HB 159-CONSUMER DATA PRIVACY ACT  3:22:29 PM CO-CHAIR FIELDS announced that the next order of business would be HOUSE BILL NO. 159, "An Act establishing the Consumer Data Privacy Act; establishing data broker registration requirements; making a violation of the Consumer Data Privacy Act an unfair or deceptive trade practice; and providing for an effective date." CO-CHAIR FIELDS stated that the presentation of the sectional analysis had commenced during the meeting of the House Labor and Commerce Standing Committee on April 23, 2021. He said that the administration is working with stakeholders on what constitutes a "rewrite" of the bill and said that expert testimony would be heard during today's hearing. He said that the purpose of the invited testimony was to learn about the elements of the proposed legislation and to ensure that it would not be a burden on Alaska's businesses. 3:24:11 PM JOSEPH JEROME, Director of Platform Accountability and State Advocacy, Common Sense Media, stated that he is a lawyer focusing on privacy issues, and that Common Sense Media has been involved in several privacy efforts across the country. He shared that there is a "general unease" about the volume of information collected from consumers and about it's possible uses. He said companies are now facing global privacy rules including the European Union General Data Protection Regulation (EU GDPR), as well as privacy rules in India, Brazil, and Japan; the United States, he said, has "fallen behind." He said, "Animating this conversation is an endless stream of headlines documenting irresponsible data collection and use by tech companies." He said some of the biggest companies in the world testify about how burdensome a "patchwork of U.S. laws will be," and he opined that the "patchwork" already exists. He discussed the Health Insurance Portability and Accountability Act (HIPAA) and the Graham-Leach-Bliley Act (GLBA), both of which include privacy protection as an afterthought to larger regulatory efforts. Because of this sectoral approach, he said, there are gaps in privacy regulations. As an example, he asked the committee to consider the matter of student health; regulators don't fully appreciate that most Americans have "absolutely no grasp" of when their health information is protected by law. "For all the talk about HIPAA," he said, "student immunizations and other school health records are covered by our federal [Family] Educational Rights and Privacy Act (FERPA) - that's from 1974. FERPA, in turn, intersects with, and conflicts with, our Children's Online Privacy Protection Act, and that only covers the information of children under 13." He commented that such gaps in protection leave the general public to rely on state attorneys general, which often do not have adequate resources to police commonly-used technology. MR. JEROME said that dozens of states have introduced dozens of privacy laws, but only California and Virginia have enacted such laws. There are several different privacy models to consider, he said, and states across the political spectrum have made progress. He pointed out that North Dakota introduced what he characterized as "probably the strongest single privacy law," and Oklahoma and Florida have debated similar laws up until the last day of their respective legislative sessions. He said that what Common Sense Media looks for in feasible privacy legislation is extra protections for kids and teens; limits on the abilities of advertisers and data brokers to circumvent the law; and real enforcement "teeth." 3:29:53 PM CAITRIONA FITZGERALD, Deputy Director, Electronic Privacy Information Center (EPIC), shared that current laws in the U.S. state that companies may collect any consumer data, as long as the data's use(s) isn't misrepresented in the companies' privacy policies. She said that allowing an individual to know the data a company collects, and demand deletion of such data, puts the entire burden of data protection on the individual consumer; a good privacy bill would include strong data minimization provisions such as limiting data collection to what is reasonably necessary to provide a better service to the consumer. Another component of data minimization provisions, she said, would be the requirement that companies delete the personal data when it's no longer needed for the original purchase, which would blunt the impact of data breaches because there would be less data at risk. She said that secondary uses of data should be limited; downstream parties such as service providers that collect data should be subject to the same obligations as the original data collector. MS. FITZGERALD then discussed promoting privacy-enhancing technologies, which would make it easier for consumers to enforce their right to privacy. She said that it's not realistic to expect Internet users to take multiple steps to opt out of data disclosure; every website uses banners to inform the user that it's collecting "cookies," and the website makes it difficult to allow users to opt out of data collection. There are global mechanisms that allow settings to be configured in Internet browsers that sent a signal to all websites saying that a user wants to disallow the sale of data. This mechanism is in the California Consumer Protection Act, she said, and technology companies now comply with global privacy controls allowing consumers to opt out of having their data sold. 3:35:15 PM HAYLEY TSUKAYAMA, Legislative Activist, Electronic Frontier Foundation (EFF), stated that strong laws require strong enforcement, and EFF often studies the enforcement sections of proposed legislation to determine not only how seriously consumers would be protected, but whether the proposed legislation addresses the widespread concern that drives the call for such legislation. She encouraged the committee to ensure adequate funding for enforcement mechanisms. She said the "right to cure," usually existing within the enforcement section of a bill, would give companies in violation of the law a period of time to correct the violation and avoid disciplinary action. She expressed that the right to cure is a "get out of jail free" card that would mean no consequences for companies that break the law, thus allowing consumers to be harmed with no remedy to address the harm. She said that the strongest enforcement mechanism EFF has seen is "private rights of action" (PRAs), which play out in privacy laws across the country. Illinois's Biometric Information Privacy Act contains a PRA, she said, and was used to bring suit against Facebook over its use of face recognition. 3:39:55 PM MS. TSUKAYAMA discussed the importance of ensuring that consumers who exercise their right to privacy aren't penalized through mechanisms such as paying more for a service or being ineligible for discounts offered to the general public. She expressed approval for the prohibition on retaliation for exercising privacy rights under HB 159, but she noted that the proposed legislation still includes language regarding charges that vary according to the value provided by the consumer's data, which could open the door to privacy violations. She discussed "dark patterns," otherwise known as "coercive design," which she described as mechanisms to undermine consumer consent by presenting information in a certain way. A good example of coercive design, she said, is a request to collect data with the option to accept the request displayed in bright, colorful graphics, while the option to opt out is in small text. She discussed the possible harms of data abuse, pointing out that data use often exacerbates existing discrimination; information such as the high school a person went to can influence their mortgage worthiness. She said that using data algorithms to make decisions should require a mechanism for transparency regarding the information that goes into the algorithm, and the algorithms themselves should be audited. 3:44:09 PM MAUREEN MAHONEY, Senior Policy Analyst, Consumer Reports, shared that her comments would focus on the importance of covering targeted advertising in proposed legislation, which she characterized as an "under-discussed issue" in privacy legislation. She said that "targeted advertising" refers to data about consumer behavior that is shared with other companies for the use of directing ads to the consumer; consumers are constantly tracked, and said, and information about their online and offline activities is used to glean detailed insights into consumers' most personal characteristics. Everything from health conditions to political affiliations is used to deliver targeted advertising, she explained, which could lead to disparate outcomes along racial or ethnic lines. She pointed out that job or housing advertisements can target only certain consumer demographics. Covering such data transactions is one of the key motivators for consumer privacy legislation, she said, and she noted that many companies are working to undermine such legislation by adopting bad faith interpretations of such legislation, such as claiming that targeted advertising isn't covered by the law. MS. MAHONEY urged the committee to keep the language in HB 159 regarding targeted advertising, and she noted that the definition of "personal information" in the proposed legislation covers information associated both with the consumer and with the household. She proposed adjusting the text of HB 159 to not require consumers to verify their identities in order to opt out of the sale of their information; since a lot of data used for tracking isn't associated specifically with a name or email address, she said, requiring identity verification would open a loophole for targeted advertising. Research done by Consumer Reports has shown that consumers have been asked to provide their social security or driver's license number in order to opt out of data distribution, she said, and consumers are uncomfortable sharing such information with an unknown data broker. She recommended adjusting the definition of "sale" within the text of HB 159 to include coverage of all data disclosures to a third party for a commercial purpose; the importance of such coverage, she said, is to ensure that companies aren't able to circumvent the regulation by not technically receiving money in the transaction. 3:48:42 PM CO-CHAIR FIELDS noted the importance of hearing testimony from unbiased sources. He pointed out that there will be testimony from organizations that are funded by the businesses who practice stealing, reselling, or aggregating data. 3:49:16 PM REPRESENTATIVE KAUFMAN mentioned Ms. Fitzgerald's discussion of essential elements to include in data privacy legislation and expressed interest in receiving a copy of the list. He then asked Ms. Mahoney to talk about the "Internet ecosystem" in which many services are "free" but use data as part of a company's business model. MS. MAHONEY said that consumer privacy is a right which should be afforded to everyone regardless of their income or ability to pay; the baseline, she said, should be consumers' ability to safely use online services or apps without having their privacy compromised. If prices need to be adjusted to ensure online safety, she said, such an action could be appropriate. REPRESENTATIVE KAUFMAN hypothesized about a company offering a mapping app with a "free" version that monetizes consumer data, or a "paid" version that does not monetize consumer data. He asked whether offering the two versions would be a form of discrimination. MS. MAHONEY responded that consumers should have the basic right to use apps and services without having to compromise their privacy, and that consumers shouldn't have to pay more or less depending on their level of acceptance of privacy violations. She said that consumers should, at the very least, have the option of opting out of the targeted advertising ecosystem due to the lack of transparency in how data is used and monetized. REPRESENTATIVE KAUFMAN expressed concern for protecting consumer privacy in an "effective and efficient" manner that doesn't jeopardize the benefits of data collection. He said that if data is a commodity, consumers should be able to give it away or profit from it. He expressed the perspective that, under Ms. Mahoney's model, consumers wouldn't have the option of allowing unfettered data collection. He asked Ms. Mahoney whether her vision of data privacy would prevent a consumer from commoditizing their own data. MS. MAHONEY deferred to Mr. Jerome from Common Sense Media. 3:55:02 PM MR. JEROME surmised that Representative Kaufman's question pertained to the relationship between secondary uses of information and general online advertising. He said that none of the consumer privacy proposals would end online advertising, and that it's important to acknowledge that some of the data collection business models aren't effective. He said that one- third of the money spent on online advertising ends up going to fake traffic and automated bots. Due to market dominance, he said, Google and Facebook comprise up to 60 percent of all online ad revenue; contextual advertising that does not invade consumer privacy is as effective as targeted advertising. A 2019 study found a revenue discrepancy of only 4 percent based on whether or not cookies were disabled, he said, which means that using personal data increases revenue by only .00008 cents per ad. He said that former digital advertisers at The New York Times and Washington Post have argued that the entire model is overhyped in its value to data publishers. He stated that the imposition of strong privacy rules would likely not have the negative impact many assume it would. 3:57:23 PM REPRESENTATIVE SCHRAGE stated that he understands the concerns around racial targeting and the targeting of children. He then said that he doesn't understand how his privacy is being invaded by a company simply knowing what he views online, asserting that such targeted advertising could actually be of benefit in that it reduces his search time. 3:58:17 PM MR. JEROME stated that the reality is that kids and teens could be "outed" if ads for issues around sexual orientation pop up on shared devices. He shared the example of a pregnant teenager whose family was informed of her pregnancy by targeted advertising. YouTube and Facebook are constantly in trouble for how they profile, he said. Kids can be profiled as "gamers," "impulsive purchasers," or "anxious oversharers," and are then targeted by ads encouraging more of those behaviors. Facebook has categorized hundreds of thousands of kids as "interested in gambling" or "interested in alcohol," and has told advertisers that they could identify teens who feel stressed, defeated, anxious, or nervous, and could target such children with online advertising for coffee or makeup tutorials. He said that such commercial manipulation is endemic across the targeted advertising ecosystem. REPRESENTATIVE SCHRAGE said that he understands the concerns about children but that he is still confused about the issue with cookies. He opined that targeted advertising has benefits in that companies may better tailor offerings to individuals based on their shopping habits. 4:01:12 PM CO-CHAIR SPOHNHOLZ expressed the perspective that there are many ways in which data tracking is useful, sharing that she likes getting targeted ads for products in which she's interested. She then shared a personal experience in which a text exchange with her husband resulted in a Facebook advertisement within moments of the exchange. She said that Facebook is mining data in ways not anticipated by the average consumer, and parts of consumers' lives are now digitized in ways that had never before been imagined. She characterized data privacy as the "Wild West" and shared her concerns about the fact that a company in another state could be mining texts between herself and her husband for marketing purposes. She stated that there seems to be no expectation of privacy, reminding committee members that privacy issues were revealed by companies suing each other rather than by governmental regulation. She expressed that the government awareness and regulation of such issues lags behind actual business practices, and parents often don't know or understand the online environment in which their children are operating. She said that the right to privacy has been upheld many times in the last century by the U.S. Supreme Court and that there is a strong right to privacy in Alaska, and that ensuring a continued right to privacy is the responsibility of legislators. 4:05:18 PM REPRESENTATIVE SNYDER shared that she does not find value in being the target of advertisements, expressing that she doesn't want to be tempted by the next piece of consumerism or for her online experience to be interrupted. She said that, regardless of the rationale, consumers should be able to say they don't want their data used in such ways. 4:06:46 PM CO-CHAIR FIELDS stated his belief that Alaska has some of the strongest constitutional privacy protections in the country, and he characterized HB 159 as a discussion on how best to meet a constitutional privacy mandate. He shared his concern that biometric information and artificial intelligence (AI) replicates and perpetuates racist power structures. He said that the U.S. has less socioeconomic mobility than any other developed country and noted the recent case of Google's photo app placing photos of black people in albums called "gorilla albums." He wondered what should be considered in questions of biometric information, and he asked whether there exists a consensus that the model for such data in Illinois is the best one. 4:08:27 PM MS. TSUKAYAMA responded that the Electronic Frontier Foundation (EFF) considers Illinois's model to be the "gold standard" of biometric privacy, pointing out that Co-Chair Fields' statement highlighted many of the concerns surrounding the use of biometric information. She stated that EFF advocates for a ban on government use of face recognition. 4:09:21 PM MS. FITZGERALD stated her agreement with Ms. Tsukayama's statement and shared her understanding of Co-Chair Fields' concern that AI can be used to perpetuate systemic inequalities. She said society is now living with the consequences of allowing social media to self-regulate, and she expressed the hope that AI doesn't follow the same path. She said there exists language in various proposed legislations requiring companies to engage in activities such as impacts assessments before using new algorithms, and performing audits during the life of the activity to ensure that it's fair and nondiscriminatory. 4:10:44 PM MR. JEROME expressed agreement with the previous statements and added that using biometric products to authenticate an individual can easily lead to profiling. He pointed out that Black people tend to represent as being "angrier" in many AI systems; in this context, he said, technology that analyzes whether students or employees are paying attention can be discriminatory. 4:12:06 PM CO-CHAIR FIELDS expressed the desire to see an industry-funded mechanism to establish a strong state enforcement unit within the Department of Law, as well as a private right of action. He pointed out that Alaska doesn't have a large tech industry, and is not naturally going to have lawyers with tech industry experience working in the Office of the Attorney General. He expressed wanting a model for a robustly-funded enforcement wing of the Department of Law, and he asked whether the panelists' organizations would be interested in working with the committee to draft a model for enforcement to ensure adequate capacity in Alaska to police the companies with a record of inappropriate data use. 4:13:08 PM MS. TSUKAYAMA responded that EFF has not yet seen what it would consider an adequately-funded department to address digital privacy laws. She said EFF would be happy to work with the committee on a private right of action and an agency to oversee the issues. 4:14:00 PM CO-CHAIR FIELDS stated his desire to establish strong standards of enforcement for multinational companies that have a record of exploiting data information, as well as to ensure that the law's structure doesn't burden Alaska's small and medium-sized businesses that are using data to serve their customers. He asked whether there is a threshold for striking the right balance between capturing the multinational companies while protecting smaller businesses that collect information to conduct legitimate business. MS. MAHONEY, on behalf of Consumer Reports, responded that there is no specific threshold to hit but that California, with its threshold of 50,000 users per year, or Virginia's threshold of 100,000 users per year, both ensure that small and medium-sized businesses aren't unduly affected by the law. She expressed that many privacy laws under discussion at the state level put few limits on a company's ability to collect data and advertise to their customers; the main concern is putting controls on the disclosure of data to third parties, and the associated sale and resale by data brokers. 4:16:30 PM CHRIS KOA, Attorney, DataEsque Law Group PLLC, stated that he is a privacy, security, technology, and corporate attorney representing Lynden, Incorporated ("Lynden"). He explained that he is collaborating, in good faith and at the invitation of the governor, with several other Alaska companies that would be similarly impacted by the original version of HB 159. As initially drafted, he said, Lynden opposes the proposed legislation and would characterize it as among the most onerous state privacy laws in the country and that it would not be in the best interest of Alaska. He said that Lynden "conceptually" supports the goal of increasing privacy protections and wants to find ways to support that goal while ensuring that companies with primarily business-to-business ("B2B") models that don't engage in the sale of consumer data aren't adversely impacted, especially in the absence of corresponding consumer protection benefits that outweigh the anticipated burdens and costs to businesses. The goal, he said, is to find a middle ground that balances the interests of the administration, the Office of the Attorney General, the legislature, businesses, and consumers. MR. KOA said that as a B2B company, Lynden focuses on using data solely to provide services requested by the customers, unlike business-to-consumer ("B2C") organizations that heavily use personal data. The initial draft of the proposed legislation, he said, would hurt B2B companies that don't sell personal information; that don't have high-risk business models that depend on heavy use of personal information; and have not engaged in systematic patterns of abuse. To ensure the ability of B2B companies like Lynden to continue to serve Alaska, he said, he recommends consideration and implementation of the critical amendments he submitted [included in the committee packet]. 4:21:11 PM MR. KOA expressed that the amended version of HB 159 would provide a more focused approach, intended to avoid burdening B2B companies such as Lynden, oil companies, mining, and telecommunications, which don't sell data, and which employ thousands of Alaskans while providing valuable services. Key suggestions for HB 159, he said, include the following: delete the standalone revenue threshold as a trigger for determining companies for regulation; exclude B2B contacts and employees from the scope of the proposed legislation; exclude personal data provided by a consumer for the purpose of providing a product or service requested by that consumer; delete the private right of action and allow enforcement by the Office of the Attorney General; provide a cure period, especially for companies that are not repeat offenders; shorten the lookback period to one year; and clarify ways for companies to comply with reasonable security obligations. MR. KOA stated Lynden's support for the goal of protecting consumer privacy in a manner consistent with how businesses operate and can respond, without disrupting a business's ability to serve Alaska, and without incurring costs and burdens without a corresponding consumer benefit. He said the intention for the suggestions reflected in the suggested amendments is to balance valid public policy interests and consumer privacy with the realities of business operations. 4:25:56 PM REPRESENTATIVE KAUFMAN asked how much content is in a typical profile for an individual consumer. MR. JEROME, on behalf of Common Sense Media, responded that the amount of content varies, and that data brokerage is a complicated ecosystem. The Federal Trade Commission, as well as a report from the World Privacy Forum called The Scoring of America, have made such information available. The challenge with companies such as Google and Facebook, he said, is that their information is not made available to consumers. 4:27:53 PM REPRESENTATIVE SCHRAGE asked how multinational online companies determine which state privacy laws to follow. He expressed that he sees the merits of protecting privacy and wondered whether the issue would be better addressed at the federal level. MS. FITZGERALD, on behalf of the Electronic Privacy Information Center, stated that the federal government has not moved to act on this issue, which is why states are beginning to act to protect citizens. Because it's difficult for large companies such as Google or Facebook to comply with many different state laws, she said, "The state with the strongest law sets the bar." She pointed out that companies are already complying with the European Union's General Data Protection Regulation. 4:30:12 PM MS. MAHONEY, on behalf of Consumer Reports, noted that companies can identify a consumer's location based on a consumer's internet protocol (IP) address. She agreed that strong federal privacy legislation would be the goal, but in the absence of such legislation, states need to ensure that consumers have strong privacy protections. 4:30:52 PM CO-CHAIR FIELDS referred to Mr. Koa's suggestion to delete the standalone revenue threshold and to exclude B2B contacts from the proposed legislation. He asked for discussion on the practicality of excluding B2B exchanges. MS. MAHONEY said that, while there are a number of ways to determine an appropriate threshold for regulation, the number of consumers on which data is collected is an appropriate metric to consider. She stated that the main concern of Consumer Reports is to make sure consumers have strong privacy protections and that they are able to exercise their preferences. 4:32:48 PM CO-CHAIR FIELDS announced that HB 159 was held over.