HB0367b -1- CSHB 367(JUD)
New Text Underlined [DELETED TEXT BRACKETED]
34-LS1485\H
CS FOR HOUSE BILL NO. 367(JUD)
IN THE LEGISLATURE OF THE STATE OF ALASKA
THIRTY-FOURTH LEGISLATURE - SECOND SESSION
BY THE HOUSE JUDICIARY COMMITTEE
Offered: 5/12/26
Referred: Finance
Sponsor(s): REPRESENTATIVE STORY
A BILL
FOR AN ACT ENTITLED
"An Act relating to personal data; establishing data broker registration requirements;
relating to social security numbers; making certain violations unfair or deceptive trade
practices; and providing for an effective date."
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF ALASKA:
* Section 1. AS 37.05.146(c) is amended by adding a new paragraph to read:
(87) consumer privacy account (AS 45.48.860).
* Sec. 2. AS 44.33.020(a) is amended by adding a new paragraph to read:
(45) establish and maintain a data broker registry under AS 45.48.855.
* Sec. 3. AS 45.48.430(b) is amended to read:
(b) The prohibition in (a) of this section does not apply if
(1) the disclosure is authorized by local, state, or federal law, including
AS 45.48.800 - 45.48.898 or a regulation adopted under AS 45.48.470;
(2) the person is engaging in the business of government and
(A) is authorized by law to disclose the individual's social
security number; or
(B) the disclosure of the individual's social security number is
required for the performance of the person's duties or responsibilities as
provided by law;
(3) the disclosure is to a person subject to or for a transaction regulated
by the Gramm-Leach-Bliley Financial Modernization Act, and the disclosure is for a
purpose authorized by the Gramm-Leach-Bliley Financial Modernization Act or to
facilitate a transaction of the individual;
(4) the disclosure is to a person subject to or for a transaction regulated
by the Fair Credit Reporting Act, and the disclosure is for a purpose authorized by the
Fair Credit Reporting Act;
(5) the disclosure is part of a report prepared by a consumer credit
reporting agency in response to a request by a person and the person submits the social
security number as part of the request to the consumer credit reporting agency for the
preparation of the report; or
(6) the disclosure is for a background check on the individual, identity
verification, fraud prevention, medical treatment, law enforcement or other
government purposes, or the individual's employment, including employment benefits.
* Sec. 4. AS 45.48.450(b) is amended to read:
(b) Notwithstanding the other provisions of AS 45.48.400 - 45.48.480, and
except as provided under AS 45.48.800 - 45.48.898 or for an agent under (a) of this
section, a person may disclose an individual's social security number to an
independent contractor of the person to facilitate the purpose or transaction for which
the individual initially provided the social security number to the person, but the
independent contractor may not use the social security number for another purpose or
make an unauthorized disclosure of the individual's personal information. In this
subsection, "independent contractor" includes a debt collector.
* Sec. 5. AS 45.48 is amended by adding new sections to read:
Article 6A. Data Privacy.
Sec. 45.48.800. Applicability. (a) AS 45.48.800 - 45.48.898 apply to a person
that conducts business in the state or produces products or provides services targeted
to residents of this state and that, during the preceding calendar year, collected or
processed the personal data of at least
(1) 35,000 consumers, not including personal data controlled or
processed solely for the purpose of completing a payment transaction; or
(2) 10,000 consumers and derived more than 20 percent of the person's
gross revenue from the sale of personal data.
(b) AS 45.48.800 - 45.48.898 do not apply to the federal government, the
state, a public corporation of the state, the University of Alaska, a municipality, a
school district, a regional educational attendance area, or a tribal government.
Sec. 45.48.805. Consumer rights. (a) A consumer has the right to
(1) confirm whether a controller is collecting or processing the
consumer's personal data and access that personal data;
(2) obtain from a controller a list of specific third parties, other than
natural persons, to which the controller has transferred either
(A) the consumer's personal data; or
(B) any personal data;
(3) correct inaccuracies in the consumer's personal data, taking into
account the nature of the personal data and the purposes of the processing of the
consumer's personal data;
(4) delete personal data provided by, or obtained about, the consumer,
including personal data the consumer provided to the controller, personal data the
controller obtained from another source, and data derived from the personal data;
(5) obtain a copy of the consumer's personal data collected or
processed by the controller, in a portable and, to the extent technically practicable,
readily usable format that allows the consumer to transmit the data to another
controller without hindrance if the processing is carried out by automated means; and
(6) opt out of the collection and processing of the consumer's personal
data for purposes of
(A) targeted advertising;
(B) the sale of personal data; or
(C) profiling in furtherance of automated decisions that
produce legal or similarly significant effects concerning the consumer.
(b) A parent or legal guardian of a minor may exercise the minor's consumer
rights under this section on the minor's behalf. A guardian or conservator of a
consumer subject to a guardianship, conservatorship, or other protective arrangement
may exercise the consumer's rights under this section on the consumer's behalf.
(c) A consumer may designate another person to serve as the consumer's
authorized agent, and act on the consumer's behalf, to exercise the consumer's rights
under this section. A controller shall comply with a request from an authorized agent if
the controller is able to verify, with commercially reasonable effort, the identity of the
consumer and the agent's authority to act on the consumer's behalf.
(d) A controller or processor may not collect, process, or transfer personal data
in a manner that discriminates against an individual or class of individuals, or
otherwise makes unavailable the equal enjoyment of goods or services, based on an
individual's or class of individuals' actual or perceived race, color, sex, sexual
orientation, gender identity, disability, religion, ancestry, or national origin. This
subsection does not apply to
(1) the collection, processing, or transfer of personal data for the sole
purpose of
(A) self-testing by a controller or processor to prevent or
mitigate unlawful discrimination or otherwise to ensure compliance with state
or federal law; or
(B) diversifying an applicant, participant, or customer pool; or
(2) a private establishment as described in 42 U.S.C. 2000a(e).
Sec. 45.48.810. Controller responses to consumer requests. (a) A consumer
may exercise a consumer right under AS 45.48.805 by a secure and reliable means
established by the controller and described to the consumer in the controller's privacy
notice. The means established by the controller must take into account the ways that a
consumer normally interacts with the controller, the need for secure and reliable
communication of a consumer request, and the ability of the controller to verify the
identity of the consumer making the request. A controller may not require a consumer
to create a new account to exercise a consumer right, but may require a consumer to
use an existing account.
(b) In addition to other means established by the controller, a controller shall
allow a consumer to exercise an opt-out request under AS 45.48.805(a)(6) by
providing
(1) a clear and conspicuous "Do Not Sell My Personal Information" or
similarly worded link on the home page of the controller's Internet website; and
(2) an opt-out preference signal sent to the controller, with the
consumer's consent, by a platform, technology, or mechanism used by the consumer
that is consumer-friendly and easy for the average consumer to use and that allows the
controller to reasonably determine whether the consumer is a resident of the state and
whether the consumer has made a legitimate opt-out request; the use of an Internet
protocol address to estimate the consumer's location is sufficient to reasonably
determine residency under this paragraph.
(c) If a consumer's opt-out request under (b)(1) or (2) of this section conflicts
with the consumer's existing controller-specific privacy setting or voluntary
participation in a controller's financial incentive program offered under AS 45.48.840,
the controller shall comply with the consumer's opt-out preference provided under
(b)(1) or (2) of this section but may notify the consumer of the conflict and provide to
the consumer the choice to confirm the controller-specific privacy setting or
participation in the program. If a controller responds to a consumer opt-out request
under (b)(1) or (2) of this section by informing the consumer of a change in the price,
rate, level, quality, or selection of goods or services, the controller shall present the
terms of any financial incentive offered under AS 45.48.840 for the retention,
processing, sale, or transfer of the consumer's personal data.
(d) Except as otherwise provided in AS 45.48.800 - 45.48.898, a controller
shall comply with a request by a consumer to exercise the consumer's rights as
follows:
(1) a controller shall respond to the consumer without undue delay, but
not later than 45 days after receiving the request; the controller may extend the
response period by 45 additional days when reasonably necessary, considering the
complexity and number of the consumer's requests, if the controller informs the
consumer of the extension and the reason for the extension within the initial 45-day
response period;
(2) if a controller declines to take action regarding the consumer's
request, the controller shall inform the consumer without undue delay, but not later
than 45 days after receiving the request, of the justification for declining to take action
and provide instructions for how to appeal the decision;
(3) a controller shall provide information in response to a consumer
request free of charge once for each consumer during any 12-month period; if a
request from a consumer is manifestly unfounded, excessive, or repetitive, the
controller may charge the consumer a reasonable fee to cover the administrative costs
of complying with the request or decline to act on the request; the controller bears the
burden of demonstrating that the request is manifestly unfounded, excessive, or
repetitive;
(4) if a controller is unable to authenticate a request to exercise a right
afforded by AS 45.48.805(a)(1) - (5) using commercially reasonable efforts, the
controller is not required to comply with a request to initiate an action under this
section and shall provide notice to the consumer that the controller is unable to
authenticate the request until the consumer provides additional information reasonably
necessary to authenticate the consumer and the consumer's request;
(5) a controller may not require a consumer to authenticate to exercise
an opt-out request under AS 45.48.805(a)(6), but a controller may deny an opt-out
request if the controller has a good faith, reasonable, and documented belief that the
request is fraudulent; if a controller denies an opt-out request because the controller
believes the request is fraudulent, the controller shall send a notice to the person who
made the request disclosing that the controller believes the request is fraudulent, why
the controller believes the request is fraudulent, and that the controller will not comply
with the request;
(6) a controller that has obtained a consumer's personal data from a
source other than the consumer complies with a consumer's request to delete the data
under AS 45.48.805(a)(4) if the controller
(A) deletes the consumer's personal data retained by the
controller;
(B) retains a record of the deletion request and the minimum
data necessary to ensure the consumer's personal data remains deleted from the
controller's records; and
(C) does not use retained data for any other purpose.
(e) A controller shall establish a process for a consumer to appeal the
controller's refusal to take action on a request within a reasonable period after the
consumer receives the decision refusing to take action. The appeal process must be
conspicuously available and similar to the process for the consumer to submit requests
under this section. Not later than 60 days after receiving an appeal, a controller shall
inform the consumer in writing of any action taken or not taken in response to the
appeal, including a written explanation of the reasons for the decisions. If the appeal is
denied, the controller shall provide the consumer with an online mechanism, if
available, or another method by which the consumer may contact the attorney general
to submit a complaint.
(f) A controller may not condition, expressly or effectively, or attempt to
condition the exercise of a consumer right under this section through the use of
(1) a false, fictitious, fraudulent, or materially misleading statement or
representation; or
(2) a dark pattern.
(g) A controller or processor is not required to comply with an authenticated
consumer rights request if the controller or processor
(1) is not reasonably capable of associating the request with the
personal data or it would be unreasonably burdensome for the controller or processor
to associate the request with the personal data; and
(2) does not use the personal data to recognize or respond to the
specific consumer who is the subject of the personal data or associate the personal data
with other personal data about the same specific consumer.
Sec. 45.48.812. Duty of loyalty. A controller may not perform an activity
related to the collection, processing, or transfer of personal data that
(1) conflicts with the best interests of an individual;
(2) takes advantage of or otherwise exploits an individual;
(3) results in a disproportionate risk to an individual;
(4) is to the detriment of an individual; or
(5) causes harm to an individual.
Sec. 45.48.815. Data minimization rules and de-identified data. (a) A
controller shall limit the collection, processing, and transfer of personal data to that
which is reasonably necessary to provide or maintain
(1) a specific product or service requested by the consumer to whom
the data pertains and related routine administrative, operational, or account-servicing
activity, including billing, shipping, delivery, storage, or accounting; or
(2) a communication, other than an advertisement, by the controller to
the consumer reasonably anticipated within the context of the relationship between the
controller and the consumer.
(b) A controller may process or transfer personal data collected under (a) of
this section to provide first-party advertising or targeted advertising, except when
otherwise prohibited under AS 45.48.800 - 45.48.898.
(c) A controller that possesses de-identified data shall
(1) take technical measures to ensure that the data cannot be associated
with an individual;
(2) publicly commit to maintaining and using de-identified data
without attempting to reidentify the data; and
(3) contractually obligate a recipient of the de-identified data to
comply with the provisions of AS 45.48.800 - 45.48.898.
(d) A controller that transfers de-identified data shall exercise reasonable
oversight to monitor compliance with contractual commitments to which the de-identified
data is subject and shall take appropriate steps to address a breach of those
contractual commitments.
(e) A controller or processor is not required to
(1) reidentify de-identified data; or
(2) maintain data in an identifiable form.
Sec. 45.48.820. Sensitive data. (a) A controller may not collect, process, or
transfer sensitive data pertaining to a consumer unless the collection, processing, or
transfer is strictly necessary to provide or maintain a specific product or service
requested by the consumer to whom the sensitive data pertains.
(b) A controller may not sell sensitive data.
(c) A controller may not transfer sensitive data pertaining to a consumer
without first obtaining the consumer's affirmative consent. A controller shall provide
an effective mechanism for a consumer to revoke the consumer's affirmative consent
that is at least as easy as the mechanism the consumer used to provide the consumer's
affirmative consent and, on revocation of the consumer's affirmative consent, the
controller shall discontinue processing the data as soon as practicable, but not later
than 15 days after receiving the consumer's revocation of affirmative consent.
(d) Notwithstanding any other provision of AS 45.48.800 - 45.48.898, a
controller that knows or reasonably should know that a consumer is a minor may not
(1) process or transfer personal data of the minor for targeted
advertising; or
(2) sell the personal data of the minor.
Sec. 45.48.825. Privacy notice and disclosures. (a) A controller shall provide
a consumer with a reasonably accessible, clear, and meaningful privacy notice. The
privacy notice must include
(1) the categories of personal data collected and processed by the
controller and a separate list of categories of sensitive data collected and processed by
the controller, described in a level of detail that provides the consumer a meaningful
understanding of the type of personal data collected or processed;
(2) the purpose of collecting and processing each category of personal
data the controller collects or processes, described in a way that gives the consumer a
meaningful understanding of how each category of personal data will be used;
(3) how a consumer may exercise the consumer's rights under
AS 45.48.800 - 45.48.898, including how a consumer may appeal a controller's
decision about the consumer's request;
(4) the categories of personal data that the controller transfers to a third
party, if applicable, and the purpose of that transfer;
(5) the categories of third parties, if any, to which the controller
transfers personal data;
(6) the length of time the controller intends to retain each category of
personal data or, if it is not possible to identify the length of time, the criteria used to
determine the length of time the controller intends to retain each category of personal
data; and
(7) an active electronic mail address or other online mechanism that
the consumer may use to contact the controller.
(b) If a controller makes a material change to the controller's privacy notice,
the controller shall, before implementing the material change for prospectively
collected personal data, notify each consumer affected by the material change and
provide a reasonable opportunity for each consumer to withdraw consent. A controller
shall provide a reasonable opportunity for each consumer to provide affirmative
consent to further materially different processing or transfer of previously collected
personal data under the changed policy. The controller shall take all reasonable
measures to provide to each affected consumer direct electronic notification about
material changes to the privacy notice, taking into account available technology and
the nature of the relationship.
(c) If a controller sells personal data to a third party or processes personal data
for targeted advertising, the controller shall clearly and conspicuously disclose that
sale or processing, as well as the manner in which a consumer may exercise the right
to opt out of that sale or processing.
Sec. 45.48.830. Responsibilities of processors and controllers. (a) A
processor shall adhere to the instructions of a controller and assist the controller in
meeting the controller's obligations under AS 45.48.800 - 45.48.898, taking into
account the nature of the processing and the information available to the processor,
including by
(1) using appropriate technical and organizational measures, to the
extent reasonably practicable, to fulfill the controller's obligation to respond to a
consumer rights request;
(2) assisting the controller in meeting the controller's obligations
relating to the security of processing personal data and notification of a breach of
security of the system of the processor to meet the controller's obligations; and
(3) providing necessary information to enable the controller to conduct
and document a data protection assessment.
(b) A controller and a processor shall enter into a contract to govern the
processor's data processing procedures for processing performed on behalf of the
controller. The contract must be binding and clearly set out instructions for processing
data, the nature and purpose of processing, the type of data subject to processing, the
duration of processing, and the rights and obligations of both parties. The processor
shall adhere to the instructions of the controller and process and transfer the data the
processor receives from the controller only to the extent necessary to provide a service
requested by the controller, as set out in the contract. The contract must also require
that the processor
(1) ensure that each person processing personal data is subject to a
duty of confidentiality with respect to the data;
(2) at the controller's direction, delete or return all personal data to the
controller as requested at the end of the provision of services, unless retention of the
personal data is required by law;
(3) at the reasonable request of the controller, make available to the
controller information in the processor's possession that is necessary to demonstrate
the processor's compliance with the obligations set out in AS 45.48.800 - 45.48.898;
(4) after providing the controller with an opportunity to object, engage
a subcontractor under a written contract that requires the subcontractor to meet the
obligations of the processor with respect to the personal data if the processor engages
a subcontractor;
(5) ensure that personal data that the processor receives from or on
behalf of a controller not be combined with personal data that the processor receives
from or on behalf of another person or collects from the interaction of the processor
with an individual; and
(6) allow and cooperate with a reasonable assessment by the controller
or the controller's designated assessor, or arrange for a qualified and independent
assessor to conduct an assessment, of the processor's policies and technical and
organizational measures in support of the obligations under AS 45.48.800 - 45.48.898,
using an appropriate and accepted control standard or framework and assessment
procedure, and provide a report of the assessment to the controller on request.
(c) Nothing in this section relieves a controller or processor from the liabilities
imposed on the controller or processor by virtue of the controller's or processor's role
in the processing relationship as described in AS 45.48.800 - 45.48.898.
(d) Whether a person is acting as a controller or processor with respect to a
specific processing of personal data depends on the facts and the context in which the
personal data is processed. A person who is not limited in the person's processing of
personal data under a controller's instructions, or who fails to adhere to those
instructions, is a controller and not a processor with respect to that specific processing
of data. A processor that continues to adhere to a controller's instructions with respect
to a specific processing of personal data remains a processor. If a processor begins,
alone or jointly with others, determining the purposes and means of the processing of
personal data, the processor becomes a controller with respect to that processing.
Sec. 45.48.835. Data protection assessments. (a) Before initiating the
processing activity, a controller shall conduct and document a data protection
assessment for each of the controller's processing activities that presents a heightened
risk of harm to a consumer, including
(1) the collection or processing of personal data for the purpose of
targeted advertising;
(2) the sale of personal data;
(3) the processing of personal data for the purpose of profiling, when
the profiling presents a reasonably foreseeable risk of
(A) unfair or deceptive treatment of, or having an unlawfully
disparate effect on, consumers;
(B) financial, physical, or reputational injury to consumers;
(C) a physical or other intrusion on the solitude or seclusion, or
the private affairs or concerns, of consumers, when the intrusion would be
offensive to a reasonable person; or
(D) other substantial injury to consumers; and
(4) the collection or processing of sensitive data.
(b) A single data protection assessment may address a comparable set of
processing operations that include similar activities.
(c) A data protection assessment conducted under this section must
(1) identify the categories of personal data collected, the purposes of
collecting the personal data, and whether personal data is being transferred;
(2) consider the use of de-identified data, the reasonable expectations
of consumers, the context of the processing, and the relationship between the
controller and the consumer whose personal data will be processed; and
(3) identify and weigh the benefits resulting, directly or indirectly,
from the processing activity to the controller, the consumer, other stakeholders, and
the public against the potential risks to the consumer's rights, as mitigated by
safeguards that are employed by the controller to reduce those risks.
(d) Not later than 30 days after completing a data protection assessment under
this section, a controller shall submit a report of the data protection assessment or
evaluation to the attorney general. The report must include a summary of the data
protection assessment. The controller shall make the summary publicly available on
the controller's Internet website or another place that is easily accessible to consumers.
A controller may redact confidential or proprietary information from the report. The
attorney general may require a controller to disclose a data protection assessment that
is relevant to an investigation conducted by the attorney general, and the controller
shall make the data protection assessment available to the attorney general. The
attorney general may evaluate the data protection assessment for compliance with the
controller's responsibilities under AS 45.48.800 - 45.48.898. To the extent information
contained in a data protection assessment disclosed to the attorney general includes
information subject to attorney-client privilege or protection under the work product
doctrine, the disclosure does not constitute a waiver of the privilege or protection.
(e) A data protection assessment conducted by a controller for the purpose of
complying with another applicable law satisfies the requirements in this section if the
data protection assessment is reasonably similar in scope and effect to the data
protection assessment that would otherwise have been conducted under this section.
(f) A controller shall review and update the data protection assessment as
often as appropriate considering the type, amount, and sensitivity of personal data
collected or processed and level of risk presented by the processing, throughout the
duration of the processing activity,
(1) to monitor for harm caused by the processing and adjust safeguards
accordingly; and
(2) to ensure that data protection and privacy are considered as the
controller makes new decisions with respect to the processing.
Sec. 45.48.840. Discrimination, retaliation, and financial incentives. (a) A
controller may not discriminate or retaliate against a consumer for exercising a
consumer right under AS 45.48.800 - 45.48.898 or refusing to agree to the collection
or processing of personal data for a separate product or service, including by
(1) denying goods or services;
(2) charging different prices or rates for goods or services;
(3) providing a different level of quality of goods or services to a
consumer.
(b) A controller is not required to provide a product or service that requires a
consumer's personal data that the controller does not collect or maintain.
(c) Notwithstanding (a) of this section, a controller may offer to a consumer a
different price, rate, level, quality, or selection of goods or services, including goods
or services for no fee, if the offer is made in connection with a consumer's voluntary
participation in a financial incentive program, such as a bona fide loyalty, rewards,
premium features, discount, or club card program. A controller that offers a financial
incentive program under this subsection may not
(1) transfer personal data to a third party as part of the program unless
(A) the transfer is functionally necessary to enable the third
party to provide a benefit to which the consumer is entitled;
(B) the transfer of personal data to the third party is clearly
disclosed in the terms of the program; and
(C) the third party uses the personal data only for purposes of
facilitating a benefit to which the consumer is entitled and does not process or
transfer the personal data for any other purpose;
(2) consider the sale of personal data as functionally necessary to
provide the program;
(3) use financial incentive practices that are unjust, unreasonable,
coercive, or usurious.
Sec. 45.48.845. Transfer of information in a business change transaction.
(a) A controller may transfer to or share with a third party a consumer's personal data
as an asset that is part of a business change transaction if, within a reasonable time
before sharing or transferring the personal data, the controller provides an affected
consumer with
(1) a notice describing the business change transaction, including the
name of the third party receiving the consumer's personal data and the applicable
privacy policies of the third party; and
(2) a reasonable opportunity to
(A) withdraw the previously provided consent related to the
consumer's personal data; and
(B) request the deletion of the consumer's personal data.
(b) If a controller shares a consumer's personal data with a third party in the
process of evaluating and consummating a business change transaction, the controller
shall require that the third party agree by contract to keep the personal data
confidential and not use the personal data for a purpose other than evaluating and
consummating the transaction.
(c) A third party under (a) of this section may not use or share the consumer's
personal data in a manner that is materially inconsistent with (a) of this section or with
the privacy policy of the third party provided to the consumer in the notification
required under (a) of this section.
(d) A transfer under (a) of this section does not authorize a controller to make
material retroactive privacy policy changes or other changes in a manner that
constitutes an unfair or deceptive trade practice under AS 45.50.471 - 45.50.561.
(e) In this section, "business change transaction" means a merger, acquisition,
bankruptcy, or other transaction in which the third party assumes control of some or 1
all of the controller's assets. 2
Sec. 45.48.850. Security procedures and practices. (a) A controller shall 3
implement and maintain reasonable administrative, technical, and physical security 4
procedures and practices to protect the confidentiality, integrity, and accessibility of 5
personal data that are appropriate to the volume and nature of the data. The security 6
procedures and practices adopted by a controller must include a retention schedule that 7
requires the deletion of personal data when the data is required to be deleted by law or 8
is no longer necessary for the purpose for which the data was collected, processed, or 9
transferred. 10
(b) A processor shall establish, implement, and maintain reasonable 11
administrative, technical, and physical data security practices to protect the 12
confidentiality, integrity, and accessibility of personal data appropriate to the volume 13
and nature of the personal data at issue. 14
Sec. 45.48.855. Data broker registration. (a) Before a controller begins 15
operating as a data broker, the controller shall register with the commissioner in 16
accordance with this section. 17
(b) To register as a data broker, a controller shall 18
(1) provide, on a form provided by the commissioner, 19
(A) the name of the data broker; 20
(B) the data broker's primary physical and mailing addresses; 21
(C) the data broker's electronic mail address; 22
(D) the data broker's primary Internet website address; and 23
(E) the Internet website address for the data broker's "Do Not 24
Sell My Personal Information" Internet website page as required under 25
AS 45.48.810(b); and 26
(2) pay a registration fee in an amount established by the department 27
by regulation. 28
(c) The department shall deposit the fees paid under this section into the 29
consumer privacy account established under AS 45.48.860. 30
(d) The commissioner shall make available on the department's Internet 31
website a registry with the information provided by data brokers under this section. 1
Sec. 45.48.860. Consumer privacy account. (a) The consumer privacy 2
account is established in the general fund. Registration fees collected under 3
AS 45.48.855 and civil penalties and money collected in or as a result of an action 4
brought by the attorney general under AS 45.48.800 - 45.48.898 shall be deposited 5
into the general fund and separately accounted for under AS 37.05.142. 6
(b) The legislature may appropriate the annual estimated balance in the 7
account maintained under AS 37.05.142 to pay 8
(1) the salaries of attorneys in the Department of Law that enforce the 9
provisions of AS 45.48.800 - 45.48.898 at an amount that is competitive with the 10
private sector; and 11
(2) the administrative costs incurred by the department and the 12
Department of Law to enforce AS 45.48.800 - 45.48.898. 13
Sec. 45.48.865. Violations. (a) A violation of AS 45.48.800 - 45.48.898 is an 14
unfair or deceptive act or practice under AS 45.50.471 - 45.50.561. Each day of a 15
violation constitutes a separate violation. 16
(b) In an action brought under AS 45.50.531(a), a consumer whose personal 17
data is subjected to unauthorized access, destruction, use, modification, or disclosure 18
has suffered an ascertainable loss of money or property. 19
(c) The remedies provided under this section are in addition to the remedies 20
provided under AS 45.48.080 for a violation of AS 45.48.010 - 45.48.090. 21
Sec. 45.48.870. Regulations. The attorney general may adopt regulations 22
under AS 44.62 (Administrative Procedure Act) to implement AS 45.48.800 - 23
45.48.898. 24
Sec. 45.48.875. Exemptions. (a) AS 45.48.800 - 45.48.898 do not apply to 25
(1) protected health information that a covered entity or business 26
associate collects or processes in accordance with, or documents that a covered entity 27
or business associate creates for the purpose of complying with, the Health Insurance 28
Portability and Accountability Act of 1996 (P.L. 104-191) and regulations adopted 29
under that Act; in this paragraph, "business associate," "covered entity," and 30
"protected health information" have the meanings given in 45 C.F.R. 160.103; 31
(2) data collected, processed, or maintained that must be retained to 1
administer benefits for another individual relating to an individual who is the subject 2
of protected health information under (1) of this subsection and used for the purpose 3
of administering the benefits; 4
(3) patient-identifying information under 42 U.S.C. 290dd-2; 5
(4) information that identifies a consumer that is collected, processed, 6
or maintained in connection with 7
(A) activities that are subject to 45 C.F.R. Part 46 (Protection 8
of Human Subjects); 9
(B) research on human subjects conducted under good clinical 10
practice guidelines issued by the International Council for Harmonisation of 11
Technical Requirements for Pharmaceuticals for Human Use; 12
(C) activities that are subject to the protections provided in 21 13
C.F.R. Parts 50 and 56; or 14
(D) personal data used or shared in research, as that term is 15
defined in 45 C.F.R. 164.501, that is conducted in accordance with the 16
standards applicable under (A) - (C) of this paragraph or other research 17
conducted in accordance with applicable law; 18
(5) information and documents created for purposes of 42 U.S.C. 19
11101 - 11152 (Health Care Quality Improvement Act of 1986) and related 20
regulations; 21
(6) patient safety work product, as defined in 42 C.F.R. 3.20, that is 22
created for purposes of improving patient safety under 42 C.F.R. Part 3 (Patient Safety 23
Organizations and Patient Safety Work Product) and 42 U.S.C. 299b-21 - 299b-26 24
(Patient Safety and Quality Improvement Act of 2005); 25
(7) information derived from health care-related information listed in 26
this subsection that is de-identified in accordance with the requirements for 27
de-identification under the Health Insurance Portability and Accountability Act of 1996 28
(P.L. 104-191) and related regulations; 29
(8) information collected, processed, or sold that is subject to 15 30
U.S.C. 6801 - 6827 (Gramm-Leach-Bliley Act) and related regulations; 31
(9) an activity that involves the collection, maintenance, disclosure, 1
sale, communication, or use of any information bearing on a consumer's 2
creditworthiness, credit standing, credit capacity, character, general reputation, 3
personal characteristics, or mode of living and that is subject to 15 U.S.C. 1681 - 4
1681x (Fair Credit Reporting Act), if the activity is performed by 5
(A) a consumer reporting agency, as that term is defined in 15 6
U.S.C. 1681a(f); 7
(B) a person who furnishes information to a consumer 8
reporting agency under 15 U.S.C. 1681s-2; or 9
(C) a person who uses a consumer report as provided in 15 10
U.S.C. 1681b(a)(3); 11
(10) personal data collected, processed, sold, or disclosed under 18 12
U.S.C. 2721 - 2725 (Driver's Privacy Protection Act of 1994) and related regulations; 13
(11) personal data regulated by 20 U.S.C. 1232g (Family Educational 14
Rights and Privacy Act of 1974); 15
(12) personal data collected, processed, sold, or disclosed in 16
compliance with 12 U.S.C. 2001 - 2279cc (Farm Credit System); 17
(13) data collected, processed, or maintained 18
(A) in the course of an individual applying to, being employed 19
by, or acting as an agent or independent contractor of a controller, processor, 20
or third party, to the extent that the data is collected and used within the 21
context of that role; or 22
(B) as the emergency contact information of an individual used 23
for emergency contact purposes; 24
(14) personal data collected, processed, sold, or disclosed related to a 25
price, route, or service of an air carrier, but only to the extent preempted by 49 U.S.C. 26
41713. 27
(b) AS 45.48.800 - 45.48.898 may not be construed to restrict the ability of a 28
controller or processor to collect, process, transfer, or disclose a consumer's personal 29
data to the extent necessary to 30
(1) comply with federal, state, municipal, or tribal law; 31
(2) comply with a civil, criminal, or regulatory inquiry or an 1
investigation, subpoena, or summons by federal, state, municipal, or tribal authorities; 2
(3) cooperate with a law enforcement agency concerning conduct or 3
activity that the person reasonably and in good faith believes may violate federal, 4
state, municipal, or tribal law; 5
(4) investigate, establish, exercise, or defend a legal claim; 6
(5) provide a product or service specifically requested by the 7
consumer; 8
(6) perform under a contract to which the consumer is a party, 9
including fulfilling the terms of a written warranty; 10
(7) take steps at the request of a consumer before entering into a 11
contract; 12
(8) take immediate steps to protect an interest that is essential for the 13
life or physical safety of an individual when the collection, processing, transfer, or 14
disclosure cannot be manifestly justified using another legal basis; 15
(9) prevent, detect, protect against, or respond to a security incident or 16
malicious, deceptive, fraudulent, or illegal activity or preserve the integrity or security 17
of systems; 18
(10) engage in public or peer-reviewed scientific or statistical research 19
in the public interest that adheres to all relevant laws and regulations governing that 20
research and is approved, monitored, and governed by an institutional review board or 21
similar independent oversight entity that determines whether 22
(A) the deletion of personal data requested by a consumer 23
under AS 45.48.805(a)(4) is likely to provide substantial benefits that do not 24
exclusively accrue to the controller; 25
(B) the expected benefits of the research outweigh the privacy 26
risks; and 27
(C) the controller has implemented reasonable safeguards to 28
mitigate privacy risks associated with research, including risks associated with 29
reidentification; 30
(11) assist another controller, processor, or third party with any 31
obligations under AS 45.48.800 - 45.48.898; 1
(12) process personal data for reasons of public interest in the areas of 2
public health, community health, or population health, but only to the extent that the 3
processing is 4
(A) subject to suitable and specific measures to safeguard the 5
rights of the consumer whose personal data is being processed; and 6
(B) under the responsibility of a professional subject to 7
confidentiality obligations under federal, state, municipal, or tribal law; 8
(13) ensure the data security and integrity of personal data as required 9
by AS 45.48.800 - 45.48.898, protect against spam, or protect and maintain networks 10
and systems, including through diagnostics, debugging, and repairs; 11
(14) carry out a product recall under federal or state law or to fulfill a 12
warranty; 13
(15) conduct medical research in compliance with 45 C.F.R. Part 46 14
(Protection of Human Subjects) or 21 C.F.R. Parts 50 and 56; or 15
(16) process personal data previously collected in accordance with 16
AS 45.48.800 - 45.48.898 to convert the personal data into de-identified data, 17
including to 18
(A) conduct internal research to develop, improve, or repair 19
products, services, or technology; 20
(B) identify and repair technical errors that impair existing or 21
intended functionality; or 22
(C) perform solely internal operations that are reasonably 23
aligned with the expectations of the consumer or reasonably anticipated based 24
on the consumer's existing relationship with the controller or are otherwise 25
compatible with processing data in furtherance of the provision of a product or 26
service specifically requested by a consumer or the performance of a contract 27
to which the consumer is a party. 28
(c) A requirement under AS 45.48.800 - 45.48.898 does not apply if 29
(1) compliance would violate an evidentiary privilege under state law; 30
(2) a controller or processor provides personal data as part of a 31
privileged communication to a person covered by an evidentiary privilege; 1
(3) the right or obligation would adversely affect a right of another 2
person; 3
(4) a person collects or processes personal data in the course of that 4
person's purely personal or household activities; 5
(5) compliance would require a private school as defined in 6
AS 14.45.200 or a private institution of higher education as defined in 20 U.S.C. 1001 7
to delete personal data when that deletion would unreasonably interfere with the 8
school's provision of educational services or ordinary operations; 9
(6) compliance would require the affirmative collection of personal 10
data about the age of users that a controller does not already collect in the normal 11
course of business or require a controller to implement age restriction requirements or 12
age verification. 13
(d) A controller may collect or process personal data under this section only to 14
the extent that the collection or processing 15
(1) is reasonably necessary for and proportionate to the purposes listed 16
in this section or, in the case of sensitive data, strictly necessary for the purposes listed 17
in this section; 18
(2) is limited to data that is necessary in relation to the specific 19
purposes listed in this section; 20
(3) is subject to reasonable administrative, technical, and physical 21
measures to protect the confidentiality, integrity, and accessibility of the personal data 22
and to reduce reasonably foreseeable risks of harm to consumers related to the 23
processing of personal data; and 24
(4) complies with AS 45.48.805(d). 25
(e) A controller that collects or processes personal data under an exemption in 26
this section bears the burden of demonstrating that the collection or processing 27
qualifies for the exemption and complies with the requirements of (d) of this section. 28
(f) A violation of AS 45.48.800 - 45.48.898 by a processor or third-party 29
controller that receives and processes personal data from a controller or another 30
processor is not imputed to the controller or processor that disclosed the personal data 31
unless the disclosing controller or processor had actual knowledge that the receiving 1
processor or third-party controller would commit the violation. A violation of 2
AS 45.48.800 - 45.48.898 by a controller or processor that discloses personal data to a 3
third-party controller or processor is not imputed to the receiving third-party controller 4
or processor. 5
Sec. 45.48.880. Component parts. If a series of steps or transactions are 6
component parts of a single transaction and are intended from the beginning to avoid 7
the reach of AS 45.48.800 - 45.48.898, including a controller's disclosure of 8
information to a third party to avoid being considered a sale of personal data, the steps 9
or transactions may not be considered separate for the purposes of determining 10
compliance with, an exception to, or a violation of AS 45.48.800 - 45.48.898. 11
Sec. 45.48.885. Provisions not waivable. A consumer's waiver of the 12
provisions of AS 45.48.800 - 45.48.898 is contrary to public policy and is 13
unenforceable and void. This section does not prevent a consumer from 14
(1) declining to request information from a controller; 15
(2) declining to request that a controller not collect, sell, or disclose the 16
consumer's personal data; or 17
(3) authorizing a controller to sell the consumer's personal data after 18
previously requesting that the controller not sell the personal data. 19
Sec. 45.48.890. Liberal construction. The intent of AS 45.48.800 - 45.48.898 20
is remedial, and its provisions shall be liberally construed. 21
Sec. 45.48.895. Definitions. In AS 45.48.800 - 45.48.898, unless the context 22
clearly indicates otherwise, 23
(1) "affiliate" means a legal entity that shares common branding with 24
another legal entity or controls, is controlled by, or is under common control with 25
another legal entity; in this paragraph, "control" and "controlled" mean having 26
(A) ownership of, or the power to vote, more than 50 percent of 27
the outstanding shares of any class of voting security of a legal entity; 28
(B) control in any manner over the election of a majority of the 29
directors or of individuals exercising similar functions; or 30
(C) the power to exercise controlling influence over the 31
management of a legal entity; 1
(2) "affirmative consent" 2
(A) means a clear affirmative act signifying a consumer's freely 3
given, specific, informed, and unambiguous authorization for an act or 4
practice, after having been informed, in response to a specific request from a 5
controller; in making the request, the controller shall 6
(i) provide to the consumer a clear and conspicuous 7
stand-alone disclosure; 8
(ii) provide to the consumer a written request that 9
describes the processing purpose for which the consumer's consent is 10
sought, that clearly distinguishes between an act or practice that is 11
necessary to fulfill a request of the consumer and an act or practice that 12
is for another purpose, that clearly states the specific categories of 13
personal data that the controller intends to collect, process, or transfer 14
under each act or practice, and that uses easy-to-understand language 15
with prominent headings that enable a reasonable consumer to identify 16
and understand each act or practice; 17
(iii) clearly explain the consumer's rights related to 18
consent; 19
(iv) make the request reasonably accessible to and 20
usable by consumers with disabilities; 21
(v) make the request available to the consumer in each 22
language in which the controller provides a product or service for 23
which authorization is sought; and 24
(vi) ensure that the option to refuse to give consent is at 25
least as prominent and takes the same or fewer steps as the option to 26
give consent; 27
(B) does not include 28
(i) consent for an act or practice inferred from the 29
inaction of the consumer or the consumer's continued use of a service 30
or product provided by the controller; 31
(ii) acceptance of general or broad terms of use or a 1
similar document that contains descriptions of personal data processing 2
along with other unrelated information; 3
(iii) hovering over, muting, pausing, or closing a given 4
piece of content on the Internet; 5
(iv) an agreement obtained through the use of a false, 6
fraudulent, or materially misleading statement or representation; or 7
(v) an agreement obtained through the use of a dark 8
pattern; 9
(3) "authenticate" means the use of reasonable means to determine that 10
a request to exercise a right granted to a consumer under AS 45.48.800 - 45.48.898 is 11
being made by, or on behalf of, the consumer who is entitled to exercise that right with 12
respect to the personal data; 13
(4) "biometric data" 14
(A) means data generated by automatic measurements of an 15
individual's fingerprint, voiceprint, retina, iris, gait, or other unique biological 16
pattern or characteristic that can be used to identify a specific individual; 17
(B) does not include 18
(i) a digital or physical photograph; 19
(ii) an audio or video recording; or 20
(iii) data generated from a digital or physical 21
photograph or an audio or video recording, unless the data is generated 22
to identify a specific individual; 23
(5) "collect" means to buy, rent, gather, obtain, receive, access, or 24
otherwise acquire personal data by any means; 25
(6) "commissioner" means the commissioner of commerce, 26
community, and economic development; 27
(7) "consumer" 28
(A) means an individual who is a resident of the state; 29
(B) does not include an individual acting in a commercial or 30
employment context or as an employee, owner, director, officer, or contractor 31
of a company, partnership, sole proprietorship, nonprofit organization, or 1
government agency whose communications or transactions with the controller 2
occur solely within the context of that individual's role with the company, 3
partnership, sole proprietorship, nonprofit organization, or government agency; 4
(8) "consumer health data" means personal data that describes or 5
reveals a consumer's past, present, or future physical or mental health condition or 6
diagnosis; 7
(9) "contextual advertising" 8
(A) means displaying or presenting an advertisement that does 9
not vary based on the identity of the individual recipient and is based solely on 10
(i) the immediate content of an Internet website or 11
online service within which the advertisement appears; or 12
(ii) a specific request of the consumer for information 13
or feedback if displayed in proximity to the results of the request for 14
information; 15
(B) does not include a controller's use of the following types of 16
personal data to display a contextual advertisement without making inferences 17
about the consumer, profiling the consumer, or using the data for any other 18
purpose, if the consumer may use technical means to hide or change the 19
consumer's physical location and to specify a language preference: 20
(i) technical specifications that are necessary for the 21
advertisement to be delivered and display properly on a given device; 22
(ii) a consumer's immediate presence in a geographic 23
area with a radius not smaller than 10 miles, or an area reasonably 24
estimated to include online activity from at least 5,000 users, but not 25
including precise geolocation data; or 26
(iii) the consumer's language preferences, as inferred 27
from context, browser settings, or user settings; 28
(10) "controller" means a person who, alone or jointly with others, 29
determines the purpose and means of collecting or processing personal data; 30
(11) "dark pattern" means 31
(A) a user interface designed or manipulated with the 1
substantial effect of subverting or impairing user autonomy, decision making, 2
or choice; and 3
(B) a practice the Federal Trade Commission refers to as a 4
"dark pattern"; 5
(12) "data broker" means a controller that knowingly collects and sells 6
to third parties the personal data of a consumer with whom the controller does not 7
have a direct relationship, but does not include a consumer reporting agency to the 8
extent the agency is covered by 15 U.S.C. 1681 et seq. (Fair Credit Reporting Act); 9
(13) "de-identified data" means data that does not identify and cannot 10
reasonably be used to infer information about, or otherwise be linked to, an identified 11
or identifiable individual or a device linked to the individual and for which the 12
controller holding the information 13
(A) takes reasonable physical, administrative, and technical 14
measures to ensure that the data cannot be associated with an individual or be 15
used to reidentify an individual or device that identifies or is linked, or is 16
reasonably linkable, to an individual; 17
(B) publicly commits to process the data only in a de-identified 18
fashion and does not attempt to reidentify the data; and 19
(C) contractually obligates a recipient of the data to satisfy the 20
criteria set out in (A) and (B) of this paragraph; 21
(14) "department" means the Department of Commerce, Community, 22
and Economic Development; 23
(15) "first party" means a consumer-facing controller with which the 24
consumer intends or expects to interact; 25
(16) "first-party advertising" means 26
(A) processing of first-party data by the first party for the 27
purposes of advertising and marketing 28
(i) through mail, electronic mail, text message, or other 29
direct communication with a consumer; 30
(ii) in a physical location operated by the first party; or 31
(iii) through display or presentation of an advertisement 1
on the first party's own Internet website, application, or other online 2
content; and 3
(B) a marketing measurement related to advertising and 4
marketing under (A) of this paragraph; 5
(17) "first-party data" means personal data collected directly from a 6
consumer by a first party; 7
(18) "identified or identifiable individual" means an individual who 8
can be readily identified, directly or indirectly; 9
(19) "marketing measurement" means measuring and reporting on 10
marketing performance or media performance by the controller and processing of 11
personal data by the controller for measurement and reporting of frequency, 12
attribution, and performance; 13
(20) "minor" means a consumer who is under 18 years of age; 14
(21) "personal data" 15
(A) means information that is linked, or is reasonably linkable, 16
alone or in combination with other information, to an identified or identifiable 17
individual or a device that identifies or is linked, or is reasonably linkable, to 18
an individual; 19
(B) does not include publicly available information or 20
de-identified data; 21
(22) "precise geolocation data" 22
(A) means information derived from a global positioning 23
system or other technology capable of determining with specificity the latitude 24
and longitude coordinates or other spatial location of an individual or device 25
and that reveals, with precision and accuracy within a radius of 1,750 feet or 26
less, the past or present physical location of 27
(i) an individual; or 28
(ii) a device that identifies one or more individuals or is 29
linked, or reasonably linkable, to one or more individuals; 30
(B) does not include 31
(i) the content of communications, a photograph or 1
video, or metadata associated with a photograph or video that cannot be 2
linked to an individual; or 3
(ii) information generated by or connected to an 4
advanced utility metering infrastructure system or equipment for use by 5
a utility; 6
(23) "process" and "processing" mean any operation or set of 7
operations performed on personal data or on sets of personal data, whether or not by 8
automated means; 9
(24) "processor" means a person who collects, processes, or transfers 10
personal data on behalf of, and at the direction of, a controller, another processor, or a 11
federal, state, municipal, or tribal government; 12
(25) "profiling" means a form of processing performed on personal 13
data to evaluate, analyze, or predict an individual's economic situation, health, 14
personal preferences, interests, reliability, behavior, location, movements, or other 15
personal features; 16
(26) "publicly available information" 17
(A) means information that is lawfully made available to the 18
general public from 19
(i) federal, state, municipal, or tribal government 20
records, if the information is collected, processed, and transferred in 21
accordance with any restrictions or terms of use placed on the 22
information by the relevant government; 23
(ii) widely distributed media; or 24
(iii) a disclosure to the general public as required by 25
federal, state, municipal, or tribal law; 26
(B) does not include 27
(i) material that constitutes an obscene visual depiction 28
under 18 U.S.C. 1460; 29
(ii) an inference made exclusively from multiple 30
independent sources of publicly available information that reveals 31
sensitive data pertaining to a consumer; 1
(iii) biometric data; 2
(iv) personal data created through the combination of 3
information under (A) of this paragraph with personal data that is not 4
publicly available information; 5
(v) genetic data, unless otherwise made available to the 6
public by the individual to whom the information pertains; 7
(vi) information made available by a consumer on an 8
Internet website or online service that is available to all members of the 9
public, with or without charge, when the consumer has restricted the 10
information to a specific audience; or 11
(vii) authentic or computer-generated intimate images 12
known to be nonconsensual; 13
(27) "sale of personal data" 14
(A) means an exchange of personal data for monetary or other 15
valuable consideration by a controller to a third party; 16
(B) does not include 17
(i) the disclosure of personal data to a processor that 18
processes the personal data on behalf of a controller; 19
(ii) the disclosure of personal data to a third party for 20
purposes of providing a product or service requested by the consumer; 21
(iii) the disclosure or transfer of personal data to an 22
affiliate of a controller; 23
(iv) the disclosure of personal data, with the consumer's 24
affirmative consent, when the consumer affirmatively directs a 25
controller to disclose the personal data or intentionally uses a controller 26
to interact with a third party; or 27
(v) the disclosure of personal data that the consumer 28
intentionally made available to the general public through mass media 29
and did not restrict to a specific audience; 30
(28) "sensitive data" means personal data that 31
(A) reveals a consumer's racial or ethnic origin, religious
beliefs, mental or physical health condition or diagnosis, status as pregnant,
sexual orientation, status as transgender or nonbinary, union membership, or
citizenship or immigration status;
(B) contains consumer health data;
(C) contains a consumer's genetic or biometric data;
(D) pertains to a consumer that a controller knows or should
know, based on knowledge fairly implied under objective circumstances, is a
minor;
(E) contains precise geolocation data;
(F) contains a consumer's social security number, driver's
license number, known traveler number, state identification card number,
passport number, or other government-issued identifier that is not required by
law to be displayed in public;
(G) reveals the online activities of a consumer or device linked,
or reasonably linkable, to a consumer, over time and across Internet websites,
online applications, or mobile applications that do not share common branding,
or data generated by profiling those online activities;
(29) "targeted advertising"
(A) means
(i) displaying or presenting an online advertisement to a
consumer, to a device identified by a unique persistent identifier, or to a
group of consumers or devices identified by unique persistent
identifiers if the advertisement is selected based, in whole or in part, on
known or predicted preferences, characteristics, behavior, or interests
associated with the consumer or consumers or the device;
(ii) displaying or presenting an online advertisement for
a product or service based on the previous interaction of a consumer or
a device identified by a unique persistent identifier with the product or
service on an Internet website or online service that does not share
common branding with the Internet website or online service displaying
or presenting the advertisement; or
(iii) a marketing measurement related to advertising
under (i) and (ii) of this subparagraph;
(B) does not include first-party advertising or contextual
advertising;
(30) "third party"
(A) means a person who collects personal data from another
person who is not the consumer to whom the data pertains;
(B) does not include
(i) a processor with respect to the personal data; or
(ii) a person who collects personal data from another
entity if the two entities are affiliates;
(31) "transfer" means to disclose, release, disseminate, make available,
license, rent, or share personal data to a third party by any means;
(32) "unique persistent identifier"
(A) includes a device identifier; an Internet protocol address;
cookies, beacons, pixel tags, mobile ad identifiers, or similar technology;
customer number, unique pseudonym, or user alias; telephone numbers; or
other forms of persistent or probabilistic identifiers that are reasonably linkable
to one or more consumers or devices that identify or are reasonably linkable to
one or more consumers;
(B) does not include an identifier assigned by a controller for
the sole purpose of giving effect to the exercise of affirmative consent or opt
out by a consumer
(i) pertaining to the collection, processing, and transfer
of personal data; or
(ii) otherwise limiting the collection, processing, or
transfer of personal data.
Sec. 45.48.898. Short title. AS 45.48.800 - 45.48.898 may be cited as the
Alaska Data Privacy Act.
* Sec. 6. AS 45.50.471(b) is amended by adding a new paragraph to read:
(58) violating AS 45.48.800 - 45.48.898 (Alaska Data Privacy Act).
* Sec. 7. The uncodified law of the State of Alaska is amended by adding a new section to
read:
APPLICABILITY: CONTRACTS. This Act applies to a contract entered into on or
after the effective date of this Act.
* Sec. 8. The uncodified law of the State of Alaska is amended by adding a new section to
read:
TRANSITION: DATA PROTECTION ASSESSMENTS. A data protection
assessment required under AS 45.48.835, added by sec. 5 of this Act, is not required for a
processing activity until January 1, 2028.
* Sec. 9. This Act takes effect January 1, 2027.