Bill > HB367

This bill, titled the Consumer Data Privacy Act, establishes new regulations for how businesses handle consumer personal information in Alaska, aiming to enhance privacy protections. It mandates that businesses meeting certain thresholds for collecting or processing personal data, specifically those that collect or process data from at least 35,000 consumers or 10,000 consumers and derive over 20% of their revenue from selling that data, must comply with these new rules, with exemptions for government entities and certain other organizations. The Act grants consumers rights to access, correct, delete, and obtain a copy of their personal data, as well as to opt out of the sale of their data, targeted advertising, and profiling that produces significant legal or similar effects. It also requires businesses, referred to as "controllers," to implement data minimization practices, obtain affirmative consent for processing sensitive data, and provide clear privacy notices detailing data collection, purpose, and third-party sharing. Furthermore, the bill introduces a data broker registry, requiring entities that knowingly collect and sell personal data of consumers with whom they have no direct relationship to register with the state and pay a fee, with these fees contributing to a consumer privacy account used for enforcement. Violations of these provisions are considered unfair or deceptive trade practices, and the Act includes specific requirements for data security, data protection assessments for high-risk processing activities, and prohibits discrimination or retaliation against consumers for exercising their privacy rights. The bill also clarifies that certain existing laws, such as those related to health information, financial data, and credit reporting, are exempt from these new privacy requirements, and it sets an effective date of January 1, 2027, with some provisions, like data protection assessments, having a delayed implementation until January 1, 2028.