32-LS0343\A
HOUSE BILL NO. 222
IN THE LEGISLATURE OF THE STATE OF ALASKA
THIRTY-SECOND LEGISLATURE - SECOND SESSION
BY REPRESENTATIVES RAUSCHER, McCarty
Introduced: 1/18/22
Referred: Labor and Commerce, Judiciary
A BILL
FOR AN ACT ENTITLED
1 "An Act relating to personal information; relating to the privacy of personal
2 information; relating to the collection, sale, sharing, deletion, correction, and use of
3 personal information; relating to breaches of security of personal information; relating
4 to genetic privacy; relating to social security numbers; and providing for an effective
5 date."
6 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF ALASKA:
7 * Section 1. AS 18.13.010(a) is amended to read:
8 (a) Notwithstanding AS 45.48.760 - 45.48.925, and except [EXCEPT] as
9 provided in (b) of this section,
10 (1) a person may not collect a DNA sample from a person, perform a
11 DNA analysis on a sample, retain a DNA sample or the results of a DNA analysis, or
12 disclose the results of a DNA analysis unless the person has first obtained the
13 informed and written consent of the person, or the person's legal guardian or
HB0222a -1- HB 222
New Text Underlined [DELETED TEXT BRACKETED]
 32-LS0343\A
1 authorized representative, for the collection, analysis, retention, or disclosure;
2 (2) a DNA sample and the results of a DNA analysis performed on the
3 sample are the exclusive property of the person sampled or analyzed.
4 * Sec. 2. AS 45.48.010(a) is amended to read:
5 (a) In addition to the requirements of AS 45.48.885(c) - (e), if [IF] a
6 covered person owns or licenses personal information in any form that includes
7 personal information on a state resident, and a breach of the security of the
8 information system that contains personal information occurs, the covered person
9 shall, after discovering or being notified of the breach, disclose the breach to each
10 state resident whose personal information was subject to the breach.
11 * Sec. 3. AS 45.48.430(b) is amended to read:
12 (b) The prohibition in (a) of this section does not apply if
13 (1) the disclosure is authorized by local, state, or federal law, including
14 AS 45.48.760 - 45.48.925 or a regulation adopted under AS 45.48.470;
15 (2) the person is engaging in the business of government and
16 (A) is authorized by law to disclose the individual's social
17 security number; or
18 (B) the disclosure of the individual's social security number is
19 required for the performance of the person's duties or responsibilities as
20 provided by law;
21 (3) the disclosure is to a person subject to or for a transaction regulated
22 by the Gramm-Leach-Bliley Financial Modernization Act, and the disclosure is for a
23 purpose authorized by the Gramm-Leach-Bliley Financial Modernization Act or to
24 facilitate a transaction of the individual;
25 (4) the disclosure is to a person subject to or for a transaction regulated
26 by the Fair Credit Reporting Act, and the disclosure is for a purpose authorized by the
27 Fair Credit Reporting Act;
28 (5) the disclosure is part of a report prepared by a consumer credit
29 reporting agency in response to a request by a person and the person submits the social
30 security number as part of the request to the consumer credit reporting agency for the
31 preparation of the report; or
HB 222 -2- HB0222a
New Text Underlined [DELETED TEXT BRACKETED]
 32-LS0343\A
1 (6) the disclosure is for a background check on the individual, identity
2 verification, fraud prevention, medical treatment, law enforcement or other
3 government purposes, or the individual's employment, including employment benefits.
4 * Sec. 4. AS 45.48.450(b) is amended to read:
5 (b) Notwithstanding the other provisions of AS 45.48.400 - 45.48.480, and
6 except as provided under AS 45.48.760 - 45.48.925 or for an agent under (a) of this
7 section, a person may disclose an individual's social security number to an
8 independent contractor of the person to facilitate the purpose or transaction for which
9 the individual initially provided the social security number to the person, but the
10 independent contractor may not use the social security number for another purpose or
11 make an unauthorized disclosure of the individual's personal information. In this
12 subsection, "independent contractor" includes a debt collector.
13 * Sec. 5. AS 45.48 is amended by adding new sections to read:
14 Article 6A. Treatment of Personal Information.
15 Sec. 45.48.760. General duties of businesses that control collection. (a) A
16 business that controls the collection of a consumer's personal information shall, at or
17 before the point of collection, notify the consumer of the following:
18 (1) the categories of personal information and categories of sensitive
19 personal information that the business will collect, the purposes for which the business
20 will collect the information, and whether the business will sell or share the
21 information;
22 (2) the length of time the business will retain each category of personal
23 information and category of sensitive personal information, or, if it is not possible for
24 the business to make this determination, the criteria used to determine the length of
25 time; and
26 (3) that the business may not retain the consumer's personal
27 information or sensitive personal information for longer than is reasonably necessary
28 for the purposes disclosed under (1) of this subsection.
29 (b) Unless a business that controls the collection of a consumer's personal
30 information provides the consumer with another disclosure under (a) of this section
31 informing the consumer of a previously undisclosed category or use, the business may
HB0222a -3- HB 222
New Text Underlined [DELETED TEXT BRACKETED]
 32-LS0343\A
1 not collect a category of personal information or a category of sensitive personal
2 information unless the business has disclosed that category under (a)(1) of this section
3 and may not use personal information or sensitive personal information for a purpose
4 that is incompatible with the purposes disclosed under (a)(1) of this section.
5 (c) A business that, acting as a third party, controls the collection of a
6 consumer's personal information may make the disclosures required under (a) of this
7 section on the home page of the Internet website of the business, except that, if the
8 business controls the collection on the physical premises of the business, the business
9 shall also make the disclosures on the physical premises and ensure the information is
10 displayed prominently and conspicuously. In this subsection, "physical premises"
11 includes a motor vehicle.
12 Sec. 45.48.765. Deletion of personal information. (a) Except as provided
13 under this section and AS 45.48.815, a business shall delete personal information
14 collected from a consumer if the consumer makes a verifiable consumer request to the
15 business to delete the personal information.
16 (b) A business that collects personal information about a consumer shall notify
17 the consumer under AS 45.48.795 that the consumer may request that the business
18 delete the consumer's personal information.
19 (c) A business that receives a verifiable consumer request from a consumer
20 under (a) of this section shall
21 (1) delete the consumer's personal information from its records;
22 (2) notify its service providers and contractors to delete the consumer's
23 personal information from their records; and
24 (3) notify all third parties to whom the business has sold or with whom
25 the business has shared the consumer's personal information to delete the personal
26 information, unless the notification is impossible or involves effort that is
27 disproportionate to the request.
28 (d) A service provider or contractor of a business shall cooperate with the
29 business in responding to a verifiable consumer request under this section and, at the
30 direction of the business, shall delete, or enable the business to delete, and notify any
31 of its own service providers or contractors to delete, personal information about the
HB 222 -4- HB0222a
New Text Underlined [DELETED TEXT BRACKETED]
 32-LS0343\A
1 consumer collected, used, processed, or retained by the service provider or the
2 contractor. Unless the notification is impossible or involves disproportionate effort or
3 the information was accessed at the direction of the business, the service provider or
4 contractor shall notify a service provider, contractor, or third party who may have
5 accessed personal information about the consumer from or through the service
6 provider or contractor to delete the personal information.
7 (e) Unless prohibited by another provision of AS 45.48.760 - 45.48.925, a
8 business may maintain a record of a verifiable consumer request made under this
9 section only to prevent the personal information about the consumer who submitted
10 the request from being sold, to comply with law, or to achieve another purpose to the
11 extent allowed under AS 45.48.760 - 45.48.925. The business shall keep the record
12 confidential.
13 Sec. 45.48.770. Correction of personal information. (a) A business shall
14 correct inaccurate personal information collected from a consumer if the consumer
15 makes a verifiable consumer request to the business to correct the personal
16 information.
17 (b) A business that collects personal information about a consumer shall notify
18 the consumer under AS 45.48.795 that the consumer may request the business to
19 correct inaccurate personal information.
20 (c) A business that receives a verifiable consumer request to correct inaccurate
21 personal information about the consumer shall use, as directed by the consumer,
22 commercially reasonable efforts to correct the personal information.
23 Sec. 45.48.775. Disclosure of personal information collected. (a) In addition
24 to the disclosure required by (b) of this section, if a consumer makes a verifiable
25 consumer request to a business that collects personal information about a consumer,
26 the business shall disclose to the consumer the following information:
27 (1) the categories of personal information the business has collected
28 about the consumer;
29 (2) the sources identified by category from which the business collects
30 the personal information;
31 (3) the business purpose or commercial purpose for collecting, selling,
HB0222a -5- HB 222
New Text Underlined [DELETED TEXT BRACKETED]
 32-LS0343\A
1 or sharing personal information;
2 (4) the third parties identified by category to whom the business
3 discloses personal information; and
4 (5) the specific pieces of personal information the business has
5 collected about the consumer.
6 (b) A business that collects personal information about a consumer shall
7 disclose the following information in its online privacy policy statement or, if the
8 business does not have an online privacy policy statement, on its Internet website, and
9 shall update that information at least once every 12 months:
10 (1) the categories of personal information the business has collected
11 about consumers in the preceding 12 months;
12 (2) the sources identified by category from which the business collects
13 personal information;
14 (3) the business purpose or commercial purpose for collecting, selling,
15 or sharing personal information;
16 (4) the third parties identified by category to whom the business
17 discloses personal information; and
18 (5) that a consumer may request the specific pieces of personal
19 information the business has collected about that consumer.
20 (c) A business complies with (b)(1) - (4) of this section if the categories of
21 personal information and the business purpose or commercial purpose for collecting,
22 selling, or sharing personal information the business is required to disclose to the
23 consumer under (b)(1) - (4) of this section are the same as the information it has
24 disclosed upon a verifiable consumer request under (a)(1) - (4) of this section.
25 (d) To identify a consumer making a verifiable consumer request under (a) of
26 this section, a business shall associate the information provided by the consumer in the
27 verifiable consumer request with personal information previously collected by the
28 business about the consumer.
29 (e) When identifying personal information by category under (a) and (b) of
30 this section, a business shall use the category of personal information that most closely
31 describes the disclosure required.
HB 222 -6- HB0222a
New Text Underlined [DELETED TEXT BRACKETED]
 32-LS0343\A
1 (f) When disclosing to a consumer the specific pieces of personal information
2 a business has collected about the consumer under (a)(5) of this section, the business
3 shall provide the information in a format that is easily understandable to the average
4 consumer and, to the extent technically feasible, in a structured, commonly used,
5 machine-readable format that may also be used to transmit the information without
6 difficulty to another person at the consumer's request.
7 (g) A business is not considered to have disclosed personal information as
8 required by this section if the business, at the request of the consumer, transfers the
9 personal information to another business in order for the consumer to change to
10 another business to provide services.
11 (h) In this section, "specific pieces of personal information" does not include
12 data generated to help ensure the security and integrity of personal information.
13 Sec. 45.48.780. Consumer direction not to sell or share personal
14 information; sale or sharing of personal information. (a) A consumer may, at any
15 time, direct a business that sells to or shares with a third party personal information
16 about consumers not to sell to or share with the third party the consumer's personal
17 information.
18 (b) A business that sells to or shares with a third party a consumer's personal
19 information shall provide notice under AS 45.48.825 that the information may be sold
20 or shared and that a consumer may direct the business not to sell or share personal
21 information about the consumer.
22 (c) A business may not sell or share personal information about a consumer if
23 the business has actual knowledge that the consumer is under 16 years of age unless
24 the consumer is at least 13 years of age and consents to the sale or sharing of the
25 consumer's personal information, or unless the consumer is under 13 years of age and
26 the consumer's parent or guardian authorizes the sale or sharing of the consumer's
27 personal information. A business that intention