Add Alaska to the expanding list of states to consider comprehensive data privacy legislation.
As far as Internet traffic is concerned, state boundaries have no relevance. A single set of data privacy rules that apply nationwide therefore is the preferred approach. But as I've described in a recent Perspectives from FSF Scholars and a number of posts to the Free State Foundation Blog, a steadily growing number of states are filling the void created by Congress' inability thus far to pass preemptive federal law.And on March 31, Alaska Governor Mike Dunleavy introduced the Consumer Data Privacy Act (Senate Bill No. 116, House Bill No. 159), draft legislation that borrows heavily from the California Consumer Protection Act (CCPA).
The Consumer Data Privacy Act would create consumer rights to know what personal information is collected, to access that data, to have that data deleted, and to opt out of its sale.
They also would be (1) prohibited from retaliating against those who exercise the rights listed above, (2) barred from using precise geolocation data beyond that which is necessary to provide requested goods and services absent express written consent, and (3) required to obtain opt-in consent from the parents/guardians of individuals under the age of 18 before disclosing their personal information, even, it would appear, if only to provide that individual with a requested product or service:
If a business has actual knowledge that a consumer is under 18 years of age, the business may not disclose the consumer's personal information for a business or commercial purpose, or use the consumer's precise geolocation data for a purpose other than to provide goods or services that the consumers reasonably requests and expects.
The Alaska Attorney General would have both enforcement and rulemaking authority under the Consumer Data Privacy Act. Consumers also could seek statutory damages via a private right of action created by state consumer protection law.
Though modeled on the CCPA, the Consumer Data Privacy Act deviates from the California law in a number of significant ways. For example, it would apply not just to a business that meets thresholds based upon annual revenue ($25 million) or the number of persons whose personal information it buys or sells (100,000), but also to a business that sold the personal information of even one consumer, household, or device during the previous year. It also defines a minor as less than 18, rather than 16, years old.
Should it become law, the Consumer Data Privacy Act would go into effect on January 1, 2023.