REFERENCE TITLE: consumer data; privacy
State of Arizona
Second Regular Session
Senators Bowie: Alston, Bradley, Contreras, Dalessandro, Gonzales, Mendez, Navarrete, Otondo, Peshlakai, Quezada, Rios, Steele
amending title 18, Arizona Revised Statutes, by adding chapter 7; relating to personal data.
(TEXT OF BILL BEGINS ON NEXT PAGE)
Be it enacted by the Legislature of the State of Arizona:
Section 1. Title 18, Arizona Revised Statutes, is amended by adding chapter 7, to read:
CONSUMER DATA PRIVACY
ARTICLE 1. GENERAL PROVISIONS
18-701. Consumer data privacy; collection of personal information; requirements; civil action; state preemption; definitions
A. A consumer may request that a business that collects personal information about the consumer disclose to the consumer the following:
1. The categories of personal information the business has collected about that consumer.
2. The categories of sources from which the personal information is collected.
3. The business or commercial purpose for collecting or selling personal information.
4. The categories of third parties with whom the business shares personal information.
5. The specific personal information the business has collected about that consumer.
B. A business that collects personal information about a consumer shall disclose to the consumer the information specified in subsection A of this section on receipt of a verifiable request from the consumer.
C. This section does not require a business to do either of the following:
1. Retain any personal information about a consumer collected for a single onetime transaction if, in the ordinary course of business, that information about the consumer is not retained.
2. Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.
D. A consumer may request that a business that sells the consumer's personal information or that discloses personal information for a business purpose disclose to that consumer the following information:
1. The categories of personal information that the business collected about the consumer.
2. The categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold by category or categories of personal information for each third party to whom the personal information was sold.
3. The categories of personal information that the business disclosed about the consumer for a business purpose.
E. A consumer may request that a business delete any personal information about the consumer that the business has collected from the consumer. A business that collects personal information about consumers shall disclose pursuant to subsection L of this section the consumer's rights to request the deletion of the consumer's personal information. A business that receives a verifiable request from a consumer to delete the consumer's personal information shall delete the consumers personal information from its records and direct any service providers to delete the consumer's personal information from their records. A business or a service provider is not required to comply with a consumer's request to delete the consumer's personal information if it is necessary for the business or service provider to maintain the consumer's personal information in order to:
1. Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer or reasonably anticipated within the context of a business's ongoing business relationship with the consumer or otherwise perform a contract between the business and the consumer.
2. Detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity or prosecute those responsible for that activity.
3. Debug to identify and repair errors that impair existing intended functionality.
4. Exercise free speech, ensure the right of another consumer to exercise the person's right of free speech or exercise another right provided for by law.
5. Engage in public‑reviewed or peer‑reviewed scientific, historical or statistical research in the public interest that adheres to all other applicable ethics and privacy laws if the businesses's deletion of the information is likely to render impossible or seriously impair the achievement of the research, if the consumer has provided informed consent.
6. Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business.
7. Comply with a legal obligation.
F. A business that sells personal information about a consumer or that discloses a consumer's personal information for a business purpose shall disclose the information specified in subsection E of this section to the consumer on receipt of a verifiable request from the consumer. A third party may not sell personal information about a consumer that has been sold to the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt out.
G. A consumer, at any time, may direct a business that sells personal information about the consumer to third parties not to sell the consumer's personal information. This right may be referred to as the right to opt out.
H. A business that sells consumers' personal information to third parties shall provide notice to consumers that this information may be sold and that consumers may opt out of the sale of their personal information. A business that has received direction from a consumer not to sell the consumer's personal information or, in the case of a minor consumer's personal information, has not received consent to sell the minor consumer's personal information is prohibited from selling the consumer's personal information after its receipt of the consumer's direction, unless the consumer subsequently provides express authorization to sell the consumer's personal information.
I. Notwithstanding subsections G and H of this section, a business may not sell the personal information of consumers if the business has actual knowledge that the consumer is under sixteen years of age, unless the consumer, in the case of consumers who are at least thirteen but under sixteen years of age, or the consumer's parent or guardian in the case of consumers who are under thirteen years of age, has affirmatively authorized the sale of the consumer's personal information. A business that wilfully disregards the consumer's age is deemed to have had actual knowledge of the consumer's age.
J. A business may not discriminate against a consumer because the consumer exercised any of the consumer's rights under this section, including any of the following:
1. Denying goods or services to the consumer.
2. Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
3. Providing a different level or quality of goods or services to the consumer.
4. Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
K. This section does not prohibit a business from charging a consumer a different price or rate or from providing a different level or quality of goods or services to the consumer if that difference is reasonably related to the value provided to the consumer by the consumer's data.
L. In order to comply with the notice requirements of this section, a business shall:
1. In a form that is reasonably accessible to consumers, make available to consumers two or more designated methods for submitting requests for information required to be disclosed, including, at a minimum, a toll-free telephone number and, if the business maintains a website, a website address.
2. In a form that is reasonably accessible to consumers, disclose and deliver the required information to a consumer free of charge within forty‑five days after receiving a verifiable request from the consumer. The time period to provide the required information may be extended once by an additional forty‑five days when reasonably necessary, if the consumer is provided notice of the extension within the first forty‑five‑day period.
3. In a form that is reasonably accessible to consumers, provide a clear and conspicuous link on the business's home page entitled "do not sell my personal information" to a web page that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer's personal information. A business may not require a consumer to create an account to direct the business not to sell the consumer's personal information.
4. Include a description of a consumer's rights along with a separate link to the "do not sell my personal information" web page in:
(b) Any description of consumers' privacy rights.
5. Ensure that all individuals responsible for handling consumer inquiries about the business's privacy practices are informed of all requirements of this section and how to direct consumers to exercise their rights.
6. For consumers who opt out of the sale of their personal information, refrain from selling personal information collected by the business about the consumer.
7. For a consumer who has opted out of the sale of the consumer's personal information, respect the consumer's decision to opt out for at least twelve months before requesting that the consumer authorize the sale of the consumer's personal information.
8. Use any personal information collected from the consumer in connection with submitting the consumer's opt-out request solely for the purposes of complying with the opt-out request.
M. This section does not require a business to comply with this section by including the required links and text on the home page that the business makes available to the public generally, if the business maintains a separate and additional homepage that is dedicated to consumers and that includes the required links and text and takes reasonable steps to ensure that consumers are directed to the home page for consumers and not the home page made available to the public generally.
N. The obligations imposed on businesses by this section do not restrict a business's ability to:
1. Comply with federal, state or local laws.
2. Comply with a civil, criminal or regulatory inquiry, investigation, subpoena or summons by federal, state or local authorities.
3. Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider or third party reasonably and in good faith believes may violate federal, state or local law.
4. Exercise or defend legal claims.
5. Collect, use, retain, sell or disclose consumer information that is deidentified or in the aggregate consumer information.
6. Collect or sell a consumer's personal information if every aspect of that commercial conduct takes place wholly outside of this state. For purposes of this paragraph, commercial conduct takes place wholly outside of this state if the business collected that information while the consumer was outside of this state, no part of the sale of the consumer's personal information occurred in this state and no personal information collected while the consumer was in this state is sold. This paragraph does not allow a business to store, including on a device, personal information about a consumer when the consumer is in this state and then collect that personal information when the consumer and stored personal information are outside of this state.
O. Any consumer whose nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft or disclosure as a result of a business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
1. Recovery of damages in an amount of at least $100 and not more than $750 per consumer per incident or actual damages, whichever is greater.
2. Injunctive or declaratory relief.
3. Any other relief the court deems proper.
P. In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the wilfulness of the defendant's misconduct and the defendant's assets, liabilities and net worth. A consumer may bring an Action pursuant to this section if, before initiating any action against a business for statutory damages on an individual or class-wide basis, the consumer provides a business thirty days' written notice that identifies the specific provisions of this section the consumer alleges have been or are being violated. If a cure is possible and if within the thirty days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations will occur, an action for individual statutory damages or class-wide statutory damages may not be initiated against the business. A notice is not required before an individual consumer initiates an action solely for actual pecuniary damages suffered as a result of the alleged violations of this section. If a business continues to violate this section in breach of the express written statement provided to the consumer under this section, the consumer may initiate an action against the business to enforce the written statement and may pursue statutory damages for each breach of the express written statement, as well as any other violation of this section that postdates the written statement. Any business or third party may seek the opinion of the attorney general for guidance on how to comply with this section. A business is in violation of this section if the business fails to cure any alleged violation within thirty days after being notified of alleged noncompliance. Any business, service provider or other person that violates this section is liable for a civil penalty in a civil action brought in the name of this state by the attorney general of up to $7,500 for each violation.
Q. The regulation of consumer data privacy is of statewide concern. This section supersedes and preempts all regulation of consumer data privacy and is not subject to further regulation by a county, city, town or other political subdivision of this state.
R. For the purposes of this section:
1. "Business" means a sole proprietorship, partnership, limited liability company, corporation, association or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers' personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of processing consumers' personal information, that does business in this state and that satisfies one or more of the following thresholds:
(a) Has annual gross revenues in excess of $15,000,000.
(b) Alone or in combination, annually buys, receives for the business' commercial purposes, sells or shares for commercial purposes, alone or in combination, the personal information of fifty thousand or more consumers, households or devices.
(c) Derives fifty percent or more of its annual revenues from selling consumers' personal information.
2. "Personal information":
(a) Means information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household, including:
(i) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier internet protocol address, email address, account name, social security number, driver license number, passport number or other similar identifier.
(ii) Characteristics of protected classifications under state or federal law.
(iii) Commercial information, including records of personal property, products or services purchased, obtained or considered or other purchasing or consuming histories or tendencies.
(iv) Biometric information.
(v) Internet or other electronic network activity information, including browsing history, search history and information regarding a consumer's interaction with a website, application or advertisement.
(vi) Geolocation data.
(vii) Audio, electronic, visual, thermal, olfactory or similar information.
(viii) Professional or employment-related information.
(ix) Education information, defined as information that is not publicly available personally identifiable information as defined in the family educational rights and privacy act of 1974 (P.L. 93‑380; 80 Stat. 57; 20 United States Code section 1232g).
(x) Inferences drawn from any of the information identified in this section to create a profile about a consumer that reflects the consumer's preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.
(b) Does not include:
(i) Publicly available information.
(ii) Biometric information collected by a business about a consumer without the consumer's knowledge.
3. "Publicly available":
(a) Means information that is lawfully made available from federal, state or local government records, as restricted by any conditions associated with such information.
(b) Does not include:
(i) Information if the data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained.
Sec. 2. Legislative findings
A. The legislature finds:
1. That it is an important and substantial state interest to protect consumers' private, personal data in this state.
2. That, with the increasing use of technology and data in everyday life, there is an increasing amount of private, personal data being shared by consumers with businesses as a part of everyday transactions and online and other activities.
3. That the increasing collection, storage, use and sale of personal data creates increased risks of identity theft, financial loss and other misuse of private personal data.
4. That many consumers do not know, understand or have appropriate authority over the distribution, use, sale or disclosure of their personal data.
B. The legislature intends that consumers should have the right to:
1. Know what personal information is being collected about them.
2. Know whether their personal information is sold or disclosed and to whom.
3. Decline or opt out of the sale of their personal information.
4. Access their personal information that has been collected.
5. Receive equal service and price, even if they exercise their rights.