There is currently no comprehensive Arizona consumer privacy act in effect. Although there have been recent attempts at Arizona data privacy law legislation, no bill for comprehensive privacy regulation has been introduced in the state legislature this year.
On Feb. 8, 2022, Arizona HB 2790 was introduced in the state legislature. This was the closest the state got to a comprehensive Arizona privacy act. It did not make it past the committee deadline of Feb. 18, 2022.
Existing Arizona Privacy Legislation
Arizona does have some privacy-related laws and regulations in segregated areas. We’ll outline them below.
Data Breach Notification Law
Arizona has a data breach notification law that requires businesses and government entities to notify individuals if their personal information is reasonably believed to have been compromised in a data breach. The law outlines requirements for the timing, content, and methods of notification.
Arizona recently changed the standards for breach notice by amending its breach notice legislation. Depending on the severity of the occurrence, the Arizona Department of Homeland Security must be informed beginning in July 2022. As revised, notice must be given to the three biggest consumer reporting agencies, the Arizona attorney general, and the Arizona Department of Homeland Security if more than 1,000 people in Arizona are informed of a breach. Previously, the only parties that had to be alerted if that threshold was reached were the consumer reporting agencies and the Arizona AG. Arizona is one of the few states that demands notification to numerous state regulatory bodies, along with New York.
Pending Arizona Privacy Laws
Arizona Biometric Privacy Law
SB 1238 is currently pending in the state legislature. The bill establishes statutory requirements for a private entity in possession of biometric identifiers or biometric information relating to the collection, retention, and destruction of biomarker identifiers and information.
- Private entities that handle biometric information must write a policy detailing retention schedule and destruction guidelines.
- The bill specifies when biometric information must be destroyed
- Requires that biometric data may not be obtained or collected by a private business without first:
- letting someone know about the collection or storage
- educating people about the intentions behind and timeframe for the collection, storage, and use
- getting approval.
- Biometric data cannot be sold, leased, traded, or used for financial gain by private entities.
- Unless the person gives their consent or another exception exists, private entities are not permitted to share or distribute a person’s biometric information.
- In line with industry-specific standards of care and in a way that is at least as protective as that used for other confidential and sensitive information, private entities are required to store, transmit, and safeguard biometric information.
- Private right of action is established.
What are Comprehensive Consumer Privacy Laws?
Privacy is considered a basic human right, and laws are essential to protect individuals’ privacy rights, promote trust and confidence in the digital realm, mitigate risks associated with data breaches, and establish a framework that supports responsible data handling practices.
Comprehensive privacy laws generally regulate the collection, use, and disclosure of personal information by businesses and provide an express set of consumer rights for collected data, such as the right to access, correct, and delete personal information collected by businesses.
Protection of Personal Information
Privacy laws help safeguard individuals’ personal information from unauthorized access, use, or disclosure. They establish guidelines and requirements for organizations handling personal data, ensuring that individuals’ privacy rights are respected and their personal information is adequately protected.
Individual Privacy Rights
Privacy laws recognize and protect the fundamental right to privacy. They give individuals control over their personal information, allowing them to know how their data is collected, used, and shared. Privacy regulations often include provisions for obtaining consent, accessing personal information, and requesting its deletion or correction.
Mitigating Data Breaches and Identity Theft
Privacy laws typically require organizations to implement security measures to protect personal information from data breaches. By setting standards for data security, privacy regulations aim to minimize the risk of unauthorized access, identity theft, fraud, and other forms of cybercrime.
Building Consumer Trust
Clear and enforceable privacy laws can foster trust between individuals and organizations. When people know their privacy rights are protected and that organizations are held accountable for mishandling personal information, they are more likely to engage in online transactions, share data, and interact with businesses, contributing to a healthy digital economy.
Balancing Innovation and Privacy
Privacy regulations need to strike a balance between protecting privacy rights and fostering innovation. By providing clear guidelines, privacy laws help businesses navigate the collection and use of personal data while encouraging responsible data practices that respect privacy concerns.
Centraleyes State Privacy Tracker
Stay with Centraleyes as we provide day-to-day updates on new developments in the area of state privacy laws.