Which privacy laws apply to your business in Alaska?
There is no comprehensive Alaska consumer-privacy law. The operative breach-notification statute covered here is Article 1 of the Alaska Personal Information Protection Act (PIPA), which applies to any covered person — a person doing business, a governmental agency, or a person with more than 10 employees — that owns or licenses personal information on an Alaska resident . It carries no revenue or consumer-volume threshold, and it governs breach response rather than day-to-day data handling. Alongside it sits the Genetic Privacy Act, which conditions DNA collection, analysis, retention, and disclosure on informed and written consent .
Alaska has not enacted an omnibus privacy statute, so its residents do not have general state-law rights to access, delete, correct, or opt out of the sale of their personal data, and businesses are not subject to state notice-at-collection, consent, universal-opt-out, or data-protection-assessment duties. A 2026 bill would have created an omnibus regime of consumer rights and business duties, but no comprehensive Alaska privacy act is in force.
Two other pieces of state law frame this note. The Alaska Constitution is background rather than a private-business checklist here; the source-carded compliance duties below come from statutes and the federal overlay. And the Unfair Trade Practices and Consumer Protection Act (UTPCPA) supplies the enforcement machinery: as developed in the enforcement prong below, a PIPA Article 1 breach-notice violation is deemed an unfair trade practice, though with damages limits unique to the breach-notice article.
The rest of an Alaska-facing privacy program rides the federal and sectoral overlay. Section 5 of the FTC Act reaches deceptive or unfair privacy practices nationwide; the Gramm-Leach-Bliley Act governs financial institutions; HIPAA governs covered health entities and their business associates; the Children's Online Privacy Protection Act governs services directed to children under 13; and CAN-SPAM and the TCPA govern email and SMS marketing. None of those is an Alaska statute, but together with PIPA Article 1 and the Genetic Privacy Act they are what this note treats as the enforceable Alaska-facing privacy program today. If Alaska enacts a comprehensive law in a future session, a program built to this overlay upgrades rather than restarts.
Sources for this answer
Primary law
A.1 AS 45.48.090PIPA Article 1 applies to any covered person — a person doing business, a governmental agency, or a person with more than 10 employees — with no revenue threshold.
“covered person” means a (A) person doing business; (B) governmental agency; or (C) person with more than 10 employees;
See AS 45.48.090(2).
Primary law
A.2 AS 45.48.010PIPA Article 1's core duty attaches when a covered person that owns or licenses personal information on an Alaska resident suffers a breach of the security of the information system.
If a covered person owns or licenses personal information in any form that includes personal information on a state resident, and a breach of the security of the information system that contains personal information occurs, the covered person shall, after discovering or being notified of the breach, disclose the breach to each state resident whose personal information was subject to the breach.
See AS 45.48.010(a).
Primary law
A.3 AS 18.13.010Alaska's Genetic Privacy Act prohibits collecting a DNA sample, performing or retaining a DNA analysis, or disclosing its results without the person's informed and written consent.
a person may not collect a DNA sample from a person, perform a DNA analysis on a sample, retain a DNA sample or the results of a DNA analysis, or disclose the results of a DNA analysis unless the person has first obtained the informed and written consent of the person, or the person's legal guardian or authorized representative, for the collection, analysis, retention, or disclosure;
See AS 18.13.010(a)(1).
What must your Alaska privacy policy contain?
No Alaska statute requires a general consumer privacy policy or fixes what it must say. For most businesses, the policy is governed not by a state checklist but by the rule that whatever you publish has to be true: Section 5 of the FTC Act declares unfair or deceptive practices unlawful , and Alaska's UTPCPA reaches misleading conduct and misrepresentations in sales or advertising . A policy mismatch can be pursued under those general deceptive-practices theories. Where a sectoral regime applies, that regime supplies the contents instead — a HIPAA covered entity, for example, must give individuals a notice of the uses and disclosures of their protected health information and of their rights and the entity's duties .
In practice the drafting question in Alaska is less what must be included and more does the policy match actual practice. Build the policy from the federal and sectoral overlay: the GLBA privacy-notice rules if you are a financial institution, the HIPAA Notice of Privacy Practices if you are a covered entity or business associate, and a COPPA notice if your service is directed to children under 13. For everyone else, follow best practice — describe the categories of data collected, the purposes, the third parties you share with, and how users exercise any choices you offer — and then honor it, because the enforceable obligation is consistency between the statement and the conduct. One Alaska-specific drafting note: if you collect genetic data of any kind, do not rely on a privacy policy at all — the Genetic Privacy Act requires informed and written consent, and a general disclosure cannot substitute for it, a point developed in the genetic-data prong below. There is no Alaska-mandated policy checklist to cite here, which is itself the point: the contents are overlay-driven, not state-statute-driven.
Sources for this answer
Primary law
B.1 FTC Act § 5Section 5 of the FTC Act declares unfair or deceptive acts or practices in or affecting commerce unlawful.
Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.
See 15 U.S.C. § 45(a)(1).
Primary law
B.2 AS 45.50.471Alaska's UTPCPA includes misleading conduct and misrepresentations in connection with the sale or advertisement of goods or services among unfair or deceptive acts or practices.
The terms "unfair methods of competition" and "unfair or deceptive acts or practices" include the following acts ... (11) engaging in any other conduct creating a likelihood of confusion or of misunderstanding and that misleads, deceives, or damages a buyer or a competitor in connection with the sale or advertisement of goods or services; (12) using or employing deception, fraud, false pretense, false promise, misrepresentation, or knowingly concealing, suppressing, or omitting a material fact with intent that others rely upon the concealment, suppression, or omission in connection with the sale or advertisement of goods or services whether or not a person has in fact been misled, deceived, or damaged;
See AS 45.50.471(b)(11)-(12).
Primary law
B.3 HIPAA Notice of Privacy PracticesA HIPAA covered entity must give individuals a notice describing the uses and disclosures of their protected health information and their rights and the entity's legal duties.
an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information
See 45 C.F.R. § 164.520.
What must your contracts with vendors say?
Alaska has no omnibus data-processing-agreement requirement — no state statute prescribes controller-to-processor terms, audit rights, deletion clauses, or subprocessor flow-downs for general private-sector contracts. The one Alaska statute that touches the vendor relationship is PIPA: a vendor that maintains personal information on another business's behalf (an information recipient) is excused from notifying residents directly, but must immediately notify the business that owns or licensed the data (the information distributor) after discovering a breach and cooperate so that business can give the required notices .
Where a federal or sectoral regime is in scope, it supplies the contracting obligations: the GLBA Safeguards Rule requires financial institutions to oversee service providers by contract and to require them to implement appropriate safeguards ; HIPAA requires a business-associate agreement with mandatory data-protection, breach-reporting, and downstream-subcontractor terms before sharing protected health information . Outside those verticals, the prudent move is to carry the same protections forward as a matter of best practice — processing limited to documented instructions, confidentiality, reasonable security, breach notification back to your business, and return or deletion of data at the end of the engagement — even though no Alaska statute compels them.
PIPA's recipient-distributor mechanics are worth writing into the contract rather than leaving to the statute. The statutory duty runs from the vendor to you immediately after discovery, and once you are notified, you must give resident notices as if the breach had happened on your own systems. A well-drafted Alaska vendor clause therefore fixes a short notification window, requires the vendor to share information relevant to the breach (the statute's cooperation duty carves out only confidential business information and trade secrets), and allocates the cost of notice and credit-agency reporting. That is a breach-response duty, not a general DPA mandate — there is no Alaska source to cite for omnibus vendor terms, so the rest of the clause set is overlay- and best-practice-driven.
Sources for this answer
Primary law
C.1 AS 45.48.070A vendor holding personal information on another business's behalf need not notify residents itself, but must immediately notify the business that owns or licensed the data, cooperate by sharing relevant non-confidential information, and allow that business to comply as if the breach occurred on its own system.
If a breach of the security of the information system containing personal information on a state resident that is maintained by an information recipient occurs, the information recipient is not required to comply with AS 45.48.010 — 45.48.030. However, immediately after the information recipient discovers the breach, the information recipient shall notify the information distributor who owns the personal information or who licensed the use of the personal information to the information recipient about the breach and cooperate with the information distributor as necessary to allow the information distributor to comply with (b) of this section. In this subsection, "cooperate" means sharing with the information distributor information relevant to the breach, except for confidential business information or trade secrets ... (b) If an information recipient notifies an information distributor of a breach under (a) of this section, the information distributor shall comply with AS 45.48.010 — 45.48.030 as if the breach occurred to the information system maintained by the information distributor.
See AS 45.48.070(a)-(b).
Primary law
C.2 GLBA Safeguards RuleThe GLBA Safeguards Rule requires a financial institution to oversee its service providers, including by requiring them by contract to implement and maintain appropriate safeguards for customer information.
Requiring your service providers by contract to implement and maintain such safeguards
See 16 C.F.R. § 314.4(f)(2).
Primary law
C.3 HIPAA Business Associate ContractsHIPAA requires a written business-associate contract that establishes permitted uses and disclosures, requires safeguards, breach reporting, and downstream-subcontractor flow-down terms.
A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410; (D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information;
See 45 C.F.R. § 164.504(e)(2).
When must you notify people of a data breach in Alaska?
After discovering or being notified of a breach, a covered person must disclose it to each Alaska resident whose personal information was subject to the breach . The notice must be made in the most expeditious time possible and without unreasonable delay — Alaska sets no fixed day count — allowing only the time needed to determine the breach's scope and restore the system's integrity , or a delay requested in connection with a criminal investigation . There is one exception: notice is not required if, after an appropriate investigation and written notification to the attorney general, the covered person determines there is not a reasonable likelihood of harm to consumers — a determination that must be documented and kept for five years .
This is the prong where Alaska imposes a hard statutory duty, so it is the center of any Alaska incident-response plan. A breach of the security is the unauthorized acquisition — or reasonable belief of unauthorized acquisition — of personal information that compromises its security, confidentiality, or integrity, whether the data was taken by computer, by photocopy, or by any other method . Personal information is a resident's name combined with an unencrypted, unredacted data element such as a Social Security number, driver's license or state ID number, account or card number plus any required personal code, or passwords and access codes for financial accounts — and encrypted data still counts if the encryption key was also accessed or acquired .
Note the unusual shape of Alaska's attorney-general involvement: there is no general duty to report a breach to the attorney general. The written notification runs to the attorney general only when you invoke the no-likelihood-of-harm exception to skip resident notice — so deciding not to notify is itself a regulatory filing, and the statute makes that filing non-public.
Notice may be given by written document to the resident's most recent address, by electronic means where that is the primary channel or e-signature rules are satisfied, or — where notice would cost more than $150,000, the affected class exceeds 300,000 residents, or contact information is insufficient — by the substitute route of email, conspicuous website posting, and notice to major statewide media . If more than 1,000 residents must be notified, the nationwide consumer credit reporting agencies must also be told of the timing, distribution, and content of the notices , except for entities subject to the Gramm-Leach-Bliley Act. And none of this can be contracted around: a waiver of the breach-notice article is void and unenforceable .
Sources for this answer
Primary law
D.1 AS 45.48.010A covered person that owns or licenses personal information on Alaska residents must, after discovering or being notified of a breach, disclose the breach to each affected resident.
If a covered person owns or licenses personal information in any form that includes personal information on a state resident, and a breach of the security of the information system that contains personal information occurs, the covered person shall, after discovering or being notified of the breach, disclose the breach to each state resident whose personal information was subject to the breach.
See AS 45.48.010(a).
Primary law
D.2 AS 45.48.010The disclosure must be made in the most expeditious time possible and without unreasonable delay, allowing only for scope determination, system restoration, and the statute's law-enforcement delay.
An information collector shall make the disclosure required by (a) of this section in the most expeditious time possible and without unreasonable delay, except as provided in AS 45.48.020 and as necessary to determine the scope of the breach and restore the reasonable integrity of the information system.
See AS 45.48.010(b).
Primary law
D.3 AS 45.48.020Notice may be delayed if a law enforcement agency determines that disclosure would interfere with a criminal investigation, with notice resuming once the agency clears it in writing.
An information collector may delay disclosing the breach under AS 45.48.010 if an appropriate law enforcement agency determines that disclosing the breach will interfere with a criminal investigation. However, the information collector shall disclose the breach to the state resident in the most expeditious time possible and without unreasonable delay after the law enforcement agency informs the information collector in writing that disclosure of the breach will no longer interfere with the investigation.
See AS 45.48.020.
Primary law
D.4 AS 45.48.010Resident notice is excused only if, after an appropriate investigation and written notification to the attorney general, the covered person determines there is no reasonable likelihood of harm; the determination must be documented for five years, and the attorney-general notification is non-public.
Notwithstanding (a) of this section, disclosure is not required if, after an appropriate investigation and after written notification to the attorney general of this state, the covered person determines that there is not a reasonable likelihood that harm to the consumers whose personal information has been acquired has resulted or will result from the breach. The determination shall be documented in writing, and the documentation shall be maintained for five years. The notification required by this subsection may not be considered a public record open to inspection by the public.
See AS 45.48.010(c).
Primary law
D.5 AS 45.48.090A breach of the security is the unauthorized acquisition, or reasonable belief of unauthorized acquisition, of personal information that compromises its security, confidentiality, or integrity.
“breach of the security” means unauthorized acquisition, or reasonable belief of unauthorized acquisition, of personal information that compromises the security, confidentiality, or integrity of the personal information maintained by the information collector;
See AS 45.48.090(1).
Primary law
D.6 AS 45.48.090Personal information is a resident's name combined with an unencrypted or unredacted data element such as a Social Security number, driver's license or state ID number, account or card number plus any required personal code, or passwords and access codes for financial accounts — and encryption is no safe harbor if the key was also accessed or acquired.
"personal information" means information in any form on an individual that is not encrypted or redacted, or is encrypted and the encryption key has been accessed or acquired, and that consists of a combination of (A) an individual's name; in this subparagraph, "individual's name" means a combination of an individual's (i) first name or first initial; and (ii) last name; and (B) one or more of the following information elements: (i) the individual's social security number; (ii) the individual's driver's license number or state identification card number; (iii) except as provided in (iv) of this subparagraph, the individual's account number, credit card number, or debit card number; (iv) if an account can only be accessed with a personal code, the number in (iii) of this subparagraph and the personal code; in this sub-subparagraph, "personal code" means a security code, an access code, a personal identification number, or a password; (v) passwords, personal identification numbers, or other access codes for financial accounts.
See AS 45.48.090(7).
Primary law
D.7 AS 45.48.030Notice is given by written document or qualifying electronic means, with a substitute route (email, website posting, and statewide media) available where notice would cost over $150,000, the affected class exceeds 300,000 residents, or contact information is insufficient.
An information collector shall make the disclosure required by AS 45.48.010 (1) by a written document sent to the most recent address the information collector has for the state resident; (2) by electronic means if the information collector's primary method of communication with the state resident is by electronic means or if making the disclosure by the electronic means is consistent with the provisions regarding electronic records and signatures required for notices legally required to be in writing under 15 U.S.C. 7001 et seq. (Electronic Signatures in Global and National Commerce Act); or (3) if the information collector demonstrates that the cost of providing notice would exceed $150,000, that the affected class of state residents to be notified exceeds 300,000, or that the information collector does not have sufficient contact information to provide notice, by (A) electronic mail if the information collector has an electronic mail address for the state resident; (B) conspicuously posting the disclosure on the Internet website of the information collector if the information collector maintains an Internet website; and (C) providing a notice to major statewide media.
See AS 45.48.030.
Primary law
D.8 AS 45.48.040If more than 1,000 Alaska residents must be notified, the information collector must also notify the nationwide consumer credit reporting agencies of the timing, distribution, and content of the notices.
If an information collector is required by AS 45.48.010 to notify more than 1,000 state residents of a breach, the information collector shall also notify without unreasonable delay all consumer credit reporting agencies that compile and maintain files on consumers on a nationwide basis and provide the agencies with the timing, distribution, and content of the notices to state residents.
See AS 45.48.040(a).
Primary law
D.9 AS 45.48.060The breach-notification article cannot be waived by contract — any waiver is void and unenforceable.
A waiver of AS 45.48.010 — 45.48.090 is void and unenforceable.
See AS 45.48.060.
Does Alaska have special rules for DNA and genetic data?
Yes — and they are the strictest privacy rules on Alaska's books. Under the Genetic Privacy Act, a person may not collect a DNA sample, perform a DNA analysis, retain a sample or its results, or disclose the results without first obtaining the person's informed and written consent . The statute goes further than consent: a DNA sample and the results of its analysis are the exclusive property of the person sampled or analyzed . Violations carry a private right of action with statutory damages of $5,000 — or $100,000 if the violation produced profit or monetary gain — and knowing violations are a class A misdemeanor .
For any business that touches genetic data — direct-to-consumer testing, health and wellness products, research, even workplace testing — this chapter is the dominant Alaska compliance risk, because the exposure scales per violation without proof of actual loss. The consent must be informed and written; a general authorization for the release of medical records does not qualify, and a person may revoke or amend consent at any time. The Department of Health may adopt a uniform consent form, and using it confers a liability safe harbor .
The prohibitions carry a short list of exceptions: DNA work under Alaska's law-enforcement DNA-registration system or comparable laws, law-enforcement identification purposes, paternity determination, newborn screening required by law, and emergency medical treatment . Notably absent is any general research or commercial-convenience exception — if the use case is not on the list, the answer is written consent or nothing. The definition of DNA analysis is tailored to genetic typing and testing for genetic characteristics, and expressly excludes routine clinical tests such as drug, alcohol, cholesterol, or HIV testing, so ordinary lab work does not trip the statute .
Sources for this answer
Primary law
E.1 AS 18.13.010The Genetic Privacy Act prohibits collecting a DNA sample, performing or retaining a DNA analysis, or disclosing its results without the person's prior informed and written consent.
a person may not collect a DNA sample from a person, perform a DNA analysis on a sample, retain a DNA sample or the results of a DNA analysis, or disclose the results of a DNA analysis unless the person has first obtained the informed and written consent of the person, or the person's legal guardian or authorized representative, for the collection, analysis, retention, or disclosure;
See AS 18.13.010(a)(1).
Primary law
E.2 AS 18.13.010Alaska law makes a DNA sample and the results of its analysis the exclusive property of the person sampled or analyzed.
a DNA sample and the results of a DNA analysis performed on the sample are the exclusive property of the person sampled or analyzed.
See AS 18.13.010(a)(2).
Primary law
E.3 AS 18.13.020The Genetic Privacy Act gives the person a civil action with statutory damages of $5,000, or $100,000 if the violation resulted in profit or monetary gain to the violator, on top of actual damages.
A person may bring a civil action against a person who collects a DNA sample from the person, performs a DNA analysis on a sample, retains a DNA sample or the results of a DNA analysis, or discloses the results of a DNA analysis in violation of this chapter. In addition to the actual damages suffered by the person, a person violating this chapter shall be liable to the person for damages in the amount of $5,000 or, if the violation resulted in profit or monetary gain to the violator, $100,000.
See AS 18.13.020.
Primary law
E.4 AS 18.13.030A knowing violation of the Genetic Privacy Act is the crime of unlawful DNA collection, analysis, retention, or disclosure — a class A misdemeanor.
A person commits the crime of unlawful DNA collection, analysis, retention, or disclosure if the person knowingly collects a DNA sample from a person, performs a DNA analysis on a sample, retains a DNA sample or the results of a DNA analysis, or discloses the results of a DNA analysis in violation of this chapter ... Unlawful DNA collection, analysis, retention, or disclosure is a class A misdemeanor.
See AS 18.13.030(a), (c).
Primary law
E.5 AS 18.13.010A general medical-records authorization does not satisfy the Genetic Privacy Act's informed written consent requirement; the Department of Health may adopt a uniform consent form, use of that form provides a liability safe harbor, and consent may be revoked or amended at any time.
A general authorization for the release of medical records or medical information may not be construed as the informed and written consent required by this section. The Department of Health may by regulation adopt a uniform informed and written consent form to assist persons in meeting the requirements of this section. A person using that uniform informed and written consent is exempt from civil or criminal liability for actions taken under the consent form. A person may revoke or amend their informed and written consent at any time.
See AS 18.13.010(c).
Primary law
E.7 AS 18.13.100DNA analysis means genetic typing and testing for genetic characteristics, but excludes routine physical measurements and common clinical tests such as drug, alcohol, cholesterol, HIV, chemical, blood, urine, and widely accepted diagnostic tests.
"DNA analysis" means DNA or genetic typing and testing to determine the presence or absence of genetic characteristics in an individual, including tests of nucleic acids or chromosomes in order to diagnose or identify a genetic characteristic; "DNA analysis" does not include a routine physical measurement, a test for drugs, alcohol, cholesterol, or the human immunodeficiency virus, a chemical, blood, or urine analysis, or any other diagnostic test that is widely accepted and in use in clinical practice;
See AS 18.13.100(2).
Primary law
E.6 AS 18.13.010The consent requirement does not apply to DNA samples collected for the state DNA-registration system, law-enforcement identification purposes, paternity determination, newborn screening, or emergency medical treatment.
The prohibitions of (a) of this section do not apply to DNA samples collected and analyses conducted (1) under AS 44.41.035 or comparable provisions of another jurisdiction; (2) for a law enforcement purpose, including the identification of perpetrators and the investigation of crimes and the identification of missing or unidentified persons or deceased individuals; (3) for determining paternity; (4) to screen newborns as required by state or federal law; (5) for the purpose of emergency medical treatment.
See AS 18.13.010(b).
Can a consumer sue your business in Alaska over privacy?
Yes, but for breach-notice violations the recovery is unusually small. PIPA builds a bridge into Alaska's consumer-protection act: a violation of the breach-notification article by a non-governmental information collector is an unfair or deceptive act or practice under the Unfair Trade Practices and Consumer Protection Act . But the bridge comes with a cap — in a private action over a PIPA violation, damages are limited to actual economic damages, and under the main private-action section they may not exceed $500 . The state's recovery is capped too: in place of ordinary UTPCPA civil penalties, the information collector is liable for up to $500 for each resident who was not notified, with a $50,000 total ceiling . The exposure that is not capped sits in the Genetic Privacy Act, whose private action carries $5,000 or $100,000 statutory damages per violation .
The cap is what makes Alaska's enforcement architecture distinctive. In an ordinary UTPCPA case, a person who suffers an ascertainable loss may recover, for each unlawful act, three times actual damages or $500, whichever is greater — a treble-damages remedy that makes the statute a workhorse for Alaska consumer plaintiffs. PIPA deliberately walls breach-notice claims off from that remedy: the violation is deemed unfair or deceptive , which opens the UTPCPA's procedural doors, but the recoverable damages shrink to actual economic loss with a $500 ceiling . The practical effect is that one-off private suits over a missed breach notice are rarely economic, while the attorney general — whose UTPCPA authority rests on the act's general declaration that unfair or deceptive practices in trade or commerce are unlawful — carries the realistic enforcement threat through the per-resident penalty, plus injunctive relief.
Two further doors stay open. First, the UTPCPA separately allows any victim of an unlawful act — whether or not the person suffered actual damages — to seek an injunction against its continuation after written notice to the seller , a remedy the PIPA cap does not erase. Second, the Genetic Privacy Act's private action has no PIPA-style limitation: statutory damages of $5,000 per violation, or $100,000 where the violator profited, accrue on top of actual damages , which is why genetic data, not breach response, is where Alaska private-suit exposure concentrates. For violations by state and local agencies, enforcement runs through the Department of Administration rather than the UTPCPA. The durable takeaway: build the incident-response program for the attorney general and the per-resident penalty math, and treat any genetic-data processing as the place where plaintiffs, not regulators, set the price.
Sources for this answer
Primary law
F.1 AS 45.48.080A breach-notification violation by a non-governmental information collector is deemed an unfair or deceptive act or practice under the Unfair Trade Practices and Consumer Protection Act.
If an information collector who is not a governmental agency violates AS 45.48.010 — 45.48.090 with regard to the personal information of a state resident, the violation is an unfair or deceptive act or practice under AS 45.50.471 — 45.50.561.
See AS 45.48.080(b).
Primary law
F.2 AS 45.48.080In a private UTPCPA action over a PIPA violation, damages are limited to actual economic damages — capped at $500 under the main private-action section.
damages that may be awarded against the information collector under (A) AS 45.50.531 are limited to actual economic damages that do not exceed $500; and (B) AS 45.50.537 are limited to actual economic damages.
See AS 45.48.080(b)(2).
Primary law
F.3 AS 45.48.080In place of ordinary UTPCPA civil penalties, a violating information collector is liable to the state for up to $500 per resident not notified, with a $50,000 total ceiling.
the information collector is not subject to the civil penalties imposed under AS 45.50.551 but is liable to the state for a civil penalty of up to $500 for each state resident who was not notified under AS 45.48.010 — 45.48.090, except that the total civil penalty may not exceed $50,000
See AS 45.48.080(b)(1).
Primary law
F.6 AS 45.50.471The UTPCPA declares unfair methods of competition and unfair or deceptive acts or practices in trade or commerce unlawful — the foundation for attorney-general privacy enforcement in Alaska.
Unfair methods of competition and unfair or deceptive acts or practices in the conduct of trade or commerce are declared to be unlawful.
See AS 45.50.471(a).
Primary law
F.5 AS 45.50.531The UTPCPA's ordinary private remedy is three times actual damages or $500, whichever is greater, for each unlawful act or practice — the baseline from which PIPA's cap carves down.
A person who suffers an ascertainable loss of money or property as a result of another person's act or practice declared unlawful by AS 45.50.471 may bring a civil action to recover for each unlawful act or practice three times the actual damages or $500, whichever is greater.
See AS 45.50.531(a).
Primary law
F.7 AS 45.50.535Any victim of an unlawful act under the UTPCPA — whether or not the person suffered actual damages — may sue to enjoin its continuation after giving written notice.
Subject to (b) of this section and in addition to any right to bring an action under AS 45.50.531 or other law, any person who was the victim of the unlawful act, whether or not the person suffered actual damages, may bring an action to obtain an injunction prohibiting a seller or lessor from continuing to engage in an act or practice declared unlawful under AS 45.50.471 ... (b) A person may not bring an action under (a) of this section unless (1) the person first provides written notice to the seller or lessor who engaged in the unlawful act or practice that the person will seek an injunction against the seller or lessor if the seller or lessor fails to promptly stop the unlawful act or practice; and (2) the seller or lessor fails to promptly stop the unlawful act or practice after receiving the notice.
See AS 45.50.535(a)-(b).
Primary law
F.4 AS 18.13.020The Genetic Privacy Act's private right of action carries statutory damages of $5,000 — or $100,000 where the violation produced profit or monetary gain — on top of actual damages, with no PIPA-style cap.
In addition to the actual damages suffered by the person, a person violating this chapter shall be liable to the person for damages in the amount of $5,000 or, if the violation resulted in profit or monetary gain to the violator, $100,000.
See AS 18.13.020.