Arizona

Privacy Law Status

Comprehensive Privacy Law

Arizona currently does not have a comprehensive consumer data privacy law in effect[1][2][3]. Unlike states such as California, Virginia, or Colorado, Arizona residents do not have broad statutory rights to control how businesses collect, use, or sell their personal information. The state has considered several privacy bills in recent years, but none have successfully passed through the legislature.

While Arizona lacks comprehensive privacy protections, the state does maintain a data breach notification law that requires businesses to inform residents when their personal information has been compromised in a security incident[1][4][5]. This law provides some protection after data breaches occur, but does not regulate ongoing data collection and use practices.

Legislative Activity

Arizona has seen multiple attempts to enact comprehensive privacy legislation. In 2020, Senate Bill 1614 was introduced, which would have provided consumers rights to request disclosure, deletion, and opt-out of personal data sales[6]. This was followed by House Bill 2790 in 2022, which represented the closest the state has come to passing a comprehensive Arizona privacy act, but it failed to meet the committee deadline of February 18, 2022[1][7]. Additionally, Senate Bill 1238 addressing biometric privacy protections has been pending in the state legislature[1][8].

According to privacy advocates, industry lobbyists have been actively working to weaken privacy legislation in states across the country, including Arizona, which may contribute to the challenges in passing comprehensive privacy protections[2]. The legislative landscape remains active, with ongoing discussions about potential future privacy legislation.

In 2025, new legislative efforts emerged with HB 2729 introduced in February and HB 2861 passing the Arizona House in March[9][6].

Implementation Timeline

There is currently no implementation timeline for comprehensive privacy laws in Arizona, as no such legislation has been enacted. The existing data breach notification law has been in effect for several years, with recent amendments in 2022 that added notification requirements to the Arizona Department of Homeland Security for breaches affecting more than 1,000 residents[10][11][12].

Future privacy legislation, if passed, would likely include implementation periods similar to other states, typically ranging from 6 months to 2 years to allow businesses time to develop compliance programs. However, without active legislation currently moving through the state legislature, Arizona residents should not expect comprehensive privacy protections in the immediate future.

Your Rights as an Arizona Resident

Under Arizona’s current legal framework, residents have very limited privacy rights compared to states with comprehensive privacy laws. The primary protections relate to data breach notifications rather than ongoing privacy controls.

Right to breach notification – You must be notified within 45 days if your personal information is compromised in a data breach involving an Arizona business[4][5]
Right to accurate breach information – Breach notifications must include specific details about what information was compromised and steps you can take to protect yourself[5]
Limited biometric protections – Some pending legislation may provide rights regarding biometric data collection, but these are not yet in effect[1][8]
No right to know – Arizona law does not currently require businesses to disclose what personal data they collect about you
No right to delete – Businesses are not required to delete your personal information upon request
No right to opt out – You cannot legally require businesses to stop selling your personal information to third parties
No right to correct data – There is no general right to have businesses correct inaccurate personal information

The absence of these fundamental privacy rights means Arizona residents must rely primarily on federal protections and voluntary business practices rather than strong state-level privacy laws.

Business Requirements

Arizona’s current privacy-related requirements for businesses are limited compared to comprehensive privacy states, focusing primarily on data breach response rather than ongoing privacy practices.

Data breach notification compliance – Businesses that own, maintain, or license personal information of Arizona residents must notify affected individuals within 45 days of determining a breach occurred[4][5]
Government agency notification – Companies must notify the Arizona Attorney General and Department of Homeland Security in writing if more than 1,000 residents are affected by a data breach[4][10][11]
Consumer reporting agency notification – Businesses must notify the three largest nationwide consumer reporting agencies for breaches affecting more than 1,000 residents[4][5]
Limited scope of covered entities – The breach notification law applies to any person conducting business in Arizona who owns, maintains, or licenses unencrypted personal information, with some exceptions for law enforcement and certain federal regulated entities[5]
No ongoing privacy obligations – Unlike comprehensive privacy states, Arizona does not require businesses to provide privacy notices, respond to consumer deletion requests, or limit data collection practices
No data minimization requirements – Businesses face no restrictions on collecting only necessary personal information or limiting data retention periods

The regulatory framework remains focused on post-breach response rather than proactive privacy protection, leaving significant gaps in business accountability for data handling practices.

Practical Impact

Limited daily privacy protection – Arizona residents have minimal legal recourse when businesses collect, use, or sell their personal information without consent, unlike residents of states with comprehensive privacy laws
Breach notification benefits – When data breaches occur, residents do receive timely notifications that can help them take protective steps such as monitoring credit reports or changing passwords[5]
Enforcement limitations – Only the Arizona Attorney General can enforce privacy-related violations, with no private right of action for individual residents to sue companies directly[1][13]
Reliance on federal protections – Arizona residents must depend on federal laws like HIPAA for healthcare data and COPPA for children’s privacy, which provide sector-specific rather than comprehensive protections
Gaps in emerging technology – Areas like biometric data collection, artificial intelligence use, and social media data harvesting have little to no state-level regulation in Arizona
Limited business transparency – Companies are not required to disclose their data collection practices, making it difficult for residents to understand how their information is being used

Comparison Context

Behind leading privacy states – Arizona lacks the comprehensive consumer rights found in California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), and other states with modern privacy laws that provide rights to know, delete, correct, and opt-out
Missing key protections – Unlike states with comprehensive laws, Arizona residents cannot require businesses to disclose data sales, limit targeted advertising, or delete personal information upon request
Limited enforcement mechanisms – While some states provide private rights of action or significant civil penalties, Arizona’s enforcement relies solely on the Attorney General with relatively modest penalties for breach notification violations[4]
No sensitive data categories – Arizona law does not recognize special protections for sensitive personal information like biometric data, precise geolocation, or health information outside of federal frameworks
Weaker business obligations – Companies operating in Arizona face fewer transparency, data minimization, and consumer response requirements compared to businesses in states with comprehensive privacy frameworks
Similar to non-privacy states – Arizona’s current approach aligns more closely with states that have only breach notification laws rather than the growing number of states implementing comprehensive privacy protections

Action Steps for Residents

Monitor breach notifications – Pay attention to data breach notifications you receive and take recommended protective actions like changing passwords and monitoring credit reports
Use available federal protections – Exercise rights under federal laws like opting out of data broker sales through the National Do Not Call Registry and using privacy settings in federally regulated services
Adopt privacy-protective practices – Use privacy-focused browsers, limit social media data sharing, and regularly review and adjust privacy settings on digital services
Contact elected representatives – Advocate for comprehensive privacy legislation by contacting your state legislators and expressing support for stronger privacy protections
Stay informed about legislative developments – Monitor Arizona Legislature proceedings for privacy bills and participate in public comment processes when available
Report privacy violations to available authorities – File complaints with the Arizona Attorney General’s consumer protection office for potential violations of existing laws or unfair business practices
Consider voluntary privacy tools – Use available consumer tools and services that help manage data broker opt-outs and privacy requests, though these provide limited protection compared to legal rights

Official Resources and Contact Information

Arizona State Legislature

To contact your state representatives about privacy legislation or to stay informed about upcoming bills, you can reach Arizona’s 30 State Senators and 60 State Representatives through the main legislative contact system. The Legislature’s website provides access to bill texts, legislator information, and committee schedules for tracking privacy-related legislation.

General Legislative Contact:
Phone: 800-352-8404
Mail: 1700 W Washington Street, Phoenix, AZ 85007
Website: Arizona Legislature

To find your specific district and representatives, use the Legislature’s district finder tools available on their website. When contacting legislators about privacy issues, include specific bill numbers if available and clearly state your position on privacy legislation.

Arizona Attorney General – Consumer Protection

The Arizona Attorney General’s Office handles consumer complaints and enforces the state’s data breach notification law. They investigate deceptive business practices and can take enforcement action against companies that violate consumer protection laws.

Consumer Protection Office:
Phoenix Metro: (602) 542-5763
In-state Toll-free: (800) 352-8431
Online Complaints: File a Consumer Complaint
Data Breach Notifications: data.breach@azag.gov

Legislative Districts and Representatives

Arizona is divided into 30 legislative districts, each with one senator and two representatives. To find your specific legislators and their contact information, you can use district lookup tools or contact the League of Arizona Cities and Towns, which maintains current legislator contact information to assist with advocacy efforts.

District Information:
League of Arizona Cities and Towns: Contact Your Legislators
This resource provides updated contact information and guidance for effectively communicating with state legislators about policy issues.

Data Breach Notifications

If you need to report a data breach or have questions about breach notification requirements, the Arizona Attorney General maintains specific procedures and forms for data breach reporting.

Breach Reporting:
Data Breach Information: Arizona’s Data-Breach Notification Law FAQ
This resource explains consumer rights under the existing breach notification law and provides guidance on what to do if your personal information is compromised.

Sources and Citations

[1] www.centraleyes.com/privacy-laws/arizona/

[2] kiowacountypress.net/content/report-arizona-has-no-data-privacy-law-expert-says-its-time-take-action

[3] www.dataguidance.com/jurisdictions/arizona

[4] lewisbrisbois.com/privacy/US/Arizona/data-breach

[5] www.azag.gov/consumer/data-breach/faq

[6] www.azleg.gov/legtext/54leg/2r/bills/sb1614p.htm

[7] www.azleg.gov/legtext/55leg/2r/bills/hb2790p.htm

[8] legiscan.com/AZ/text/SB1238/id/2661136

[9] www.bclplaw.com/a/web/963/Arizona-DataSecurityReqs5-06.pdf

[10] www.hunton.com/privacy-and-information-security-law/arizona-adds-breach-notification-obligation

[11] klinedinstlaw.com/practice/privacy-data-security/arizona

[12] www.azleg.gov/legtext/55leg/2R/summary/H.HB2146_0121722_HOUSEENGROSSED.DOCX.htm

[13] www.wilmerhale.com/en/insights/blogs/wilmerhale-privacy-and-cybersecurity-law/20220222-state-comprehensive-privacy-law-update-february-22-2022

Last Updated August 2025. Written with contributions from both human authors and Perplexity AI. If you find incorrect or outdated information let us know at support@optery.com.