Alaska Data Privacy Laws: Constitutional Privacy & Breach Rules (2026)

Alaska has no comprehensive consumer data privacy law, but Article I, Section 22 of the Alaska Constitution explicitly guarantees a right to privacy. The Alaska Personal Information Protection Act (AS 45.48) requires businesses to notify residents after a breach, while separate statutes protect biometric data, genetic information, and Social Security numbers.

Alaska takes a distinctive approach to data privacy. Rather than enacting a single comprehensive consumer privacy statute like California or Texas, the state relies on a combination of its constitutional privacy guarantee, targeted data protection statutes, active Attorney General enforcement, and federal law to safeguard personal information.

This guide covers every major Alaska data privacy protection in force as of May 2026, from the constitutional right to privacy through breach notification rules, biometric and genetic safeguards, the new federal TAKE IT DOWN Act, and the pending comprehensive privacy bill.

Alaska's Constitutional Right to Privacy

Alaska is one of a small number of states that explicitly recognizes a right to privacy in its state constitution. Article I, Section 22 of the Alaska Constitution states:

"The right of the people to privacy is recognized and shall not be infringed. The legislature shall implement this section."

This provision was added by amendment in 1972, making Alaska an early adopter of explicit constitutional privacy protections. The language is notably broad compared to other states that have similar provisions.

How Courts Interpret Alaska's Privacy Right

Alaska courts have developed a framework for analyzing privacy claims under Section 22. The right is not absolute. A person asserting a privacy claim must demonstrate a subjective expectation of privacy that society recognizes as reasonable.

Courts apply a balancing test that weighs the individual's privacy interest against competing government or public interests. This analysis considers the nature of the information at stake, the circumstances of the disclosure, and whether less intrusive alternatives exist.

The constitutional privacy right primarily limits government action. It restricts how state and local agencies collect, store, and share personal data about Alaska residents. Private entities are not directly bound by Section 22, but the legislature has enacted several statutes that extend data privacy protections to the private sector.

Article I, Section 14: Search and Seizure Protections

Alaska's constitution also protects privacy through Article I, Section 14, which mirrors the Fourth Amendment but has been interpreted more broadly by Alaska courts. This section protects against unreasonable searches and seizures of persons, houses, property, papers, and effects.

Together, Sections 14 and 22 create a stronger baseline of privacy protection in Alaska than exists under federal law alone.

Alaska Personal Information Protection Act (AS 45.48)

The Alaska Personal Information Protection Act, codified at AS 45.48.010 through AS 45.48.090, is Alaska's primary data breach notification statute. Enacted in 2009, it requires businesses and government agencies to notify Alaska residents when their personal information has been compromised.

What Counts as Personal Information

Under the statute, "personal information" means an individual's first name or initial combined with their last name, plus one or more of the following data elements:

• Social Security number
• Driver's license number or state identification card number
• Account number, credit card number, or debit card number, combined with any required security code, access code, or password that would permit access to the account
• Passwords, personal identification numbers (PINs), or other access codes for financial accounts

The definition covers information in any format, whether electronic or paper. Information that has been encrypted or redacted is excluded from the definition, provided the encryption key has not been compromised.

Who Must Comply

The breach notification requirements apply to any person conducting business in Alaska or any entity with more than 10 employees that owns, licenses, or maintains personal information about Alaska residents.

This broad scope means that businesses headquartered outside Alaska must still comply if they hold personal data belonging to Alaska residents.

Notification Timing and Methods

When a breach occurs, the entity must notify affected Alaska residents "in the most expeditious time possible and without unreasonable delay." The statute does not set a specific deadline in days, but it does allow time for the entity to determine the scope of the breach and restore the integrity of its systems.

Notification can be provided through:

• Written notice sent to the resident
• Electronic notice, if that is the primary method of communication with the resident or if it complies with federal E-SIGN Act requirements
• Substitute notice, available when the cost of notification exceeds $150,000, the affected group exceeds 300,000 residents, or the entity lacks sufficient contact information

Substitute notice requires email notification where possible, conspicuous posting on the entity's website, and notification through major statewide media.

Attorney General Notification

An entity may determine that notification is not required after conducting an appropriate investigation, but only if it concludes there is no reasonable likelihood that harm has resulted or will result from the breach. The entity must provide written notification to the Alaska Attorney General of this determination.

Large Breach Reporting

If a breach affects more than 1,000 Alaska residents, the entity must also notify all nationwide consumer credit reporting agencies without unreasonable delay. This requirement mirrors provisions in many other state breach notification laws.

Law Enforcement Delay

Notification may be delayed if a law enforcement agency determines that the notice would impede a criminal investigation. Once law enforcement clears the notice, the entity must proceed with notification.

Penalties for Noncompliance

Violations of the breach notification law carry significant consequences:

Government agencies that fail to comply face civil penalties of up to $500 for each resident who was not properly notified. The total penalty for a single breach is capped at $50,000. The Department of Administration enforces these penalties through administrative procedures.

Non-government entities face the same $500 per person penalty, capped at $50,000. A violation also constitutes an unfair or deceptive trade practice under Alaska consumer protection law, which opens the door to additional enforcement by the Attorney General.

Individual lawsuits are permitted. A person harmed by a breach can bring a civil action to recover actual economic damages up to $500, plus court costs and attorney's fees.

Social Security Number Protections (AS 45.48.400-430)

Alaska has enacted specific protections for Social Security numbers that go beyond the general breach notification requirements.

AS 45.48.400 prohibits any person from:

• Making a Social Security number available to the general public
• Requiring a person to provide a Social Security number to access products or services, including internet access
• Printing a Social Security number on materials mailed to a consumer

These restrictions do not apply to government agencies when the use of the SSN is authorized by law or necessary for the performance of official duties.

AS 45.48.410 further restricts when entities can request and collect Social Security numbers, while AS 45.48.430 limits the disclosure of SSNs except in specifically enumerated circumstances.

Knowing violations of the SSN protection statutes carry a penalty of up to $3,000 per violation, plus actual economic damages, court costs, and full reasonable attorney's fees.

Records Disposal Requirements (AS 45.48.500-590)

Alaska law requires businesses and government agencies to take all reasonable measures to protect against unauthorized access to personal information when disposing of records.

AS 45.48.500 specifies three acceptable disposal methods:

• Paper records: Burning, pulverizing, or shredding documents so that personal information cannot be read or reconstructed
• Electronic media: Destroying or erasing electronic media so that personal information cannot be read or reconstructed
• Third-party contractors: Entering into a written contract with a record destruction company after conducting due diligence

Due diligence for third-party disposal includes reviewing independent audits of the contractor's operations, obtaining references, verifying certification by recognized trade associations, and evaluating the contractor's information security policies.

Entities that properly vet and contract with a third-party disposal service are shielded from liability once they hand over the records.

Knowing violations carry a penalty of up to $3,000 per violation, plus actual economic damages, court costs, and full reasonable attorney's fees.

Biometric Data Protections (AS 18.13.200-270)

Alaska's Biometric Information statute, codified at AS 18.13.200 through AS 18.13.270, places specific requirements on any entity collecting biometric information such as fingerprints, retinal scans, or facial recognition data.

Before collecting biometric data for use in a biometric system, the collector must:

• Notify the individual clearly that biometric data is being collected
• Explain the specific purpose for which the biometric information will be used
• Disclose how long the biometric information will be retained
• Obtain the individual's consent in written, electronic, or other documented form

The law restricts what collectors can do with biometric data after collection. A collector or contractor may not disclose, transfer, or distribute biometric information except to authenticate the identity of the individual or to a contractor working on the collector's behalf. Any disclosure must be limited to the original stated purpose.

Selling biometric information is prohibited under AS 18.13.220, with one narrow exception: a contractor may sell its entire business and transfer biometric data to the buyer as part of that transaction.

Genetic Privacy (AS 18.13.010-100)

Alaska's Genetic Privacy Act, codified at AS 18.13.010 through AS 18.13.100, provides robust protections for genetic information.

The statute strictly limits genetic testing and controls access to, retention of, and disclosure of genetic data. The core requirement is informed and written consent from the individual before any genetic testing can occur.

Alaska law recognizes that both the genetic information itself and the physical DNA samples collected are the property of the individual. This ownership principle means that entities holding genetic data cannot treat it as their own asset.

Violations of Alaska's genetic privacy protections can result in both civil and criminal penalties, making this one of the more strongly enforced privacy provisions in the state.

23andMe Genetic Data Settlement (2025)

The strength of Alaska's genetic privacy law was demonstrated in July 2025, when Attorney General Taylor announced a settlement with TTAM Research Institute, the nonprofit that acquired most of 23andMe's assets in bankruptcy.

Under the settlement, Alaskans received stronger protections than residents of other states. TTAM may only access the information or DNA samples of Alaskans who affirmatively consented to third-party sharing or biobanking. Alaskans who did not opt in to those consents will not have their data shared unless they affirmatively choose to allow it. TTAM agreed to allow all customers to request permanent deletion of their data and samples at any time.

Credit Report and Security Freeze (AS 45.48.100-290)

Alaska law gives consumers the right to place a security freeze on their credit reports and credit scores. A security freeze prevents a consumer credit reporting agency from releasing your credit information without your express authorization.

Consumers can request a security freeze by mail, telephone, fax, internet, or other electronic means if the credit reporting agency supports those methods. The agency must place the freeze within five business days of receiving the request.

Credit reporting agencies may charge up to $2 to temporarily lift a freeze. Victims of identity theft who provide a law enforcement complaint are exempt from this fee.

Several types of access remain available even when a freeze is in place, including review or collection of existing financial obligations, court-ordered access, child support enforcement by state or municipal agencies, fraud investigations, and prescreening permitted under the federal Fair Credit Reporting Act.

Consumers have a private right of action against any entity that violates the security freeze provisions.

Insurance Data Security (AS 21.23)

In 2024, Alaska enacted SB 134, establishing comprehensive data security requirements for the insurance industry under AS 21.23.240 through AS 21.23.399. The law applies to all licensees and admitted insurers regulated by the Alaska Division of Insurance and follows the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law framework.

SB 134 takes effect on a staggered schedule:

• January 1, 2025: General data security standards and cybersecurity event notification requirements
• January 1, 2026: Risk assessment requirements (AS 21.23.250)
• January 1, 2027: Advanced information security program provisions (AS 21.23.260(c)(7) and (8))

Insurance licensees must implement an information security program that identifies reasonably foreseeable internal and external threats, assesses the likelihood and potential damage of those threats, and evaluates the sufficiency of current safeguards. Cybersecurity events must be reported to the Director of the Division of Insurance using an electronic form.

Identity Theft Protections

Alaska's Personal Information Protection Act includes several provisions aimed at identity theft prevention and recovery:

• Police reports: Victims of identity theft have the right to file a police report (AS 45.48.680)
• Credit card truncation: Businesses must truncate credit card numbers on receipts to prevent theft of full account numbers
• Consumer credit monitoring: Additional protections exist for consumers who have been victims of identity theft
• Court petition: Victims can petition the court for a determination of factual innocence to help clear fraudulent records

Enforcement: Alaska Attorney General Actions

The Alaska Attorney General has been active in enforcing data privacy protections through multistate settlements and consumer advisories.

Blackbaud Settlement (2023)

Alaska joined a $49.5 million multistate settlement with Blackbaud Inc. over a 2020 ransomware attack that exposed sensitive data belonging to customers of nonprofits, schools, healthcare providers, and religious institutions. The breach compromised Social Security numbers, driver's licenses, financial records, and protected health information. Alaska received $358,925 from the settlement. Blackbaud was required to overhaul its data security and breach notification practices.

Marriott Settlement (2024)

Alaska participated in a $52 million multistate settlement with Marriott International over the Starwood guest reservation database breach. Intruders had access to 131.5 million guest records from 2014 through 2018 without detection. Alaska received $376,629. Marriott must now implement zero-trust security principles, data minimization, network segmentation, and undergo independent security assessments every two years for 20 years.

Change Healthcare Advisory (2024)

Attorney General Taylor issued consumer advisories following the February 2024 Change Healthcare cyberattack, one of the largest healthcare data breaches in US history. The AG shared resources for free credit monitoring and identity theft protection services available to affected Alaskans.

23andMe Genetic Data Settlement (2025)

In July 2025, AG Taylor secured enhanced protections for Alaskans in the 23andMe bankruptcy sale to TTAM Research Institute. The settlement went beyond what other states obtained: only Alaskans who had affirmatively consented to data sharing or biobanking would have their information transferred. All others retained the right to immediate deletion.

NCII Deepfake Coalition (2025)

In August 2025, AG Taylor joined a bipartisan coalition of attorneys general urging tech companies to stop the spread of deepfake nonconsensual intimate imagery (NCII). The action preceded federal enforcement of the TAKE IT DOWN Act's platform obligations, which take effect May 19, 2026.

No Comprehensive Consumer Privacy Law (Yet)

Alaska does not currently have a comprehensive consumer data privacy law comparable to the California Consumer Privacy Act (CCPA) or the Texas Data Privacy and Security Act (TDPSA).

Prior Legislation: HB 159 / SB 116 (32nd Legislature, 2021)

Governor Dunleavy introduced the Consumer Data Privacy Act in 2021 through HB 159 and SB 116. The proposed law would have granted Alaskans four new rights: the right to know when businesses collect personal information, the right to disclose what data businesses hold, the right to delete personal information, and the right to opt out of the sale of personal information. The bill stalled in committee during the 32nd Legislature.

Current Legislation: HB 367 (34th Legislature, 2025-2026)

A successor bill, HB 367, was introduced in the 34th Legislature and referred to committee on February 23, 2026. Sponsored by Representative Andy Story, the bill would establish the Consumer Data Privacy Act, require businesses to notify consumers before collecting their personal data, create data broker registration requirements, and impose a 100,000-consumer threshold for covered entities.

The House Judiciary Committee voted 3 to 2 on May 8, 2026, to advance HB 367 with amendments, including a "duty of loyalty" provision modeled on recent Utah law. As of May 2026, the bill has been referred to the House Finance Committee. No comprehensive law has been enacted as of the date of this publication.

Federal Laws That Apply in Alaska

Because Alaska lacks a comprehensive state privacy law, several federal statutes fill important gaps.

TAKE IT DOWN Act (2025)

The TAKE IT DOWN Act, Pub. L. 119-12, was signed into law on May 19, 2025. The law creates federal criminal liability for knowingly publishing nonconsensual intimate imagery (NCII), including AI-generated deepfakes. Penalties reach up to two years in prison for crimes against adult victims and three years for crimes against minors.

Platforms must remove reported NCII within 48 hours of a verified request and take reasonable steps to prevent reposting. The platform compliance obligations took effect May 19, 2026, and are enforced by the Federal Trade Commission. For Alaska residents, this federal law fills a significant gap because the state has no dedicated NCII statute of its own.

HIPAA

The Health Insurance Portability and Accountability Act governs the privacy of health information held by covered entities and business associates. HIPAA applies throughout Alaska to health plans, healthcare providers, and their business associates.

GLBA

The Gramm-Leach-Bliley Act requires financial institutions to explain their information-sharing practices and protect sensitive data. It applies to Alaska banks, credit unions, and other financial services firms.

COPPA

The Children's Online Privacy Protection Act restricts the collection of personal information from children under 13 by online services. The FTC actively enforces COPPA against operators who knowingly collect children's data without parental consent.

FCRA and FACTA

The Fair Credit Reporting Act regulates the collection, dissemination, and use of consumer credit information. The Fair and Accurate Credit Transactions Act of 2003 added identity theft provisions and the free annual credit report entitlement. Both apply to consumer reporting agencies operating in Alaska.

FTC Act Section 5

The Federal Trade Commission Act prohibits unfair or deceptive trade practices. The FTC has used Section 5 authority to pursue companies that fail to maintain reasonable data security, making it the primary federal privacy enforcement tool for companies not covered by a sector-specific statute.

APRA (Did Not Pass)

The American Privacy Rights Act, a bipartisan federal comprehensive privacy bill, was proposed in the 118th Congress but expired in January 2025 without enactment. No successor bill had been reintroduced as of May 2026. Alaska residents cannot rely on a federal comprehensive privacy law at this time.

Employee Data Privacy in Alaska

Alaska provides several protections for employee personal data.

Personnel file access. Under AS 23.10.430, employers must permit current and former employees to inspect and copy their personnel files during regular business hours under reasonable rules.

Anti-discrimination protections. AS 18.80.220 prohibits employers from inquiring into sex, disability, marital status, pregnancy, parenthood, age, race, religion, color, or national origin in connection with employment, unless based on a bona fide occupational qualification.

Constitutional privacy. Because Article I, Section 22 restricts government action, public-sector employees in Alaska have stronger workplace privacy protections than private-sector workers. Government employers must satisfy the constitutional balancing test before conducting surveillance or accessing employee data.

Recording laws. Alaska is a one-party consent state for recording conversations under AS 42.20.300, which affects workplace monitoring. Employers should be aware that audio recording of employees without at least one party's consent may violate state wiretapping law.

More Alaska Laws

• Alaska AI Meeting Recording Laws
• Alaska Alimony Laws
• Alaska At-Will Employment Laws
• Alaska Car Accident Laws
• Alaska Car Seat Laws
• Alaska Child Custody Laws
• Alaska Child Support Laws
• Alaska Common Law Marriage Laws
• Alaska Deepfake Laws
• Alaska Divorce Laws
• Alaska Dog Bite Laws
• Alaska Emancipation Laws
• Alaska Expungement Laws
• Alaska Hit and Run Laws
• Alaska Landlord-Tenant Laws
• Alaska Lemon Laws