CSHB 367(JUD): "An Act relating to personal data; establishing data broker registration requirements; relating to social security numbers; making certain violations unfair or deceptive trade practices; and providing for an effective date."
CS FOR HOUSE BILL NO. 367(JUD)

"An Act relating to personal data; establishing data broker registration requirements; relating to social security numbers; making certain violations unfair or deceptive trade practices; and providing for an effective date."

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF ALASKA:

* Section 1. AS 37.05.146(c) is amended by adding a new paragraph to read:
  (87) consumer privacy account (AS 45.48.860).

* Sec. 2. AS 44.33.020(a) is amended by adding a new paragraph to read:
  (45) establish and maintain a data broker registry under AS 45.48.855.

* Sec. 3. AS 45.48.430(b) is amended to read:
(b) The prohibition in (a) of this section does not apply if
  (1) the disclosure is authorized by local, state, or federal law, including AS 45.48.800 - 45.48.898 or a regulation adopted under AS 45.48.470;
  (2) the person is engaging in the business of government and
    (A) is authorized by law to disclose the individual's social security number; or
    (B) the disclosure of the individual's social security number is required for the performance of the person's duties or responsibilities as provided by law;
  (3) the disclosure is to a person subject to or for a transaction regulated by the Gramm-Leach-Bliley Financial Modernization Act, and the disclosure is for a purpose authorized by the Gramm-Leach-Bliley Financial Modernization Act or to facilitate a transaction of the individual;
  (4) the disclosure is to a person subject to or for a transaction regulated by the Fair Credit Reporting Act, and the disclosure is for a purpose authorized by the Fair Credit Reporting Act;
  (5) the disclosure is part of a report prepared by a consumer credit reporting agency in response to a request by a person and the person submits the social security number as part of the request to the consumer credit reporting agency for the preparation of the report; or
  (6) the disclosure is for a background check on the individual, identity verification, fraud prevention, medical treatment, law enforcement or other government purposes, or the individual's employment, including employment benefits.

* Sec. 4. AS 45.48.450(b) is amended to read:
(b) Notwithstanding the other provisions of AS 45.48.400 - 45.48.480, and except as provided under AS 45.48.800 - 45.48.898 or for an agent under (a) of this section, a person may disclose an individual's social security number to an independent contractor of the person to facilitate the purpose or transaction for which the individual initially provided the social security number to the person, but the independent contractor may not use the social security number for another purpose or make an unauthorized disclosure of the individual's personal information. In this subsection, "independent contractor" includes a debt collector.

* Sec. 5. AS 45.48 is amended by adding new sections to read:

Article 6A. Data Privacy.

Sec. 45.48.800. Applicability.
(a) AS 45.48.800 - 45.48.898 apply to a person that conducts business in the state or produces products or provides services targeted to residents of this state and that, during the preceding calendar year, collected or processed the personal data of at least
  (1) 35,000 consumers, not including personal data controlled or processed solely for the purpose of completing a payment transaction; or
  (2) 10,000 consumers and derived more than 20 percent of the person's gross revenue from the sale of personal data.
(b) AS 45.48.800 - 45.48.898 do not apply to the federal government, the state, a public corporation of the state, the University of Alaska, a municipality, a school district, a regional educational attendance area, or a tribal government.

Sec. 45.48.805. Consumer rights.
(a) A consumer has the right to
  (1) confirm whether a controller is collecting or processing the consumer's personal data and access that personal data;
  (2) obtain from a controller a list of specific third parties, other than natural persons, to which the controller has transferred either
    (A) the consumer's personal data; or
    (B) any personal data;
  (3) correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data;
  (4) delete personal data provided by, or obtained about, the consumer, including personal data the consumer provided to the controller, personal data the controller obtained from another source, and data derived from the personal data;
  (5) obtain a copy of the consumer's personal data collected or processed by the controller, in a portable and, to the extent technically practicable, readily usable format that allows the consumer to transmit the data to another controller without hindrance if the processing is carried out by automated means; and
  (6) opt out of the collection and processing of the consumer's personal data for purposes of
    (A) targeted advertising;
    (B) the sale of personal data; or
    (C) profiling in furtherance of automated decisions that produce legal or similarly significant effects concerning the consumer.
(b) A parent or legal guardian of a minor may exercise the minor's consumer rights under this section on the minor's behalf. A guardian or conservator of a consumer subject to a guardianship, conservatorship, or other protective arrangement may exercise the consumer's rights under this section on the consumer's behalf.
(c) A consumer may designate another person to serve as the consumer's authorized agent, and act on the consumer's behalf, to exercise the consumer's rights under this section. A controller shall comply with a request from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the agent's authority to act on the consumer's behalf.
(d) A controller or processor may not collect, process, or transfer personal data in a manner that discriminates against an individual or class of individuals, or otherwise makes unavailable the equal enjoyment of goods or services, based on an individual's or class of individuals' actual or perceived race, color, sex, sexual orientation, gender identity, disability, religion, ancestry, or national origin. This subsection does not apply to
  (1) the collection, processing, or transfer of personal data for the sole purpose of
    (A) self-testing by a controller or processor to prevent or mitigate unlawful discrimination or otherwise to ensure compliance with state or federal law; or
    (B) diversifying an applicant, participant, or customer pool; or
  (2) a private establishment as described in 42 U.S.C. 2000a(e).

Sec. 45.48.810. Controller responses to consumer requests.
(a) A consumer may exercise a consumer right under AS 45.48.805 by a secure and reliable means established by the controller and described to the consumer in the controller's privacy notice.
The means established by the controller must take into account the ways that a consumer normally interacts with the controller, the need for secure and reliable communication of a consumer request, and the ability of the controller to verify the identity of the consumer making the request. A controller may not require a consumer to create a new account to exercise a consumer right, but may require a consumer to use an existing account.
(b) In addition to other means established by the controller, a controller shall allow a consumer to exercise an opt-out request under AS 45.48.805(a)(6) by providing
  (1) a clear and conspicuous "Do Not Sell My Personal Information" or similarly worded link on the home page of the controller's Internet website; and
  (2) an opt-out preference signal sent to the controller, with the consumer's consent, by a platform, technology, or mechanism used by the consumer that is consumer-friendly and easy for the average consumer to use and that allows the controller to reasonably determine whether the consumer is a resident of the state and whether the consumer has made a legitimate opt-out request; the use of an Internet protocol address to estimate the consumer's location is sufficient to reasonably determine residency under this paragraph.
(c) If a consumer's opt-out request under (b)(1) or (2) of this section conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's financial incentive program offered under AS 45.48.840, the controller shall comply with the consumer's opt-out preference provided under (b)(1) or (2) of this section but may notify the consumer of the conflict and provide to the consumer the choice to confirm the controller-specific privacy setting or participation in the program. If a controller responds to a consumer opt-out request under (b)(1) or (2) of this section by informing the consumer of a change in the price, rate, level, quality, or selection of goods or services, the controller shall present the terms of any financial incentive offered under AS 45.48.840 for the retention, processing, sale, or transfer of the consumer's personal data.
(d) Except as otherwise provided in AS 45.48.800 - 45.48.898, a controller shall comply with a request by a consumer to exercise the consumer's rights as follows:
  (1) a controller shall respond to the consumer without undue delay, but not later than 45 days after receiving the request; the controller may extend the response period by 45 additional days when reasonably necessary, considering the complexity and number of the consumer's requests, if the controller informs the consumer of the extension and the reason for the extension within the initial 45-day response period;
  (2) if a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but not later than 45 days after receiving the request, of the justification for declining to take action and provide instructions for how to appeal the decision;
  (3) a controller shall provide information in response to a consumer request free of charge once for each consumer during any 12-month period; if a request from a consumer is manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request; the controller bears the burden of demonstrating that the request is manifestly unfounded, excessive, or repetitive;
  (4) if a controller is unable to authenticate a request to exercise a right afforded by AS 45.48.805(a)(1) - (5) using commercially reasonable efforts, the controller is not required to comply with a request to initiate an action under this section and shall provide notice to the consumer that the controller is unable to authenticate the request until the consumer provides additional information reasonably necessary to authenticate the consumer and the consumer's request;
  (5) a controller may not require a consumer to authenticate to exercise an opt-out request under AS 45.48.805(a)(6), but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent; if a controller denies an opt-out request because the controller believes the request is fraudulent, the controller shall send a notice to the person who made the request disclosing that the controller believes the request is fraudulent, why the controller believes the request is fraudulent, and that the controller will not comply with the request;
  (6) a controller that has obtained a consumer's personal data from a source other than the consumer complies with a consumer's request to delete the data under AS 45.48.805(a)(4) if the controller
    (A) deletes the consumer's personal data retained by the controller;
    (B) retains a record of the deletion request and the minimum data necessary to ensure the consumer's personal data remains deleted from the controller's records; and
    (C) does not use retained data for any other purpose.
(e) A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period after the consumer receives the decision refusing to take action. The appeal process must be conspicuously available and similar to the process for the consumer to submit requests under this section. Not later than 60 days after receiving an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall provide the consumer with an online mechanism, if available, or another method by which the consumer may contact the attorney general to submit a complaint.
(f) A controller may not condition, expressly or effectively, or attempt to condition the exercise of a consumer right under this section through the use of
  (1) a false, fictitious, fraudulent, or materially misleading statement or representation; or
  (2) a dark pattern.
(g) A controller or processor is not required to comply with an authenticated consumer rights request if the controller or processor
  (1) is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller or processor to associate the request with the personal data; and
  (2) does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data or associate the personal data with other personal data about the same specific consumer.

Sec. 45.48.812. Duty of loyalty.
A controller may not perform an activity related to the collection, processing, or transfer of personal data that
  (1) conflicts with the best interests of an individual;
  (2) takes advantage of or otherwise exploits an individual;
  (3) results in a disproportionate risk to an individual;
  (4) is to the detriment of an individual; or
  (5) causes harm to an individual.

Sec. 45.48.815. Data minimization rules and de-identified data.
(a) A controller shall limit the collection, processing, and transfer of personal data to that which is reasonably necessary to provide or maintain
  (1) a specific product or service requested by the consumer to whom the data pertains and related routine administrative, operational, or account-servicing activity, including billing, shipping, delivery, storage, or accounting; or
  (2) a communication, other than an advertisement, by the controller to the consumer reasonably anticipated within the context of the relationship between the controller and the consumer.
(b) A controller may process or transfer personal data collected under (a) of this section to provide first-party advertising or targeted advertising, except when otherwise prohibited under AS 45.48.800 - 45.48.898.
(c) A controller that possesses de-identified data shall
  (1) take technical measures to ensure that the data cannot be associated with an individual;
  (2) publicly commit to maintaining and using de-identified data without attempting to reidentify the data; and
  (3) contractually obligate a recipient of the de-identified data to comply with the provisions of AS 45.48.800 - 45.48.898.
(d) A controller that transfers de-identified data shall exercise reasonable oversight to monitor compliance with contractual commitments to which the de-identified data is subject and shall take appropriate steps to address a breach of those contractual commitments.
(e) A controller or processor is not required to
  (1) reidentify de-identified data; or
  (2) maintain data in an identifiable form.

Sec. 45.48.820. Sensitive data.
(a) A controller may not collect, process, or transfer sensitive data pertaining to a consumer unless the collection, processing, or transfer is strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the sensitive data pertains.
(b) A controller may not sell sensitive data.
(c) A controller may not transfer sensitive data pertaining to a consumer without first obtaining the consumer's affirmative consent. A controller shall provide an effective mechanism for a consumer to revoke the consumer's affirmative consent that is at least as easy as the mechanism the consumer used to provide the consumer's affirmative consent and, on revocation of the consumer's affirmative consent, the controller shall discontinue processing the data as soon as practicable, but not later than 15 days after receiving the consumer's revocation of affirmative consent.
(d) Notwithstanding any other provision of AS 45.48.800 - 45.48.898, a controller that knows or reasonably should know that a consumer is a minor may not
  (1) process or transfer personal data of the minor for targeted advertising; or
  (2) sell the personal data of the minor.

Sec. 45.48.825. Privacy notice and disclosures.
(a) A controller shall provide a consumer with a reasonably accessible, clear, and meaningful privacy notice.
The privacy notice must include
  (1) the categories of personal data collected and processed by the controller and a separate list of categories of sensitive data collected and processed by the controller, described in a level of detail that provides the consumer a meaningful understanding of the type of personal data collected or processed;
  (2) the purpose of collecting and processing each category of personal data the controller collects or processes, described in a way that gives the consumer a meaningful understanding of how each category of personal data will be used;
  (3) how a consumer may exercise the consumer's rights under AS 45.48.800 - 45.48.898, including how a consumer may appeal a controller's decision about the consumer's request;
  (4) the categories of personal data that the controller transfers to a third party, if applicable, and the purpose of that transfer;
  (5) the categories of third parties, if any, to which the controller transfers personal data;
  (6) the length of time the controller intends to retain each category of personal data or, if it is not possible to identify the length of time, the criteria used to determine the length of time the controller intends to retain each category of personal data; and
  (7) an active electronic mail address or other online mechanism that the consumer may use to contact the controller.
(b) If a controller makes a material change to the controller's privacy notice, the controller shall, before implementing the material change for prospectively collected personal data, notify each consumer affected by the material change and provide a reasonable opportunity for each consumer to withdraw consent. A controller shall provide a reasonable opportunity for each consumer to provide affirmative consent to further materially different processing or transfer of previously collected personal data under the changed policy. The controller shall take all reasonable measures to provide to each affected consumer direct electronic notification about material changes to the privacy notice, taking into account available technology and the nature of the relationship.
(c) If a controller sells personal data to a third party or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose that sale or processing, as well as the manner in which a consumer may exercise the right to opt out of that sale or processing.

Sec. 45.48.830. Responsibilities of processors and controllers.
(a) A processor shall adhere to the instructions of a controller and assist the controller in meeting the controller's obligations under AS 45.48.800 - 45.48.898, taking into account the nature of the processing and the information available to the processor, including by
  (1) using appropriate technical and organizational measures, to the extent reasonably practicable, to fulfill the controller's obligation to respond to a consumer rights request;
  (2) assisting the controller in meeting the controller's obligations relating to the security of processing personal data and notification of a breach of security of the system of the processor to meet the controller's obligations; and
  (3) providing necessary information to enable the controller to conduct and document a data protection assessment.
(b) A controller and a processor shall enter into a contract to govern the processor's data processing procedures for processing performed on behalf of the controller. The contract must be binding and clearly set out instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The processor shall adhere to the instructions of the controller and process and transfer the data the processor receives from the controller only to the extent necessary to provide a service requested by the controller, as set out in the contract. The contract must also require that the processor
  (1) ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
  (2) at the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
  (3) at the reasonable request of the controller, make available to the controller information in the processor's possession that is necessary to demonstrate the processor's compliance with the obligations set out in AS 45.48.800 - 45.48.898;
  (4) after providing the controller with an opportunity to object, engage a subcontractor under a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data if the processor engages a subcontractor;
  (5) ensure that personal data that the processor receives from or on behalf of a controller not be combined with personal data that the processor receives from or on behalf of another person or collects from the interaction of the processor with an individual; and
  (6) allow and cooperate with a reasonable assessment by the controller or the controller's designated assessor, or arrange for a qualified and independent assessor to conduct an assessment, of the processor's policies and technical and organizational measures in support of the obligations under AS 45.48.800 - 45.48.898, using an appropriate and accepted control standard or framework and assessment procedure, and provide a report of the assessment to the controller on request.
(c) Nothing in this section relieves a controller or processor from the liabilities imposed on the controller or processor by virtue of the controller's or processor's role in the processing relationship as described in AS 45.48.800 - 45.48.898.
(d) Whether a person is acting as a controller or processor with respect to a specific processing of personal data depends on the facts and the context in which the personal data is processed. A person who is not limited in the person's processing of personal data under a controller's instructions, or who fails to adhere to those instructions, is a controller and not a processor with respect to that specific processing of data. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains a processor. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor becomes a controller with respect to that processing.

Sec. 45.48.835. Data protection assessments.
(a) Before initiating the processing activity, a controller shall conduct and document a data protection assessment for each of the controller's processing activities that presents a heightened risk of harm to a consumer, including
  (1) the collection or processing of personal data for the purpose of targeted advertising;
  (2) the sale of personal data;
  (3) the processing of personal data for the purpose of profiling, when the profiling presents a reasonably foreseeable risk of
    (A) unfair or deceptive treatment of, or having an unlawfully disparate effect on, consumers;
    (B) financial, physical, or reputational injury to consumers;
    (C) a physical or other intrusion on the solitude or seclusion, or the private affairs or concerns, of consumers, when the intrusion would be offensive to a reasonable person; or
    (D) other substantial injury to consumers; and
  (4) the collection or processing of sensitive data.
(b) A single data protection assessment may address a comparable set of processing operations that include similar activities.
(c) A data protection assessment conducted under this section must
  (1) identify the categories of personal data collected, the purposes of collecting the personal data, and whether personal data is being transferred;
  (2) consider the use of de-identified data, the reasonable expectations of consumers, the context of the processing, and the relationship between the controller and the consumer whose personal data will be processed; and
  (3) identify and weigh the benefits resulting, directly or indirectly, from the processing activity to the controller, the consumer, other stakeholders, and the public against the potential risks to the consumer's rights, as mitigated by safeguards that are employed by the controller to reduce those risks.
(d) Not later than 30 days after completing a data protection assessment under this section, a controller shall submit a report of the data protection assessment or evaluation to the attorney general. The report must include a summary of the data protection assessment. The controller shall make the summary publicly available on the controller's Internet website or another place that is easily accessible to consumers. A controller may redact confidential or proprietary information from the report. The attorney general may require a controller to disclose a data protection assessment that is relevant to an investigation conducted by the attorney general, and the controller shall make the data protection assessment available to the attorney general. The attorney general may evaluate the data protection assessment for compliance with the controller's responsibilities under AS 45.48.800 - 45.48.898.
To the extent information contained in a data protection assessment disclosed to the attorney general includes information subject to attorney-client privilege or protection under the work product doctrine, the disclosure does not constitute a waiver of the privilege or protection.
(e) A data protection assessment conducted by a controller for the purpose of complying with another applicable law satisfies the requirements in this section if the data protection assessment is reasonably similar in scope and effect to the data protection assessment that would otherwise have been conducted under this section.
(f) A controller shall review and update the data protection assessment as often as appropriate considering the type, amount, and sensitivity of personal data collected or processed and level of risk presented by the processing, throughout the duration of the processing activity,
  (1) to monitor for harm caused by the processing and adjust safeguards accordingly; and
  (2) to ensure that data protection and privacy are considered as the controller makes new decisions with respect to the processing.

Sec. 45.48.840. Discrimination, retaliation, and financial incentives.
(a) A controller may not discriminate or retaliate against a consumer for exercising a consumer right under AS 45.48.800 - 45.48.898 or refusing to agree to the collection or processing of personal data for a separate product or service, including by
  (1) denying goods or services;
  (2) charging different prices or rates for goods or services;
  (3) providing a different level of quality of goods or services to a consumer.
(b) A controller is not required to provide a product or service that requires a consumer's personal data that the controller does not collect or maintain.
(c) Notwithstanding (a) of this section, a controller may offer to a consumer a different price, rate, level, quality, or selection of goods or services, including goods or services for no fee, if the offer is made in connection with a consumer's voluntary participation in a financial incentive program, such as a bona fide loyalty, rewards, premium features, discount, or club card program.
A controller that offers a financial incentive program under this subsection may not
  (1) transfer personal data to a third party as part of the program unless
    (A) the transfer is functionally necessary to enable the third party to provide a benefit to which the consumer is entitled;
    (B) the transfer of personal data to the third party is clearly disclosed in the terms of the program; and
    (C) the third party uses the personal data only for purposes of facilitating a benefit to which the consumer is entitled and does not process or transfer the personal data for any other purpose;
  (2) consider the sale of personal data as functionally necessary to provide the program;
  (3) use financial incentive practices that are unjust, unreasonable, coercive, or usurious.

Sec. 45.48.845. Transfer of information in a business change transaction.
(a) A controller may transfer to or share with a third party a consumer's personal data as an asset that is part of a business change transaction if, within a reasonable time before sharing or transferring the personal data, the controller provides an affected consumer with
  (1) a notice describing the business change transaction, including the name of the third party receiving the consumer's personal data and the applicable privacy policies of the third party; and
  (2) a reasonable opportunity to
    (A) withdraw the previously provided consent related to the consumer's personal data; and
    (B) request the deletion of the consumer's personal data.
(b) If a controller shares a consumer's personal data with a third party in the process of evaluating and consummating a business change transaction, the controller shall require that the third party agree by contract to keep the personal data confidential and not use the personal data for a purpose other than evaluating and consummating the transaction.
(c) A third party under (a) of this section may not use or share the consumer's personal data in a manner that is materially inconsistent with (a) of this section or with the privacy policy of the third party provided to the consumer in the notification required under (a) of this section.
(d) A transfer under (a) of this section does not authorize a controller to make material retroactive privacy policy changes or other changes in a manner that constitutes an unfair or deceptive trade practice under AS 45.50.471 - 45.50.561.
(e) In this section, "business change transaction" means a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of some or all of the controller's assets.

Sec. 45.48.850. Security procedures and practices. (a) A controller shall implement and maintain reasonable administrative, technical, and physical security procedures and practices to protect the confidentiality, integrity, and accessibility of personal data that are appropriate to the volume and nature of the data. The security procedures and practices adopted by a controller must include a retention schedule that requires the deletion of personal data when the data is required to be deleted by law or is no longer necessary for the purpose for which the data was collected, processed, or transferred.
(b) A processor shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue.

Sec. 45.48.855. Data broker registration. (a) Before a controller begins operating as a data broker, the controller shall register with the commissioner in accordance with this section.
(b) To register as a data broker, a controller shall
(1) provide, on a form provided by the commissioner,
(A) the name of the data broker;
(B) the data broker's primary physical and mailing addresses;
(C) the data broker's electronic mail address;
(D) the data broker's primary Internet website address; and
(E) the Internet website address for the data broker's "Do Not Sell My Personal Information" Internet website page as required under AS 45.48.810(b); and
(2) pay a registration fee in an amount established by the department by regulation.
(c) The department shall deposit the fees paid under this section into the consumer privacy account established under AS 45.48.860.
(d) The commissioner shall make available on the department's Internet website a registry with the information provided by data brokers under this section.

Sec. 45.48.860. Consumer privacy account. (a) The consumer privacy account is established in the general fund. Registration fees collected under AS 45.48.855 and civil penalties and money collected in or as a result of an action brought by the attorney general under AS 45.48.800 - 45.48.898 shall be deposited into the general fund and separately accounted for under AS 37.05.142.
(b) The legislature may appropriate the annual estimated balance in the account maintained under AS 37.05.142 to pay
(1) the salaries of attorneys in the Department of Law that enforce the provisions of AS 45.48.800 - 45.48.898 at an amount that is competitive with the private sector; and
(2) the administrative costs incurred by the department and the Department of Law to enforce AS 45.48.800 - 45.48.898.

Sec. 45.48.865. Violations. (a) A violation of AS 45.48.800 - 45.48.898 is an unfair or deceptive act or practice under AS 45.50.471 - 45.50.561. Each day of a violation constitutes a separate violation.
(b) In an action brought under AS 45.50.531(a), a consumer whose personal data is subjected to unauthorized access, destruction, use, modification, or disclosure has suffered an ascertainable loss of money or property.
(c) The remedies provided under this section are in addition to the remedies provided under AS 45.48.080 for a violation of AS 45.48.010 - 45.48.090.

Sec. 45.48.870. Regulations. The attorney general may adopt regulations under AS 44.62 (Administrative Procedure Act) to implement AS 45.48.800 - 45.48.898.

Sec. 45.48.875. Exemptions. (a) AS 45.48.800 - 45.48.898 do not apply to
(1) protected health information that a covered entity or business associate collects or processes in accordance with, or documents that a covered entity or business associate creates for the purpose of complying with, the Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191) and regulations adopted under that Act; in this paragraph, "business associate," "covered entity," and "protected health information" have the meanings given in 45 C.F.R. 160.103;
(2) data collected, processed, or maintained that must be retained to administer benefits for another individual relating to an individual who is the subject of protected health information under (1) of this subsection and used for the purpose of administering the benefits;
(3) patient-identifying information under 42 U.S.C. 290dd-2;
(4) information that identifies a consumer that is collected, processed, or maintained in connection with
(A) activities that are subject to 45 C.F.R. Part 46 (Protection of Human Subjects);
(B) research on human subjects conducted under good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use;
(C) activities that are subject to the protections provided in 21 C.F.R. Parts 50 and 56; or
(D) personal data used or shared in research, as that term is defined in 45 C.F.R. 164.501, that is conducted in accordance with the standards applicable under (A) - (C) of this paragraph or other research conducted in accordance with applicable law;
(5) information and documents created for purposes of 42 U.S.C. 11101 - 11152 (Health Care Quality Improvement Act of 1986) and related regulations;
(6) patient safety work product, as defined in 42 C.F.R. 3.20, that is created for purposes of improving patient safety under 42 C.F.R. Part 3 (Patient Safety Organizations and Patient Safety Work Product) and 42 U.S.C. 299b-21 - 299b-26 (Patient Safety and Quality Improvement Act of 2005);
(7) information derived from health care-related information listed in this subsection that is de-identified in accordance with the requirements for de-identification under the Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191) and related regulations;
(8) information collected, processed, or sold that is subject to 15 U.S.C. 6801 - 6827 (Gramm-Leach-Bliley Act) and related regulations;
(9) an activity that involves the collection, maintenance, disclosure, sale, communication, or use of any information bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living and that is subject to 15 U.S.C. 1681 - 1681x (Fair Credit Reporting Act), if the activity is performed by
(A) a consumer reporting agency, as that term is defined in 15 U.S.C. 1681a(f);
(B) a person who furnishes information to a consumer reporting agency under 15 U.S.C. 1681s-2; or
(C) a person who uses a consumer report as provided in 15 U.S.C. 1681b(a)(3);
(10) personal data collected, processed, sold, or disclosed under 18 U.S.C. 2721 - 2725 (Driver's Privacy Protection Act of 1994) and related regulations;
(11) personal data regulated by 20 U.S.C. 1232g (Family Educational Rights and Privacy Act of 1974);
(12) personal data collected, processed, sold, or disclosed in compliance with 12 U.S.C. 2001 - 2279cc (Farm Credit System);
(13) data collected, processed, or maintained
(A) in the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role; or
(B) as the emergency contact information of an individual used for emergency contact purposes;
(14) personal data collected, processed, sold, or disclosed related to a price, route, or service of an air carrier, but only to the extent preempted by 49 U.S.C. 41713.
(b) AS 45.48.800 - 45.48.898 may not be construed to restrict the ability of a controller or processor to collect, process, transfer, or disclose a consumer's personal data to the extent necessary to
(1) comply with federal, state, municipal, or tribal law;
(2) comply with a civil, criminal, or regulatory inquiry or an investigation, subpoena, or summons by federal, state, municipal, or tribal authorities;
(3) cooperate with a law enforcement agency concerning conduct or activity that the person reasonably and in good faith believes may violate federal, state, municipal, or tribal law;
(4) investigate, establish, exercise, or defend a legal claim;
(5) provide a product or service specifically requested by the consumer;
(6) perform under a contract to which the consumer is a party, including fulfilling the terms of a written warranty;
(7) take steps at the request of a consumer before entering into a contract;
(8) take immediate steps to protect an interest that is essential for the life or physical safety of an individual when the collection, processing, transfer, or disclosure cannot be manifestly justified using another legal basis;
(9) prevent, detect, protect against, or respond to a security incident or malicious, deceptive, fraudulent, or illegal activity or preserve the integrity or security of systems;
(10) engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all relevant laws and regulations governing that research and is approved, monitored, and governed by an institutional review board or similar independent oversight entity that determines whether
(A) the deletion of personal data requested by a consumer under AS 45.48.805(a)(4) is likely to provide substantial benefits that do not exclusively accrue to the controller;
(B) the expected benefits of the research outweigh the privacy risks; and
(C) the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including risks associated with reidentification;
(11) assist another controller, processor, or third party with any obligations under AS 45.48.800 - 45.48.898;
(12) process personal data for reasons of public interest in the areas of public health, community health, or population health, but only to the extent that the processing is
(A) subject to suitable and specific measures to safeguard the rights of the consumer whose personal data is being processed; and
(B) under the responsibility of a professional subject to confidentiality obligations under federal, state, municipal, or tribal law;
(13) ensure the data security and integrity of personal data as required by AS 45.48.800 - 45.48.898, protect against spam, or protect and maintain networks and systems, including through diagnostics, debugging, and repairs;
(14) carry out a product recall under federal or state law or to fulfill a warranty;
(15) conduct medical research in compliance with 45 C.F.R. Part 46 (Protection of Human Subjects) or 21 C.F.R. Parts 50 and 56; or
(16) process personal data previously collected in accordance with AS 45.48.800 - 45.48.898 to convert the personal data into de-identified data, including to
(A) conduct internal research to develop, improve, or repair products, services, or technology;
(B) identify and repair technical errors that impair existing or intended functionality; or
(C) perform solely internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.
(c) A requirement under AS 45.48.800 - 45.48.898 does not apply if
(1) compliance would violate an evidentiary privilege under state law;
(2) a controller or processor provides personal data as part of a privileged communication to a person covered by an evidentiary privilege;
(3) the right or obligation would adversely affect a right of another person;
(4) a person collects or processes personal data in the course of that person's purely personal or household activities;
(5) compliance would require a private school as defined in AS 14.45.200 or a private institution of higher education as defined in 20 U.S.C. 1001 to delete personal data when that deletion would unreasonably interfere with the school's provision of educational services or ordinary operations;
(6) compliance would require the affirmative collection of personal data about the age of users that a controller does not already collect in the normal course of business or require a controller to implement age restriction requirements or age verification.
(d) A controller may collect or process personal data under this section only to the extent that the collection or processing
(1) is reasonably necessary for and proportionate to the purposes listed in this section or, in the case of sensitive data, strictly necessary for the purposes listed in this section;
(2) is limited to data that is necessary in relation to the specific purposes listed in this section;
(3) is subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers related to the processing of personal data; and
(4) complies with AS 45.48.805(d).
(e) A controller that collects or processes personal data under an exemption in this section bears the burden of demonstrating that the collection or processing qualifies for the exemption and complies with the requirements of (d) of this section.
(f) A violation of AS 45.48.800 - 45.48.898 by a processor or third-party controller that receives and processes personal data from a controller or another processor is not imputed to the controller or processor that disclosed the personal data unless the disclosing controller or processor had actual knowledge that the receiving processor or third-party controller would commit the violation. A violation of AS 45.48.800 - 45.48.898 by a controller or processor that discloses personal data to a third-party controller or processor is not imputed to the receiving third-party controller or processor.

Sec. 45.48.880. Component parts. If a series of steps or transactions are component parts of a single transaction and are intended from the beginning to avoid the reach of AS 45.48.800 - 45.48.898, including a controller's disclosure of information to a third party to avoid being considered a sale of personal data, the steps or transactions may not be considered separate for the purposes of determining compliance with, an exception to, or a violation of AS 45.48.800 - 45.48.898.

Sec. 45.48.885. Provisions not waivable. A consumer's waiver of the provisions of AS 45.48.800 - 45.48.898 is contrary to public policy and is unenforceable and void. This section does not prevent a consumer from
(1) declining to request information from a controller;
(2) declining to request that a controller not collect, sell, or disclose the consumer's personal data; or
(3) authorizing a controller to sell the consumer's personal data after previously requesting that the controller not sell the personal data.

Sec. 45.48.890. Liberal construction. The intent of AS 45.48.800 - 45.48.898 is remedial, and its provisions shall be liberally construed.

Sec. 45.48.895. Definitions. In AS 45.48.800 - 45.48.898, unless the context clearly indicates otherwise,
(1) "affiliate" means a legal entity that shares common branding with another legal entity or controls, is controlled by, or is under common control with another legal entity; in this paragraph, "control" and "controlled" mean having
(A) ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a legal entity;
(B) control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or
(C) the power to exercise controlling influence over the management of a legal entity;
(2) "affirmative consent"
(A) means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous authorization for an act or practice, after having been informed, in response to a specific request from a controller; in making the request, the controller shall
(i) provide to the consumer a clear and conspicuous stand-alone disclosure;
(ii) provide to the consumer a written request that describes the processing purpose for which the consumer's consent is sought, that clearly distinguishes between an act or practice that is necessary to fulfill a request of the consumer and an act or practice that is for another purpose, that clearly states the specific categories of personal data that the controller intends to collect, process, or transfer under each act or practice, and that uses easy-to-understand language with prominent headings that enable a reasonable consumer to identify and understand each act or practice;
(iii) clearly explain the consumer's rights related to consent;
(iv) make the request reasonably accessible to and usable by consumers with disabilities;
(v) make the request available to the consumer in each language in which the controller provides a product or service for which authorization is sought; and
(vi) ensure that the option to refuse to give consent is at least as prominent and takes the same or fewer steps as the option to give consent;
(B) does not include
(i) consent for an act or practice inferred from the inaction of the consumer or the consumer's continued use of a service or product provided by the controller;
(ii) acceptance of general or broad terms of use or a similar document that contains descriptions of personal data processing along with other unrelated information;
(iii) hovering over, muting, pausing, or closing a given piece of content on the Internet;
(iv) an agreement obtained through the use of a false, fraudulent, or materially misleading statement or representation; or
(v) an agreement obtained through the use of a dark pattern;
(3) "authenticate" means the use of reasonable means to determine that a request to exercise a right granted to a consumer under AS 45.48.800 - 45.48.898 is being made by, or on behalf of, the consumer who is entitled to exercise that right with respect to the personal data;
(4) "biometric data"
(A) means data generated by automatic measurements of an individual's fingerprint, voiceprint, retina, iris, gait, or other unique biological pattern or characteristic that can be used to identify a specific individual;
(B) does not include
(i) a digital or physical photograph;
(ii) an audio or video recording; or
(iii) data generated from a digital or physical photograph or an audio or video recording, unless the data is generated to identify a specific individual;
(5) "collect" means to buy, rent, gather, obtain, receive, access, or otherwise acquire personal data by any means;
(6) "commissioner" means the commissioner of commerce, community, and economic development;
(7) "consumer"
(A) means an individual who is a resident of the state;
(B) does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit organization, or government agency whose communications or transactions with the controller occur solely within the context of that individual's role with the company, partnership, sole proprietorship, nonprofit organization, or government agency;
(8) "consumer health data" means personal data that describes or reveals a consumer's past, present, or future physical or mental health condition or diagnosis;
(9) "contextual advertising"
(A) means displaying or presenting an advertisement that does not vary based on the identity of the individual recipient and is based solely on
(i) the immediate content of an Internet website or online service within which the advertisement appears; or
(ii) a specific request of the consumer for information or feedback if displayed in proximity to the results of the request for information;
(B) does not include a controller's use of the following types of personal data to display a contextual advertisement without making inferences about the consumer, profiling the consumer, or using the data for any other purpose, if the consumer may use technical means to hide or change the consumer's physical location and to specify a language preference:
(i) technical specifications that are necessary for the advertisement to be delivered and display properly on a given device;
(ii) a consumer's immediate presence in a geographic area with a radius not smaller than 10 miles, or an area reasonably estimated to include online activity from at least 5,000 users, but not including precise geolocation data; or
(iii) the consumer's language preferences, as inferred from context, browser settings, or user settings;
(10) "controller" means a person who, alone or jointly with others, determines the purpose and means of collecting or processing personal data;
(11) "dark pattern" means
(A) a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice; and
(B) a practice the Federal Trade Commission refers to as a "dark pattern";
(12) "data broker" means a controller that knowingly collects and sells to third parties the personal data of a consumer with whom the controller does not have a direct relationship, but does not include a consumer reporting agency to the extent the agency is covered by 15 U.S.C. 1681 et seq. (Fair Credit Reporting Act);
(13) "de-identified data" means data that does not identify and cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual or a device linked to the individual and for which the controller holding the information
(A) takes reasonable physical, administrative, and technical measures to ensure that the data cannot be associated with an individual or be used to reidentify an individual or device that identifies or is linked, or is reasonably linkable, to an individual;
(B) publicly commits to process the data only in a de-identified fashion and does not attempt to reidentify the data; and
(C) contractually obligates a recipient of the data to satisfy the criteria set out in (A) and (B) of this paragraph;
(14) "department" means the Department of Commerce, Community, and Economic Development;
(15) "first party" means a consumer-facing controller with which the consumer intends or expects to interact;
(16) "first-party advertising" means
(A) processing of first-party data by the first party for the purposes of advertising and marketing
(i) through mail, electronic mail, text message, or other direct communication with a consumer;
(ii) in a physical location operated by the first party; or
(iii) through display or presentation of an advertisement on the first party's own Internet website, application, or other online content; and
(B) a marketing measurement related to advertising and marketing under (A) of this paragraph;
(17) "first-party data" means personal data collected directly from a consumer by a first party;
(18) "identified or identifiable individual" means an individual who can be readily identified, directly or indirectly;
(19) "marketing measurement" means measuring and reporting on marketing performance or media performance by the controller and processing of personal data by the controller for measurement and reporting of frequency, attribution, and performance;
(20) "minor" means a consumer who is under 18 years of age;
(21) "personal data"
(A) means information that is linked, or is reasonably linkable, alone or in combination with other information, to an identified or identifiable individual or a device that identifies or is linked, or is reasonably linkable, to an individual;
(B) does not include publicly available information or de-identified data;
(22) "precise geolocation data"
(A) means information derived from a global positioning system or other technology capable of determining with specificity the latitude and longitude coordinates or other spatial location of an individual or device and that reveals, with precision and accuracy within a radius of 1,750 feet or less, the past or present physical location of
(i) an individual; or
(ii) a device that identifies one or more individuals or is linked, or reasonably linkable, to one or more individuals;
(B) does not include
(i) the content of communications, a photograph or video, or metadata associated with a photograph or video that cannot be linked to an individual; or
(ii) information generated by or connected to an advanced utility metering infrastructure system or equipment for use by a utility;
(23) "process" and "processing" mean any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means;
(24) "processor" means a person who collects, processes, or transfers personal data on behalf of, and at the direction of, a controller, another processor, or a federal, state, municipal, or tribal government;
(25) "profiling" means a form of processing performed on personal data to evaluate, analyze, or predict an individual's economic situation, health, personal preferences, interests, reliability, behavior, location, movements, or other personal features;
(26) "publicly available information"
(A) means information that is lawfully made available to the general public from
(i) federal, state, municipal, or tribal government records, if the information is collected, processed, and transferred in accordance with any restrictions or terms of use placed on the information by the relevant government;
(ii) widely distributed media; or
(iii) a disclosure to the general public as required by federal, state, municipal, or tribal law;
(B) does not include
(i) material that constitutes an obscene visual depiction under 18 U.S.C. 1460;
(ii) an inference made exclusively from multiple independent sources of publicly available information that reveals sensitive data pertaining to a consumer;
(iii) biometric data;
(iv) personal data created through the combination of information under (A) of this paragraph with personal data that is not publicly available information;
(v) genetic data, unless otherwise made available to the public by the individual to whom the information pertains;
(vi) information made available by a consumer on an Internet website or online service that is available to all members of the public, with or without charge, when the consumer has restricted the information to a specific audience; or
(vii) authentic or computer-generated intimate images known to be nonconsensual;
(27) "sale of personal data"
(A) means an exchange of personal data for monetary or other valuable consideration by a controller to a third party;
(B) does not include
(i) the disclosure of personal data to a processor that processes the personal data on behalf of a controller;
(ii) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
(iii) the disclosure or transfer of personal data to an affiliate of a controller;
(iv) the disclosure of personal data, with the consumer's affirmative consent, when the consumer affirmatively directs a controller to disclose the personal data or intentionally uses a controller to interact with a third party; or
(v) the disclosure of personal data that the consumer intentionally made available to the general public through mass media and did not restrict to a specific audience;
(28) "sensitive data" means personal data that
(A) reveals a consumer's racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, status as pregnant, sexual orientation, status as transgender or nonbinary, union membership, or citizenship or immigration status;
(B) contains consumer health data;
(C) contains a consumer's genetic or biometric data;
(D) pertains to a consumer that a controller knows or should know, based on knowledge fairly implied under objective circumstances, is a minor;
(E) contains precise geolocation data;
(F) contains a consumer's social security number, driver's license number, known traveler number, state identification card number, passport number, or other government-issued identifier that is not required by law to be displayed in public;
(G) reveals the online activities of a consumer or device linked, or reasonably linkable, to a consumer, over time and across Internet websites, online applications, or mobile applications that do not share common branding, or data generated by profiling those online activities;
(29) "targeted advertising"
(A) means
(i) displaying or presenting an online advertisement to a consumer, to a device identified by a unique persistent identifier, or to a group of consumers or devices identified by unique persistent identifiers if the advertisement is selected based, in whole or in part, on known or predicted preferences, characteristics, behavior, or interests associated with the consumer or consumers or the device;
(ii) displaying or presenting an online advertisement for a product or service based on the previous interaction of a consumer or a device identified by a unique persistent identifier with the product or service on an Internet website or online service that does not share common branding with the Internet website or online service displaying or presenting the advertisement; or
(iii) a marketing measurement related to advertising under (i) and (ii) of this subparagraph;
(B) does not include first-party advertising or contextual advertising;
(30) "third party"
(A) means a person who collects personal data from another person who is not the consumer to whom the data pertains;
(B) does not include
(i) a processor with respect to the personal data; or
(ii) a person who collects personal data from another entity if the two entities are affiliates;
(31) "transfer" means to disclose, release, disseminate, make available, license, rent, or share personal data to a third party by any means;
(32) "unique persistent identifier"
(A) includes a device identifier; an Internet protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers; or other forms of persistent or probabilistic identifiers that are reasonably linkable to one or more consumers or devices that identify or are reasonably linkable to one or more consumers;
(B) does not include an identifier assigned by a controller for the sole purpose of giving effect to the exercise of affirmative consent or opt out by a consumer
(i) pertaining to the collection, processing, and transfer of personal data; or
(ii) otherwise limiting the collection, processing, or transfer of personal data.

Sec. 45.48.898. Short title. AS 45.48.800 - 45.48.898 may be cited as the Alaska Data Privacy Act.

* Sec. 6. AS 45.50.471(b) is amended by adding a new paragraph to read:
(58) violating AS 45.48.800 - 45.48.898 (Alaska Data Privacy Act).

* Sec. 7. The uncodified law of the State of Alaska is amended by adding a new section to read:
APPLICABILITY: CONTRACTS. This Act applies to a contract entered into on or after the effective date of this Act.

* Sec. 8. The uncodified law of the State of Alaska is amended by adding a new section to read:
TRANSITION: DATA PROTECTION ASSESSMENTS. A data protection assessment required under AS 45.48.835, added by sec. 5 of this Act, is not required for a processing activity until January 1, 2028.

* Sec. 9. This Act takes effect January 1, 2027.