Legislature(2021 - 2022)BARNES 124
05/05/2021 03:15 PM House LABOR & COMMERCE
Note: the audio ![]()
and video ![]()
recordings are distinct records and are obtained from different sources. As such there may be key differences between the two. The audio recordings are captured by our records offices as the official record of the meeting and will have more accurate timestamps. Use the icons to switch between them.
| Audio | Topic |
|---|---|
| Start | |
| SB21 | |
| HJR19 | |
| HB159 | |
| Presentation(s): Women in the Workforce & the Gender Pay Gap | |
| Adjourn |
* first hearing in first committee of referral
+ teleconferenced
= bill was previously heard/scheduled
+ teleconferenced
= bill was previously heard/scheduled
| += | HB 159 | TELECONFERENCED | |
| += | SB 21 | TELECONFERENCED | |
| + | TELECONFERENCED | ||
| + | TELECONFERENCED | ||
| += | HJR 19 | TELECONFERENCED | |
HB 159-CONSUMER DATA PRIVACY ACT
3:22:29 PM
CO-CHAIR FIELDS announced that the next order of business would
be HOUSE BILL NO. 159, "An Act establishing the Consumer Data
Privacy Act; establishing data broker registration requirements;
making a violation of the Consumer Data Privacy Act an unfair or
deceptive trade practice; and providing for an effective date."
CO-CHAIR FIELDS stated that the presentation of the sectional
analysis had commenced during the meeting of the House Labor and
Commerce Standing Committee on April 23, 2021. He said that the
administration is working with stakeholders on what constitutes
a "rewrite" of the bill and said that expert testimony would be
heard during today's hearing. He said that the purpose of the
invited testimony was to learn about the elements of the
proposed legislation and to ensure that it would not be a burden
on Alaska's businesses.
3:24:11 PM
JOSEPH JEROME, Director of Platform Accountability and State
Advocacy, Common Sense Media, stated that he is a lawyer
focusing on privacy issues, and that Common Sense Media has been
involved in several privacy efforts across the country. He
shared that there is a "general unease" about the volume of
information collected from consumers and about it's possible
uses. He said companies are now facing global privacy rules
including the European Union General Data Protection Regulation
(EU GDPR), as well as privacy rules in India, Brazil, and Japan;
the United States, he said, has "fallen behind." He said,
"Animating this conversation is an endless stream of headlines
documenting irresponsible data collection and use by tech
companies." He said some of the biggest companies in the world
testify about how burdensome a "patchwork of U.S. laws will be,"
and he opined that the "patchwork" already exists. He discussed
the Health Insurance Portability and Accountability Act (HIPAA)
and the Graham-Leach-Bliley Act (GLBA), both of which include
privacy protection as an afterthought to larger regulatory
efforts. Because of this sectoral approach, he said, there are
gaps in privacy regulations. As an example, he asked the
committee to consider the matter of student health; regulators
don't fully appreciate that most Americans have "absolutely no
grasp" of when their health information is protected by law.
"For all the talk about HIPAA," he said, "student immunizations
and other school health records are covered by our federal
[Family] Educational Rights and Privacy Act (FERPA) - that's
from 1974. FERPA, in turn, intersects with, and conflicts with,
our Children's Online Privacy Protection Act, and that only
covers the information of children under 13." He commented that
such gaps in protection leave the general public to rely on
state attorneys general, which often do not have adequate
resources to police commonly-used technology.
MR. JEROME said that dozens of states have introduced dozens of
privacy laws, but only California and Virginia have enacted such
laws. There are several different privacy models to consider,
he said, and states across the political spectrum have made
progress. He pointed out that North Dakota introduced what he
characterized as "probably the strongest single privacy law,"
and Oklahoma and Florida have debated similar laws up until the
last day of their respective legislative sessions. He said that
what Common Sense Media looks for in feasible privacy
legislation is extra protections for kids and teens; limits on
the abilities of advertisers and data brokers to circumvent the
law; and real enforcement "teeth."
3:29:53 PM
CAITRIONA FITZGERALD, Deputy Director, Electronic Privacy
Information Center (EPIC), shared that current laws in the U.S.
state that companies may collect any consumer data, as long as
the data's use(s) isn't misrepresented in the companies' privacy
policies. She said that allowing an individual to know the data
a company collects, and demand deletion of such data, puts the
entire burden of data protection on the individual consumer; a
good privacy bill would include strong data minimization
provisions such as limiting data collection to what is
reasonably necessary to provide a better service to the
consumer. Another component of data minimization provisions,
she said, would be the requirement that companies delete the
personal data when it's no longer needed for the original
purchase, which would blunt the impact of data breaches because
there would be less data at risk. She said that secondary uses
of data should be limited; downstream parties such as service
providers that collect data should be subject to the same
obligations as the original data collector.
MS. FITZGERALD then discussed promoting privacy-enhancing
technologies, which would make it easier for consumers to
enforce their right to privacy. She said that it's not
realistic to expect Internet users to take multiple steps to opt
out of data disclosure; every website uses banners to inform the
user that it's collecting "cookies," and the website makes it
difficult to allow users to opt out of data collection. There
are global mechanisms that allow settings to be configured in
Internet browsers that sent a signal to all websites saying that
a user wants to disallow the sale of data. This mechanism is in
the California Consumer Protection Act, she said, and technology
companies now comply with global privacy controls allowing
consumers to opt out of having their data sold.
3:35:15 PM
HAYLEY TSUKAYAMA, Legislative Activist, Electronic Frontier
Foundation (EFF), stated that strong laws require strong
enforcement, and EFF often studies the enforcement sections of
proposed legislation to determine not only how seriously
consumers would be protected, but whether the proposed
legislation addresses the widespread concern that drives the
call for such legislation. She encouraged the committee to
ensure adequate funding for enforcement mechanisms. She said
the "right to cure," usually existing within the enforcement
section of a bill, would give companies in violation of the law
a period of time to correct the violation and avoid disciplinary
action. She expressed that the right to cure is a "get out of
jail free" card that would mean no consequences for companies
that break the law, thus allowing consumers to be harmed with no
remedy to address the harm. She said that the strongest
enforcement mechanism EFF has seen is "private rights of action"
(PRAs), which play out in privacy laws across the country.
Illinois's Biometric Information Privacy Act contains a PRA, she
said, and was used to bring suit against Facebook over its use
of face recognition.
3:39:55 PM
MS. TSUKAYAMA discussed the importance of ensuring that
consumers who exercise their right to privacy aren't penalized
through mechanisms such as paying more for a service or being
ineligible for discounts offered to the general public. She
expressed approval for the prohibition on retaliation for
exercising privacy rights under HB 159, but she noted that the
proposed legislation still includes language regarding charges
that vary according to the value provided by the consumer's
data, which could open the door to privacy violations. She
discussed "dark patterns," otherwise known as "coercive design,"
which she described as mechanisms to undermine consumer consent
by presenting information in a certain way. A good example of
coercive design, she said, is a request to collect data with the
option to accept the request displayed in bright, colorful
graphics, while the option to opt out is in small text. She
discussed the possible harms of data abuse, pointing out that
data use often exacerbates existing discrimination; information
such as the high school a person went to can influence their
mortgage worthiness. She said that using data algorithms to
make decisions should require a mechanism for transparency
regarding the information that goes into the algorithm, and the
algorithms themselves should be audited.
3:44:09 PM
MAUREEN MAHONEY, Senior Policy Analyst, Consumer Reports, shared
that her comments would focus on the importance of covering
targeted advertising in proposed legislation, which she
characterized as an "under-discussed issue" in privacy
legislation. She said that "targeted advertising" refers to
data about consumer behavior that is shared with other companies
for the use of directing ads to the consumer; consumers are
constantly tracked, and said, and information about their online
and offline activities is used to glean detailed insights into
consumers' most personal characteristics. Everything from
health conditions to political affiliations is used to deliver
targeted advertising, she explained, which could lead to
disparate outcomes along racial or ethnic lines. She pointed
out that job or housing advertisements can target only certain
consumer demographics. Covering such data transactions is one
of the key motivators for consumer privacy legislation, she
said, and she noted that many companies are working to undermine
such legislation by adopting bad faith interpretations of such
legislation, such as claiming that targeted advertising isn't
covered by the law.
MS. MAHONEY urged the committee to keep the language in HB 159
regarding targeted advertising, and she noted that the
definition of "personal information" in the proposed legislation
covers information associated both with the consumer and with
the household. She proposed adjusting the text of HB 159 to not
require consumers to verify their identities in order to opt out
of the sale of their information; since a lot of data used for
tracking isn't associated specifically with a name or email
address, she said, requiring identity verification would open a
loophole for targeted advertising. Research done by Consumer
Reports has shown that consumers have been asked to provide
their social security or driver's license number in order to opt
out of data distribution, she said, and consumers are
uncomfortable sharing such information with an unknown data
broker. She recommended adjusting the definition of "sale"
within the text of HB 159 to include coverage of all data
disclosures to a third party for a commercial purpose; the
importance of such coverage, she said, is to ensure that
companies aren't able to circumvent the regulation by not
technically receiving money in the transaction.
3:48:42 PM
CO-CHAIR FIELDS noted the importance of hearing testimony from
unbiased sources. He pointed out that there will be testimony
from organizations that are funded by the businesses who
practice stealing, reselling, or aggregating data.
3:49:16 PM
REPRESENTATIVE KAUFMAN mentioned Ms. Fitzgerald's discussion of
essential elements to include in data privacy legislation and
expressed interest in receiving a copy of the list. He then
asked Ms. Mahoney to talk about the "Internet ecosystem" in
which many services are "free" but use data as part of a
company's business model.
MS. MAHONEY said that consumer privacy is a right which should
be afforded to everyone regardless of their income or ability to
pay; the baseline, she said, should be consumers' ability to
safely use online services or apps without having their privacy
compromised. If prices need to be adjusted to ensure online
safety, she said, such an action could be appropriate.
REPRESENTATIVE KAUFMAN hypothesized about a company offering a
mapping app with a "free" version that monetizes consumer data,
or a "paid" version that does not monetize consumer data. He
asked whether offering the two versions would be a form of
discrimination.
MS. MAHONEY responded that consumers should have the basic right
to use apps and services without having to compromise their
privacy, and that consumers shouldn't have to pay more or less
depending on their level of acceptance of privacy violations.
She said that consumers should, at the very least, have the
option of opting out of the targeted advertising ecosystem due
to the lack of transparency in how data is used and monetized.
REPRESENTATIVE KAUFMAN expressed concern for protecting consumer
privacy in an "effective and efficient" manner that doesn't
jeopardize the benefits of data collection. He said that if
data is a commodity, consumers should be able to give it away or
profit from it. He expressed the perspective that, under Ms.
Mahoney's model, consumers wouldn't have the option of allowing
unfettered data collection. He asked Ms. Mahoney whether her
vision of data privacy would prevent a consumer from
commoditizing their own data.
MS. MAHONEY deferred to Mr. Jerome from Common Sense Media.
3:55:02 PM
MR. JEROME surmised that Representative Kaufman's question
pertained to the relationship between secondary uses of
information and general online advertising. He said that none
of the consumer privacy proposals would end online advertising,
and that it's important to acknowledge that some of the data
collection business models aren't effective. He said that one-
third of the money spent on online advertising ends up going to
fake traffic and automated bots. Due to market dominance, he
said, Google and Facebook comprise up to 60 percent of all
online ad revenue; contextual advertising that does not invade
consumer privacy is as effective as targeted advertising. A
2019 study found a revenue discrepancy of only 4 percent based
on whether or not cookies were disabled, he said, which means
that using personal data increases revenue by only .00008 cents
per ad. He said that former digital advertisers at The New York
Times and Washington Post have argued that the entire model is
overhyped in its value to data publishers. He stated that the
imposition of strong privacy rules would likely not have the
negative impact many assume it would.
3:57:23 PM
REPRESENTATIVE SCHRAGE stated that he understands the concerns
around racial targeting and the targeting of children. He then
said that he doesn't understand how his privacy is being invaded
by a company simply knowing what he views online, asserting that
such targeted advertising could actually be of benefit in that
it reduces his search time.
3:58:17 PM
MR. JEROME stated that the reality is that kids and teens could
be "outed" if ads for issues around sexual orientation pop up on
shared devices. He shared the example of a pregnant teenager
whose family was informed of her pregnancy by targeted
advertising. YouTube and Facebook are constantly in trouble for
how they profile, he said. Kids can be profiled as "gamers,"
"impulsive purchasers," or "anxious oversharers," and are then
targeted by ads encouraging more of those behaviors. Facebook
has categorized hundreds of thousands of kids as "interested in
gambling" or "interested in alcohol," and has told advertisers
that they could identify teens who feel stressed, defeated,
anxious, or nervous, and could target such children with online
advertising for coffee or makeup tutorials. He said that such
commercial manipulation is endemic across the targeted
advertising ecosystem.
REPRESENTATIVE SCHRAGE said that he understands the concerns
about children but that he is still confused about the issue
with cookies. He opined that targeted advertising has benefits
in that companies may better tailor offerings to individuals
based on their shopping habits.
4:01:12 PM
CO-CHAIR SPOHNHOLZ expressed the perspective that there are many
ways in which data tracking is useful, sharing that she likes
getting targeted ads for products in which she's interested.
She then shared a personal experience in which a text exchange
with her husband resulted in a Facebook advertisement within
moments of the exchange. She said that Facebook is mining data
in ways not anticipated by the average consumer, and parts of
consumers' lives are now digitized in ways that had never before
been imagined. She characterized data privacy as the "Wild
West" and shared her concerns about the fact that a company in
another state could be mining texts between herself and her
husband for marketing purposes. She stated that there seems to
be no expectation of privacy, reminding committee members that
privacy issues were revealed by companies suing each other
rather than by governmental regulation. She expressed that the
government awareness and regulation of such issues lags behind
actual business practices, and parents often don't know or
understand the online environment in which their children are
operating. She said that the right to privacy has been upheld
many times in the last century by the U.S. Supreme Court and
that there is a strong right to privacy in Alaska, and that
ensuring a continued right to privacy is the responsibility of
legislators.
4:05:18 PM
REPRESENTATIVE SNYDER shared that she does not find value in
being the target of advertisements, expressing that she doesn't
want to be tempted by the next piece of consumerism or for her
online experience to be interrupted. She said that, regardless
of the rationale, consumers should be able to say they don't
want their data used in such ways.
4:06:46 PM
CO-CHAIR FIELDS stated his belief that Alaska has some of the
strongest constitutional privacy protections in the country, and
he characterized HB 159 as a discussion on how best to meet a
constitutional privacy mandate. He shared his concern that
biometric information and artificial intelligence (AI)
replicates and perpetuates racist power structures. He said
that the U.S. has less socioeconomic mobility than any other
developed country and noted the recent case of Google's photo
app placing photos of black people in albums called "gorilla
albums." He wondered what should be considered in questions of
biometric information, and he asked whether there exists a
consensus that the model for such data in Illinois is the best
one.
4:08:27 PM
MS. TSUKAYAMA responded that the Electronic Frontier Foundation
(EFF) considers Illinois's model to be the "gold standard" of
biometric privacy, pointing out that Co-Chair Fields' statement
highlighted many of the concerns surrounding the use of
biometric information. She stated that EFF advocates for a ban
on government use of face recognition.
4:09:21 PM
MS. FITZGERALD stated her agreement with Ms. Tsukayama's
statement and shared her understanding of Co-Chair Fields'
concern that AI can be used to perpetuate systemic inequalities.
She said society is now living with the consequences of allowing
social media to self-regulate, and she expressed the hope that
AI doesn't follow the same path. She said there exists language
in various proposed legislations requiring companies to engage
in activities such as impacts assessments before using new
algorithms, and performing audits during the life of the
activity to ensure that it's fair and nondiscriminatory.
4:10:44 PM
MR. JEROME expressed agreement with the previous statements and
added that using biometric products to authenticate an
individual can easily lead to profiling. He pointed out that
Black people tend to represent as being "angrier" in many AI
systems; in this context, he said, technology that analyzes
whether students or employees are paying attention can be
discriminatory.
4:12:06 PM
CO-CHAIR FIELDS expressed the desire to see an industry-funded
mechanism to establish a strong state enforcement unit within
the Department of Law, as well as a private right of action. He
pointed out that Alaska doesn't have a large tech industry, and
is not naturally going to have lawyers with tech industry
experience working in the Office of the Attorney General. He
expressed wanting a model for a robustly-funded enforcement wing
of the Department of Law, and he asked whether the panelists'
organizations would be interested in working with the committee
to draft a model for enforcement to ensure adequate capacity in
Alaska to police the companies with a record of inappropriate
data use.
4:13:08 PM
MS. TSUKAYAMA responded that EFF has not yet seen what it would
consider an adequately-funded department to address digital
privacy laws. She said EFF would be happy to work with the
committee on a private right of action and an agency to oversee
the issues.
4:14:00 PM
CO-CHAIR FIELDS stated his desire to establish strong standards
of enforcement for multinational companies that have a record of
exploiting data information, as well as to ensure that the law's
structure doesn't burden Alaska's small and medium-sized
businesses that are using data to serve their customers. He
asked whether there is a threshold for striking the right
balance between capturing the multinational companies while
protecting smaller businesses that collect information to
conduct legitimate business.
MS. MAHONEY, on behalf of Consumer Reports, responded that there
is no specific threshold to hit but that California, with its
threshold of 50,000 users per year, or Virginia's threshold of
100,000 users per year, both ensure that small and medium-sized
businesses aren't unduly affected by the law. She expressed
that many privacy laws under discussion at the state level put
few limits on a company's ability to collect data and advertise
to their customers; the main concern is putting controls on the
disclosure of data to third parties, and the associated sale and
resale by data brokers.
4:16:30 PM
CHRIS KOA, Attorney, DataEsque Law Group PLLC, stated that he is
a privacy, security, technology, and corporate attorney
representing Lynden, Incorporated ("Lynden"). He explained that
he is collaborating, in good faith and at the invitation of the
governor, with several other Alaska companies that would be
similarly impacted by the original version of HB 159. As
initially drafted, he said, Lynden opposes the proposed
legislation and would characterize it as among the most onerous
state privacy laws in the country and that it would not be in
the best interest of Alaska. He said that Lynden "conceptually"
supports the goal of increasing privacy protections and wants to
find ways to support that goal while ensuring that companies
with primarily business-to-business ("B2B") models that don't
engage in the sale of consumer data aren't adversely impacted,
especially in the absence of corresponding consumer protection
benefits that outweigh the anticipated burdens and costs to
businesses. The goal, he said, is to find a middle ground that
balances the interests of the administration, the Office of the
Attorney General, the legislature, businesses, and consumers.
MR. KOA said that as a B2B company, Lynden focuses on using data
solely to provide services requested by the customers, unlike
business-to-consumer ("B2C") organizations that heavily use
personal data. The initial draft of the proposed legislation,
he said, would hurt B2B companies that don't sell personal
information; that don't have high-risk business models that
depend on heavy use of personal information; and have not
engaged in systematic patterns of abuse. To ensure the ability
of B2B companies like Lynden to continue to serve Alaska, he
said, he recommends consideration and implementation of the
critical amendments he submitted [included in the committee
packet].
4:21:11 PM
MR. KOA expressed that the amended version of HB 159 would
provide a more focused approach, intended to avoid burdening B2B
companies such as Lynden, oil companies, mining, and
telecommunications, which don't sell data, and which employ
thousands of Alaskans while providing valuable services. Key
suggestions for HB 159, he said, include the following: delete
the standalone revenue threshold as a trigger for determining
companies for regulation; exclude B2B contacts and employees
from the scope of the proposed legislation; exclude personal
data provided by a consumer for the purpose of providing a
product or service requested by that consumer; delete the
private right of action and allow enforcement by the Office of
the Attorney General; provide a cure period, especially for
companies that are not repeat offenders; shorten the lookback
period to one year; and clarify ways for companies to comply
with reasonable security obligations.
MR. KOA stated Lynden's support for the goal of protecting
consumer privacy in a manner consistent with how businesses
operate and can respond, without disrupting a business's ability
to serve Alaska, and without incurring costs and burdens without
a corresponding consumer benefit. He said the intention for the
suggestions reflected in the suggested amendments is to balance
valid public policy interests and consumer privacy with the
realities of business operations.
4:25:56 PM
REPRESENTATIVE KAUFMAN asked how much content is in a typical
profile for an individual consumer.
MR. JEROME, on behalf of Common Sense Media, responded that the
amount of content varies, and that data brokerage is a
complicated ecosystem. The Federal Trade Commission, as well as
a report from the World Privacy Forum called The Scoring of
America, have made such information available. The challenge
with companies such as Google and Facebook, he said, is that
their information is not made available to consumers.
4:27:53 PM
REPRESENTATIVE SCHRAGE asked how multinational online companies
determine which state privacy laws to follow. He expressed that
he sees the merits of protecting privacy and wondered whether
the issue would be better addressed at the federal level.
MS. FITZGERALD, on behalf of the Electronic Privacy Information
Center, stated that the federal government has not moved to act
on this issue, which is why states are beginning to act to
protect citizens. Because it's difficult for large companies
such as Google or Facebook to comply with many different state
laws, she said, "The state with the strongest law sets the bar."
She pointed out that companies are already complying with the
European Union's General Data Protection Regulation.
4:30:12 PM
MS. MAHONEY, on behalf of Consumer Reports, noted that companies
can identify a consumer's location based on a consumer's
internet protocol (IP) address. She agreed that strong federal
privacy legislation would be the goal, but in the absence of
such legislation, states need to ensure that consumers have
strong privacy protections.
4:30:52 PM
CO-CHAIR FIELDS referred to Mr. Koa's suggestion to delete the
standalone revenue threshold and to exclude B2B contacts from
the proposed legislation. He asked for discussion on the
practicality of excluding B2B exchanges.
MS. MAHONEY said that, while there are a number of ways to
determine an appropriate threshold for regulation, the number of
consumers on which data is collected is an appropriate metric to
consider. She stated that the main concern of Consumer Reports
is to make sure consumers have strong privacy protections and
that they are able to exercise their preferences.
4:32:48 PM
CO-CHAIR FIELDS announced that HB 159 was held over.
| Document Name | Date/Time | Subjects |
|---|---|---|
| SB 21 Amendment #1 5.4.21.pdf |
HL&C 5/5/2021 3:15:00 PM |
SB 21 |
| SB 21 Statement of Zero Fiscal Impact 3.5.21.pdf |
HL&C 5/5/2021 3:15:00 PM |
SB 21 |
| DOLWD Gender Pay Gap Presentation 5.5.21.pdf |
HL&C 5/5/2021 3:15:00 PM |
|
| HB 159 Ad Trade Letter of Opposition 4.22.21.pdf |
HL&C 5/5/2021 3:15:00 PM HL&C 5/12/2021 3:15:00 PM |
HB 159 |
| CS HJR19 (L&C) Fiscal Note.pdf |
HL&C 5/5/2021 3:15:00 PM |
HJR 19 |
| CS HJR19 (L&C).pdf |
HL&C 5/5/2021 3:15:00 PM |
HJR 19 |
| Gender Pay Testimony House Labor Commerce - Foraker Group 5-5-2021.pdf |
HL&C 5/5/2021 3:15:00 PM |
|
| Gender Wage Gap - Hilary Morgan 5.5.21.pdf |
HL&C 5/5/2021 3:15:00 PM |
|
| DOLWD Analysis - The Gender Wage Gap, September 2019.pdf |
HL&C 5/5/2021 3:15:00 PM |
|
| Alaska Economic Trends - The Gender Wage Gap, 2017.pdf |
HL&C 5/5/2021 3:15:00 PM |