HB 159-CONSUMER DATA PRIVACY ACT  3:23:01 PM CO-CHAIR SPOHNHOLZ announced that the first order of business would be HOUSE BILL NO. 159, "An Act establishing the Consumer Data Privacy Act; establishing data broker registration requirements; making a violation of the Consumer Data Privacy Act an unfair or deceptive trade practice; and providing for an effective date." 3:23:52 PM ASHKAN SOLTANI, Fellow, Institute for Technology, Law, and Policy, Georgetown University Law Center, shared that he is a technologist and researcher with over 20 years' experience in technology, privacy, and behavioral economics. He said he has served as Chief Technologist with the Federal Trade Commission (FTC) and Senior Advisor in the White House Office of Science and Technology Policy, co-authored the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), and is the co-creator of the proposed Global Privacy Control standard, which creates and mechanism by which consumers can communicate their privacy preferences. Mr. Soltani gave a brief history of CCPA and described the lobbying efforts of businesses against data privacy. 3:28:07 PM MR. SOLTANI described the lobbying efforts business engage in to prevent or weaken data privacy laws, including strategies to battle CPRA by introducing weaker legislation in other states in an effort to bring down the overall standard of privacy and justify federal preemption. He pointed out that there have been letters to the committee from business interests advocating for Alaska to adopt the Virginia model of data privacy, the Virginia Consumer Data Protection Act (VCDPA), which was drafted largely by Amazon and other large industry interests. He expressed approval of HB 159's definition of "pseudonymous" information, which does not refer to individuals by name but nonetheless permits data brokers to exchange information about individuals. The definition responds to the realities of current digital advertising practices, he said, in which online tracking and profiling relies on pseudonyms such as numeric identifiers corresponding to an individual or a device. MR. SOLTANI expressed approval of the addition of "authorized agents for consumer rights," and he shared that such an addition may relieve consumers of the onerous task of requesting their information from every business that has it. Allowing consumers to exercise their rights through the use of an authorized agent may assist in the development in new industry standards and market solutions to innovate new ways to manage consumer data. He then pointed out that HB 159 also provides consumers with the right to know who has their information beyond the business that initially collected it; having that knowledge, he said, may allow consumers to request the deletion of their information or opt out of future sales. MR. SOLTANI suggested several changes to HB 159. He suggested including the Global Privacy Control (GPC), which helps implement opt-out preferences for businesses; instead of having to go through the onerous work of opting out on each individual website, he said, GPC would integrate with a consumer's Internet browser. He stated that 40 million consumers already use browsers with built-in privacy controls; GPC would allow a consumer to click one button to opt out of all online tracking. He said the California Office of the Attorney General has recognized GPC as a valid standard and will begin enforcement against companies that don't recognize GPC's opt-out function. 3:32:51 PM MR. SOLTANI suggested that the proposed legislation be amended to update the definition of "sale" to include "sale and sharing." He said the business industry has begun arranging contracts for the sharing of personal information, indicating in the contract that a transaction was a "no value" exchange in order to circumvent the initial prohibitions in CCPA. MR. SOLTANI addressed verified user requests and said that the proposed legislation should not require customers to submit verified requests to opt out of business use of their data. He noted that verified requests for access and deletion of data are important since those rights, if exercised fraudulently, can adversely impact the individual; however, simply asking a business to not use personal data does not create the same risk, he said, and does not need the same level of verification. He pointed out that the proposed legislation should include that any information collected by the business for the purpose of opting out of data sale or sharing cannot be used for another purpose. As an example, he said, clicking "unsubscribe" on a spam email verifies to the company that their emails are getting through to a live person; the company will then sell the list of email addresses to another company, which repeats the cycle. MR. SOLTANI addressed the possible inclusion of nonprofit organizations, noting that they engage in the same practice of data sharing and sale as for profit businesses. He said that there is currently no state or federal oversight of nonprofits' use of data information. He then stated that the largest component of HB 159 would be enforcement; whether the Office of the Attorney General has the right to enforce the law, or whether there would be a private right of action. 3:38:04 PM CO-CHAIR FIELDS expressed that Alaska's Office of the Attorney General doesn't currently have the technical expertise to effectively enforce the parameters under HB 159. He asked, "How do we put that into law, to collect an adequate amount of revenue to sustainably fund an adequately-sized cadre of ... [attorneys general] who will make sure this law is being followed?" MR. SOLTANI said that the people qualified to do such work would normally receive "three or four times" the salary that a government agency could pay; not only the number of staff, but also the expertise of the staff, is critical to the sustainability of the proposed legislation. He said that one model is to fine the company a percentage of the money it receives from the sale of the information; however, in many cases the value of the transaction is not monetary. He also discussed an "eat what you kill" model, in which the revenue collected by fining companies is then used to build staff and expertise. 3:42:28 PM REPRESENTATIVE MCCARTY asked what features a consumer gives up when implementing the Global Privacy Control (GPC) in an Internet browser. MR. SOLTANI replied that current law requires companies to provide a link for consumers to opt out of the sale of their information; GPC, he said, essentially clicks that button for the consumer. He said that the question now is, "What happens after the button is clicked?" He stated that HB 159 would allow companies to charge consumers different rates in direct relation to the consumer's choice to opt out of data sharing. For example, he said, "When a business encounters a Global Privacy Control they could say, 'We've noticed you would like to opt out of the sale of your personal information. Would you like to either disable that for our site and permit us to opt in, or would you like to pay a fee?' or whatever else the law permits when a consumer opts out." He clarified that GPC is like a little robot that clicks the "do not sell" link. He said that most websites honor GPC without any extra fees to the user; however, while the current ecosystem of the data-supported ad economy exists on the sale of personal information, there are new, innovative technologies that attempt to advertise without using personal information in the same manner. Development in contextual ads, or ads based on the website a consumer visits, is a way for companies to sell advertisement without using a consumer's personal information. He said companies are innovating ways to practice sustainable advertising in the same way there are innovations in sustainable energy. REPRESENTATIVE MCCARTY asked whether there exists the practice of increasing prices for those who have opted out of having their data sold. MR. SOLTANI responded that the law permits that a company may charge a person a non-usurious, non-exploitative fee in direct relation to the sale of their personal information. He said that in California, if a company's only revenue is from their sale of user information, the law permits the company to charge the customer for the use of the website. He pointed out that companies are exploring models such as subscription services or per-use fees. 3:47:58 PM CO-CHAIR FIELDS asked about the best practices for the protection of children's information. MR. SOLTANI replied that he believes the "opt-in" requirement is critical. He said discussed the civil penalty judgement in FTC v. Google, No. 1:19-cv-2642 (D.D.C. Sept. 4, 2019), and he shared the argument that a website that contains children's content should be held to a higher standard. 3:50:22 PM REPRESENTATIVE SNYDER asked for a written summary or resources pertaining to the recommendations that have been addressed in the hearing on HB 159. CO-CHAIR SPOHNHOLZ asked Mr. Soltani to email his written testimony. MR. SOLTANI agreed. CO-CHAIR FIELDS noted that his staff has been keeping track of all the recommendations from Mr. Soltani and the previous experts, as well as the businesses that have provided testimony, and he said he will be considering those recommendations in drafting a committee substitute that would protect Alaska's businesses while ensuring adequate oversight of outside technology companies. MR. SOLTANI added that, since the passage of CCPA and CPRA, the business industry will fight legislation in every state. He pointed out that the issue is so technically nuanced that California's legislation almost included a seven-word amendment that would have nullified the standards in the legislation. CO-CHAIR FIELDS said that his intent is to work through the committee substitute with the experts. 3:52:34 PM CO-CHAIR SPOHNHOLZ stated that the committee would hear another portion of the sectional analysis. 3:53:01 PM JOHN HALEY, Assistant Attorney General, Special Litigation and Consumer Protection, Department of Law, resumed his presentation, which commenced on April 23, 2021, of the sectional analysis of HB 159 on behalf of the House Rules Standing Committee by request of the governor. He said that he previously ended his presentation just before "Article 2.  Activities and penalties regarding personal information." 3:53:24 PM REPRESENTATIVE SNYDER referenced Sec. 45.49.015 and asked for a definition of "person." MR. HALEY replied that "person" would be defined as either a corporation or any "natural person." He said that business not qualifying under the definition of "business" would be "persons" under the section in question. REPRESENTATIVE SNYDER said she was trying to understand a scenario involving businesses and "persons." MR. HALEY responded that he hasn't thought of a situation in which a business would disclose a person's personal information to a legislator. He said the main intent is to address businesses sharing information with corporations that wouldn't normally meet the definition of "business." He said that an individual should be able to understand which, and how many, businesses have their personal information by making a request of the initial collector. The sharing of information with smaller corporations who don't meet the definition of "business" or with "individual humans," he said, is a scenario on which he would need to consider further. 3:56:24 PM MR. HALEY resumed detailing the sectional analysis, which read as follows [original punctuation provided]: Sec. 45.49.100. Retaliation prohibited.  As the subject suggests, this section prohibits a business from retaliating against a consumer that exercises their rights under this chapter and lists examples of activities that may be considered retaliation. A business may, however, provide a different rate or quality if it is reasonably related to the value provided to the business by the consumer's data. A business may also provide consumers with a financial incentive for collection, sale, or retention of information, so long as the business notifies the consumer of the incentives and obtains consent before entering a customer into a financial incentive program. Financial incentive practices may not be unjust, unreasonable, coercive, or usurious. 3:58:37 PM CO-CHAIR SPOHNHOLZ pointed out that page 15, lines 7-8, of the text of HB 159, says "(2) charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;". She pointed out that page 15, lines 13-16, says that business may charge different prices or rates. She asked Mr. Haley to comment on the apparent conflict between the two statements. MR. HALEY responded that the intent is to provide a general rule with a condition that the difference in price or rate must be reasonably related to the value provided by the sale of data. 3:59:46 PM REPRESENTATIVE KAUFMAN asked whether the problem is in the writing or in the "pure difficulty" of the concept. He said, "To say that it has to be equal, but then it can be different, that just seems like a stiff challenge." MR. HALEY replied that the general rule is that while a business could not retaliate against a person for disallowing the sale of their information, a business may charge a different rate or provide a different level of service if the difference is reasonably related to the value of the data. 4:00:59 PM REPRESENTATIVE SCHRAGE asked Mr. Haley whether there is a reason that outright denying a good or service would not be allowed. MR. HALEY responded that the subsection is attempting to create a scenario where consumers are always going to be able to have at least some ability to access various services and social media companies without having to give up their privacy rights. If denying a service was included, he said, it wouldn't fit well within the concept because it's not possible to provide a different rate for a service when that service is denied altogether. He said that complete denial of a service would mean that consumers could be faced with losing a service they've used for years. 4:03:01 PM CO-CHAIR SPOHNHOLZ commented that a business could force acceptance of data sharing by refusing to continue providing services. 4:03:47 PM REPRESENTATIVE SCHRAGE expressed the idea of a social media site such as Facebook being so integrated into the fabric of society that it could be regulated like a utility. He asked, "Is it a private business that has the ability to exclude access ... or is it a common piece of infrastructure to society that should be regulated on a federal level?" 4:04:24 PM CO-CHAIR FIELDS pointed out that Facebook can't be used on a smart phone unless it has access to an individual's private phone contacts. He said he would like to see functional federal regulations but, he said, "Congress is broken, so I think we have no choice but to do it in Alaska." 4:05:01 PM REPRESENTATIVE KAUFMAN shared his belief that social media companies regularly ban users because of their political beliefs. He mentioned the possibility of a consumer bill of rights and said that there may be "traps" which may never be reconciled within the current structure. 4:05:55 PM CO-CHAIR SPOHNHOLZ opined that the challenge with broader principles is that there would be endless litigation. 4:06:20 PM MR. HALEY resumed his presentation of the sectional analysis, which read as follows [original punctuation provided]: Sec. 45.49.110. Transfer of information in a merger or  acquisition.  This section authorizes a business to transfer personal information to a third-party as part of a merger or acquisition of all or part of the business. If the new owner decides to change the policy for use or sharing of the personal information in a material way, they must notify the consumer before making the change and ensure that existing customers can easily exercise their rights under this chapter. The new owner may not make material, retroactive privacy policy or other changes in a manner that violates state law. Sec. 45.49.120. Duty to maintain reasonable security  measures.  Under this section, a business that owns, licenses, or maintains personal information has to implement and maintain reasonable security procedures to protect the information from unauthorized access, destruction, use, modification, or disclosure. 4:07:37 PM REPRESENTATIVE SCHRAGE asked whether there is an advocacy group that has set some standard that could be referred to as "reasonable." He then asked Mr. Haley to comment on the definition of "reasonable" from the perspective of the Department of Law. MR. HALEY responded that concepts such as two-step authentication exist for privacy protections. He pointed out that, while the term "reasonable" is a term that has a degree of vagueness, it's a common standard in law and is necessary because standards change over time. He said that two-step authentication has become standard because of the way scammers' techniques have developed over time. He said that as technology changes, standards of what is reasonable also change. REPRESENTATIVE SCHRAGE commented that the Federal Trade Commission may have such standards in place. 4:09:31 PM MR. HALEY resumed his presentation of the sectional analysis for HB 149, which read as follows [original punctuation provided]: Sec. 45.49.130. Violations.  This section makes a violation of this chapter a violation of the Unfair Trade Practices and Consumer Protection Act under AS 45.50.471 45.50.561. This section also creates a presumption that a consumer whose personal information is subjected to unauthorized activity has suffered a loss of $1 or an amount proven at trial. The number of violations may be counted by each action or omission, each person affected, or each day the activity continues, whichever is greater. Funds recovered as a result of an action under this section may be appropriated to the consumer privacy account created in AS 45.49.140, below, for the Department of Law to offset costs incurred in connection with enforcing this chapter. MR. HALEY said that in order to bring a claim against a business under the Unfair Trade Practices and Consumer Protection Act, an individual would be required to show an ascertainable loss of money or property. He said that it's very likely that a consumer would not be able to demonstrate such a loss because a business may refuse to respond to a disclosure request. He pointed out that if an action is brought under AS 45.50.531, the Private Person Unfair Trade Practices Act, an automatic loss of $1 is created in order to get a business into court. 4:13:57 PM CO-CHAIR SPOHNHOLZ announced that HB 159 was held over.