Alaska State Legislature

Home
Bill & Laws
Bills
HB 222 Detail
FullText

txt

HB 222: "An Act relating to personal information; relating to the privacy of personal information; relating to the collection, sale, sharing, deletion, correction, and use of personal information; relating to breaches of security of personal information; relating to genetic privacy; relating to social security numbers; and providing for an effective date."

00 HOUSE BILL NO. 222 01 "An Act relating to personal information; relating to the privacy of personal 02 information; relating to the collection, sale, sharing, deletion, correction, and use of 03 personal information; relating to breaches of security of personal information; relating 04 to genetic privacy; relating to social security numbers; and providing for an effective 05 date." 06 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF ALASKA: 07 * Section 1. AS 18.13.010(a) is amended to read: 08 (a) Notwithstanding AS 45.48.760 - 45.48.925, and except [EXCEPT] as 09 provided in (b) of this section, 10 (1) a person may not collect a DNA sample from a person, perform a 11 DNA analysis on a sample, retain a DNA sample or the results of a DNA analysis, or 12 disclose the results of a DNA analysis unless the person has first obtained the 13 informed and written consent of the person, or the person's legal guardian or

01 authorized representative, for the collection, analysis, retention, or disclosure; 02 (2) a DNA sample and the results of a DNA analysis performed on the 03 sample are the exclusive property of the person sampled or analyzed. 04 * Sec. 2. AS 45.48.010(a) is amended to read: 05 (a) In addition to the requirements of AS 45.48.885(c) - (e), if [IF] a 06 covered person owns or licenses personal information in any form that includes 07 personal information on a state resident, and a breach of the security of the 08 information system that contains personal information occurs, the covered person 09 shall, after discovering or being notified of the breach, disclose the breach to each 10 state resident whose personal information was subject to the breach. 11 * Sec. 3. AS 45.48.430(b) is amended to read: 12 (b) The prohibition in (a) of this section does not apply if 13 (1) the disclosure is authorized by local, state, or federal law, including 14 AS 45.48.760 - 45.48.925 or a regulation adopted under AS 45.48.470; 15 (2) the person is engaging in the business of government and 16 (A) is authorized by law to disclose the individual's social 17 security number; or 18 (B) the disclosure of the individual's social security number is 19 required for the performance of the person's duties or responsibilities as 20 provided by law; 21 (3) the disclosure is to a person subject to or for a transaction regulated 22 by the Gramm-Leach-Bliley Financial Modernization Act, and the disclosure is for a 23 purpose authorized by the Gramm-Leach-Bliley Financial Modernization Act or to 24 facilitate a transaction of the individual; 25 (4) the disclosure is to a person subject to or for a transaction regulated 26 by the Fair Credit Reporting Act, and the disclosure is for a purpose authorized by the 27 Fair Credit Reporting Act; 28 (5) the disclosure is part of a report prepared by a consumer credit 29 reporting agency in response to a request by a person and the person submits the social 30 security number as part of the request to the consumer credit reporting agency for the 31 preparation of the report; or

01 (6) the disclosure is for a background check on the individual, identity 02 verification, fraud prevention, medical treatment, law enforcement or other 03 government purposes, or the individual's employment, including employment benefits. 04 * Sec. 4. AS 45.48.450(b) is amended to read: 05 (b) Notwithstanding the other provisions of AS 45.48.400 - 45.48.480, and 06 except as provided under AS 45.48.760 - 45.48.925 or for an agent under (a) of this 07 section, a person may disclose an individual's social security number to an 08 independent contractor of the person to facilitate the purpose or transaction for which 09 the individual initially provided the social security number to the person, but the 10 independent contractor may not use the social security number for another purpose or 11 make an unauthorized disclosure of the individual's personal information. In this 12 subsection, "independent contractor" includes a debt collector. 13 * Sec. 5. AS 45.48 is amended by adding new sections to read: 14 Article 6A. Treatment of Personal Information. 15 Sec. 45.48.760. General duties of businesses that control collection. (a) A 16 business that controls the collection of a consumer's personal information shall, at or 17 before the point of collection, notify the consumer of the following: 18 (1) the categories of personal information and categories of sensitive 19 personal information that the business will collect, the purposes for which the business 20 will collect the information, and whether the business will sell or share the 21 information; 22 (2) the length of time the business will retain each category of personal 23 information and category of sensitive personal information, or, if it is not possible for 24 the business to make this determination, the criteria used to determine the length of 25 time; and 26 (3) that the business may not retain the consumer's personal 27 information or sensitive personal information for longer than is reasonably necessary 28 for the purposes disclosed under (1) of this subsection. 29 (b) Unless a business that controls the collection of a consumer's personal 30 information provides the consumer with another disclosure under (a) of this section 31 informing the consumer of a previously undisclosed category or use, the business may

01 not collect a category of personal information or a category of sensitive personal 02 information unless the business has disclosed that category under (a)(1) of this section 03 and may not use personal information or sensitive personal information for a purpose 04 that is incompatible with the purposes disclosed under (a)(1) of this section. 05 (c) A business that, acting as a third party, controls the collection of a 06 consumer's personal information may make the disclosures required under (a) of this 07 section on the home page of the Internet website of the business, except that, if the 08 business controls the collection on the physical premises of the business, the business 09 shall also make the disclosures on the physical premises and ensure the information is 10 displayed prominently and conspicuously. In this subsection, "physical premises" 11 includes a motor vehicle. 12 Sec. 45.48.765. Deletion of personal information. (a) Except as provided 13 under this section and AS 45.48.815, a business shall delete personal information 14 collected from a consumer if the consumer makes a verifiable consumer request to the 15 business to delete the personal information. 16 (b) A business that collects personal information about a consumer shall notify 17 the consumer under AS 45.48.795 that the consumer may request that the business 18 delete the consumer's personal information. 19 (c) A business that receives a verifiable consumer request from a consumer 20 under (a) of this section shall 21 (1) delete the consumer's personal information from its records; 22 (2) notify its service providers and contractors to delete the consumer's 23 personal information from their records; and 24 (3) notify all third parties to whom the business has sold or with whom 25 the business has shared the consumer's personal information to delete the personal 26 information, unless the notification is impossible or involves effort that is 27 disproportionate to the request. 28 (d) A service provider or contractor of a business shall cooperate with the 29 business in responding to a verifiable consumer request under this section and, at the 30 direction of the business, shall delete, or enable the business to delete, and notify any 31 of its own service providers or contractors to delete, personal information about the

01 consumer collected, used, processed, or retained by the service provider or the 02 contractor. Unless the notification is impossible or involves disproportionate effort or 03 the information was accessed at the direction of the business, the service provider or 04 contractor shall notify a service provider, contractor, or third party who may have 05 accessed personal information about the consumer from or through the service 06 provider or contractor to delete the personal information. 07 (e) Unless prohibited by another provision of AS 45.48.760 - 45.48.925, a 08 business may maintain a record of a verifiable consumer request made under this 09 section only to prevent the personal information about the consumer who submitted 10 the request from being sold, to comply with law, or to achieve another purpose to the 11 extent allowed under AS 45.48.760 - 45.48.925. The business shall keep the record 12 confidential. 13 Sec. 45.48.770. Correction of personal information. (a) A business shall 14 correct inaccurate personal information collected from a consumer if the consumer 15 makes a verifiable consumer request to the business to correct the personal 16 information. 17 (b) A business that collects personal information about a consumer shall notify 18 the consumer under AS 45.48.795 that the consumer may request the business to 19 correct inaccurate personal information. 20 (c) A business that receives a verifiable consumer request to correct inaccurate 21 personal information about the consumer shall use, as directed by the consumer, 22 commercially reasonable efforts to correct the personal information. 23 Sec. 45.48.775. Disclosure of personal information collected. (a) In addition 24 to the disclosure required by (b) of this section, if a consumer makes a verifiable 25 consumer request to a business that collects personal information about a consumer, 26 the business shall disclose to the consumer the following information: 27 (1) the categories of personal information the business has collected 28 about the consumer; 29 (2) the sources identified by category from which the business collects 30 the personal information; 31 (3) the business purpose or commercial purpose for collecting, selling,

01 or sharing personal information; 02 (4) the third parties identified by category to whom the business 03 discloses personal information; and 04 (5) the specific pieces of personal information the business has 05 collected about the consumer. 06 (b) A business that collects personal information about a consumer shall 07 disclose the following information in its online privacy policy statement or, if the 08 business does not have an online privacy policy statement, on its Internet website, and 09 shall update that information at least once every 12 months: 10 (1) the categories of personal information the business has collected 11 about consumers in the preceding 12 months; 12 (2) the sources identified by category from which the business collects 13 personal information; 14 (3) the business purpose or commercial purpose for collecting, selling, 15 or sharing personal information; 16 (4) the third parties identified by category to whom the business 17 discloses personal information; and 18 (5) that a consumer may request the specific pieces of personal 19 information the business has collected about that consumer. 20 (c) A business complies with (b)(1) - (4) of this section if the categories of 21 personal information and the business purpose or commercial purpose for collecting, 22 selling, or sharing personal information the business is required to disclose to the 23 consumer under (b)(1) - (4) of this section are the same as the information it has 24 disclosed upon a verifiable consumer request under (a)(1) - (4) of this section. 25 (d) To identify a consumer making a verifiable consumer request under (a) of 26 this section, a business shall associate the information provided by the consumer in the 27 verifiable consumer request with personal information previously collected by the 28 business about the consumer. 29 (e) When identifying personal information by category under (a) and (b) of 30 this section, a business shall use the category of personal information that most closely 31 describes the disclosure required.

01 (f) When disclosing to a consumer the specific pieces of personal information 02 a business has collected about the consumer under (a)(5) of this section, the business 03 shall provide the information in a format that is easily understandable to the average 04 consumer and, to the extent technically feasible, in a structured, commonly used, 05 machine-readable format that may also be used to transmit the information without 06 difficulty to another person at the consumer's request. 07 (g) A business is not considered to have disclosed personal information as 08 required by this section if the business, at the request of the consumer, transfers the 09 personal information to another business in order for the consumer to change to 10 another business to provide services. 11 (h) In this section, "specific pieces of personal information" does not include 12 data generated to help ensure the security and integrity of personal information. 13 Sec. 45.48.780. Consumer direction not to sell or share personal 14 information; sale or sharing of personal information. (a) A consumer may, at any 15 time, direct a business that sells to or shares with a third party personal information 16 about consumers not to sell to or share with the third party the consumer's personal 17 information. 18 (b) A business that sells to or shares with a third party a consumer's personal 19 information shall provide notice under AS 45.48.825 that the information may be sold 20 or shared and that a consumer may direct the business not to sell or share personal 21 information about the consumer. 22 (c) A business may not sell or share personal information about a consumer if 23 the business has actual knowledge that the consumer is under 16 years of age unless 24 the consumer is at least 13 years of age and consents to the sale or sharing of the 25 consumer's personal information, or unless the consumer is under 13 years of age and 26 the consumer's parent or guardian authorizes the sale or sharing of the consumer's 27 personal information. A business that intentionally disregards a consumer's age shall 28 be considered to have had actual knowledge of the consumer's age. If consent for a 29 business to sell or share a consumer's personal information is refused, the business 30 shall wait at least 12 months before requesting the consumer to consent to the sale or 31 sharing of the consumer's personal information, or, if the consumer is between 13 and

01 16 years of age, shall wait until the consumer is 16 years of age. 02 (d) A third party may not sell or share the personal information about a 03 consumer that a business sold to or shared with the third party unless the business that 04 sold or shared the personal information provides notice to the consumer that the 05 personal information will be sold or shared and that the consumer may direct the third 06 party not to sell or share the personal information. 07 Sec. 45.48.785. Consumer direction to limit use of sensitive personal 08 information. (a) A business that collects sensitive personal information about a 09 consumer and uses the information for purposes other than those authorized by (b) of 10 this section shall provide a notice to consumers under AS 45.48.825 that the 11 information may be used, and disclosed to a service provider or contractor, for 12 additional, specified purposes and that a consumer may direct a business to limit the 13 use or disclosure of the information. 14 (b) A consumer may, at any time, direct a business that collects sensitive 15 personal information about the consumer to limit the use of the information to a use 16 that is necessary to provide the services or goods reasonably expected by an average 17 consumer who requests the services or goods and to provide the services set out in 18 AS 45.48.850(b)(2), (4), (5), and (8). 19 (c) A business that collects sensitive personal information about a consumer 20 and receives a direction from a consumer to limit the use of the information to a use 21 authorized by (b) of this section may not use the consumer's sensitive personal 22 information other than as authorized by (b) of this section, unless the consumer later 23 provides consent for the business to use the information for an additional purpose. 24 (d) A service provider or contractor that assists a business in performing the 25 purposes authorized by (b) of this section may not use a consumer's sensitive personal 26 information, to the extent the service provider or contractor has actual knowledge that 27 the personal information is sensitive personal information, for any purpose other than 28 the purposes authorized by (b) of this section if the business notifies the service 29 provider or contractor that the consumer directed the business to limit the use of the 30 information under (b) of this section. A service provider or contractor is not required 31 to limit the use of sensitive personal information received from a business unless the

01 business instructs the service provider or contractor to limit the use of the information, 02 and then the limitation only applies to the use that arises out of the relationship of the 03 service provider or contractor with the business. 04 (e) Sensitive personal information that is collected or processed without the 05 purpose of inferring characteristics about a consumer is not subject to this section and 06 is treated as personal information under AS 45.48.760 - 45.48.925. 07 Sec. 45.48.790. Required business disclosures of personal information sold, 08 shared, or disclosed. (a) A business that sells or shares personal information about a 09 consumer, or that discloses personal information about a consumer for a business 10 purpose, shall, upon receiving a verifiable consumer request from a consumer, 11 disclose to the consumer the category of personal information that the business 12 (1) collected about the consumer; 13 (2) sold or shared about the consumer and the categories of third 14 parties to whom the business sold, or with whom the business shared, the personal 15 information; the business shall make the disclosure by identifying the category of 16 personal information under each category of third parties to whom the business sold, 17 or with whom the business shared, the personal information; and 18 (3) disclosed about the consumer and the categories of persons to 19 whom the business disclosed the personal information. 20 (b) Without receiving a verifiable consumer request, a business that sells or 21 shares personal information about a consumer, or that discloses personal information 22 about a consumer for a business purpose, shall, using separate lists for (1) and (2) of 23 this subsection, disclose in its online privacy policy statement or, if the business does 24 not maintain an online privacy policy statement, on its Internet website the category of 25 consumers' personal information that most closely describes the personal information 26 the business has 27 (1) sold or shared; if the business has not sold or shared consumers' 28 personal information, the business shall disclose that fact; and 29 (2) disclosed for a business purpose; if the business has not disclosed 30 consumers' personal information for a business purpose, the business shall disclose 31 that fact.

01 (c) A business shall disclose the information under (b) of this section in a form 02 that is reasonably accessible to consumers and shall update the information at least 03 once every 12 months. 04 Sec. 45.48.795. Additional disclosure provisions. (a) In addition to any other 05 requirement of AS 45.48.760 - 45.48.925, a business that is subject to AS 45.48.760 - 06 45.48.790 or 45.48.830 shall disclose in a form that is reasonably accessible to 07 consumers the following information in its online privacy policy statement or, if the 08 business does not have an online privacy policy statement, on its Internet website, and 09 shall update the information at least once every 12 months: 10 (1) a description of a consumer's rights under AS 45.48.760 - 11 45.48.790 and 45.48.830, and a description of the financial incentives offered under 12 AS 45.48.830(d) that apply to the business; 13 (2) except as provided in AS 45.48.810(a)(1), two or more designated 14 methods for submitting a verifiable consumer request to the business; in this 15 paragraph, "designated method" means a mailing address, electronic mail address, 16 Internet website, Internet website portal, toll-free telephone number, or other contact 17 information; and 18 (3) for a business to which AS 45.48.775(c) applies, 19 (A) a list of the categories of personal information about 20 consumers the business has collected in the preceding 12 months by reference 21 to the category in AS 45.48.840(a) that most closely describes the personal 22 information collected; 23 (B) the categories of sources from which personal information 24 about consumers is collected; 25 (C) the business purpose or commercial purpose for collecting, 26 selling, or sharing personal information about consumers; and 27 (D) the categories of third parties to whom the business 28 discloses personal information about consumers. 29 (b) A business that sells or shares personal information about consumers, or 30 that uses or discloses sensitive personal information about consumers for a purpose 31 other than the purposes authorized by AS 45.48.785(b) shall include in its online

01 privacy policy statement or, if the business does not have an online privacy policy 02 statement, on its Internet website 03 (1) a description of a consumer's rights under AS 45.48.780 and 04 45.48.785; and 05 (2) an electronic connection to a "Do Not Sell or Share My Personal 06 Information" Internet page to direct a business not to sell or share a consumer's 07 personal information under AS 45.48.780(a), an electronic connection to a "Limit the 08 Use of My Sensitive Personal Information" Internet page to direct a business to limit 09 the use or disclosure of a consumer's sensitive personal information under 10 AS 45.48.785(a), a single electronic connection to both Internet pages, or a statement 11 that the business responds to and abides by preference signals sent by a platform, 12 technology, or mechanism established to direct the business not to sell or share 13 personal information or to limit the use or disclosure of sensitive personal information. 14 Sec. 45.48.800. Criteria for business to collect, use, retain, or share 15 personal information. A business may not collect, use, retain, or share personal 16 information about a consumer unless 17 (1) the collection, use, retention, or sharing is reasonably necessary 18 and proportionate for achieving the purposes disclosed under AS 45.48.760 for which 19 the business collected or processed the personal information or for another purpose 20 that is compatible with the context in which the business collected the personal 21 information and that was disclosed by the business under AS 45.48.760; and 22 (2) the business does not further process the personal information in a 23 manner that is incompatible with the purposes described in (1) of this section. 24 Sec. 45.48.805. Required agreement. (a) Before a business that collects 25 personal information about a consumer sells the personal information to a third party, 26 shares the personal information with a third party, or discloses the personal 27 information to a service provider or contractor, the business shall enter into an 28 agreement with the third party, service provider, or contractor that complies with (b) 29 of this section. 30 (b) The agreement required by (a) of this section must 31 (1) provide that the business is selling, sharing, or disclosing a

01 consumer's personal information only for limited and specified business purposes; 02 (2) require the third party, service provider, or contractor to comply 03 with the obligations that apply to the third party, service provider, or contractor under 04 AS 45.48.760 - 45.48.925; 05 (3) allow the business to take reasonable and appropriate steps to 06 ensure that the third party, service provider, or contractor uses the personal 07 information in a manner consistent with the obligations of the business under 08 AS 45.48.760 - 45.48.925; 09 (4) require the third party, service provider, or contractor to notify the 10 business if the third party, service provider, or contractor determines that the third 11 party, service provider, or contractor cannot meet the obligations of the third party, 12 service provider, or contractor under AS 45.48.760 - 45.48.925; and 13 (5) allow the business, after giving notice to the third party, service 14 provider, or contractor, or after receiving notice under (4) of this subsection, to take 15 reasonable and appropriate steps to stop any unauthorized use of personal information. 16 (c) In addition to the requirements of (b) of this section, an agreement between 17 a business and a service provider must 18 (1) prohibit a service provider from 19 (A) selling or sharing a consumer's personal information 20 received from the business; 21 (B) retaining, using, or disclosing a consumer's personal 22 information for a commercial or other purpose, other than the business 23 purposes specified in the contract with the business, or as otherwise permitted 24 by AS 45.48.760 - 45.48.895; 25 (C) retaining, using, or disclosing a consumer's personal 26 information outside of the direct business relationship between the service 27 provider and the business; 28 (D) combining a consumer's personal information that the 29 service provider receives from, or on behalf of, the business with a consumer's 30 personal information that the service provider receives from, or on behalf of, 31 another person, or collects directly from a consumer; however, a service

01 provider may combine personal information to perform a business purpose, 02 except as prohibited by AS 45.48.850(b)(6); 03 (2) permit the business to monitor the service provider's compliance 04 with the contract through ongoing manual reviews, automated scans, regular 05 assessments, audits, and other technical and operational testing at least once every 12 06 months; and 07 (3) require the service provider to notify the business if the service 08 provider is using another person to assist in processing the personal information or if 09 the other person is using another person to assist in processing the personal 10 information, and require the other person to comply with the agreement requirements 11 under (b) of this section and with this subsection. 12 Sec. 45.48.810. Rules for handling requests. (a) A business shall, in a form 13 that is reasonably accessible to consumers, make available to consumers two or more 14 methods, including a toll-free telephone number, for submitting a request for deletion 15 under AS 45.48.765, a request for correction under AS 45.48.770, or a request for 16 disclosure under AS 45.48.775 or 45.48.790, except that a business that 17 (1) operates exclusively online and has a direct relationship with a 18 consumer from whom it collects personal information is only required to provide the 19 consumer with an electronic mail address for submitting a request; 20 (2) maintains an Internet website shall also make the Internet website 21 available to consumers to submit a request. 22 (b) A business shall take a requested action within 45 days after receiving a 23 verifiable consumer request from the consumer, but, if a business determines that an 24 extension of time is reasonably necessary, and if the business provides the consumer 25 with notice of an extension within the 45-day period after submission of the request, 26 the business may extend the 45-day period one time for up to an additional 45 days. 27 (c) A business shall determine whether a request is a verifiable consumer 28 request within 45 days after receiving the request. A business may require 29 authentication of the consumer that is reasonable in light of the personal information 30 requested, but may not require the consumer to create an account with the business to 31 make a request. However, if a consumer has an account with the business, the business

01 may require the consumer to use that account to submit a request. 02 (d) For a disclosure request, the information required to be disclosed must 03 cover the 12-month period preceding the date the business receives the disclosure 04 request, except that if a consumer requests that the business disclose the required 05 information for a period before that 12-month period, the business shall provide the 06 information for that period, unless providing the information is impossible or involves 07 disproportionate effort. 08 (e) A business shall make the requested disclosure action in writing and shall 09 deliver the information in a format that is easily understandable to the average 10 consumer and, to the extent technically feasible, in a structured, commonly used, 11 machine-readable format that may also be used to transmit the information without 12 difficulty. 13 (f) A business shall make a disclosure under this section 14 (1) through the consumer's account with the business, if the consumer 15 maintains an account with the business; or 16 (2) by mail or electronic means, at the consumer's option, if the 17 consumer does not maintain an account with the business. 18 (g) A business that receives a disclosure request shall disclose to the consumer 19 the personal information the business has collected, directly or indirectly, about the 20 consumer and may use a service provider or contractor to disclose the information. 21 (h) If a business does not take action on a request within the 45-day period 22 under (b) of this section, the business shall notify the consumer, within that period, of 23 the reasons for not taking action and any right the consumer may have to appeal the 24 decision to the business. 25 (i) If a business receives a request that is manifestly unfounded or manifestly 26 excessive, including the repetition of an earlier request, the business may charge a 27 reasonable fee for the administrative costs of fulfilling the request or refuse to act on 28 the request and inform the consumer of the reason for refusing to act on the request. 29 The business has the burden of demonstrating that a verifiable consumer request is 30 manifestly unfounded or manifestly excessive. 31 (j) A service provider or contractor is not required to comply with a request

01 received directly from a consumer or the consumer's authorized agent under 02 AS 45.48.775 or 45.48.790 to the extent the service provider or contractor has 03 collected personal information about the consumer as a service provider or contractor. 04 A service provider or contractor shall assist a business with which it has an agreement 05 under AS 45.48.805 in responding to a request made to the business. The assistance 06 includes 07 (1) providing the business with the personal information about a 08 consumer that the service provider or contractor obtained and retains as a result of 09 providing services to the business; 10 (2) correcting inaccurate information or enabling the business to 11 correct inaccurate information; and 12 (3) providing appropriate technical and organizational assistance. 13 (k) Nothing in this section requires a business to retain personal information 14 about a consumer for any length of time. 15 (l) A business that receives a verifiable consumer request under AS 45.48.775 16 or 45.48.790 shall disclose to a consumer the personal information about the consumer 17 the business has collected, directly or indirectly, including information the business 18 has received through or from a service provider or contractor. 19 (m) A business is not required to make a disclosure to the same consumer 20 more than twice in a 12-month period. 21 (n) Except as provided in (i) of this section, a business shall satisfy a 22 disclosure request without charge to the consumer. 23 (o) A business shall ensure that each individual responsible for handling 24 consumer inquiries or the business's compliance with AS 45.48.760 - 45.48.925 is 25 informed of the requirements under this section and AS 45.48.765 - 45.48.775 and 26 45.48.790, and how to direct a consumer to exercise the consumer's rights under this 27 section, AS 45.48.765 - 45.48.775, and 45.48.790. 28 (p) In this section, 29 (1) "disclosure" means the disclosure required under AS 45.48.775 or 30 45.48.790; 31 (2) "disclosure action" means a disclosure made under AS 45.48.775

01 or 45.48.790; 02 (3) "disclosure request" means a request for disclosure under 03 AS 45.48.775 or 45.48.790; 04 (4) "request" means a request for deletion under AS 45.48.765, 05 correction under AS 45.48.770, or disclosure under AS 45.48.775 or 45.48.790; 06 (5) "requested action" means deletion under AS 45.48.765, correction 07 under AS 45.48.770, or disclosure under AS 45.48.775 or 45.48.790. 08 Sec. 45.48.815. Exceptions to requests for deletion. A business, or a service 09 provider or contractor acting under an agreement with the business under 10 AS 45.48.805, is not required to comply with a consumer's request to delete the 11 consumer's personal information under AS 45.48.765 if it is reasonably necessary for 12 the business, service provider, or contractor to maintain the consumer's personal 13 information to 14 (1) complete the transaction for which the personal information was 15 collected, fulfill the terms of a written warranty or product recall conducted under 16 federal law, provide the goods or services requested by the consumer or reasonably 17 expected by the consumer within the context of an ongoing business relationship with 18 the consumer, or otherwise perform a contract between the business and the consumer; 19 (2) ensure the security and integrity of the personal information to the 20 extent the use of the personal information is reasonably necessary and proportionate 21 for this purpose; 22 (3) identify and repair existing errors that impair the intended 23 functioning of the operations of the business, service provider, or contractor; 24 (4) exercise the right of free speech, ensure the right of another 25 consumer to exercise the consumer's right of free speech, or exercise another right 26 provided for by law; 27 (5) engage in public or peer-reviewed scientific, historical, or 28 statistical research that conforms or adheres to all other applicable ethics and privacy 29 laws, if deletion of the personal information is likely to render impossible or seriously 30 impair the ability to complete the research and if the consumer provides informed 31 consent for the research;

01 (6) enable uses that are solely internal, that are reasonably aligned with 02 the expectations of the consumer based on the consumer's relationship with the 03 business, and that are compatible with the context in which the consumer provided the 04 personal information; or 05 (7) comply with a legal obligation. 06 Sec. 45.48.820. Use of verification information. If a business collects 07 personal information from a consumer to verify the consumer's request under 08 AS 45.48.760 - 45.48.925, the business may not further disclose the personal 09 information to another person, retain the personal information for longer than is 10 necessary to verify the consumer's request, or use the personal information for 11 unrelated purposes. 12 Sec. 45.48.825. Business procedures and practices regarding the sale and 13 sharing of personal information and use and disclosure of sensitive personal 14 information. (a) A covered business shall, in a form that is reasonably accessible to 15 consumers, provide a clear and conspicuous electronic connection on the Internet 16 home page of the business to an Internet website that enables a consumer, or a person 17 authorized by the consumer, to direct the business 18 (1) not to sell or share the consumer's personal information; the 19 electronic connection must be labelled "Do Not Sell or Share My Personal 20 Information"; and 21 (2) to limit the use or disclosure of the consumer's sensitive personal 22 information to uses authorized by AS 45.48.785(b); the electronic connection must be 23 labelled "Limit the Use of My Sensitive Personal Information." 24 (b) Instead of providing the electronic connections described in (a) of this 25 section, a covered business may provide, on the Internet home page of the business, a 26 single, clearly labeled electronic connection that allows a consumer to easily direct the 27 covered business not to sell or share the consumer's personal information and to limit 28 the use or disclosure of the consumer's sensitive personal information. 29 (c) If a covered business responds to a consumer direction received under (a) 30 or (b) of this section by informing the consumer that there is a charge under 31 AS 45.48.810(i), the business shall also present the terms of a financial incentive

01 offered by the business under AS 45.48.830(d) for the sale or sharing of the 02 consumer's personal information. 03 (d) Instead of providing the electronic connections under (a) or (b) of this 04 section, a covered business may allow a consumer to direct the business not to sell or 05 share the consumer's personal information or to limit the use or disclosure of the 06 consumer's sensitive personal information by using an electronic preference signal 07 sent with the consumer's consent to the Internet website of the business, if 08 (1) the Internet website also allows the consumer or a person 09 authorized by the consumer to revoke the consent as easily as the consent is provided; 10 and 11 (2) the electronic preference signal does not degrade the consumer's 12 experience on the Internet website the consumer intends to visit and has a similar 13 appearance and size relative to other electronic connections on the same Internet 14 website. 15 (e) A covered business may not require a consumer to create an account or 16 provide additional information beyond what is necessary to direct the covered business 17 not to sell or share the consumer's personal information or to limit the use or 18 disclosure of the consumer's sensitive personal information. 19 (f) A covered business shall include a description of a consumer's rights under 20 AS 45.48.780, 45.48.785, or both, as applicable, in its online privacy policy statement 21 or, if the covered business does not have an online privacy policy statement, on its 22 Internet website. 23 (g) A covered business shall wait at least 12 months after a consumer directs 24 the covered business not to sell or share the consumer's personal information or to 25 limit the use and disclosure of the consumer's sensitive personal information, or both, 26 to ask the consumer to authorize the covered business to sell or share the consumer's 27 personal information or to use or disclose the consumer's sensitive personal 28 information for an additional purpose. 29 (h) Except as provided by this section, a covered business may not use the 30 personal information collected from a consumer in connection with the consumer's 31 submission of a direction not to sell or share the consumer's personal information or to

01 limit the use or disclosure of the consumer's sensitive personal information for a 02 purpose other than to implement the consumer's direction. 03 (i) A covered business does not have to include the electronic connections and 04 text required by this section on the Internet home page that the covered business 05 makes available to the public generally, if the covered business maintains a separate 06 and additional Internet home page that is dedicated to consumers in the state and that 07 includes the electronic connections and text required under (a) of this section, and if 08 the covered business takes reasonable steps to ensure that consumers in the state are 09 directed to the Internet home page for consumers in the state and not the Internet home 10 page made available to the public generally. 11 (j) If a covered business communicates a consumer's direction not to sell or 12 share the consumer's personal information under AS 45.48.780 to a person authorized 13 by the covered business to collect personal information, the person may use the 14 consumer's personal information only for a business purpose specified by the business 15 or as otherwise permitted by AS 45.48.760 - 45.48.925, and may not 16 (1) sell or share the personal information; 17 (2) retain, use, or disclose the personal information 18 (A) for a purpose other than providing the services to the 19 covered business; 20 (B) outside of the direct business relationship between the 21 person and the covered business; or 22 (C) for a commercial purpose other than providing the services 23 to the covered business. 24 (k) A covered business that communicates a consumer's direction under (a) or 25 (b) of this section to a person is not liable under AS 45.48.760 - 45.48.925 if the 26 person receiving the consumer's direction violates the restrictions set out in 27 AS 45.48.760 - 45.48.925 and the covered business, when communicating the 28 consumer's direction, does not have actual knowledge or reason to believe that the 29 person intends to commit the violation. A contract provision that waives or limits this 30 subsection is void and unenforceable. 31 (l) In this section, "covered business" means a business that

01 (1) sells or shares personal information about a consumer; or 02 (2) uses or discloses sensitive personal information about a consumer 03 for purposes other than those authorized by AS 45.48.785(b). 04 Sec. 45.48.830. Retaliation; incentives. (a) A business may not retaliate 05 against a consumer for exercising the consumer's rights under AS 45.48.760 - 06 45.48.925. In this subsection, "retaliate" includes 07 (1) denying goods or services to the consumer; 08 (2) charging different prices or rates for goods or services, including 09 through the use of discounts or other benefits or by imposing penalties; 10 (3) providing a different level or quality of goods or services to the 11 consumer; or 12 (4) suggesting that the consumer will receive a different price or rate 13 for goods or services or a different level or quality of goods or services. 14 (b) A business may not retaliate against an employee, applicant for 15 employment, or independent contractor for exercising the rights of a consumer under 16 AS 45.48.760 - 45.48.925. 17 (c) Nothing in (a) or (b) of this section prohibits a business from charging a 18 consumer a different price or rate, or from providing a different level or quality of 19 goods or services to the consumer, if the difference is reasonably related to the value 20 provided to the business by the consumer's data. This subsection does not prohibit a 21 business from offering loyalty, rewards, premium features, discounts, or loyalty card 22 programs that do not violate AS 45.48.760 - 45.48.925. 23 (d) A business may offer a financial incentive, including a payment, to a 24 consumer as compensation for the collection of personal information, the sale or 25 sharing of personal information, or the retention of personal information. 26 (e) A business may not enter a consumer into a financial incentive program 27 under (d) of this section unless, before entering the consumer into the financial 28 incentive program, the consumer gives the business consent that clearly describes the 29 material terms of the financial incentive program. A consumer may revoke the consent 30 at any time. If a consumer refuses to provide consent, the business shall wait at least 31 12 months after the refusal before next requesting that the consumer provide consent.

01 (f) A business may not use financial incentive practices that are unjust, 02 unreasonable, coercive, or usurious in nature. 03 (g) A business shall ensure that each individual responsible for handling 04 consumer inquiries about the business's compliance with AS 45.48.760 - 45.48.925 is 05 informed of the requirements of this section and how to direct a consumer to exercise 06 the consumer's rights under this section. 07 Sec. 45.48.835. Businesses covered. (a) A person is considered a business that 08 must comply with AS 45.48.760 - 45.48.925 if 09 (1) the person 10 (A) is organized or operated for the profit or financial benefit 11 of its shareholders or other owners; 12 (B) collects personal information about consumers or receives 13 personal information about consumers that is collected on the person's behalf; 14 (C) determines by itself, or jointly with other persons, the 15 purposes and means of processing of personal information about consumers; 16 (D) conducts its affairs in the state; and 17 (E) satisfies one of the following: 18 (i) as of January 1 of the applicable calendar year, had 19 annual gross revenue in excess of $25,000,000 in the preceding 20 calendar year; 21 (ii) by itself, or jointly with other persons, annually 22 buys, sells, or shares the personal information of 100,000 or more 23 consumers or households; 24 (iii) derives 50 percent or more of its annual revenue 25 from selling or sharing personal information about consumers; 26 (2) the person controls or is controlled by, has common branding with, 27 and receives consumers' personal information from a person described in (1) of this 28 subsection; in this paragraph, 29 (A) "common branding" means a shared name, service mark, or 30 trademark that the average consumer would understand to indicate that two or 31 more persons are commonly owned;

01 (B) "control" means ownership of, or the power to vote, more 02 than 50 percent of the outstanding shares or other ownership interests of a class 03 of voting securities of a business, the power over the election of a majority of 04 directors of a business or individuals exercising similar functions as directors, 05 or the power to influence the management of a business; or 06 (3) the person is a joint venture or partnership that consists of persons 07 identified in (1) or (2) of this subsection and in which each of the persons has at least a 08 40 percent interest in the joint venture or partnership. 09 (b) In AS 45.48.760 - 45.48.925, a joint venture or partnership under (a)(3) of 10 this section and each business that makes up the joint venture or partnership are 11 considered to be a single business. However, a business that is part of the joint venture 12 may not share with another business that is part of the joint venture the personal 13 information in the possession of the business and disclosed to the joint venture or 14 partnership. 15 Sec. 45.48.840. Personal and sensitive information covered. (a) In 16 AS 45.48.760 - 45.48.925, personal information includes the items in the following 17 categories if the item identifies, relates to, describes, is reasonably capable of being 18 associated with, or is reasonably capable of being connected with, directly or 19 indirectly, a particular consumer or household: 20 (1) name, alias, postal address, unique personal identifier, online 21 identifier address, Internet protocol address, electronic mail address, account name, or 22 another similar identifier; 23 (2) signature; 24 (3) physical characteristic or physical description; 25 (4) telephone number; 26 (5) insurance policy number; 27 (6) education, employment, professional employment, employment 28 history, or other information related to employment; 29 (7) bank account number or other financial information; 30 (8) medical or health insurance information; 31 (9) characteristics of classifications protected under federal law or the

01 law of this state; 02 (10) record of personal property, products, or services purchased, 03 obtained, or considered, other purchasing or consuming history or tendency, or other 04 commercial information; 05 (11) biometric information; 06 (12) Internet browsing history, Internet search history, information 07 regarding a consumer's interaction with an Internet website, application, or 08 advertisement, or other Internet or electronic network activity information; 09 (13) geolocation data; 10 (14) audio, electronic, visual, thermal, olfactory, or similar 11 information; 12 (15) information that is personally identifiable information under 34 13 C.F.R. 99.3; 14 (16) inferences drawn from the information identified in this 15 subsection to create a profile about a consumer reflecting the consumer's preferences, 16 characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, 17 abilities, or aptitudes; and 18 (17) sensitive personal information. 19 (b) Notwithstanding (a) of this section, information is not personal 20 information if the information is 21 (1) publicly available information or lawfully obtained truthful 22 information that is a matter of public concern; 23 (2) information that is de-identified or aggregate consumer 24 information. 25 (c) Under AS 45.48.760 - 45.48.925, information is considered to be sensitive 26 personal information if the information is not publicly available information and 27 (1) reveals 28 (A) a consumer's social security number, driver's license 29 number, state identification card number, or passport number; 30 (B) the number of a consumer's Internet account, financial 31 account, debit card account, credit card account, or other account, in

01 combination with any required security or access code, password, or 02 credentials allowing access to the account; 03 (C) a consumer's precise geolocation; 04 (D) a consumer's racial or ethnic origin, religious or 05 philosophical beliefs, or union membership; 06 (E) the contents of a consumer's mail or electronic mail, text 07 message, or other electronic communication, unless the business possessing the 08 information is the intended recipient of the communication; or 09 (F) a consumer's genetic data; 10 (2) includes biometric information that is processed or otherwise used 11 to identify a consumer; 12 (3) includes information collected and analyzed concerning a 13 consumer's health; or 14 (4) includes information collected and analyzed about a consumer's 15 sexual life or sexual orientation. 16 (d) When AS 45.48.760 - 45.48.925 require a category of sensitive personal 17 information to be disclosed, the category shall be described using the specific terms 18 set out in (c) of this section. 19 Sec. 45.48.845. Contractors covered. (a) A person is considered a contractor 20 that must comply with AS 45.48.760 - 45.48.925 if a business makes available to the 21 person a consumer's personal information for a business purpose under a written 22 contract with the business that satisfies (b) of this section. 23 (b) A contract under (a) of this section must 24 (1) prohibit the contractor from 25 (A) selling or sharing personal information the contractor 26 receives from the business; 27 (B) retaining, using, or disclosing personal information the 28 contractor receives from the business for a purpose other than a purpose 29 specified in the contract; 30 (C) retaining, using, or disclosing personal information in a 31 way or for a purpose that is not covered by the direct relationship with the

01 business; 02 (D) combining personal information that the contractor 03 receives under the contract with the business with personal information that the 04 contractor receives from or on behalf of another person or collects directly 05 from the consumer; 06 (2) include an agreement by the contractor that the contractor 07 understands and will comply with the restrictions in (1) of this subsection; and 08 (3) permit, subject to agreement with the contractor, the business to 09 monitor the contractor's compliance with the contract, including through reviews by 10 individuals, automated scans, regular assessments, audits, or other technical and 11 operational testing, at least once every 12 months. 12 (c) If a contractor uses another person to assist in processing personal 13 information for a business purpose on behalf of the business, or if the other person 14 uses another person to assist in processing personal information for the business 15 purpose, the contractor shall notify the business that the contractor or other person is 16 being used for the processing, the contractor shall use a written contract for the 17 services of the person, and the written contract must require the other person to 18 observe all the requirements set out in (b) of this section. 19 (d) A contractor is not required to 20 (1) re-identify or otherwise connect information that, in the ordinary 21 course of business, the contractor would not maintain in a manner that would be 22 considered personal information; 23 (2) retain personal information about a consumer if, in the ordinary 24 course of business, the contractor would not retain the information; 25 (3) maintain, collect, obtain, retain, or access data or technology in a 26 form that is capable of connecting or associating a verifiable consumer request with 27 personal information about a consumer. 28 Sec. 45.48.850. Covered business purposes. (a) In AS 45.48.760 - 45.48.925, 29 a purpose is considered to be a business purpose if 30 (1) a business uses a consumer's personal information for the 31 operational purposes of the business or for other purposes of which the consumer has

01 been notified or a service provider or contractor uses the personal information for the 02 operational purposes of the service provider or contractor; and 03 (2) the use of the personal information under (1) of this subsection is 04 reasonably necessary and proportionate to achieve the operational purpose for which 05 the personal information was collected or processed or for another purpose that is 06 compatible with the context in which the personal information was collected. 07 (b) A business purpose includes 08 (1) auditing related to counting the advertisement impressions of a 09 consumer, verifying positioning and quality of advertisement impressions, and 10 auditing compliance with this paragraph and other provisions of AS 45.48.760 - 11 45.48.925; in this paragraph, "advertisement impression" means a digital 12 advertisement display on a consumer's electronic screen; 13 (2) ensuring security and integrity of personal information about a 14 consumer to the extent the use of the consumer's personal information is reasonably 15 necessary and proportionate for this purpose; 16 (3) identifying and removing computer errors that impair existing 17 intended operations; 18 (4) nonpersonalized advertising shown as part of a consumer's current 19 interaction with the business and other short-term, transient use, if the consumer's 20 personal information is not disclosed to a third party and is not used to build a profile 21 about the consumer or otherwise alter the consumer's experience outside the current 22 interaction with the business; in this paragraph, "nonpersonalized advertising" means 23 advertising that is based solely on personal information about a consumer derived 24 from the consumer's current interaction with the business, except for the consumer's 25 precise geolocation; 26 (5) maintaining or servicing accounts, providing customer service, 27 processing or fulfilling orders and transactions, verifying customer information, 28 processing payments, providing financing, providing analytical services, or providing 29 similar services on behalf of the business; 30 (6) providing advertising and marketing services, other than cross- 31 context behavioral advertising, to a consumer, except that, for the purpose of

01 advertising and marketing, a service provider or contractor may not combine personal 02 information about a consumer that the service provider or contractor receives from, or 03 on behalf of, the business with personal information that the service provider or 04 contractor receives from, or on behalf of, another person, or collects directly from the 05 consumer, if the consumer has directed the business under AS 45.48.780 not to sell to 06 or share the consumer's personal information; in this paragraph, "advertising and 07 marketing" means a communication by a business or a person acting on behalf of the 08 business in a medium intended to induce a consumer to obtain goods, services, or 09 employment; 10 (7) undertaking internal research for technological development and 11 demonstration; and 12 (8) undertaking activities to verify or maintain the quality or safety of 13 or to improve, upgrade, or enhance a service or device that is owned by, manufactured 14 by or for, or controlled by the business. 15 Sec. 45.48.855. Characterization of personal information sharing. (a) 16 Except as provided in (b) of this section, a business shares personal information under 17 AS 45.48.760 - 45.48.925 when the business rents, releases, discloses, disseminates, 18 makes available, transfers, or otherwise communicates orally, in writing, or by 19 electronic or other means a consumer's personal information to a third party for cross- 20 context behavioral advertising, whether for money or other valuable consideration. 21 (b) A business does not share a consumer's personal information under (a) of 22 this section if 23 (1) a consumer uses or directs the business to intentionally disclose 24 personal information or intentionally interact with a third party; 25 (2) the consumer has directed the business not to share or sell the 26 consumer's personal information under AS 45.48.780 or to limit the use of the 27 consumer's sensitive personal information under AS 45.48.785 and the business uses 28 or rents, releases, discloses, disseminates, makes available, transfers, or otherwise 29 communicates an identifier for a consumer to alert a person that the consumer has 30 directed the business not to sell or share the consumer's personal information or to 31 limit the use of the consumer's sensitive personal information;

01 (3) the business transfers to a third party the personal information as an 02 asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the 03 third party assumes control of all or part of the business, if the business and the third 04 party use or share the personal information as required by AS 45.48.760 - 45.48.925. 05 (c) In (b)(3) of this section, if a third party will materially alter how it uses or 06 shares the personal information about a consumer in a manner that is materially 07 inconsistent with the disclosures made under AS 45.48.775 at the time the personal 08 information was collected, the third party shall provide a prominent notice of the new 09 or changed practice to the consumer before sharing or using the information. Nothing 10 in this subsection authorizes a business to make material, retroactive privacy policy 11 changes or other changes in its privacy policy in a manner that would violate 12 AS 45.50.471 - 45.50.561 (Alaska Unfair Trade Practices and Consumer Protection 13 Act). 14 Sec. 45.48.860. Requirements for consent. (a) Except as otherwise provided 15 for a minor's consent to selling or sharing personal information under 16 AS 45.48.780(c), a consumer may consent under AS 45.48.760 - 45.48.925 if the 17 consumer is 16 years of age or older or the consumer's parent, the consumer's legal 18 guardian, a person holding the consumer's power of attorney, or a person acting as a 19 conservator for the consumer communicates the consumer's consent. The consent must 20 be a specific, informed, and unambiguous agreement to the processing of personal 21 information relating to the consumer, and the purpose of processing the personal 22 information must be narrowly defined. 23 (b) Notwithstanding the other provisions of AS 45.48.760 - 45.48.925, a 24 person does not consent under AS 45.48.760 - 45.48.925 if the person 25 (1) accepts a document that consists of general or broad terms for the 26 use or processing of personal information or other unrelated information; 27 (2) hovers over, mutes, pauses, or closes a given piece of content on a 28 computer or other electronic device; 29 (3) enters into an agreement obtained through the use of a computer 30 interface designed or manipulated to subvert or impair the autonomy, decision making, 31 or choice of a computer; in this paragraph, "computer interface" means a boundary

01 shared by two or more separate parts of a computer system over which the 02 components exchange information. 03 Sec. 45.48.865. Covered sales. (a) In AS 45.48.760 - 45.48.925, "sell," 04 "selling," "sale," or "sold" refers to the activity of a business when the business trades, 05 rents, releases, discloses, disseminates, makes available, transfers, or otherwise 06 communicates orally, in writing, electronically, or by other means, a consumer's 07 personal information to a third party for monetary or other valuable consideration. 08 (b) Notwithstanding (a) of this section, a business does not sell a consumer's 09 personal information if 10 (1) the consumer uses or directs a business to intentionally disclose 11 personal information or intentionally interact with a third party that does not sell the 12 personal information under (a) of this section except as consistent with AS 45.48.810 - 13 45.48.890; in this paragraph, "intentionally" means intending to interact by one or 14 more deliberate interactions, but does not mean hovering over, muting, pausing, or 15 closing a given piece of content; 16 (2) the consumer has directed the business not to sell or share the 17 consumer's personal information under AS 45.48.780 or has limited the use of the 18 consumer's sensitive personal information under AS 45.48.785, and the business uses 19 or shares an identifier for a consumer to alert a person that the consumer has directed 20 the business not to sell or share the consumer's personal information or to limit the use 21 of the consumer's sensitive personal information; or 22 (3) the business transfers to a third party the personal information 23 about a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other 24 transaction in which the third party assumes control of all or part of the business, and 25 the third party uses or shares the information in accordance with AS 45.48.760 - 26 45.48.925; if the third party materially alters how it uses or shares the personal 27 information about a consumer in a manner that is materially inconsistent with the 28 disclosures made by the business under AS 45.48.775 at the time the personal 29 information was collected, the third party shall provide notice of the new or changed 30 practice to the consumer before using or sharing the personal information; the notice 31 must be sufficiently prominent and clear to ensure that the consumer can easily

01 exercise the consumer's choices under AS 45.48.760 - 45.48.925; nothing in this 02 paragraph authorizes a business to make material retroactive privacy policy changes or 03 other changes in its privacy policy in a manner that would violate AS 45.50.471 - 04 45.50.561 (Alaska Unfair Trade Practices and Consumer Protection Act). 05 Sec. 45.48.870. De-identification of personal information. (a) In 06 AS 45.48.760 - 45.48.925, personal information is de-identified if a person cannot 07 reasonably use the de-identified personal information to infer personal information 08 about, or otherwise be connected to, a particular consumer, and if the business that 09 possesses the de-identified personal information 10 (1) takes reasonable measures to ensure the de-identified personal 11 information cannot be associated with a consumer or household; 12 (2) publicly agrees to maintain and use the de-identified personal 13 information in de-identified form and not to attempt to re-identify the de-identified 14 personal information, except that the business may attempt to re-identify the de- 15 identified personal information solely for the purpose of determining whether its 16 processes satisfy the requirements of this subsection; and 17 (3) contractually obligates recipients of the de-identified personal 18 information to comply with the provisions of this subsection. 19 (b) A contract for the sale or license of de-identified personal information 20 must include the following provisions or substantially similar provisions: 21 (1) a statement that the de-identified personal information includes de- 22 identified consumer information; 23 (2) a statement that the purchaser or licensee may not re-identify or 24 attempt to re-identify the de-identified personal information; and 25 (3) a requirement that, unless otherwise allowed by law, the purchaser 26 or licensee of the de-identified personal information may not disclose the de-identified 27 personal information to a third party unless the third party is contractually bound by 28 the same or stricter restrictions and conditions. 29 Sec. 45.48.875. Re-identification of personal information. (a) Except as 30 otherwise provided in AS 45.48.760 - 45.48.925 or (b) of this section, a business or 31 other person may not re-identify, or attempt to re-identify, personal information that is

01 de-identified personal information. 02 (b) A business or other person may re-identify or attempt to re-identify de- 03 identified personal information 04 (1) for the treatment, payment, or health care operations conducted by 05 a covered entity or business associate acting on behalf of, and at the written direction 06 of, the covered entity; in this paragraph, "business associate" and "covered entity" 07 have the meanings given in 45 C.F.R. 160.103, and "health care operations," 08 "payment," and "treatment" have the meanings given in 45 C.F.R. 164.501; 09 (2) for a public health activity or purpose described in 45 C.F.R. 10 164.512; 11 (3) for research, as defined in 45 C.F.R. 164.501, that is conducted in 12 accordance with 45 C.F.R. Part 46 (Protection of Human Subjects); 13 (4) under a contract where the lawful holder of de-identified 14 information expressly engages a person to attempt to re-identify the de-identified 15 information to conduct testing, analysis, or validation of de-identification, or related 16 statistical techniques, if the contract prohibits any other use or disclosure of the re- 17 identified information and requires the return or destruction of the personal 18 information that was re-identified upon completion of the contract; in this paragraph, 19 "de-identified information" means information that is de-identified in accordance with 20 the requirements for de-identification set out in 45 C.F.R. 164.514, or is derived from 21 patient information that was originally collected, created, transmitted, or maintained 22 by a person regulated by the Health Insurance Portability and Accountability Act of 23 1996 (P.L. 104-191) or 45 C.F.R. Part 46 (Protection of Human Subjects); or 24 (5) if required by another provision of federal or state law. 25 (c) Information re-identified under this section is subject to applicable data 26 privacy and security laws of the federal government and the state, including the Health 27 Insurance Portability and Accountability Act of 1996 (P.L. 104-191) and 28 AS 45.48.760 - 45.48.925. 29 Sec. 45.48.880. Use of personal information for research. A business, 30 contractor, or service provider may not conduct research with personal information 31 that has been collected from a consumer in the course of the consumer's interactions

01 with a business for purposes other than research, unless the research 02 (1) is compatible with the business purpose for which the personal 03 information was collected; 04 (2) is later pseudonymized and de-identified, or de-identified and in 05 the aggregate, so that the information cannot reasonably identify, relate to, describe, 06 be capable of being associated with, or be connected to, directly or indirectly, a 07 particular consumer; in this paragraph, "pseudonymized" means the processing of 08 information in a manner that prevents the personal information from being attributable 09 to an identified or identifiable consumer without the use of additional information, in 10 which the additional information is kept separate from the personal information and 11 the personal information and the additional information are subject to technical and 12 organizational measures to ensure that the personal information is not attributed to an 13 identified or identifiable consumer; 14 (3) is subject to technical safeguards that prohibit re-identification of 15 the consumer to whom the information may relate; 16 (4) is subject to processes that specifically prohibit re-identification of 17 the information; 18 (5) is subject to business processes to prevent inadvertent release of 19 de-identified information; 20 (6) is protected from re-identification attempts; 21 (7) is used only for research purposes that are compatible with the 22 context in which the personal information was collected; 23 (8) is not used for a commercial purpose; and 24 (9) is subject to additional security controls that limit access to the 25 research data to only those individuals in a business that are necessary to carry out the 26 research. 27 Sec. 45.48.885. Liability of businesses, service providers, and contractors. 28 (a) A business that discloses personal information to a service provider or contractor in 29 compliance with AS 45.48.760 - 45.48.925 is not liable under AS 45.48.760 - 30 45.48.925 if the service provider or contractor uses the personal information in 31 violation of the restrictions set out in AS 45.48.760 - 45.48.925, if, when disclosing

01 the personal information, the business does not have actual knowledge, or reason to 02 believe, that the service provider or contractor intends to commit a violation. The 03 exemption from liability under this section does not apply to the disclosure of the 04 personal information about a consumer who 05 (1) has directed the business not to sell or share the consumer's 06 personal information under AS 45.48.780; 07 (2) has limited the use or disclosure of the consumer's sensitive 08 personal information under AS 45.48.785; or 09 (3) is under 16 years of age and has not consented to the sale or 10 sharing of the consumer's personal information to a third party. 11 (b) A service provider or contractor is not liable under AS 45.48.760 - 12 45.48.925 for the obligations of a business for which it provides services under 13 AS 45.48.760 - 45.48.925, except that the service provider or contractor is liable for its 14 own violations of AS 45.48.760 - 45.48.925. 15 (c) If a consumer's personal information, while not encrypted and not 16 redacted, or a consumer's electronic mail address in combination with a password or 17 security question and answer that would permit access to the account is accessed by or 18 disclosed to an unauthorized person because of a business's failure to implement and 19 maintain reasonable security procedures and practices appropriate to protect the 20 personal information, the consumer may institute a civil action against the business. In 21 the civil action, a court may 22 (1) award damages in an amount not less than $100 and not greater 23 than $750 for each failure, or actual damages, whichever amount is greater; 24 (2) issue an order for injunctive or declaratory relief; 25 (3) order other relief the court determines to be appropriate. 26 (d) When assessing the amount of damages under (c) of this section, the court 27 shall consider the nature and seriousness of the failure, the number of occurrences, the 28 persistence of the failure, the length of time over which the failure occurred, the 29 business's intent, the defendant's assets, liabilities, and net worth, and any other factor 30 that the court determines to be relevant. 31 (e) At least 30 days before bringing an action under (c) of this section, a

01 consumer shall give the business written notice identifying the specific failures of the 02 business. If, within the 30-day period, the business cures the noticed failures and 03 provides the consumer an express written statement that the failures have been cured 04 and that the business will not engage in further failures, the consumer may not bring 05 the action. If a business continues to engage in failures that breach the express written 06 statement provided to the consumer under this subsection, the consumer may initiate a 07 civil action against the business under (c) of this section to enforce the written 08 statement. 09 (f) The cause of action established by (c) of this section applies only to 10 violations under (c) of this section and may not be based on violations of any other 11 section of AS 45.48.760 - 45.48.925. 12 (g) This section does not create a private right of action under another law and 13 does not relieve a party from a duty or obligation imposed under another federal, state, 14 or municipal law. 15 Sec. 45.48.890. Effect on other persons. (a) A verifiable consumer request to 16 delete a consumer's personal information under AS 45.48.765, to correct inaccurate 17 personal information under AS 45.48.770, or to obtain specific pieces of personal 18 information under AS 45.48.775 does not extend to personal information about the 19 consumer that belongs to, or that the business maintains on behalf of, another natural 20 person. 21 (b) A business may rely on representations made in a verifiable consumer 22 request with respect to rights to personal information and is not required to search for 23 other persons that may have or claim to have a right to the personal information. A 24 business is not required to take any action under AS 45.48.760 - 45.48.925 if there is a 25 dispute between or among persons claiming the right to personal information in the 26 possession of the business. 27 Sec. 45.48.895. Civil penalties. (a) A business, service provider, contractor, or 28 other person that knowingly violates AS 45.48.760 - 45.48.925 is liable to the state for 29 a civil penalty not to exceed $2,500 for each violation. 30 (b) A business, service provider, contractor, or other person is liable to the 31 state for a civil penalty not to exceed $7,500 for each violation if the business, service

01 provider, contractor, or other person intentionally violates AS 45.48.760 - 45.48.925 02 and the violation involves personal information about a consumer who the business, 03 service provider, contractor, or other person has actual knowledge is under 16 years of 04 age. 05 Sec. 45.48.900. Exemptions. (a) The obligations imposed on a business, 06 service provider, contractor, or third party by AS 45.48.760 - 45.48.925 do not apply 07 to prevent a business, service provider, contractor, or third party from 08 (1) complying with federal, state, or local law; 09 (2) complying with a court order or subpoena to provide information; 10 (3) complying with a civil, criminal, or regulatory inquiry, 11 investigation, or summons of a federal, state, or municipal authority; 12 (4) cooperating with law enforcement agencies concerning conduct or 13 activity that the business, service provider, contractor, or third party reasonably and in 14 good faith believes may violate federal, state, or local law; 15 (5) cooperating with a federal, state, or municipal agency request for 16 emergency access to a consumer's personal information if a natural person is at risk or 17 in danger of death or serious physical injury and 18 (A) the agency's supervisor approves the request; 19 (B) the request is based on the agency's good faith 20 determination that the agency has a lawful basis to access the information on a 21 nonemergency basis; or 22 (C) the agency agrees to petition a court for an appropriate 23 order within three days after receiving the request and to destroy the 24 information if the order is not granted; 25 (6) exercising or defending a legal claim; 26 (7) collecting, using, retaining, selling, sharing, or disclosing personal 27 information about a consumer if the personal information is de-identified or aggregate 28 consumer information; 29 (8) collecting, selling, or sharing a consumer's personal information if 30 every aspect of the commercial conduct takes place outside the state; in this paragraph, 31 commercial conduct takes place outside the state if

01 (A) the business collects the information while the consumer is 02 outside the state; 03 (B) no part of the sale of the consumer's personal information 04 occurs in the state; and 05 (C) the business does not sell any part of the personal 06 information collected in the state. 07 (b) Notwithstanding (a)(8) of this section, a business may store, including on a 08 device, personal information about a consumer when the consumer is present in the 09 state and collect that personal information when the consumer is outside the state. 10 (c) The obligations imposed on a business by AS 45.48.775 - 45.48.795 and 11 45.48.825 do not apply when compliance would 12 (1) violate an evidentiary privilege; or 13 (2) prevent a business from providing the personal information about a 14 consumer to a person covered by an evidentiary privilege as part of a privileged 15 communication. 16 (d) AS 45.48.760 - 45.48.925 do not apply to 17 (1) protected health information that is collected by a covered entity or 18 business associate governed by 45 C.F.R. Parts 160 and 164; in this paragraph, 19 "business associate" has the meaning given in 45 C.F.R. 160.103; 20 (2) a covered entity governed by 45 C.F.R. Parts 160 and 164 to the 21 extent the covered entity maintains patient information in the same manner as 22 protected health information under (1) of this subsection; 23 (3) unless the personal information is re-identified when permitted by 24 AS 45.48.875, personal information that is 25 (A) de-identified in accordance with the requirements for de- 26 identification set out in 45 C.F.R. 164.514; or 27 (B) derived from patient information that was originally 28 collected, created, transmitted, or maintained by a person regulated by the 29 Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191) or 30 45 C.F.R. Part 46 (Protection of Human Subjects); 31 (4) information that is collected, used, or disclosed in research,

01 including a clinical trial, and conducted in accordance with 45 C.F.R. Part 46 02 (Protection of Human Subjects), or the clinical guidelines issued by the International 03 Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human 04 Use; 05 (5) an activity involving the collection, maintenance, disclosure, sale, 06 communication, or use of personal information that affects a consumer's credit 07 worthiness, credit standing, credit capacity, character, general reputation, personal 08 characteristics, or mode of living, if the activity is performed by a consumer reporting 09 agency, by a furnisher of information who provides information for use in a consumer 10 report as provided in 15 U.S.C. 1681s-2 (Fair Credit Reporting Act), or by a user of a 11 consumer report under 15 U.S.C. 1681b (Fair Credit Reporting Act); this paragraph 12 applies only to the extent the activity is subject to regulation under 15 U.S.C. 1681a - 13 1681x (Fair Credit Reporting Act) and the information is collected, maintained, used, 14 communicated, disclosed, or sold as authorized by 15 U.S.C. 1681a - 1681x (Fair 15 Credit Reporting Act); the exemption created by this paragraph does not apply to 16 AS 45.48.885(c) - (e); in this paragraph, 17 (A) "consumer report" has the meaning given in 15 U.S.C. 18 1681a (Fair Credit Reporting Act); 19 (B) "consumer reporting agency" has the meaning given in 15 20 U.S.C. 1681a (Fair Credit Reporting Act); 21 (6) personal information collected, processed, sold, or disclosed under 22 15 U.S.C. 6801 - 6827 (Gramm-Leach-Bliley Financial Modernization Act of 1999), 23 or 12 U.S.C. 2001 - 2279cc (Farm Credit Act of 1971), except that the exemption 24 created by this paragraph does not apply to AS 45.48.885(c) - (e); 25 (7) personal information collected, processed, sold, or disclosed under 26 18 U.S.C. 2721 - 2725 (Driver's Privacy Protection Act of 1994), except that the 27 exemption created by this paragraph does not apply to AS 45.48.885(c) - (e). 28 (e) AS 45.48.785 does not apply to vehicle information or vehicle ownership 29 information retained or shared by a new motor vehicle dealer or the motor vehicle's 30 manufacturer if 31 (1) the motor vehicle or ownership information is shared to carry out,

01 or in anticipation of carrying out, a motor vehicle repair covered by a vehicle warranty 02 or a recall conducted under 49 U.S.C. 30118 - 30120; and 03 (2) the new motor vehicle dealer or motor vehicle manufacturer with 04 which the vehicle information or ownership information is shared does not sell, share, 05 or use that information for another purpose. 06 (f) AS 45.48.765 and 45.48.780 do not apply to 07 (1) a commercial credit reporting agency's collection, processing, sale, 08 or disclosure of business controller information to the extent the commercial credit 09 reporting agency uses the business controller information only to identify the 10 relationship of a consumer to a business that the consumer owns or to contact the 11 consumer in the consumer's role as the owner, director, officer, or management 12 employee of the business; in this paragraph, "owner" means a natural person who 13 (A) owns, or has the power to vote, more than 50 percent of the 14 outstanding shares of a class of voting security of a business; 15 (B) has control in any manner over the election of a majority of 16 the directors or of individuals exercising similar functions as directors; or 17 (C) has the power to exercise a controlling influence over the 18 management of a business; 19 (2) the use, disclosure, or sale by a business of a particular piece of a 20 consumer's personal information if the consumer has consented to the use, disclosure, 21 or sale by the business of that particular piece of information to produce a physical 22 item, including a school yearbook containing the consumer's photograph, and if 23 (A) the business has incurred significant expense in reliance on 24 the consumer's consent; 25 (B) compliance with the consumer's request to delete the 26 consumer's personal information under AS 45.48.765 or to prevent the sale of 27 the consumer's personal information under AS 45.48.780 would not be 28 commercially reasonable; and 29 (C) the business complies with the consumer's request as soon 30 as it is commercially reasonable to comply. 31 (g) The obligations imposed on businesses under AS 45.48.765 - 45.48.775

01 and 45.48.790 do not apply to household data. 02 (h) AS 45.48.760 - 45.48.925 do not require a business 03 (1) to comply with a verifiable consumer request to delete a 04 consumer's personal information under AS 45.48.765 to the extent the verifiable 05 consumer request applies to a student's grades, educational scores, or educational test 06 results that the business holds on behalf of an educational facility at which the student 07 is currently enrolled; if, under this paragraph, a business does not comply with a 08 request, the business shall notify the consumer that the business is acting under this 09 paragraph; 10 (2) to disclose, in response to a request made under AS 45.48.775, a 11 consumer's educational standardized assessment, a consumer's educational assessment, 12 or a consumer's specific responses to the educational standardized assessment or 13 educational assessment, if consumer access, possession, or control would jeopardize 14 the validity and reliability of the educational standardized assessment or educational 15 assessment by providing an advantage to the consumer who submitted a verifiable 16 consumer request or to another natural person; if, under this paragraph, a business 17 does not comply with a request, the business shall notify the consumer that the 18 business is acting under this paragraph; in this paragraph, "educational standardized 19 assessment" or "educational assessment" means 20 (A) a standardized or nonstandardized quiz, test, or other 21 assessment used to evaluate students in or for entry into kindergarten, grades 22 one to 12, schools, postsecondary institutions, vocational programs, or 23 postgraduate programs that are accredited by an accrediting agency or 24 organization recognized by the state or the United States Department of 25 Education; and 26 (B) license examinations used to determine the competency and 27 eligibility of an individual to receive certification or licensure from a 28 government agency or government certification body. 29 (i) In this section, unless the context indicates otherwise, 30 (1) "business controller information" means the name, business title, 31 and other contact information for the owner, director, officer, or management

01 employee of a business; 02 (2) "commercial credit report" 03 (A) means a report that is provided to a commercial person for 04 a business purpose and that relates to the financial status or payment habits of a 05 commercial person that is the subject of the report; 06 (B) does not mean a report that is prepared for commercial 07 insurance underwriting, claims, or auditing purposes, a report containing 08 information related to transactions or experiences between the subject and the 09 person making the report, an authorization or approval of a specific extension 10 of credit directly or indirectly by the issuer of a credit card or similar device, or 11 a report in which a person who has been requested by a third party to make a 12 specific extension of credit directly or indirectly to the third party conveys the 13 person's decision with respect to the request; 14 (3) "commercial credit reporting agency" means a person who, for a 15 monetary fee, or on a cooperative nonprofit basis, provides commercial credit reports 16 to third parties; 17 (4) "covered entity" has the meaning given in 45 CFR 160.103; 18 (5) "director" means a natural person who 19 (A) is designated in the articles of incorporation of a business 20 as a director; 21 (B) is elected a director by the incorporators of a business; 22 (C) is designated, elected, or appointed under any other name 23 or title to act as a director; or 24 (D) succeeds a person described in (A) - (C) of this paragraph 25 in the person's position; 26 (6) "identifiable private information" has the meaning given in 45 27 C.F.R. 46.102; 28 (7) "individually identifiable health information" has the meaning 29 given in 45 C.F.R. 160.103; 30 (8) "individually identifiable information" means information that 31 includes or contains

01 (A) an element of an individual's name, address, electronic mail 02 address, telephone number, social security number, or other personal 03 identifying information sufficient to allow identification of the individual; or 04 (B) other information that alone or in combination with other 05 publicly available information reveals the individual's identity; 06 (9) "management employee" means a natural person whose name and 07 contact information is reported to or collected by a commercial credit reporting agency 08 as the primary manager of a business and used solely within the context of the person's 09 role as the primary manager of the business; 10 (10) "manufacturer" has the meaning given in AS 45.25.990; 11 (11) "medical information" means individually identifiable information 12 in electronic or physical form in possession of or derived from a provider of health 13 care, health care service plan, pharmaceutical company, or contractor regarding a 14 patient's medical history, mental or physical condition, or treatment; 15 (12) "new motor vehicle dealer" has the meaning given in 16 AS 45.25.990; 17 (13) "officer" means a chief executive officer, president, secretary, 18 treasurer, or other natural person elected or appointed by the board of directors of a 19 business to manage the daily operations of the business; 20 (14) "ownership information" means the name of the registered owner 21 and the contact information for the owner; 22 (15) "patient information" means identifiable private information, 23 protected health information, individually identifiable health information, or medical 24 information; 25 (16) "protected health information" has the meaning given in 45 CFR 26 160.103; 27 (17) "provider of health care" means an individual licensed, certified, 28 or otherwise authorized or permitted by law to provide health care in the ordinary 29 course of business or the practice of a profession; 30 (18) "vehicle information" means the vehicle identification number, 31 make, model, year, or odometer reading.

01 Sec. 45.48.905. Waivers; limitations of application. A provision of a class 02 action waiver or other type of agreement that appears or claims to waive or limit in 03 any way the provisions of AS 45.48.760 - 45.48.925, including a remedy or a means 04 of enforcement, is contrary to public policy, void, and unenforceable. This section 05 does not prevent a consumer from declining to request information from a business, 06 declining to prevent a business from selling the consumer's personal information, or 07 authorizing a business to sell or share the consumer's personal information after 08 previously directing the business not to sell or share the consumer's personal 09 information. In this section, "class action waiver" means a court action in which a 10 party to the action is a group of people who are represented collectively by a member 11 of that group. 12 Sec. 45.48.910. Construction; general provisions. (a) If a provision of 13 AS 45.48.760 - 45.48.925 is preempted by or conflicts with federal law, the provision 14 does not apply to the extent of the preemption or conflict. 15 (b) If a conflict occurs between another state law and AS 45.48.760 - 16 45.48.925, the provisions of the law that afford the greatest protection for the right of 17 privacy of consumers control. 18 (c) AS 45.48.760 - 45.48.925 supersede and preempt the regulations, codes, 19 ordinances, and other laws adopted by a municipality regarding the collection and sale 20 by a business of personal information about a consumer. 21 (d) AS 45.48.760 - 45.48.925 shall be liberally construed to carry out the 22 purpose of AS 45.48.760 - 45.48.925. 23 (e) AS 45.48.760 - 45.48.925 may not be construed to require a business, 24 service provider, or contractor to 25 (1) re-identify or otherwise connect information that, in the ordinary 26 course of business, is not maintained in a manner that would be considered personal 27 information; 28 (2) retain personal information about a consumer if, in the ordinary 29 course of business, the information would not be retained; 30 (3) maintain information in identifiable, electronically connectible, or 31 associable form, or collect, obtain, retain, or access data or technology to be capable of

01 connecting or associating a verifiable consumer request with personal information 02 about a consumer. 03 (f) If more than one requirement of AS 45.48.760 - 45.48.925 affects a 04 business, service provider, or contractor, the business, service provider, or contractor 05 shall comply with all of the requirements, unless a provision of AS 45.48.760 - 06 45.48.925 provides otherwise. 07 (g) Nothing in AS 45.48.760 - 45.48.925 requires a business to disclose a 08 trade secret. 09 Sec. 45.48.915. Regulations. The Department of Commerce, Community, and 10 Economic Development may adopt regulations under AS 44.62 (Administrative 11 Procedure Act) to implement AS 45.48.760 - 45.48.925. 12 Sec. 45.48.920. Definitions. In AS 45.48.760 - 45.48.925, unless the context 13 indicates otherwise, 14 (1) "aggregate consumer information" 15 (A) means information that relates to a group or category of 16 consumers from which individual consumer identities have been removed and 17 that is not electronically connected or reasonably connected, including 18 connection by a device, to a consumer or household; 19 (B) does not mean individual consumer records that have been 20 de-identified; 21 (2) "application" means, when applied to the Internet, a computer 22 program that uses Internet technology to perform tasks over the Internet; 23 (3) "beacon" means an image that is placed on an Internet website used 24 to monitor the behavior of a consumer visiting the website; 25 (4) "biometric information" means 26 (A) information that relates to an individual's deoxyribonucleic 27 acid; 28 (B) iris imagery, retinal imagery, fingerprints, facial 29 recognition, hand geometry, palm vein patterns, voice recognition, keystroke 30 patterns, keystroke rhythms, gait patterns, gait rhythms, sleep data, health data, 31 and exercise data; and

01 (C) other physiological, biological, and behavioral 02 characteristics that are used or intended to be used, singly or in combination 03 with each other or with other identifying data, to establish individual identity; 04 (5) "business" means a person identified in AS 45.48.835; 05 (6) "business purpose" means a purpose identified in AS 45.48.850; 06 (7) "category of personal information" means a category of personal 07 information identified in AS 45.48.840(a); 08 (8) "category of sensitive personal information" means a category of 09 sensitive personal information identified in AS 45.48.840(c); 10 (9) "collect," "collected," or "collection" means receiving information, 11 either actively or passively, observing behavior, or otherwise buying, renting, 12 gathering, obtaining, receiving, or accessing personal information about a consumer; 13 (10) "commercial purpose" means 14 (A) inducing a person to buy, rent, lease, subscribe to, provide, 15 or exchange personal property, real property, information, or services, or join a 16 program; 17 (B) enabling or effecting, directly or indirectly, a commercial 18 transaction, or otherwise advancing an economic interest; 19 (11) "computer network" means an interconnection, including by 20 microwave or other means of electronic or optical communication, of two or more 21 computer systems, or between computers and remote terminals; 22 (12) "consent" means the consent described in AS 45.48.860; 23 (13) "conservator" has the meaning given in AS 13.06.050; 24 (14) "consumer" means a natural person who is a resident of the state, 25 whether the natural person is identified by a unique personal identifier or by another 26 method; 27 (15) "contractor" means a person that meets the requirements of 28 AS 45.48.845; 29 (16) "cookie" means a file with data that is used to identify a consumer 30 as the consumer uses a computer; 31 (17) "cross-context behavioral advertising" means the targeting of

01 advertising to a consumer based on the consumer's personal information obtained from 02 the consumer's activity across businesses, distinctly branded Internet websites, 03 applications, or services, other than a business, distinctly branded Internet website, 04 application, or service with which the consumer intentionally interacts; 05 (18) "de-identified information" means personal information that is de- 06 identified under AS 45.48.870(a); 07 (19) "device" means a physical object that is capable of connecting to 08 the Internet, directly or indirectly, or connecting to another physical object that is 09 capable of connecting directly or indirectly to the Internet; 10 (20) "family" means a custodial parent or guardian and children under 11 18 years of age over whom the parent or guardian has custody; 12 (21) "home page" means 13 (A) the introductory page of an Internet website; or 14 (B) in the case of a telephone application or other online 15 service that uses Internet technology to perform tasks over the Internet, 16 (i) the application's platform page or page that is 17 downloaded; 18 (ii) an electronic connection within or from the 19 configuration; 20 (iii) an electronic connection labelled "About" or 21 "Information"; 22 (iv) a settings page; or 23 (v) another location that allows a consumer to review 24 before or after downloading the service; 25 (22) "household" means a group, however identified, of consumers 26 who live with one another at the same residential address and share the use of devices 27 or services; 28 (23) "infer" or "inference" means to derive information, data, 29 assumptions, or conclusions from facts, evidence, or another source of information or 30 data; 31 (24) "intentionally" has the meaning given in AS 11.81.900;

01 (25) "intentionally interacts" 02 (A) means deliberately interacting with a person or deliberately 03 disclosing personal information to a person by visiting the person's Internet 04 website, purchasing a good or service from the person, or using another 05 method; 06 (B) does not mean hovering over, muting, pausing, or closing a 07 given piece of content; 08 (26) "Internet protocol address" means a numerical label assigned to a 09 device connected to a computer network that uses the Internet protocol for 10 communication; 11 (27) "knowingly" has the meaning given in AS 11.81.900; 12 (28) "person" means an individual, proprietorship, firm, partnership, 13 joint venture, syndicate, business trust, company, corporation, limited liability 14 company, association, committee, organization, or group of persons acting together; 15 (29) "personal information" means the information described in 16 AS 45.48.840(a), except as provided in AS 45.48.840(b); 17 (30) "pixel tag" means a short code on a consumer's Internet website; 18 (31) "platform" means an arrangement of computer components that 19 uses a particular operating system; 20 (32) "precise geolocation" means data derived from a device and used 21 or intended to be used to locate a consumer within a geographic area that is equal to or 22 less than the area of a circle with a radius of 1,850 feet; 23 (33) "probabilistic identifier" means the identification of a consumer or 24 a consumer's device to a degree of certainty of more probable than not based on a 25 category of personal information included in, or similar to, the categories identified in 26 AS 45.48.840(a) and (c); 27 (34) "process" means an operation performed on personal data, 28 whether by automated or other means; 29 (35) "publicly available information" 30 (A) means information that 31 (i) is lawfully made available from federal, state, or

01 local government records; 02 (ii) a business has reasonable cause to believe is 03 lawfully made available to the general public by the consumer or from 04 widely distributed media; or 05 (iii) a consumer makes available by a person to whom 06 the consumer has disclosed the information if the consumer has not 07 restricted the information to a specific audience; 08 (B) does not mean biometric information collected by a 09 business about a consumer without the consumer's knowledge; 10 (36) "re-identify" means the process of reversing de-identification, 11 including by adding specific pieces of information or data elements that can, 12 individually or in combination, be used to identify a particular individual, or by using 13 a statistical method, contrivance, computer software, or other method that has the 14 effect of associating de-identified personal information with a particular individual; 15 (37) "research" means basic research, applied research, studies 16 conducted in the public interest in the area of public health, and other scientific 17 analysis, systematic study, and systematic observation that is designed to develop or 18 contribute to public or scientific knowledge and that adheres or otherwise conforms to 19 all applicable laws on ethics and privacy; 20 (38) "security and integrity" means the ability of 21 (A) networks or information systems to detect security 22 incidents that compromise the availability, authenticity, integrity, or 23 confidentiality of stored or transmitted personal information; 24 (B) businesses to detect security breaches or other incidents, to 25 resist malicious, deceptive, fraudulent, and other illegal actions, and to help 26 prosecute persons responsible for those actions; 27 (39) "sensitive personal information" means the information described 28 in AS 45.48.840(c); 29 (40) "service" means work, labor, or an activity furnished in 30 connection with the sale or repair of goods and products; 31 (41) "service provider" means a person that receives from or on behalf

01 of a business personal information about a consumer for a business purpose and that 02 processes the personal information on behalf of the business; 03 (42) "share," "shared," or "sharing" has the meaning described in 04 AS 45.48.855; 05 (43) "third party" means a person that is not 06 (A) a business with whom a consumer intentionally interacts 07 and that collects personal information from the consumer as part of the 08 consumer's current interaction with the business; 09 (B) a service provider; or 10 (C) a contractor; 11 (44) "unique personal identifier" means a device identifier, Internet 12 protocol address, cookie, beacon, pixel tag, mobile advertisement identifier, customer 13 number, unique pseudonym, user alias, telephone number, or other form of persistent 14 or probabilistic identifier that can be used to recognize a consumer or family, or a 15 device that is connected to a consumer or family; 16 (45) "verifiable consumer request" means a request that 17 (A) is made by a consumer who is 18 years of age or older, by 18 a consumer on behalf of the consumer's child who is under 18 years of age, by 19 a natural person authorized by a consumer who is 18 years of age or older to 20 act on the consumer's behalf, by a person who holds a power of attorney for a 21 consumer, or by a person who is acting as a conservator for a consumer; and 22 (B) a business can reasonably verify as being made by a person 23 described in (A) of this paragraph. 24 Sec. 45.48.925. Short title. AS 45.48.760 - 45.48.925 may be cited as the 25 Alaska Consumer Information Protection Act. 26 * Sec. 6. AS 45.48.990 is amended to read: 27 Sec. 45.48.990. Definitions. In AS 45.48.010 - 45.48.750 and 45.48.990 - 28 45.48.995 [THIS CHAPTER], unless the context indicates otherwise, 29 (1) "consumer" means an individual; 30 (2) "consumer credit reporting agency" means a person who, for 31 monetary fees, dues, or on a cooperative nonprofit basis, regularly engages, in whole

01 or in part, in the practice of assembling or evaluating consumer credit information or 02 other information on consumers for the purpose of furnishing credit reports to third 03 parties; 04 (3) "credit report" means a consumer report that a consumer credit 05 reporting agency furnishes to a person that the consumer credit reporting agency has 06 reason to believe intends to use the consumer report as a factor in establishing the 07 consumer's eligibility for credit to be used primarily for personal, family, or household 08 purposes; in this paragraph, "consumer report" has the meaning given to "consumer 09 report" in 15 U.S.C. 1681a(d) (Fair Credit Reporting Act), except that "consumer 10 reporting agency" in 15 U.S.C. 1681a(d) is to be read as "consumer credit reporting 11 agency"; 12 (4) "Fair Credit Reporting Act" means 15 U.S.C. 1681 - 1681x; 13 (5) "Gramm-Leach-Bliley Financial Modernization Act" means 15 14 U.S.C. 6801 - 6827; 15 (6) "identity theft" means the theft of the identity of an individual; 16 (7) "information system" means any information system, including a 17 system consisting of digital databases and a system consisting of pieces of paper; 18 (8) "person" has the meaning given in AS 01.10.060 and includes a 19 state or local governmental agency, except for an agency of the judicial branch; 20 (9) "state resident" means an individual who satisfies the residency 21 requirements under AS 01.10.055. 22 * Sec. 7. AS 45.48.995 is amended to read: 23 Sec. 45.48.995. Short title. AS 45.48.010 - 45.48.750 and 45.48.990 - 24 45.48.995 [THIS CHAPTER] may be cited as the Alaska Personal Information 25 Protection Act. 26 * Sec. 8. The uncodified law of the State of Alaska is amended by adding a new section to 27 read: 28 APPLICABILITY: DISCLOSURE PERIOD. Notwithstanding AS 45.48.795(a)(3), 29 added by sec. 5 of this Act, the 12-month period of personal information that a business is 30 required to disclose to a consumer under AS 45.48.795(a)(3), added by sec. 5 of this Act, does 31 not cover personal information that the business collected about the consumer before the

01 effective date of this Act. In this section, "business," "collected," "consumer," and "personal 02 information" have the meanings given in AS 45.48.920, added by sec. 5 of this Act. 03 * Sec. 9. The uncodified law of the State of Alaska is amended by adding a new section to 04 read: 05 APPLICABILITY: CONTRACTS. This Act applies to a contract entered into on or 06 after the effective date of this Act. 07 * Sec. 10. This Act takes effect January 1, 2023.