HB 328: "An Act relating to biometric information and to the collection, use, storage, and disclosure of geolocation information; and establishing an unfair trade practice under the Alaska Unfair Trade Practices and Consumer Protection Act."

HOUSE BILL NO. 328

"An Act relating to biometric information and to the collection, use, storage, and disclosure of geolocation information; and establishing an unfair trade practice under the Alaska Unfair Trade Practices and Consumer Protection Act."

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF ALASKA:

* Section 1. AS 18.13 is amended by adding new sections to read:

Article 2. Biometric Information.

Sec. 18.13.200. Biometric data collection. (a) A person may not collect for use in a biometric system the biometric data of an individual who is not the collector unless the collector first
    (1) notifies the individual in a clear manner
        (A) that the biometric data is being collected for use in a biometric system;
        (B) of the specific purpose for which the biometric information will be used; and
        (C) of the length of time the biometric information will be kept; and
    (2) receives, in a written, electronic, or other form by which the consent can be documented, the individual's full consent to the
        (A) collection of the biometric data for use in a biometric system;
        (B) specific purpose for which the biometric information will be used; and
        (C) length of time the biometric information will be kept.
(b) An individual may revoke or amend the individual's consent provided under (a) of this section at any time after the original purpose for which the consent was given ceases to exist.

Sec. 18.13.210. Disclosure of biometric information. (a) A collector and a contractor may not disclose, transfer, or distribute the biometric information of another individual, except to the collector's contractor or to a person to authenticate the identity of the individual providing the biometric information.
(b) A disclosure, transfer, or distribution under (a) of this section may be made only for the original purpose for which the biometric information was to be used.

Sec. 18.13.220. Sale of biometric information. A person may not sell biometric information, except that a contractor may sell the contractor's business to another person and transfer the biometric information to the buyer.

Sec. 18.13.230. Disposal. (a) When a collector no longer needs an individual's biometric information for the original purpose for which the biometric information was to be used, the collector and the contractor, if any, shall, within 120 days and unless prohibited by other law, a regulation, or a court order, remove the individual's biometric information from all databases and storage systems and destroy the biometric information.
(b) Within 60 days after determining that the collector no longer needs an individual's biometric information for the original purpose for which the biometric information was to be used, the collector shall notify the contractor, if any, that the collector is to remove the individual's biometric information from all databases and storage systems and destroy the biometric information.

Sec. 18.13.240. Use of biometric information. A collector may use biometric information for a fraud prevention purpose in addition to the original purpose for which the biometric information was to be used.

Sec. 18.13.250. Storage of biometric information. A collector and a contractor shall store an individual's biometric information in a secure manner, which may include encryption or another appropriate method, to ensure that the identity of the individual who provided the biometric information is protected.

Sec. 18.13.260. Right of action. An individual may bring a civil action against a person who intentionally violates AS 18.13.200 - 18.13.290. A person who intentionally violates AS 18.13.200 - 18.13.290 is liable to the individual for a penalty of $1,000, except that, if the violation resulted in profit or monetary gain to the person, the penalty is $5,000. In this section, "intentionally" has the meaning given in AS 11.81.900.

Sec. 18.13.270. Exemptions. AS 18.13.200 - 18.13.290 do not apply to the
    (1) collection, retention, analysis, disclosure, or distribution of
        (A) biometric information for a law enforcement purpose, including the identification of perpetrators, the investigation of crimes, the identification of missing or unidentified persons, or the identification of human remains;
        (B) biometric information when authorized by state or federal law;
        (C) facial images by the Department of Administration for drivers' licenses issued under AS 28.15, for state identification cards issued under AS 18.65.310, for administering AS 28.15, or for administering AS 18.65.310; or
        (D) a photograph, unless the photograph is collected for use in a biometric system; or
    (2) retention of voices recorded for quality assurance purposes.

Sec. 18.13.290. Definitions.
In AS 18.13.200 - 18.13.290,
    (1) "biometric data" means fingerprints, handprints, voices, iris images, retinal images, vein scans, hand geometry, finger geometry, or other physical characteristics of an individual;
    (2) "biometric information" means biometric data used in a biometric system;
    (3) "biometric system" means an automated system that
        (A) captures biometric data from an individual's biometric information;
        (B) extracts and processes the biometric data captured under (A) of this paragraph;
        (C) stores the biometric data extracted under (B) of this paragraph;
        (D) compares the biometric data extracted under (B) of this paragraph with biometric data from the individual stored for use in future recognition of the individual; and
        (E) determines how well the extracted and stored biometric data match when compared under (D) of this paragraph and indicates whether an identification or verification of identity has been achieved;
    (4) "collector" means a person who collects the biometric information of another individual;
    (5) "contractor" means a person
        (A) who contracts with a collector to store the biometric information collected by the collector; or
        (B) to whom the contractor sells the contractor's business and transfers the biometric information stored by the contractor;
    (6) "original purpose" means the specific purpose stated for the use of biometric information under AS 18.13.200(a)(1)(B);
    (7) "person" includes
        (A) a corporation, company, partnership, firm, association, organization, business trust, or society;
        (B) an individual;
        (C) an agency of the executive, judicial, or legislative branch of state government;
        (D) a municipality or an agency of a municipality.

* Sec. 2. AS 45.48 is amended by adding new sections to read:

Article 6A. Geolocation Information Protection.

Sec. 45.48.800. Collection, use, storage, and disclosure of geolocation information. Except as provided in AS 45.48.820, a private person may not collect, use, store, or disclose an individual's geolocation information that the private person obtained from a location-based application on the individual's mobile electronic device, unless the private person first provides the individual with written notice under AS 45.48.810 and the individual expressly consents to the disclosure. In this section, "location-based application" means a computer software program that collects, uses, or stores geolocation information.

Sec. 45.48.810. Notice requirements. The notice required by AS 45.48.800 must
    (1) be clear, prominent, and accurate;
    (2) inform the individual that the private person will collect, use, store, or disclose the individual's geolocation information;
    (3) inform the individual of the specific purposes for which the private person will collect, use, store, or disclose the individual's geolocation information; and
    (4) provide the individual with a hyperlink or comparable easily accessible means on the Internet to access the individual's geolocation information that the private person collects, uses, stores, or discloses; in this paragraph, "hyperlink" means a highlighted word or picture on an Internet document or page that the individual can click to access the geolocation information.

Sec. 45.48.820. Exemptions.
(a) A private person may collect, use, store, or disclose an individual's geolocation information without providing the notice required by AS 45.48.800 or receiving the express consent of the individual
    (1) if the private person is collecting, using, storing, or disclosing the private person's own geolocation information;
    (2) to allow a parent or other lawful custodian of a minor child to locate the minor child; in this paragraph,
        (A) "lawful custodian" has the meaning given in AS 11.41.370;
        (B) "minor child" means a child who is under 18 years of age and whose disabilities of minority have not been removed under AS 09.55.590;
    (3) to allow a court-appointed guardian to locate an incapacitated person; in this paragraph, "incapacitated person" has the meaning given in AS 13.26.005; or
    (4) to allow a person to provide fire, medical, public safety, or other emergency services.
(b) AS 45.48.800 - 45.48.880 do not apply to utilities that furnish telecommunications services regulated under AS 42.05. In this subsection, "telecommunications" has the meaning given in AS 42.05.990.

Sec. 45.48.830. Effect on contracts. A contract that violates AS 45.48.800 - 45.48.880 is void and unenforceable.

Sec. 45.48.840. Waivers. A person may not waive the provisions of AS 45.48.800 - 45.48.880. A waiver of the provisions of AS 45.48.800 - 45.48.880 is void and unenforceable.

Sec. 45.48.850. Violations. If a private person violates AS 45.48.800 - 45.48.880, the violation is an unfair or deceptive act or practice under AS 45.50.471 - 45.50.561, except that AS 45.50.531 does not apply to the violation; however, the individual whose geolocation information was the subject of the violation may bring a civil action in court to
    (1) recover liquidated damages of $1,000 or actual damages, whichever amount is greater; and
    (2) obtain other relief that the court determines is appropriate.

Sec. 45.48.860. Relationship to federal law. AS 45.48.800 - 45.48.880 do not apply to a
    (1) health care provider or other person that is subject to P.L. 104-191 (Health Insurance Portability and Accountability Act of 1996) and the regulations adopted under that law;
    (2) financial institution or an affiliate of a financial institution that is subject to 15 U.S.C. 6801 - 6809 of the Gramm-Leach-Bliley Financial Modernization Act and the regulations adopted under that law.

Sec. 45.48.870. Definitions. In AS 45.48.800 - 45.48.880,
    (1) "geolocation information" means information identifying the geographical location of a person or device by using digital information processed through the Internet; "geolocation information" does not include Internet protocol addresses or the contents of an electronic communication;
    (2) "Internet" means the combination of computer systems or networks that make up the international network for interactive communications services, including remote logins, file transfers, electronic mail, and newsgroups;
    (3) "private person" means a person that is not a governmental agency.

Sec. 45.48.880. Short title. AS 45.48.800 - 45.48.880 may be cited as the Geolocation Information Protection Act.

* Sec. 3. AS 45.50.471(b) is amended by adding a new paragraph to read:
    (58) violating AS 45.48.800 - 45.48.880 (geolocation information protection).

* Sec. 4. The uncodified law of the State of Alaska is amended by adding a new section to read:
APPLICABILITY. AS 45.48.830, added by sec. 2 of this Act, applies to contracts that are entered into on or after the effective date of this Act.

* Sec. 5. The uncodified law of the State of Alaska is amended by adding a new section to read:
REVISOR'S INSTRUCTION. Wherever "this chapter" appears in AS 18.13.010 - 18.13.100, the revisor of statutes shall substitute "AS 18.13.010 - 18.13.100."