REFERENCE TITLE: personal data; processing; security standards
State of Arizona
House of Representatives
Second Regular Session
Representatives DeGrazia: Blanc, Butler, Engel, Epstein, Gabaldón, Peten, Powers Hannley, Rodriguez, Salman, Sierra, Teller, Thorpe
amending Title 18, chapter 5, Arizona Revised Statutes, by adding article 5; relating to personal data.
(TEXT OF BILL BEGINS ON NEXT PAGE)
Be it enacted by the Legislature of the State of Arizona:
Section 1. Title 18, chapter 5, Arizona Revised Statutes, is amended by adding article 5, to read:
ARTICLE 5. DATA AND SECURITY STANDARDS
In this article, unless the context otherwise requires:
1. "Collect" means receiving and taking, including by automated means, any operation or set of operations to obtain personal data, including purchasing, leasing, assembling, recording, gathering, acquiring or procuring personal data.
2. "Consent" means a clear, affirmative act signifying a specific, informed and unambiguous indication of a consumer's agreement to collect or process the consumer's personal data, such as by a written statement or other clear affirmative action.
3. "Consumer" means:
(a) A natural person who is a resident of this state and who is acting only in an individual, noncommercial or household context.
(b) Does not include a natural person who is acting in a commercial or employment context.
4. "Controller" means the natural or legal person that, alone or jointly with others, determines the purposes and means of processing personal data.
5. "Data broker" means a business, or a unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the personal information of a consumer with whom the business does not have a direct relationship.
6. "Deidentified data" means:
(a) Data that cannot be linked to a known natural person without additional information kept separately.
(b) Data that meets all of the following:
(i) Has been modified to a degree that the risk of reidentification is small.
(ii) Is subject to a public commitment by the controller not to attempt to reidentify the data.
(iii) To which one or more enforceable controls to prevent reidentification have been applied. For the purposes of this item, "enforceable controls" includes legal, administrative, technical or contractual controls.
7. "Disclose" means taking any action, with respect to personal data, including by automated means, to sell, share, provide or otherwise transfer personal data to another entity or person or the general public.
8. "Identified or identifiable natural person" means a person who can be readily identified, directly or indirectly.
9. "Personal data" or "personal information":
(a) Means any information that is linked or reasonably linkable to an identified or identifiable natural person.
(b) Does not include deidentified data or publicly available information.
(c) Includes sensitive data.
10. "Process" or "processing" means collecting, using, storing, disclosing, analyzing, deleting or modifying personal data, including by automated means.
11. "Processor" means a natural or legal person that processes personal data on behalf of the controller.
12. "Profiling" means any form of automated processing of personal data consisting of using personal data to evaluate certain personal aspects about a natural person, particularly analyzing or predicting aspects of that natural person's economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
13. "Restriction of processing" means marking stored personal data with the aim of limiting the processing of such personal data in the future.
(a) Means the exchange of personal data for monetary consideration by the controller to a third party, including for the purposes of licensing or selling personal data at the third party's discretion to additional third parties.
(b) Does not include either of the following:
(i) Disclosing personal data to a processor that processes the personal data on behalf of the controller.
(ii) Disclosing personal data to a third party with whom the consumer has a direct relationship for purposes of providing a product or service requested by the consumer or otherwise in a manner that is consistent with a consumer's reasonable expectations considering the context in which the consumer provided the personal data to the controller.
15. "Sensitive Data" means:
(a) Personal data that reveals racial or ethnic origins, religious beliefs, mental, physical, behavioral or psychological health conditions or diagnoses or sex life or sexual orientation.
(b) The Processing of genetic or biometric data for the purpose of uniquely identifying a natural person.
(c) The precise geolocation information of a device associated with an individual.
(d) the personal data of a known child.
16. "Targeted advertising":
(a) Means displaying to a consumer advertisements that are selected based on personal data obtained or inferred over time from the consumer's activities across nonaffiliated websites, applications or online services to predict user preferences or interests.
(b) Does not include advertising to a consumer based on the consumer's visits to a website, application or online service that a reasonable consumer would believe to be associated with the publisher in which the advertising is placed based on common branding, trademarks or other indicia of common ownership or in response to the consumer's request for information or feedback.
17. "Verified request" means the process through which a consumer may submit a request to exercise a right or rights set forth in this article and by which a controller can reasonably authenticate the request and the consumer making the request using commercially reasonable means.
18-572. Consumer rights; access to personal data; verified requests; controller's duty
A. A controller shall facilitate verified requests from consumers to exercise consumer rights as follows:
1. On receipt of a verified request from a consumer, a controller shall notify the consumer whether personal data concerning the consumer is being processed, held or sold to data brokers. If personal data is being sold to data brokers, the controller shall notify the consumer of the type and category of personal data that has been sold and to whom the personal data has been sold.
2. On receipt of a verified request for disclosure from a consumer, if personal data concerning the consumer is being processed or held by the controller, the controller shall provide a copy of the personal data that the controller processes or maintains or provide the category or type of personal information that is kept if a copy is unavailable or unattainable. If the consumer makes the request by electronic means, and unless requested by the consumer, the information must be provided in a commonly used electronic form. For any additional copies requested by the consumer, the controller may charge a reasonable fee based on administrative costs.
3. A controller that collects a consumer's personal data, at or before the point of collection, shall inform the consumer of the categories of personal data to be collected and the purposes for which the categories of personal data will be used. A controller may not collect additional categories of personal data or use personal data collected for additional purposes without providing the consumer with notice consistent with this section.
4. A controller shall provide the information specified in this subsection to a consumer only on receipt of a verified request.
B. This section does not require a controller to:
1. Retain any personal data collected for a single, onetime transaction if the information is not sold or retained by the controller.
2. Reidentify or otherwise link any data that, in the ordinary course of the controller, is not maintained in a manner that would be considered personal data.
C. A controller is presumed to have sold personal data if there is an exchange of personal data and if contract terms with the third-party do not limit the use of personal information by the third party.
D. This section does not adversely affect the rights or freedoms of others.
18-573. Correction of information; deletion; request; requirements; exceptions
A. On receipt of a verified request from a consumer, the controller, without undue delay, shall correct inaccurate personal data that the controller maintains in identifiable form concerning the consumer. Taking into account the business purposes of the processing, the controller shall complete incomplete personal data, including by means of providing a supplementary statement if appropriate. If the controller no longer has the consumer's personal data, the controller shall notify the consumer that the personal data no longer exists and may ask if the consumer would like to add the consumer's personal information.
B. A controller that collects personal data about consumers shall disclose to each consumer the right to request the deletion of the consumer's personal data.
C. On receipt of a verified request for deletion from a consumer, a controller shall delete the consumer's personal data without undue delay if one of the following applies:
1. The personal data is no longer necessary in relation to the purposes for which the personal data was collected or otherwise processed.
2. For processing that requires consent, the consumer withdraws consent to processing and there are no business purposes for the processing.
3. The personal data must be deleted to comply with a legal obligation under a federal, state or local law or regulation to which the controller is subject.
4. The controller is required to certify when the deletion was completed.
5. The personal data has been unlawfully processed.
D. A controller or a processor is not required to comply with a consumer's request to delete the consumer's personal data if it is necessary for the controller or processor to maintain the consumer's personal data in order to complete the transaction for which the personal data was collected, provide a good or service requested by the consumer or reasonably anticipated within the context of a controller's ongoing business relationship with the consumer or otherwise perform a contract between the controller and the consumer.
E. If a controller is required to delete personal data that the controller maintains in identifiable form that has been disclosed to third parties by the controller, including data brokers that received the personal data through a sale, the controller shall take reasonable steps to inform other controllers of which it is aware that are processing such personal data and that received such personal data from the controller or are processing such personal data on behalf of the controller that the consumer has requested the deletion by the other controllers of any link to or copy or replication of the personal data. Compliance with this subsection must take into account available technology and cost of implementation.
F. This section does not apply to the extent processing is necessary:
1. For exercising the right of free speech.
2. For compliance with a legal obligation that requires processing of personal data by a federal, state or local law or regulation to which the controller is subject or for performing a task carried out in the public interest or in exercising official authority vested in the controller.
3. For reasons of public interest in the area of public health, if the processing is both of the following:
(a) Subject to suitable and specific measures to safeguard the rights of the consumer.
(b) Under the responsibility of a professional subject to confidentiality obligations under a federal, state or local law or regulation.
4. For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, if deleting such personal data is likely to render impossible or seriously impair the achievement of the objectives of the processing.
5. For establishing, exercising or defending legal claims.
6. To detect or respond to security incidents, protect against malicious, deceptive, fraudulent or illegal activity or identify, investigate or prosecute those responsible for that activity.
18-574. Restriction of processing; request; requirements
A. On receipt of a verified request from a consumer, the controller shall restrict processing of personal data if any of the following applies:
1. The accuracy of the personal data is contested by the consumer, for a period enabling the controller to verify the accuracy of the personal data.
2. The processing is unlawful and the consumer opposes the deletion of the personal data and requests the restriction of processing instead.
3. The controller no longer needs the personal data for the purposes of the processing but such personal data is required by the consumer for establishing, exercising or defending legal claims.
4. The consumer objects to the processing pending the verification of whether the legitimate grounds of the controller override those of the consumer.
B. If personal data is subject to a restriction of processing under this section, the personal data, except for storage, may be processed only as follows:
1. With the consumer's consent.
2. To establish, exercise or defend legal claims.
3. To protect the rights of another natural or legal person.
4. For reasons of important public interest under a federal, state or local law or regulation.
C. The controller shall inform a consumer who has obtained restriction of processing pursuant to this section before the restriction of processing is lifted and the proposed legal basis.
18-575. Receiving personal data; request
A. On a verified request from a consumer, the controller shall provide to the consumer, if technically feasible and commercially reasonable, any personal data that the controller maintains in identifiable form concerning the consumer that the consumer has provided to the controller in a structured, commonly used and machine-readable format:
1. If processing the personal data is necessary to perform a contract to which the consumer is a party.
2. In order to take steps at the request of the consumer before entering into a contract.
3. If the processing is carried out by automated means.
B. Requests for personal data under this section must be without prejudice to the consumer's right to delete.
C. The rights provided in this section do not apply to processing necessary to perform a task carried out in the public interest or to exercise official authority vested in the controller and must not adversely affect the rights of others.
18-576. Objection to processing of personal data
A. A consumer may object, through a verified objection, at any time, to the processing of personal data concerning the consumer.
B. On receipt of a consumer's verified objection to processing the consumer's personal data for targeted advertising, which includes the sale of personal data that concerns the consumer to third parties for purposes of targeted advertising, the controller may not process the personal data subject to the objection for such purpose and shall take reasonable steps to communicate the consumer's objection, unless it proves impossible or involves disproportionate effort, regarding any further processing of the consumer's personal data for the purposes to any third parties to whom the controller sold the consumer's personal data for that purpose. Third parties shall honor objection requests pursuant to this section received from third-party controllers.
C. If a consumer objects to processing for any purpose other than targeted advertising, the controller may continue processing the personal data subject to the objection if the controller can demonstrate a legitimate ground to process that personal data that overrides the potential risks to the rights of the consumer associated with the processing or if another exemption in this article applies.
18-577. Controller's responsibilities; exceptions
A. A controller shall communicate any correction, deletion or restriction of processing carried out in accordance with this article to each third-party recipient to whom the controller knows the personal data has been disclosed, including third parties that received the data through a sale, within one year preceding the verified request unless this proves functionally impractical or technically infeasible or involves disproportionate effort or the controller knows or is informed by the third party that the third party is not continuing to use the personal data.
B. A controller shall provide information on action taken on a verified request under this section without undue delay and within thirty days after receipt of the request. The time period may be extended by sixty additional days if reasonably necessary, taking into account the complexity and number of the requests. The controller shall inform the consumer of any such extension within thirty calendar days after receipt of the verified or validated request, together with the reasons for the delay. If the consumer makes the verified or validated request by electronic means, the information must be provided by electronic means if possible, unless otherwise requested by the consumer.
C. If a controller does not take action on the request of a consumer, the controller shall inform the consumer without undue delay and at the latest within thirty days after receipt of the request of the reasons for not taking action and any possibility for internal review of the decision by the controller.
D. The controller shall provide information under this section free of charge to the consumer. If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
1. Charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested.
2. Refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request and must detail the categories or types of personal information and the excessive character or nature of the request.
E. If the controller has reasonable doubts concerning the identity of the consumer making a request under this section, the controller may request additional information necessary to confirm the identity of the consumer.
F. A consumer is not subject to a decision based solely on profiling that produces legal effects concerning the consumer or that similarly significantly affects the consumer. Legal or similarly significant effects include denial of consequential services or support, such as financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities and health care services.
G. This section does not apply if the decision is:
1. Necessary for entering into or performing a contract between the consumer and a controller.
2. Authorized by a federal, state or local law or regulation to which the controller is subject and that incorporates suitable measures to safeguard the consumer's rights and legitimate interests, as indicated by the risk assessments required by this article.
3. Based on the consumer's informed consent.
H. Notwithstanding subsection G of this section, the controller shall implement suitable measures to safeguard consumer rights and legitimate interests with respect to decisions based solely on profiling, including providing human review of the decision, to express the consumer's point of view with respect to the decision and to contest the decision.
18-578. Enforcement; violation; civil penalty; consumer privacy fund
A. The attorney general may bring an action in the name of this state, or as parens patriae, on behalf of persons residing in this state, to enforce this article.
B. A controller or processor violates this article if the controller or processor fails to cure any alleged breach of this article within thirty days after receiving notice of alleged noncompliance. Any controller or processor that violates this article is subject to an injunction and is liable for a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional violation.
C. The consumer privacy fund is established consisting of civil penalties imposed under this article. The attorney general shall administer the fund. The fund is subject to legislative appropriation.
18-579. State preemption
The regulation of data security is of statewide concern. The regulation of data security pursuant to this article supersedes any local law or regulation and is not subject to further regulation by a county, city, town or other political subdivision of this state.
A. The obligations imposed on controllers or processors under this article do not restrict a controller's or processor's ability to do any of the following:
1. Comply with federal, state or local laws and regulations.
2. Comply with a civil, criminal or regulatory inquiry, investigation, subpoena or summons by a federal, state, local or other governmental authority.
3. Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate a federal, state or local law or regulation.
4. Investigate, exercise or defend legal claims.
5. Prevent or detect identity theft, fraud or other criminal activity or verify identities.
B. The obligations imposed on controllers and processors under this article do not apply if compliance by the controller or processor with this article would violate an evidentiary privilege under the laws of this state and do not prevent the controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of this state as part of a privileged communication.
C. A controller or processor that discloses personal data to a third-party controller or processor in compliance with the requirements of this article is not in violation of this article if the third‑party recipient processes the personal data in violation of this article, if at the time of disclosing the personal data the disclosing controller or processor did not have actual knowledge that the third‑party recipient intended to commit a violation. A third-party recipient that receives personal data from a controller or processor is likewise not liable under this article for the obligations of a controller or processor to which it provides services.
D. This article does not require a controller or processor to do any of the following:
1. Reidentify deidentified data.
2. Retain personal data concerning a consumer that it would not otherwise retain in the ordinary course of business.
3. Comply with a request to exercise any of the rights of this article if the controller is unable to verify, using commercially reasonable efforts, the identity of the consumer making the request.
4. Retain personal data beyond existing legal obligations, rules or laws.
E. Obligations imposed on controllers and processors under this article do not:
1. Adversely affect the rights of any persons.
2. Apply to processing personal data by a natural person in the course of a purely personal or household activity.
A. This article does not serve as the basis for a private right of action under this article or any other law.
B. If more than one controller or processor, or both a controller and a processor, involved in the same processing are in violation of this article, the liability shall be allocated among the parties according to principles of comparative fault, unless such liability is otherwise allocated by contract among the parties.
A. This article applies to a legal entity with an annual gross revenue of at least $25,000,000 that conducts business in this state or produces products or services that are intentionally targeted to residents of this state and that satisfies either of the following thresholds:
1. Controls or processes data of at least one hundred thousand consumers.
2. Derives over thirty-five percent of gross revenue from the sale of personal information and processes or controls personal information of at least twenty-five thousand consumers.
B. This article does not apply to:
1. State and local governments.
2. Personal data sets to the extent that the data sets are regulated by the health insurance portability and accountability act of 1996 (P.L. 104-191), the health information technology for economic and clinical health act (P.L. 111‑5) or the Gramm-Leach-Bliley act of 1999 (P.L. 106‑102).
3. Data sets that are maintained for employment records purposes.
4. Businesses and activities that are covered by the fair credit reporting act (P.L. 90‑321).