SB 118: "An Act relating to the disclosure of personal information."
00 SENATE BILL NO. 118 01 "An Act relating to the disclosure of personal information." 02 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF ALASKA: 03 * Section 1. The uncodified law of the State of Alaska is amended by adding a new section 04 to read: 05 SHORT TITLE. AS 45.48.800 - 45.48.890, enacted by sec. 3 of this Act, may be 06 cited as the Right to Know Act. 07 * Sec. 2. The uncodified law of the State of Alaska is amended by adding a new section to 08 read: 09 LEGISLATIVE FINDINGS. The legislature finds that 10 (1) the state has an express right to privacy under art. I, sec. 22, Constitution 11 of the State of Alaska; 12 (2) it is important to be transparent with individuals in regard to how 13 businesses share personal information, especially information relating to children, and that 14 transparency is crucial for citizens of this state to protect themselves and their families from 15 cybercrimes and identity theft;
01 (3) for free market forces to have a role in shaping business privacy practices 02 and for the remedy to opt in or out of information handling requests to be effective, 03 consumers must be more than vaguely informed that a business might share personal 04 information with third parties; 05 (4) consumers must be better informed about the kinds of personal 06 information a business shares with other businesses; 07 (5) when consumers are better informed of how protective of consumer 08 privacy a business is, consumers can more knowledgeably choose among businesses that 09 disclose information to third parties and whether to opt in or opt out of information handling 10 requests made by businesses; 11 (6) businesses are now collecting, sharing, and selling personal information in 12 ways that current law does not consider or adequately address; 13 (7) some Internet websites are installing tracking tools that record when a 14 consumer visits an Internet website page and are sending personal information about the 15 consumer, including age, gender, race, income, health concerns, religion, and recent 16 purchases, to third-party marketers and data brokers; 17 (8) third-party data brokers are buying, selling, and trading personal 18 information obtained from mobile phones, financial institutions, social media sites, and other 19 online and brick and mortar companies; 20 (9) some mobile telephone and computer applications are sharing personal 21 information, including location information, unique telephone identification numbers, and 22 age, gender, and other personal details with third-party businesses; and 23 (10) to protect properly the privacy, personal safety, and financial security of 24 consumers, it is important for consumers to know how businesses collect a customer's 25 personal information and share or sell that information to third parties. 26 * Sec. 3. AS 45.48 is amended by adding new sections to read: 27 Article 6A. Disclosure of Personal Information. 28 Sec. 45.48.800. Notification of information sharing practices. (a) If a 29 commercial Internet website or commercial online service collects personal 30 information through the Internet about customers who use or visit the Internet website 31 or online service, the owner of the Internet website or online service shall, in the
01 agreement of the Internet website or online service with the customer, 02 (1) identify the categories of personal information under AS 45.48.820 03 that the owner collects about customers through the Internet website or online service; 04 (2) identify all categories of third parties to whom the owner discloses, 05 or may disclose, the personal information that the owner collects through the Internet 06 website or online service; 07 (3) describe a customer's rights under AS 45.48.810; and 08 (4) provide a request address, which may include an electronic mail 09 address or toll-free telephone number, that the customer may use to request or obtain 10 the information the owner is required to provide under AS 45.48.810. 11 (b) An owner may use an addendum incorporated into the agreement to satisfy 12 the requirement of (a) of this section to place the information in an agreement. 13 Sec. 45.48.810. Disclosure to customer. (a) An owner that discloses a 14 customer's personal information to a third party shall, upon request and without 15 charge, provide to the customer the information described in (b) of this section that the 16 owner disclosed to third parties during the 12 months that preceded the date of the 17 customer's request. 18 (b) The information that an owner must provide to a customer under (a) of this 19 section is the following: 20 (1) the categories of personal information under AS 45.48.820 that the 21 owner disclosed to a third party; and 22 (2) the names of the third parties that received the customer's personal 23 information. 24 (c) An owner shall provide the information under this section to the customer 25 within 30 days after receiving the customer's request. 26 Sec. 45.48.820. Categories of personal information. An owner shall use the 27 following categories of personal information when complying with 28 AS 45.48.800(a)(1) and 45.48.810(b)(1): 29 (1) identity information, including name, alias, nickname, and user 30 name; 31 (2) address information, including postal address and electronic mail
01 address; 02 (3) telephone number; 03 (4) financial accounts; 04 (5) government-issued identification number, including driver's license 05 number, identification card number, and passport number; 06 (6) date of birth or age; 07 (7) information regarding physical characteristics, including height and 08 weight; 09 (8) sexual information, including sexual orientation, sex, gender status, 10 gender identity, and gender expression; 11 (9) race or ethnicity; 12 (10) religious affiliation or activity; 13 (11) political affiliation or activity; 14 (12) professional or employment-related information; 15 (13) educational information; 16 (14) medical information, including medical conditions, drugs taken, 17 therapies used, mental health condition, medical products used, and medical 18 equipment use; 19 (15) financial information, including credit, debit, and account 20 numbers, account balances, payment history, information on assets, information on 21 liabilities, and general creditworthiness; 22 (16) commercial information, including records of property, products 23 provided, obtained, or considered, services provided, obtained, or considered, and 24 other purchasing or consumer history or tendency; 25 (17) location information; 26 (18) Internet or mobile telephone activity information, including 27 Internet protocol addresses, and information concerning the access to or use of any 28 Internet or mobile-based site or service; 29 (19) content generated or provided by the customer, including text, 30 photographs, audio recordings, video recordings, and other material; and 31 (20) information under (1) - (19) of this section relating to children of
01 the customer. 02 Sec. 45.48.830. Exemptions from disclosure requirement. (a) Subject to (b) 03 of this section, the requirements of AS 45.48.810 and 45.48.820 do not apply to the 04 disclosure of personal information to a third party if the disclosure is 05 (1) made under a written contract between the owner and the third 06 party, and the contract 07 (A) only authorizes the third party to use the personal 08 information to perform services on behalf of the owner; and 09 (B) prohibits the third party from using the personal 10 information for a reason other than performing the service on behalf of the 11 owner and from disclosing the personal information to other third parties; 12 (2) based on a good-faith belief that disclosure is required to comply 13 with applicable law, legal process, or court order; or 14 (3) reasonably necessary to address fraud, security, or technical issues, 15 to protect the disclosure of the person's rights or property, or to protect customers or 16 the public from illegal activities as required or permitted by law. 17 (b) To qualify for an exemption from disclosure under (a)(1) of this section, 18 the third party must enforce the prohibition made in (a)(1)(B) of this section. 19 (c) AS 45.48.800 - 45.48.890 do not apply to an owner that is 20 (1) a governmental agency; or 21 (2) acting in the capacity of a contractor, subcontractor, or agent of a 22 governmental agency. 23 (d) In this section, "services" includes maintaining or servicing accounts, 24 providing customer services, processing or fulfilling orders and transactions, verifying 25 customer information, processing payments, providing financing, or similar services. 26 Sec. 45.48.840. Right of action. If an owner violates AS 45.48.800 - 27 45.48.890, the customer who is the subject of the violation may recover from the 28 owner damages of $5,000 or actual damages, whichever amount is greater, attorney 29 fees and costs as allowed by the rules of court, and injunctive relief that the court 30 determines is appropriate. 31 Sec. 45.48.850. Relationship to other law. (a) AS 45.48.800 - 45.48.890 may
01 not be construed to conflict with P.L. 104-191 (Health Insurance Portability and 02 Accountability Act of 1996) and the rules adopted under that law. 03 (b) AS 45.48.800 - 45.48.890 do not apply to a financial institution or an 04 affiliate of a financial institution that is subject to 15 U.S.C. 6801 - 6809 (Gramm- 05 Leach-Bliley Financial Modernization Act of 1999) and the rules adopted under that 06 Act. 07 (c) AS 45.48.800 - 45.48.890 do not apply to the activities of an individual or 08 another person to the extent that those activities are subject to P.L. 73-416 (Federal 09 Communications Act of 1934). 10 (d) If there is a conflict between AS 45.48.800 - 45.48.890 and AS 45.48.400 - 11 45.48.470, the provisions of AS 45.48.400 - 45.48.470 govern. 12 Sec. 45.48.890. Definitions. In AS 45.48.800 - 45.48.890, 13 (1) "customer" means an individual who uses or visits an Internet 14 website or online service; 15 (2) "disclose" means to release, transfer, share, disseminate, make 16 available, or otherwise communicate to a third party orally, in writing, by electronic 17 means, or by another method; 18 (3) "owner" means a person that owns an Internet website or online 19 service; 20 (4) "personal information" means information that 21 (A) identifies, relates to, describes, or is capable of being 22 associated with a particular individual, including the individual's name, 23 signature, physical characteristics, physical description, address, telephone 24 number, passport number, driver's license number, state identification card 25 number, insurance policy number, education, employment, employment 26 history, bank account number, credit card number, debit card number, and 27 other financial information; 28 (B) relates to an individual's income, assets, liabilities, 29 purchases, leases, or rentals of goods, services, or real property, if the 30 information is disclosed with the information described under (A) of this 31 paragraph;
01 (5) "third party" means a person that 02 (A) is a separate legal entity from the owner; 03 (B) does not share common ownership or common corporate 04 control with the owner; or 05 (C) does not share a brand name or common branding with the 06 owner. 07 * Sec. 4. The uncodified law of the State of Alaska is amended by adding a new section to 08 read: 09 APPLICABILITY. AS 45.48.800 - 45.48.890, enacted by sec. 3 of this Act, applies 10 only to personal information disclosed after the effective date of this Act.