Legislature(2021 - 2022)GRUENBERG 120
04/23/2021 08:00 AM House LABOR & COMMERCE
Note: the audio ![]()
and video ![]()
recordings are distinct records and are obtained from different sources. As such there may be key differences between the two. The audio recordings are captured by our records offices as the official record of the meeting and will have more accurate timestamps. Use the icons to switch between them.
| Audio | Topic |
|---|---|
| Start | |
| HB159 | |
| HB146 | |
| HB125 | |
| HB75 | |
| Adjourn |
* first hearing in first committee of referral
+ teleconferenced
= bill was previously heard/scheduled
+ teleconferenced
= bill was previously heard/scheduled
| += | HB 146 | TELECONFERENCED | |
| += | HB 125 | TELECONFERENCED | |
| *+ | HB 159 | TELECONFERENCED | |
| + | TELECONFERENCED | ||
| += | HB 75 | TELECONFERENCED | |
HB 159-CONSUMER DATA PRIVACY ACT
8:04:02 AM
CO-CHAIR FIELDS announced that the first order of business would
be HOUSE BILL NO. 159, "An Act establishing the Consumer Data
Privacy Act; establishing data broker registration requirements;
making a violation of the Consumer Data Privacy Act an unfair or
deceptive trade practice; and providing for an effective date."
8:04:23 AM
CORI MILLS, Deputy Attorney General, Civil Division, Office of
the Attorney General, Department of Law, introduced HB 159 on
behalf of the House Rules Standing Committee, sponsor, at the
request of the governor. She said the intent of the proposed
legislation is to protect Alaskans' constitutionally protected
right to privacy, pointing out that Alaskans are concerned that
companies such as Facebook and Amazon are collecting and using
information in ways that negatively impact privacy. She also
noted that one of the administration's core initiatives is to
make Alaska "open for business," and she stated that HB 159 is a
good "starting place" to address the juxtaposition of privacy
concerns and economic priorities. The central purpose of HB
159, she said, is to provide Alaskans with the ability to know
what information companies are collecting and to allow control
over how the information is used. She expressed that the
administration understands that the proposed legislation needs
"substantial work" and said that it will be important to hear
from the business community regarding how the proposed
legislation could affect individual businesses.
8:08:35 AM
JOHN HALEY, Assistant Attorney General, Special Litigation and
Consumer Protection, Civil Division (Anchorage), Department of
Law, presented the sectional analysis for HB 159 on behalf of
the House Rules Standing Committee, sponsor, at the request of
the governor, which read as follows [original punctuation
provided]:
Section 1. Adds a new duty to the list of
responsibilities of the commissioner of the Department
of Commerce, Community, and Economic Development to
establish and maintain a data broker registry.
Section 2. Establishes the Consumer Data Privacy Act
as AS 45.49. Since this section of the bill lays out a
new chapter, the following information is organized by
the articles established in the new chapter and their
respective statutory sections.
Article 1. Collection, sale, or disclosure of consumer
personal information.
Sec. 45.49.010. Notice of collection, sale, or
disclosure of personal information.
This section requires that a business notify a
consumer before collecting personal information.
"Business" is defined in the definition section of
this Act as including only businesses that either have
annual gross revenues of $25 million or more, buy or
disclose the personal information of 100,000 or more
households, or that engage in the sale of personal
information. Notifications under this section must
include the categories of information collected, the
purpose for collecting that personal information, and
the right of a consumer to opt-out, established below.
This information, and other detailed information
relating to the personal information collected, must
be maintained and updated by a business as part of the
business' online privacy policy and consumer privacy
rights, or on the business' website if the business
does not maintain an online privacy policy. Businesses
subject to this section are charged with training
customer service staff in answering questions about
consumer rights.
8:11:36 AM
CO-CHAIR SPOHNHOLZ asked how many businesses would meet the
definition of "business" under the proposed legislation.
MR. HALEY responded that he doesn't know, and that part of the
difficulty of the proposed legislation is that the Department of
Commerce, Community, and Economic Development (DCCED) doesn't
necessarily have information on companies other than those that
are required to file reports.
CO-CHAIR SPOHNHOLZ said that it will be important to know that
information in the future.
8:12:33 AM
CO-CHAIR FIELDS commented that the legislation would be
meaningless without enforcement, and that companies won't
willingly disclose their financial information.
8:13:05 AM
MR. HALEY resumed his sectional analysis, which read as follows
[original punctuation provided]:
Sec. 45.49.015. Personal information; notification
upon receipt.
This section requires that a person who receives
personal information that was originally collected by
a business, as defined by this chapter, for a business
or commercial purpose notify the business of the
person's possession and provide their contact
information. The person must also deidentify the
personal information or maintain it in such a way that
it could be deleted or disclosed upon request. If this
person discloses the personal information to another
person for business or commercial purposes, they must
also inform the business that initially collected the
personal information of the disclosure within 10 days
and have a contract that requires the subsequent
recipient to comply with a deletion request under this
chapter. Finally, the business that initially
collected the personal information must maintain
records of each person to receive the collected
personal information.
8:13:56 AM
CO-CHAIR FIELDS asked how to avoid capturing midsized Alaska-
based businesses that collect and keep a piece of data as simple
as a consumer's phone number.
8:14:32 AM
REPRESENTATIVE MCCARTY asked whether a company's categorical
definition of "business" would be public knowledge.
MR. HALEY replied that the proposed legislation doesn't require
businesses to disclose its annual revenues to the Department of
Law.
8:16:09 AM
CO-CHAIR FIELDS commented that Florida just passed a data
privacy bill including an income threshold of $50 million. He
asked why the administration arrived at the income threshold of
$25 million.
MR. HALEY responded that the number was an initial attempt by
the administration to strike an appropriate balance. He said
that the income threshold related to the sale of personal
information is unique to HB 159.
8:17:39 AM
MR. HALEY commented that Sec. 45.49.015 would create a chain of
tracking requirements so that individuals may learn who has
their personal information. He then continued his presentation
of the sectional analysis, which read as follows [original
punctuation provided]:
Sec. 45.49.020. Right to request disclosure of
collected personal information.
Under this section, a consumer has the right to
request that a business that collected the person's
personal information within the last five years
disclose the type of information collected, the
sources from which the information was collected, and
the business or commercial purpose for collecting the
information. A business is required to respond to a
verified consumer request in accordance with AS
45.49.060, discussed below.
Sec. 45.49.030. Right to request deletion of personal
information.
If a consumer's personal information is collected
by a business, the consumer may request that the
business delete any information collected by the
business from the consumer within the five years
preceding the date for the request. The business is
required to delete the information identified in the
request from that business' records and must direct
all persons who received the information to delete it,
as well. Recipients of the collected information must
provide the originating business with a written
statement that the information was deleted within 45
days of the request. If this statement is not
provided, the business must immediately notify the
attorney general and consumer.
Recipients may be able to retain the information
if it is required to complete a transaction or
contract, provide a requested good or service within
an ongoing relationship with the consumer, fulfill the
terms of a warranty or recall, identify and repair
errors that impair certain products or services,
exercise a legal right, comply with a legal obligation
or court order, engage in certain types of public
research studies, or enable specifically internal uses
of the information aligned with the consumer's
expectations.
8:20:32 AM
CO-CHAIR FIELDS commented that there exist laws in Europe
regarding public dissemination of slanderous content, so-called
"right to be forgotten" laws. He said there is also a process
to remove such information from the Internet. He asked whether
HB 159 would affect only the business that collected information
rather than also affecting a business that makes the information
available for public consumption.
8:22:27 AM
MS. MILLS responded that the proposed legislation is not
intended to mirror "right to be forgotten" laws but is instead
directed at the business that initially collected the
information and subsequently disclosed it to a second business.
He pointed out that HB 159 isn't intended to address slanderous
Internet posts.
CO-CHAIR FIELDS discussed the idea of changing the proposed
legislation to mirror "right to be forgotten" legislation and
mentioned considerations of bullying and harassment.
8:22:40 AM
MR. HALEY resumed his presentation of the sectional analysis,
which read as follows [original punctuation provided]:
Sec. 45.49.040. Right to request disclosure of
personal information sold or disclosed for a business
or commercial purpose.
This section gives a consumer the right to
request disclosures from a business that sold or
disclosed the consumer's personal information for a
business or commercial purpose within the last five
years. The consumer may request disclosure of the
persons who received the personal information for a
business or commercial purpose, the categories of
information, and the business or commercial purpose
for disclosure. A business is required to respond to a
verified consumer request in accordance with AS
45.49.060, discussed below.
Sec. 45.49.050. Right to opt out or for a minor to opt
in.
This section provides that a consumer may request
that a business not sell the consumer's personal
information or specific categories of personal
information. A business may not contact a consumer
asking the consumer to renounce this request for a
year after the request is made. This section also
requires that a business limit the use or disclosure
of a consumer's precise geolocation data to that which
is necessary to provide goods or services the customer
reasonably expects or goods or services the business
reasonably expects the customer will request. A
business may use precise geolocation data for other
purposes if the consumer gives consent in writing.
8:25:09 AM
CO-CHAIR FIELDS pointed out that one of the criticisms of the
European Union's General Data Protection Regulation (GDPR) is
the ubiquitous use of pop-ups that void its protections.
8:25:40 AM
REPRESENTATIVE SNYDER noted that the proposed legislation
includes the option to "opt out" instead of "opt in" with
regards to participating in data sharing. She asked what the
argument is for starting with the "opt out" approach.
MR. HALEY replied that choosing an "opt in" policy seems to be a
stronger privacy provision, but that he doesn't know which
approach, as a matter of policy, would be most appropriate.
8:28:07 AM
CO-CHAIR FIELDS asked whether there exist legal models that
differentiate between advertising and application functions.
MR. HALEY responded that HB 159 would, to a degree, address the
difference. He said that deciding whether an advertisement
could be of reasonable, expected use would be relevant.
8:29:46 AM
MR. HALEY presented the last paragraph of the sectional analysis
pertaining to Sec. 45.49.050, which read as follows [original
punctuation provided]:
This section also requires that a business not
disclose personal information or precise geolocation
data if the business has actual knowledge, or
recklessly disregards the likelihood, that the
consumer is under 18 years of age. A parent or legal
guardian may authorize the sale or disclosure of
personal information of a consumer who is at least 13,
but under 18, years of age.
8:30:09 AM
REPRESENTATIVE NELSON asked for information on where the line
would be drawn regarding recklessly disregarding the likelihood
that a consumer is under 18 years of age.
MR. HALEY replied that the statutory language wouldn't provide
specific information regarding reckless disregard, but that what
constitutes reckless disregard could depend on future adoption
of technology in a manner similar to using a children's YouTube
channel to advertise cigarettes to minors.
REPRESENTATIVE NELSON commented that a teenager ordering pizza
by phone or website would be giving their data to a business,
and he asked whether such a scenario would fall under the
provision in Sec. 45.49.50.
MR. HALEY reminded the committee that the proposed legislation
would deal with the sale and disclosure of data, not with the
simple collection of data.
REPRESENTATIVE NELSON said he was looking for clarification
regarding whether the proposed legislation could affect a
business that doesn't know whether an individual is a minor.
MR. HALEY briefly described a possible intensive analysis for
determining whether such a case would violate the statute under
HB 159.
8:34:30 AM
MS. MILLS added that standards such as negligence and recklessly
disregarding the truth would be used in the analysis of whether
a company engaged in wrongdoing under HB 159.
8:35:42 AM
CO-CHAIR FIELDS commented on the value of the in-depth
discussion of the sectional analysis.
8:35:54 AM
MR. HALEY returned to his presentation of the sectional analysis
of HB 159, which read as follows [original punctuation
provided]:
Sec. 45.49.060. Disclosure or deletion request;
process.
This section lays out the process for a business
to respond to a verified consumer request. A business
is required to designate at least two methods to
submit a request, at minimum through a toll-free
telephone number and electronic mail address.
Information contained in a request may only be used to
identify the personal information and comply with the
request. If the request is for disclosure of
information under AS 45.49.020 or 45.49.040, the
business must provide the information in a readable,
electronic format or by mail, if requested. For all
requests made under AS 45.49.020 45.49.050, a
business must follow the outlined process to determine
if the request is verified, identify applicable
information, disclose and deliver the information,
and, if there is a request to delete information,
provide confirmation of compliance. A business has 45
days to respond under this section, but may take an
additional 45 days when reasonably necessary if the
business notifies the consumer.
This section prohibits a person from charging a
fee for performing an obligation under this chapter.
However, if a consumer's requests are manifestly
unfounded or excessive, a business may charge a
reasonable fee or refuse to act on a request. If
either of these actions are taken, the business must
notify the consumer of the decision within 45 days of
receipt of the request with a complete explanation of
the business' reason for finding the request or
requests excessive or unfounded. If the consumer has
made two verified requests within the previous 365
days, the business is not required to respond to a
request to delete or disclose information.
This section provides certain exceptions, as
well. A business that does not sell or disclose
information is not required to retain information
collected in a single, one-time transaction. If a
business does not maintain data in a manner that would
be considered "personal information" under this
chapter, the business does not need to reidentify or
link data. Finally, if the business cannot verify the
consumer request, it is not required to disclose or
delete information under this section.
Sec. 45.49.070. Third-party disclosure of personal
information.
Under this section, a third-party is prohibited
from disclosing personal information if it was
originally collected in violation of AS 45.49.010 or
45.49.050. If the third-party reasonably concludes
after an inquiry that the information was not obtained
in violation of these sections, they may not be held
liable for a violation. A third-party must have
written confirmation from the original collector that
the information was legally collected before
disclosing the information for a business or
commercial purpose.
8:41:18 AM
REPRESENTATIVE MCCARTY compared selling data to throwing a bag
of chicken feathers into the wind, saying that no one would ever
be able to collect them all. He then asked, "The third party is
not responsible for, but they may be very much involved in, the
distribution of these chicken feathers all over. What are we
doing to the person that's been violated ... any type of
integrity that's been compromised?"
MR. HALEY responded that enforcement would be a challenge
because it would be difficult to know where every piece of
information goes. He said that the proposed legislation
wouldn't create one "highly regulated" industry in which the
government has tracking powers; instead, he said, the proposed
legislation would be much broader in scope so it wouldn't be
necessary to know exactly who has violated the law. Information
would be provided by whistleblowers, tips, and news media.
REPRESENTATIVE MCCARTY commented that his name was misspelled in
the phone book, and a third party used what was found in the
phone book. He asked whether a third party would be held
accountable for errors for the purpose of helping consumers.
MR. HALEY responded that the intent of the proposed legislation
isn't to correct misinformation.
8:45:32 AM
CO-CHAIR FIELDS commented about the right to be forgotten and
asked Mr. Haley whether a private right of action is included in
the proposed legislation.
MR. HALEY replied that it is.
CO-CHAIR FIELDS asked whether it includes a private right of
action for enforcement of the provisions.
MR. HALEY replied that enforcement of the provisions in the
proposed legislation would be through the Office of the Attorney
General. He said that violations of the provisions would be
violations of the Unfair Trade Practices Act, as well as a
number of other acts within the larger act. He said that the
state has powers to issue subpoenas and force testimony, while
the Office of the Attorney General may file action seeking
injunctions and fines of up to $25,000 per violation.
CO-CHAIR FIELDS mentioned funding an enforcement section within
the Department of Law.
8:47:54 AM
MR. HALEY pointed out that the fiscal note for HB 159 requests
one attorney and one litigation assistant for enforcement and
the drafting of regulations. He then resumed his presentation
with the sectional analysis, which read as follows [original
punctuation provided]:
Sec. 45.49.080. Service provider obligations.
This section prohibits service providers from
taking certain actions with respect to personal
information. First, information received from a
business may only be retained, used, or disclosed for
the specific services contracted. Second, information
from one business may not be combined with that from
other sources unless provided for in regulation.
Finally, information may not be disclosed unless there
is written consent from the business or the recipient
and service provider sign a written contract
prohibiting the recipient from engaging in conduct
prohibited to the service provider. A personal who
receives personal information from a service provider
cannot disclose that personal information to any other
person.
45.49.080 service provider obligations
Sec. 45.49.090. Exemptions.
In addition to the restrictions inherent in this
chapter's definitions of terms such as "business,"
"person," and "consumer," there are a number of
exceptions. Those exceptions are as follows:
• protected health information collected by a covered
entity or business associate governed by the Health
Insurance Portability and Accountability Act (HIPAA);
• covered entities under HIPAA that maintain patient
information or protected health information;
• information collected as part of certain clinical
trials;
• vehicle or ownership information shared between a
motor vehicle dealer and manufacturer, or in
anticipation of a repair covered by warranty or
recall;
• collection or sales that occur wholly outside of the
state;
• certain activities subject to or information
collected or disclosed under federal laws or
regulations;
• a business may be exempted from collecting
information until January 1, 2024, if o the
information is related to a person's job application;
service as an employee; business ownership; service as
a licensed dentist, physician, or psychologist; or
work as a contractor; and o applies if the information
is used solely in the context for which it was
collected, is emergency contact information used for
that purpose, or is retained to administer benefits;
• information contained in communications between the
business and consumer if the consumer is a person
acting on behalf of a business or agency and the
transaction is within the context of the business
relationship;
• compliance would violate an evidentiary privilege;
• personal information is provided as part of a
privileged communication;
• the right or obligation would adversely affect
another consumer's rights or infringe on certain
noncommercial activity; Some of the above categories
may still provide for a right to file a claim under AS
45.49.120, duty to maintain reasonable security
measures, discussed below. A person may also disclose
information, notwithstanding this chapter, in order to
comply with federal, state, or local law; comply with
a legal inquiry, investigation, or subpoena; cooperate
with law enforcement; exercise or defend legal claims;
or as relates to deidentified or aggregated
information. Additionally, if component parts of a
transaction are separated in order to avoid compliance
with this chapter, they may be considered together to
determine compliance.
8:53:37 AM
REPRESENTATIVE KAUFMAN asked whether there exists a diagram
showing the proposed legislation's various decision points and
different actions resulting from those decisions, so he could
better visualize how the different elements would work together.
MR. HALEY replied that no one has made such a diagram.
REPRESENTATIVE KAUFMAN suggested that it would be interesting to
see possible gaps and decision points in the provisions.
8:55:07 AM
CO-CHAIR FIELDS announced that HB 159 was held over.
| Document Name | Date/Time | Subjects |
|---|---|---|
| HB 159 version A 3.31.21.PDF |
HL&C 4/23/2021 8:00:00 AM HL&C 5/12/2021 3:15:00 PM |
HB 159 |
| HB 159 Sponsor Statement version A 4.1.21.pdf |
HL&C 4/23/2021 8:00:00 AM HL&C 5/12/2021 3:15:00 PM |
HB 159 |
| HB 159 Sectional Analysis version A 4.1.21.pdf |
HL&C 4/23/2021 8:00:00 AM HL&C 5/12/2021 3:15:00 PM |
HB 159 |
| HB 159 Fiscal Note DCCED 3.31.2021.PDF |
HL&C 4/23/2021 8:00:00 AM HL&C 5/12/2021 3:15:00 PM |
HB 159 |
| HB 159 Fiscal Note Law 3.31.2021.PDF |
HL&C 4/23/2021 8:00:00 AM HL&C 5/12/2021 3:15:00 PM |
HB 159 |
| HB 125 Amendment #1 - Rep. Schrage 4.21.21.pdf |
HL&C 4/23/2021 8:00:00 AM |
HB 125 |
| Draft CS HB 146 L&C 4.21.21.pdf |
HL&C 4/23/2021 8:00:00 AM HL&C 4/28/2021 3:15:00 PM |
HB 146 |
| HB 146 Ver. B 4.21.21.pdf |
HL&C 4/23/2021 8:00:00 AM HL&C 4/28/2021 3:15:00 PM |
HB 146 |
| HB 146 Summary of Changes Ver. A to Ver. B 4.21.21.pdf |
HL&C 4/23/2021 8:00:00 AM HL&C 4/28/2021 3:15:00 PM |
HB 146 |
| HB 146 Sponsor Statement 4.21.21.pdf |
HL&C 4/23/2021 8:00:00 AM HL&C 4/28/2021 3:15:00 PM |
HB 146 |
| HB 146 Sectional Ver. B 4.21.21.pdf |
HL&C 4/23/2021 8:00:00 AM HL&C 4/28/2021 3:15:00 PM |
HB 146 |
| HB 146 University of Minnesota Paper 4.21.21.pdf |
HL&C 4/23/2021 8:00:00 AM HL&C 4/28/2021 3:15:00 PM |
HB 146 |
| HB 146 IWPR Pay Secrecy Report 4.21.21.pdf |
HL&C 4/23/2021 8:00:00 AM HL&C 4/28/2021 3:15:00 PM |
HB 146 |
| HB 146 Fiscal Note DOLWC-WH 4.5.21.pdf |
HL&C 4/23/2021 8:00:00 AM HL&C 4/28/2021 3:15:00 PM |
HB 146 |
| HB 159 Testimony Received as of 4.26.21.pdf |
HL&C 4/23/2021 8:00:00 AM HL&C 5/12/2021 3:15:00 PM |
HB 159 |