertising" means the targeting of advertising to a consumer based on the consumer's personal information obtained from the consumer's activity across businesses, distinctly branded Internet websites, applications, or services, other than the business, distinctly branded website, application, or service with which the consumer intentionally interacts;
(34) "third party" means any person, except (A) the business that collected the personal information from the consumer; and (B) a service provider contracting with the business that collected the personal information from the consumer;
(35) "unique identifier" includes a device identifier; an Internet protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device; or another persistent identifier that can be used to recognize a consumer, a household, or a device that is linked to a consumer or household, over time and across different services; in this paragraph, (A) "cookie" means information from an Internet website stored by a person's computer that is used to identify the person's computer while the person is using the website; (B) "pixel tag" means a small design or picture that is loaded when a computer user visits an Internet website page or opens electronic mail; (C) "probabilistic identifier" means the identification of a consumer or a device to a degree of certainty of more probable than not based on a category of personal information included in, or similar to, the categories of personal information.

Sec. 45.48.945. Short title. AS 45.48.800 - 45.48.945 may be cited as the Consumer Personal Information Privacy Act.

* Sec. 5. AS 45.50.471(b) is amended by adding a new paragraph to read:
(58) violating AS 45.48.800 - 45.48.945 (Consumer Personal Information Privacy Act).

* Sec. 6. The uncodified law of the State of Alaska is amended by adding a new section to read:
APPLICABILITY: CONTRACTS. This Act applies to a contract entered into on or after the effective date of secs. 1 - 6 of this Act.

* Sec. 7. The uncodified law of the State of Alaska is amended by adding a new section to read:
TRANSITION: REGULATIONS. The attorney general shall adopt regulations as authorized under AS 45.48.915, added by sec. 4 of this Act, to implement the changes made by this Act. The regulations take effect under AS 44.62 (Administrative Procedure Act), but not before the effective date of the law implemented by the regulation.

* Sec. 8. Section 7 of this Act takes effect immediately under AS 01.10.070(c).

* Sec. 9. Except as provided in sec. 8 of this Act, this Act takes effect January 1, 2027.