Alaska Data Privacy Laws: Constitutional Privacy & Breach Rules (2026)

Alaska takes a distinctive approach to data privacy. Rather than enacting a single comprehensive consumer privacy statute like California or Texas, the state relies on a combination of its constitutional privacy guarantee, targeted data protection statutes, and federal law to safeguard personal information.

This guide covers every major Alaska data privacy protection, from the constitutional right to privacy through breach notification rules, biometric safeguards, and recent enforcement actions.

Alaska's Constitutional Right to Privacy

Alaska is one of a small number of states that explicitly recognizes a right to privacy in its state constitution. Article I, Section 22 of the Alaska Constitution states:

"The right of the people to privacy is recognized and shall not be infringed. The legislature shall implement this section."

This provision was added by amendment in 1972, making Alaska an early adopter of explicit constitutional privacy protections. The language is notably broad compared to other states that have similar provisions.

How Courts Interpret Alaska's Privacy Right

Alaska courts have developed a framework for analyzing privacy claims under Section 22. The right is not absolute. A person asserting a privacy claim must demonstrate a subjective expectation of privacy that society recognizes as reasonable.

Courts apply a balancing test that weighs the individual's privacy interest against competing government or public interests. This analysis considers the nature of the information at stake, the circumstances of the disclosure, and whether less intrusive alternatives exist.

The constitutional privacy right primarily limits government action. It restricts how state and local agencies collect, store, and share personal data about Alaska residents. Private entities are not directly bound by Section 22, but the legislature has enacted several statutes that extend data privacy protections to the private sector.

Article I, Section 14: Search and Seizure Protections

Alaska's constitution also protects privacy through Article I, Section 14, which mirrors the Fourth Amendment but has been interpreted more broadly by Alaska courts. This section protects against unreasonable searches and seizures of persons, houses, property, papers, and effects.

Together, Sections 14 and 22 create a stronger baseline of privacy protection in Alaska than exists under federal law alone.

Alaska Personal Information Protection Act (AS 45.48)

The Alaska Personal Information Protection Act, codified at AS 45.48.010 through AS 45.48.090, is Alaska's primary data breach notification statute. Enacted in 2009, it requires businesses and government agencies to notify Alaska residents when their personal information has been compromised.

What Counts as Personal Information

Under the statute, "personal information" means an individual's first name or initial combined with their last name, plus one or more of the following data elements:

• Social Security number
• Driver's license number or state identification card number
• Account number, credit card number, or debit card number, combined with any required security code, access code, or password that would permit access to the account
• Passwords, personal identification numbers (PINs), or other access codes for financial accounts

The definition covers information in any format, whether electronic or paper. Information that has been encrypted or redacted is excluded from the definition, provided the encryption key has not been compromised.

Who Must Comply

The breach notification requirements apply to any person conducting business in Alaska or any entity with more than 10 employees that owns, licenses, or maintains personal information about Alaska residents.

This broad scope means that businesses headquartered outside Alaska must still comply if they hold personal data belonging to Alaska residents.

Notification Timing and Methods

When a breach occurs, the entity must notify affected Alaska residents "in the most expeditious time possible and without unreasonable delay." The statute does not set a specific deadline in days, but it does allow time for the entity to determine the scope of the breach and restore the integrity of its systems.

Notification can be provided through:

• Written notice sent to the resident
• Electronic notice, if that is the primary method of communication with the resident or if it complies with federal E-SIGN Act requirements
• Substitute notice, available when the cost of notification exceeds $150,000, the affected group exceeds 300,000 residents, or the entity lacks sufficient contact information

Substitute notice requires email notification where possible, conspicuous posting on the entity's website, and notification through major statewide media.

Attorney General Notification

An entity may determine that notification is not required after conducting an appropriate investigation, but only if it concludes there is no reasonable likelihood that harm has resulted or will result from the breach. The entity must provide written notification to the Alaska Attorney General of this determination.

Large Breach Reporting

If a breach affects more than 1,000 Alaska residents, the entity must also notify all nationwide consumer credit reporting agencies without unreasonable delay. This requirement mirrors provisions in many other state breach notification laws.

Law Enforcement Delay

Notification may be delayed if a law enforcement agency determines that the notice would impede a criminal investigation. Once law enforcement clears the notice, the entity must proceed with notification.

Penalties for Noncompliance

Violations of the breach notification law carry significant consequences:

Government agencies that fail to comply face civil penalties of up to $500 for each resident who was not properly notified. The total penalty for a single breach is capped at $50,000. The Department of Administration enforces these penalties through administrative procedures.

Non-government entities face the same $500 per person penalty, capped at $50,000. A violation also constitutes an unfair or deceptive trade practice under Alaska consumer protection law, which opens the door to additional enforcement by the Attorney General.

Individual lawsuits are permitted. A person harmed by a breach can bring a civil action to recover actual economic damages up to $500, plus court costs and attorney's fees.

Social Security Number Protections (AS 45.48.400-430)

Alaska has enacted specific protections for Social Security numbers that go beyond the general breach notification requirements.

AS 45.48.400 prohibits any person from:

• Making a Social Security number available to the general public
• Requiring a person to provide a Social Security number to access products or services, including internet access
• Printing a Social Security number on materials mailed to a consumer

These restrictions do not apply to government agencies when the use of the SSN is authorized by law or necessary for the performance of official duties.

AS 45.48.410 further restricts when entities can request and collect Social Security numbers, while AS 45.48.430 limits the disclosure of SSNs except in specifically enumerated circumstances.

Knowing violations of the SSN protection statutes carry a penalty of up to $3,000 per violation, plus actual economic damages, court costs, and full reasonable attorney's fees.

Records Disposal Requirements (AS 45.48.500-590)

Alaska law requires businesses and government agencies to take all reasonable measures to protect against unauthorized access to personal information when disposing of records.

AS 45.48.500 specifies three acceptable disposal methods:

• Paper records: Burning, pulverizing, or shredding documents so that personal information cannot be read or reconstructed
• Electronic media: Destroying or erasing electronic media so that personal information cannot be read or reconstructed
• Third-party contractors: Entering into a written contract with a record destruction company after conducting due diligence

Due diligence for third-party disposal includes reviewing independent audits of the contractor's operations, obtaining references, verifying certification by recognized trade associations, and evaluating the contractor's information security policies.

Entities that properly vet and contract with a third-party disposal service are shielded from liability once they hand over the records.

Knowing violations of the records disposal requirements carry a penalty of up to $3,000 per violation, plus actual economic damages, court costs, and full reasonable attorney's fees.

Biometric Data Protections

Alaska has enacted protections for biometric data that place specific requirements on any entity collecting biometric information.

Before collecting biometric data for use in a biometric system, the collector must:

• Notify the individual clearly that biometric data is being collected
• Explain the specific purpose for which the biometric information will be used
• Disclose how long the biometric information will be retained
• Obtain the individual's consent in written, electronic, or other documented form

The law restricts what collectors can do with biometric data after collection. A collector or contractor may not disclose, transfer, or distribute biometric information except to authenticate the identity of the individual or to a contractor working on the collector's behalf. The disclosure must be limited to the original stated purpose.

Selling biometric information is prohibited, with one narrow exception: a contractor may sell its entire business and transfer biometric data to the buyer as part of that transaction.

Genetic Privacy (AS 18.13)

Alaska's Genetic Privacy Act provides robust protections for genetic information under AS 18.13.010 through AS 18.13.100.

The statute strictly limits genetic testing and controls access to, retention of, and disclosure of genetic data. The core requirement is informed and written consent from the individual before any genetic testing can occur.

Alaska law recognizes that both the genetic information itself and the physical DNA samples collected are the property of the individual. This ownership principle means that entities holding genetic data cannot treat it as their own asset.

Violations of Alaska's genetic privacy protections can result in both civil and criminal penalties, making this one of the more strongly enforced privacy provisions in the state.

Credit Report and Security Freeze (AS 45.48.100-290)

Alaska law gives consumers the right to place a security freeze on their credit reports and credit scores. A security freeze prevents a consumer credit reporting agency from releasing your credit information without your express authorization.

How to Place a Freeze

Consumers can request a security freeze by mail, telephone, fax, internet, or other electronic means if the credit reporting agency supports those methods. The agency must place the freeze within five business days of receiving the request.

Fees

Credit reporting agencies may charge up to $2 to temporarily lift a freeze. However, victims of identity theft who provide a law enforcement complaint are exempt from this fee.

Exemptions

Several types of access remain available even when a freeze is in place:

• Review or collection of existing financial obligations
• Court-ordered access
• Child support enforcement by state or municipal agencies
• Fraud investigations by the Department of Health and Social Services
• Tax investigations by the Department of Revenue
• Prescreening permitted under the federal Fair Credit Reporting Act
• Insurance underwriting purposes

Consumers have a private right of action against any entity that violates the security freeze provisions.

Insurance Data Security (AS 21.23)

In 2024, Alaska enacted SB 134, establishing comprehensive data security requirements for the insurance industry under AS 21.23.240 through AS 21.23.399.

The law applies to all licensees and admitted insurers regulated by the Alaska Division of Insurance. It follows the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law framework.

Phased Implementation

SB 134 takes effect on a staggered schedule:

• January 1, 2025: General data security standards and cybersecurity event notification requirements
• January 1, 2026: Risk assessment requirements (AS 21.23.250)
• January 1, 2027: Advanced information security program provisions (AS 21.23.260(c)(7) and (8))

Key Requirements

Insurance licensees must implement an information security program that includes identifying reasonably foreseeable internal and external threats, assessing the likelihood and potential damage of those threats, and evaluating the sufficiency of current safeguards.

Cybersecurity events must be reported to the Director of the Division of Insurance using an electronic form. The Alaska Division of Insurance provides compliance guidance through Bulletin B 24-11.

Identity Theft Protections

Alaska's Personal Information Protection Act includes several provisions aimed at identity theft prevention and recovery:

• Police reports: Victims of identity theft have the right to file a police report (AS 45.48.680)
• Credit card truncation: Businesses must truncate credit card numbers on receipts to prevent theft of full account numbers
• Consumer credit monitoring: Additional protections exist for consumers who have been victims of identity theft
• Court petition: Victims can petition the court for a determination of factual innocence to help clear fraudulent records

Enforcement: Alaska Attorney General Actions

The Alaska Attorney General has been active in enforcing data privacy protections through multistate settlements and consumer advisories.

Blackbaud Settlement (2023)

Alaska joined a $49.5 million multistate settlement with Blackbaud Inc. over a 2020 ransomware attack that exposed sensitive data belonging to customers of nonprofits, schools, healthcare providers, and religious institutions. The breach compromised Social Security numbers, driver's licenses, financial records, and protected health information. Alaska received $358,925 from the settlement. Blackbaud was required to overhaul its data security and breach notification practices.

Marriott Settlement (2024)

Alaska participated in a $52 million multistate settlement with Marriott International over the Starwood guest reservation database breach. Intruders had access to 131.5 million guest records from 2014 through 2018 without detection. Alaska received $376,629. Marriott must now implement zero-trust security principles, data minimization, network segmentation, and undergo independent security assessments every two years for 20 years.

Change Healthcare Advisory (2024)

Attorney General Taylor issued consumer advisories following the February 2024 Change Healthcare cyberattack, one of the largest healthcare data breaches in US history. The AG shared resources for free credit monitoring and identity theft protection services available to affected Alaskans.

No Comprehensive Consumer Privacy Law (Yet)

Alaska does not currently have a comprehensive consumer data privacy law comparable to the California Consumer Privacy Act (CCPA) or the Texas Data Privacy and Security Act (TDPSA).

Governor Dunleavy introduced the Consumer Data Privacy Act in 2021 through HB 159 and SB 116. The proposed law would have granted Alaskans four new rights:

• Right to know when businesses collect personal information
• Right to disclosure about what data businesses hold, covering a five-year lookback period
• Right to delete personal information collected within the past five years
• Right to opt out of the sale of personal information

The bill stalled in committee during the 32nd Legislature and did not advance. As of 2026, no successor bill has been enacted. Alaska residents who want comprehensive consumer privacy protections must rely on federal laws like the FTC Act and sector-specific statutes.

Federal Laws That Apply in Alaska

Because Alaska lacks a comprehensive state privacy law, several federal statutes fill important gaps:

• Health Insurance Portability and Accountability Act (HIPAA): Governs the privacy of health information held by covered entities and business associates
• Gramm-Leach-Bliley Act (GLBA): Requires financial institutions to explain their information-sharing practices and protect sensitive data
• Children's Online Privacy Protection Act (COPPA): Restricts the collection of personal information from children under 13 by online services
• Family Educational Rights and Privacy Act (FERPA): Protects the privacy of student education records
• Fair Credit Reporting Act (FCRA): Regulates the collection, dissemination, and use of consumer credit information
• FTC Act Section 5: Prohibits unfair or deceptive trade practices, including inadequate data security

These federal laws set a baseline that applies in Alaska, supplemented by the state-specific protections described above.

Employee Data Privacy in Alaska

Alaska provides several protections for employee personal data:

Personnel file access. Under AS 23.10.430, employers must permit current and former employees to inspect and copy their personnel files during regular business hours under reasonable rules.

Anti-discrimination protections. AS 18.80.220 prohibits employers from inquiring into sex, disability, marital status, pregnancy, parenthood, age, race, religion, color, or national origin in connection with employment, unless based on a bona fide occupational qualification.

Constitutional privacy. Because Article I, Section 22 restricts government action, public-sector employees in Alaska have stronger workplace privacy protections than private-sector workers. Government employers must satisfy the constitutional balancing test before conducting surveillance or accessing employee data.

Recording laws. Alaska is a one-party consent state for recording conversations, which affects workplace monitoring. Employers should be aware that audio recording of employees without at least one party's consent may violate state wiretapping laws.

More Alaska Laws

• Alaska Whistleblower Laws
• Alaska Child Support Laws
• Alaska Recording Laws
• Alaska Car Seat Laws
• Alaska Sexting Laws
• Alaska Dog Bite Laws
• Alaska Lemon Laws
• Alaska Hit and Run Laws

Sources and References

• Alaska Constitution Article I, Section 22 - Lieutenant Governor of Alaska
• Alaska Personal Information Protection Act (AS 45.48) - Alaska State Legislature
• Alaska Division of Insurance Cyber Security - Department of Commerce
• Blackbaud Data Breach Settlement - Alaska Department of Law
• Marriott Data Breach Settlement - Alaska Department of Law
• Change Healthcare Cyberattack Resources - Alaska Department of Law
• HB 159 Consumer Personal Information Privacy Act - Alaska State Legislature
• Alaska Genetic Privacy Laws (AS 18.13) - Justia
• Alaska Department of Administration Privacy Statement - State of Alaska
• Employee Personnel File Access (AS 23.10.430) - Justia