
Arizona Privacy Legislation – Right, Left and Center(ish)

Consumer data privacy appears to be on the minds of legislators in Arizona this session. As previously mentioned, House Concurrent Resolution 2013 was introduced in Arizona on Jan. 10, 2020, by five Republicans and one Democrat declaring:

  1. That the Members of the Legislature oppose the enactment of laws, the adoption of regulations or the imposition of out-of-state standards that would restrict or otherwise dictate standards related to consumer data privacy, absent a clear nexus with consumer harm.
  2. That the Members of the Legislature believe a single federal standard for comprehensive consumer data privacy regulation is preferable to a state-by-state approach.

Not surprisingly, that sentiment was not universally shared and SB 1614 was introduced on Feb. 5, 2020, by 13 Democrats. The legislation is CCPA Lite, providing consumers the right to know, delete and opt out of the sale of information. The legislation would apply to a for-profit business that “does business in Arizona” and:

  1. Has annual gross revenue in excess of $15 million;
  2. Buys, receives, sells or shares the personal information of 50,000 or more consumers; or
  3. Derives 50% or more of its annual revenue from the sale of consumers’ personal information.

Unlike the CCPA and legislation pending in other states, the bill does not provide any GLBA, HIPAA or FCRA exemptions.

In the event of a breach due to the failure to maintain reasonable security measures, a consumer may file suit for statutory damages of $100 to $750 per consumer per incident, or actual damages.  A 30-day notice and opportunity to cure provision is included but only applies to an action for statutory damages and does not apply if the action is for “actual pecuniary damages.” The attorney general would be authorized to seek civil penalties up to $7,500 per violation.

HB 2729 was introduced on Feb. 10, 2020, by 12 Democrats and one Republican, the Republican being the Chair of the House Committee on Technology. The applicability of the legislation includes a little GDPR flavoring in that it primarily governs the conduct of “controllers” and “processors.” Controllers are “natural or legal persons that, alone or jointly with others, determines the purposes and means of processing personal data.” Processors are “natural or legal person that processes personal data on behalf of the controller.” It would apply to:

A legal entity with annual gross revenue of at least $25 million that conducts business in [Arizona] or produces products or services that are intentionally targeted to residents of [Arizona] and that satisfies either of the following thresholds:

  1. Controls or processes data of at least 100,000 consumers.
  2. Derives over 35% of gross revenue from the sale of personal information and processes or controls personal information of at least 25,000 consumers.

Consumers would have the right to know, delete and correct their personal data.  The bill does not provide consumers an opt-out of the sale of their personal information.  Instead, consumers would have the right to object to the processing of their personal data. “Processing” is defined as “collecting, using, storing, disclosing, analyzing, deleting or modifying personal data.”

If the objection relates to processing for the purpose of targeted advertising, the controller must cease such processing and communicate the objection “unless it proves impossible or involves disproportionate effort . . .”  If the objection to processing is for any other reason, the processing can continue “if the controller can demonstrate a legitimate ground to process that personal data that overrides the potential risks to the rights of the consumer . . .” 

The legislation exempts “data sets” regulated by HIPAA and GLBA and “businesses and activities” covered by the FCRA.

There would be no private right of action.  Civil penalties may be sought by the Attorney General in the amount of $2,500 per violation, or $7,500 per intentional violation.  Interestingly, the bill specifically provides that if more than one controller and/or processor commit the violation, “liability shall be allocated among the parties according to principles of comparative fault, unless such liability is otherwise allocated by contract among the parties.”

The same sponsors introduced HB 2728 governing the use of biometric data.  The legislation requires notice and consent to “enroll” a consumer’s “biometric identifier in a database for a commercial purpose.” 

Excluded are “activities” subject to HIPAA and “a financial institution or an affiliate of a financial institution” subject to the GLBA.  If only that GLBA exemption had been used in HB 2729.


Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to businesses and consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see
