Last week, Alaska joined the growing number of states considering comprehensive consumer privacy legislation when, at the behest of Governor Dunleavy, the Consumer Data Privacy Act was introduced in both chambers of the Alaska legislature. If enacted, the Act would become effective on January 1, 2023.
The Act is modeled after the California Consumer Privacy Act (CCPA) and provides consumers certain rights and imposes obligations on businesses that collect consumers' personal information. Although similar to the CCPA in many respects, it diverges from the CCPA in some significant ways that would pose compliance challenges for businesses.
Whom Does the Act Cover?
The Act looks to the CCPA for most of its definitions, including those for "personal information" and "sale," but it expands the scope of businesses regulated and narrows the definition of consumers protected.
The Act defines "business" to include entities that meet thresholds found in the CCPA: $25 million annual revenue, or purchase or disclosure of the personal information of 100,000 consumers, households, or devices (this threshold was originally 50,000 in the CCPA, but was raised to 100,000 in the CPRA). But it also includes in the definition companies that have sold the personal information of a consumer, household, or device—even just one consumer, household, or device—during the preceding 365 days.
This expansive definition of "business" makes the Act an outlier among state privacy frameworks, which generally carve out small businesses altogether or limit coverage to those that either buy or sell a significant amount of personal information, or that generate a significant portion of their revenue from the collection, use, or disclosure of such information.
While the Act defines a wider range of companies as "businesses," it narrows the scope of individuals protected by covering only residents of Alaska who are "physically present in the state with the intent to remain indefinitely in the state." In contrast, the CCPA protects California residents regardless of whether they are in California at the time of the transaction so long as some part of the transaction occurs in the state. Like the CCPA, the Act exempts from coverage individuals acting in an employment or commercial context.
What Rights Does It Provide to Consumers?
The Act gives consumers the same rights that the CCPA provided before it was amended by the CPRA—namely, the right to:
- (2) Access personal information that the business has collected about them;
- (3) Delete personal information that the consumer has provided to the business;
- (4) Opt out of "sales" of personal information (or opt in, if a minor); and
- (5) Be free from retaliation for exercising the rights provided under the Act.
Because the Act does not track the CPRA, it does not, among other things, provide a right to correct inaccurate information or to opt out of either "sharing" personal information for online behavioral advertising or certain uses of sensitive personal information.
The rights that the Act provides are subject to exceptions that will be familiar to businesses that comply with the CCPA, including, among other things, carve-outs for de-identified information, certain types of financial incentives, and transfers of personal information in the course of a merger or other change in corporate control. However, the "lookback" period for deletion and access is extended under the Act to five years, as opposed to the 12-month lookback that the CCPA provides for access requests.
Finally, as under the CCPA, consumers must be given at least two methods to request access to and deletion of personal information, including—at a minimum—a toll-free number and, if the business operates online, an email address.
How Does the Act Differ From the CCPA?
The Act diverges from the CCPA in some important respects, and also includes some confusing language that hopefully will be clarified as the Act makes its way through the legislative process.
The Act requires businesses that receive a request for deletion to direct all persons to whom the business has disclosed the information to delete the information and provide a written statement verifying the deletion within 45 days of the consumer's request. If the person fails to provide the written verification, the business must notify the Alaska Attorney General in writing of the person's failure to do so.
This is a particularly burdensome requirement, as businesses will need to monitor whether service providers and third parties comply with their requests and notify the Attorney General if not. Businesses' failure to do so would be a violation of the Act.
The Act gives consumers the right to opt out of the sale of their personal information or "particular categories" of personal information. This will require businesses to establish internal processes that enable them to segregate information by category to ensure that they can honor such requests.
In addition, while the Act tracks the CCPA's language regarding the right to opt out of "sales" of personal information, it nonetheless requires businesses to include a link on their homepage with the following language: "Do Not Collect or Sell My Personal Information." (Emphasis added.) This is very confusing, as it is the only mention in the Act of a possible right to prevent "collection" of personal information, and it is not clear what the scope of such a right might be or how a business would respond.
Special Rules Regarding Precise Geolocation Information
Businesses must limit their use and disclosure of precise geolocation information to what is necessary to provide goods and services that the consumer requests or would reasonably expect, and must allow a consumer to opt out of the use of the consumer's precise geolocation data for other purposes.
The Act would raise the age threshold for minors from under 16 years of age (the threshold in the CCPA) to under 18 years of age, and would prohibit businesses that have actual knowledge that a consumer is under 18 years of age from disclosing the minor's personal information, even for a business purpose, without prior consent of the minor's parent or guardian.
Because "business purposes" include providing the consumer with the products and services they requested, this provision prohibits businesses from engaging any service providers whatsoever to assist in providing services to consumers under 18 years old unless the minor's parent consents.
Names of Third Parties
Unlike the CCPA, which gives consumers the right to know the categories of service providers or third parties to whom their personal information was disclosed, the Act requires businesses to provide consumers with the actual names of those who received the consumer's personal information from the business.
Restrictions on Downstream Disclosures
The Act limits the ability of service providers and third parties to further disclose personal information that they receive. For instance, service providers may disclose personal information to subcontractors, but the subcontractors may not disclose the personal information to any other entity.
The Act also makes it difficult for third parties that receive personal information from businesses to further disclose the information. Specifically, the Act prohibits third parties from disclosing personal information that a business collected in violation of the Act's requirements.
Third parties may disclose personal information only if they first obtain from a business written confirmation that the information was collected in compliance with the Act. Third parties will not be liable for further disclosures so long as it is reasonable to conclude that the business's collection practices complied with the Act based on the written confirmation provided.
Registration Requirement for Data Brokers
The Act requires "data brokers" to register annually with the commissioner of the Alaska Department of Commerce, Community, and Economic Development. The registry will be publicly available and will provide direct access to the data broker's "Do Not Collect or Sell My Personal Information" link.
A "data broker" is a business that "knowingly collects and sells to third parties the personal information of a consumer with whom the [data broker] does not have a direct relationship." Consumer reporting agencies subject to the FCRA or GLBA are not subject to these requirements.
How Would the Act Be Enforced?
The Act expressly provides for enforcement by the Alaska Attorney General, who also has broad authority to promulgate rules to implement the Act. In addition, because violations of the Act are deemed to be unfair and deceptive acts or practices under the Alaska consumer protection statute, AS 45.50.471-45.50.561, consumers would have a private right of action with statutory damages if they can show that they suffered loss of money or property as a result of the violation.
The Alaska legislature has much work to do to identify and resolve the many confusing provisions in the Act before it is ready for passage. Indeed, the Act in its current state is unworkable for businesses, which cannot—for instance—efficiently provide online services to minors if they have to obtain opt-in consent from a parent before any disclosure could be made to a service provider in order to provide such services.
The Act is also bad for consumers, who will be confused by a homepage link that suggests they have control over whether a business "collects" their personal information when, in fact, the Act otherwise provides for no such right. Alternatively, Alaska could consider a different framework that provides both strong consumer protection and flexibility to businesses, enabling them to innovate and grow.