HB 159-CONSUMER DATA PRIVACY ACT

8:04:02 AM

CO-CHAIR FIELDS announced that the first order of business would be HOUSE BILL NO. 159, "An Act establishing the Consumer Data Privacy Act; establishing data broker registration requirements; making a violation of the Consumer Data Privacy Act an unfair or deceptive trade practice; and providing for an effective date."

8:04:23 AM

CORI MILLS, Deputy Attorney General, Civil Division, Office of the Attorney General, Department of Law, introduced HB 159 on behalf of the House Rules Standing Committee, sponsor, at the request of the governor. She said the intent of the proposed legislation is to protect Alaskans' constitutionally protected right to privacy, pointing out that Alaskans are concerned that companies such as Facebook and Amazon are collecting and using information in ways that negatively impact privacy. She also noted that one of the administration's core initiatives is to make Alaska "open for business," and she stated that HB 159 is a good "starting place" to address the juxtaposition of privacy concerns and economic priorities. The central purpose of HB 159, she said, is to provide Alaskans with the ability to know what information companies are collecting and to allow control over how the information is used. She expressed that the administration understands that the proposed legislation needs "substantial work" and said that it will be important to hear from the business community regarding how the proposed legislation could affect individual businesses.

8:08:35 AM

JOHN HALEY, Assistant Attorney General, Special Litigation and Consumer Protection, Civil Division (Anchorage), Department of Law, presented the sectional analysis for HB 159 on behalf of the House Rules Standing Committee, sponsor, at the request of the governor, which read as follows [original punctuation provided]:

Section 1.
Adds a new duty to the list of responsibilities of the commissioner of the Department of Commerce, Community, and Economic Development to establish and maintain a data broker registry.

Section 2.
Establishes the Consumer Data Privacy Act as AS 45.49. Since this section of the bill lays out a new chapter, the following information is organized by the articles established in the new chapter and their respective statutory sections.

Article 1. Collection, sale, or disclosure of consumer personal information.

Sec. 45.49.010. Notice of collection, sale, or disclosure of personal information.

This section requires that a business notify a consumer before collecting personal information. "Business" is defined in the definition section of this Act as including only businesses that either have annual gross revenues of $25 million or more, buy or disclose the personal information of 100,000 or more households, or that engage in the sale of personal information. Notifications under this section must include the categories of information collected, the purpose for collecting that personal information, and the right of a consumer to opt-out, established below. This information, and other detailed information relating to the personal information collected, must be maintained and updated by a business as part of the business' online privacy policy and consumer privacy rights, or on the business' website if the business does not maintain an online privacy policy. Businesses subject to this section are charged with training customer service staff in answering questions about consumer rights.

8:11:36 AM

CO-CHAIR SPOHNHOLZ asked how many businesses would meet the definition of "business" under the proposed legislation.

MR. HALEY responded that he doesn't know, and that part of the difficulty of the proposed legislation is that the Department of Commerce, Community, and Economic Development (DCCED) doesn't necessarily have information on companies other than those that are required to file reports.

CO-CHAIR SPOHNHOLZ said that it will be important to know that information in the future.

8:12:33 AM

CO-CHAIR FIELDS commented that the legislation would be meaningless without enforcement, and that companies won't willingly disclose their financial information.

8:13:05 AM

MR. HALEY resumed his sectional analysis, which read as follows [original punctuation provided]:

Sec. 45.49.015. Personal information; notification upon receipt.

This section requires that a person who receives personal information that was originally collected by a business, as defined by this chapter, for a business or commercial purpose notify the business of the person's possession and provide their contact information. The person must also deidentify the personal information or maintain it in such a way that it could be deleted or disclosed upon request. If this person discloses the personal information to another person for business or commercial purposes, they must also inform the business that initially collected the personal information of the disclosure within 10 days and have a contract that requires the subsequent recipient to comply with a deletion request under this chapter. Finally, the business that initially collected the personal information must maintain records of each person to receive the collected personal information.

8:13:56 AM

CO-CHAIR FIELDS asked how to avoid capturing midsized Alaska-based businesses that collect and keep a piece of data as simple as a consumer's phone number.

8:14:32 AM

REPRESENTATIVE MCCARTY asked whether a company's categorical definition of "business" would be public knowledge.

MR. HALEY replied that the proposed legislation doesn't require businesses to disclose their annual revenues to the Department of Law.

8:16:09 AM

CO-CHAIR FIELDS commented that Florida just passed a data privacy bill including an income threshold of $50 million. He asked why the administration arrived at the income threshold of $25 million.

MR. HALEY responded that the number was an initial attempt by the administration to strike an appropriate balance. He said that the income threshold related to the sale of personal information is unique to HB 159.

8:17:39 AM

MR. HALEY commented that Sec. 45.49.015 would create a chain of tracking requirements so that individuals may learn who has their personal information. He then continued his presentation of the sectional analysis, which read as follows [original punctuation provided]:

Sec. 45.49.020. Right to request disclosure of collected personal information.

Under this section, a consumer has the right to request that a business that collected the person's personal information within the last five years disclose the type of information collected, the sources from which the information was collected, and the business or commercial purpose for collecting the information. A business is required to respond to a verified consumer request in accordance with AS 45.49.060, discussed below.

Sec. 45.49.030. Right to request deletion of personal information.

If a consumer's personal information is collected by a business, the consumer may request that the business delete any information collected by the business from the consumer within the five years preceding the date for the request. The business is required to delete the information identified in the request from that business' records and must direct all persons who received the information to delete it, as well. Recipients of the collected information must provide the originating business with a written statement that the information was deleted within 45 days of the request.
If this statement is not provided, the business must immediately notify the attorney general and consumer. Recipients may be able to retain the information if it is required to complete a transaction or contract, provide a requested good or service within an ongoing relationship with the consumer, fulfill the terms of a warranty or recall, identify and repair errors that impair certain products or services, exercise a legal right, comply with a legal obligation or court order, engage in certain types of public research studies, or enable specifically internal uses of the information aligned with the consumer's expectations.

8:20:32 AM

CO-CHAIR FIELDS commented that there exist laws in Europe regarding public dissemination of slanderous content, so-called "right to be forgotten" laws. He said there is also a process to remove such information from the Internet. He asked whether HB 159 would affect only the business that collected information rather than also affecting a business that makes the information available for public consumption.

8:22:27 AM

MS. MILLS responded that the proposed legislation is not intended to mirror "right to be forgotten" laws but is instead directed at the business that initially collected the information and subsequently disclosed it to a second business. He pointed out that HB 159 isn't intended to address slanderous Internet posts.

CO-CHAIR FIELDS discussed the idea of changing the proposed legislation to mirror "right to be forgotten" legislation and mentioned considerations of bullying and harassment.

8:22:40 AM

MR. HALEY resumed his presentation of the sectional analysis, which read as follows [original punctuation provided]:

Sec. 45.49.040. Right to request disclosure of personal information sold or disclosed for a business or commercial purpose.

This section gives a consumer the right to request disclosures from a business that sold or disclosed the consumer's personal information for a business or commercial purpose within the last five years. The consumer may request disclosure of the persons who received the personal information for a business or commercial purpose, the categories of information, and the business or commercial purpose for disclosure. A business is required to respond to a verified consumer request in accordance with AS 45.49.060, discussed below.

Sec. 45.49.050. Right to opt out or for a minor to opt in.

This section provides that a consumer may request that a business not sell the consumer's personal information or specific categories of personal information. A business may not contact a consumer asking the consumer to renounce this request for a year after the request is made. This section also requires that a business limit the use or disclosure of a consumer's precise geolocation data to that which is necessary to provide goods or services the customer reasonably expects or goods or services the business reasonably expects the customer will request. A business may use precise geolocation data for other purposes if the consumer gives consent in writing.

8:25:09 AM

CO-CHAIR FIELDS pointed out that one of the criticisms of the European Union's General Data Protection Regulation (GDPR) is the ubiquitous use of pop-ups that void its protections.

8:25:40 AM

REPRESENTATIVE SNYDER noted that the proposed legislation includes the option to "opt out" instead of "opt in" with regards to participating in data sharing. She asked what the argument is for starting with the "opt out" approach.

MR. HALEY replied that choosing an "opt in" policy seems to be a stronger privacy provision, but that he doesn't know which approach, as a matter of policy, would be most appropriate.
8:28:07 AM

CO-CHAIR FIELDS asked whether there exist legal models that differentiate between advertising and application functions.

MR. HALEY responded that HB 159 would, to a degree, address the difference. He said that deciding whether an advertisement could be of reasonable, expected use would be relevant.

8:29:46 AM

MR. HALEY presented the last paragraph of the sectional analysis pertaining to Sec. 45.49.050, which read as follows [original punctuation provided]:

This section also requires that a business not disclose personal information or precise geolocation data if the business has actual knowledge, or recklessly disregards the likelihood, that the consumer is under 18 years of age. A parent or legal guardian may authorize the sale or disclosure of personal information of a consumer who is at least 13, but under 18, years of age.

8:30:09 AM

REPRESENTATIVE NELSON asked for information on where the line would be drawn regarding recklessly disregarding the likelihood that a consumer is under 18 years of age.

MR. HALEY replied that the statutory language wouldn't provide specific information regarding reckless disregard, but that what constitutes reckless disregard could depend on future adoption of technology in a manner similar to using a children's YouTube channel to advertise cigarettes to minors.

REPRESENTATIVE NELSON commented that a teenager ordering pizza by phone or website would be giving their data to a business, and he asked whether such a scenario would fall under the provision in Sec. 45.49.50.

MR. HALEY reminded the committee that the proposed legislation would deal with the sale and disclosure of data, not with the simple collection of data.

REPRESENTATIVE NELSON said he was looking for clarification regarding whether the proposed legislation could affect a business that doesn't know whether an individual is a minor.

MR. HALEY briefly described a possible intensive analysis for determining whether such a case would violate the statute under HB 159.

8:34:30 AM

MS. MILLS added that standards such as negligence and recklessly disregarding the truth would be used in the analysis of whether a company engaged in wrongdoing under HB 159.

8:35:42 AM

CO-CHAIR FIELDS commented on the value of the in-depth discussion of the sectional analysis.

8:35:54 AM

MR. HALEY returned to his presentation of the sectional analysis of HB 159, which read as follows [original punctuation provided]:

Sec. 45.49.060. Disclosure or deletion request; process.

This section lays out the process for a business to respond to a verified consumer request. A business is required to designate at least two methods to submit a request, at minimum through a toll-free telephone number and electronic mail address. Information contained in a request may only be used to identify the personal information and comply with the request. If the request is for disclosure of information under AS 45.49.020 or 45.49.040, the business must provide the information in a readable, electronic format or by mail, if requested. For all requests made under AS 45.49.020 - 45.49.050, a business must follow the outlined process to determine if the request is verified, identify applicable information, disclose and deliver the information, and, if there is a request to delete information, provide confirmation of compliance. A business has 45 days to respond under this section, but may take an additional 45 days when reasonably necessary if the business notifies the consumer.

This section prohibits a person from charging a fee for performing an obligation under this chapter. However, if a consumer's requests are manifestly unfounded or excessive, a business may charge a reasonable fee or refuse to act on a request.
If either of these actions are taken, the business must notify the consumer of the decision within 45 days of receipt of the request with a complete explanation of the business' reason for finding the request or requests excessive or unfounded. If the consumer has made two verified requests within the previous 365 days, the business is not required to respond to a request to delete or disclose information.

This section provides certain exceptions, as well. A business that does not sell or disclose information is not required to retain information collected in a single, one-time transaction. If a business does not maintain data in a manner that would be considered "personal information" under this chapter, the business does not need to reidentify or link data. Finally, if the business cannot verify the consumer request, it is not required to disclose or delete information under this section.

Sec. 45.49.070. Third-party disclosure of personal information.

Under this section, a third-party is prohibited from disclosing personal information if it was originally collected in violation of AS 45.49.010 or 45.49.050. If the third-party reasonably concludes after an inquiry that the information was not obtained in violation of these sections, they may not be held liable for a violation. A third-party must have written confirmation from the original collector that the information was legally collected before disclosing the information for a business or commercial purpose.

8:41:18 AM

REPRESENTATIVE MCCARTY compared selling data to throwing a bag of chicken feathers into the wind, saying that no one would ever be able to collect them all. He then asked, "The third party is not responsible for, but they may be very much involved in, the distribution of these chicken feathers all over. What are we doing to the person that's been violated ... any type of integrity that's been compromised?"

MR. HALEY responded that enforcement would be a challenge because it would be difficult to know where every piece of information goes. He said that the proposed legislation wouldn't create one "highly regulated" industry in which the government has tracking powers; instead, he said, the proposed legislation would be much broader in scope so it wouldn't be necessary to know exactly who has violated the law. Information would be provided by whistleblowers, tips, and news media.

REPRESENTATIVE MCCARTY commented that his name was misspelled in the phone book, and a third party used what was found in the phone book. He asked whether a third party would be held accountable for errors for the purpose of helping consumers.

MR. HALEY responded that the intent of the proposed legislation isn't to correct misinformation.

8:45:32 AM

CO-CHAIR FIELDS commented about the right to be forgotten and asked Mr. Haley whether a private right of action is included in the proposed legislation.

MR. HALEY replied that it is.

CO-CHAIR FIELDS asked whether it includes a private right of action for enforcement of the provisions.

MR. HALEY replied that enforcement of the provisions in the proposed legislation would be through the Office of the Attorney General. He said that violations of the provisions would be violations of the Unfair Trade Practices Act, as well as a number of other acts within the larger act. He said that the state has powers to issue subpoenas and force testimony, while the Office of the Attorney General may file action seeking injunctions and fines of up to $25,000 per violation.

CO-CHAIR FIELDS mentioned funding an enforcement section within the Department of Law.

8:47:54 AM

MR. HALEY pointed out that the fiscal note for HB 159 requests one attorney and one litigation assistant for enforcement and the drafting of regulations. He then resumed his presentation with the sectional analysis, which read as follows [original punctuation provided]:

Sec. 45.49.080.
Service provider obligations.

This section prohibits service providers from taking certain actions with respect to personal information. First, information received from a business may only be retained, used, or disclosed for the specific services contracted. Second, information from one business may not be combined with that from other sources unless provided for in regulation. Finally, information may not be disclosed unless there is written consent from the business or the recipient and service provider sign a written contract prohibiting the recipient from engaging in conduct prohibited to the service provider. A person who receives personal information from a service provider cannot disclose that personal information to any other person.

Sec. 45.49.090. Exemptions.

In addition to the restrictions inherent in this chapter's definitions of terms such as "business," "person," and "consumer," there are a number of exceptions. Those exceptions are as follows:

• protected health information collected by a covered entity or business associate governed by the Health Insurance Portability and Accountability Act (HIPAA);
• covered entities under HIPAA that maintain patient information or protected health information;
• information collected as part of certain clinical trials;
• vehicle or ownership information shared between a motor vehicle dealer and manufacturer, or in anticipation of a repair covered by warranty or recall;
• collection or sales that occur wholly outside of the state;
• certain activities subject to or information collected or disclosed under federal laws or regulations;
• a business may be exempted from collecting information until January 1, 2024, if
    o the information is related to a person's job application; service as an employee; business ownership; service as a licensed dentist, physician, or psychologist; or work as a contractor; and
    o applies if the information is used solely in the context for which it was collected, is emergency contact information used for that purpose, or is retained to administer benefits;
• information contained in communications between the business and consumer if the consumer is a person acting on behalf of a business or agency and the transaction is within the context of the business relationship;
• compliance would violate an evidentiary privilege;
• personal information is provided as part of a privileged communication;
• the right or obligation would adversely affect another consumer's rights or infringe on certain noncommercial activity;

Some of the above categories may still provide for a right to file a claim under AS 45.49.120, duty to maintain reasonable security measures, discussed below.

A person may also disclose information, notwithstanding this chapter, in order to comply with federal, state, or local law; comply with a legal inquiry, investigation, or subpoena; cooperate with law enforcement; exercise or defend legal claims; or as relates to deidentified or aggregated information. Additionally, if component parts of a transaction are separated in order to avoid compliance with this chapter, they may be considered together to determine compliance.

8:53:37 AM

REPRESENTATIVE KAUFMAN asked whether there exists a diagram showing the proposed legislation's various decision points and different actions resulting from those decisions, so he could better visualize how the different elements would work together.

MR. HALEY replied that no one has made such a diagram.

REPRESENTATIVE KAUFMAN suggested that it would be interesting to see possible gaps and decision points in the provisions.

8:55:07 AM

CO-CHAIR FIELDS announced that HB 159 was held over.