Arizona Data Privacy Laws: Breach Rules & Consumer Rights (2026)

Arizona does not have a comprehensive consumer data privacy statute comparable to the California Consumer Privacy Act or the Virginia Consumer Data Protection Act. Multiple attempts to pass broad privacy legislation, including HB 2790 in 2022, have failed to advance through the Arizona Legislature.
That does not mean Arizona residents lack legal protections. The state enforces a robust data breach notification law, sector-specific privacy statutes covering genetic data and student records, a consumer fraud act that applies to deceptive data practices, and federal frameworks that fill key gaps for healthcare and financial data.
This guide covers every Arizona-specific data privacy protection currently in effect, the obligations businesses face, and the rights residents can exercise when their personal information is compromised.
Arizona Data Breach Notification Law (A.R.S. § 18-552)
The centerpiece of Arizona's data privacy framework is the data breach notification statute found at A.R.S. §§ 18-551 and 18-552. Originally enacted in 2006 and significantly strengthened by HB 2146 in 2022, this law sets clear deadlines and penalties for businesses that experience security breaches involving personal information.

The 2022 amendments added the mandatory 45-day notification timeline, expanded the definition of personal information, and introduced notification requirements to the Arizona Department of Homeland Security.
Who Must Comply
The law applies to any person or entity that conducts business in Arizona and owns, maintains, or licenses unencrypted and unredacted computerized personal information. This includes corporations, partnerships, sole proprietors, government agencies, and nonprofit organizations.
The key phrase is "conducts business in Arizona." A company does not need to be headquartered in the state. Any business that collects or processes the personal data of Arizona residents must comply with the notification requirements if a breach occurs.
What Counts as Personal Information
Under A.R.S. § 18-551, personal information means an individual's first name or first initial and last name combined with one or more of the following specified data elements:
- Social Security number
- Driver's license or non-operating identification license number issued under A.R.S. § 28-3166 or § 28-3165
- Financial account number or credit/debit card number combined with any required security code, access code, or password
- Health insurance identification number
- Medical or mental health treatment information
- Taxpayer identification number or identity protection personal identification number issued by the IRS
- Unique biometric data generated from measurements of a biological characteristic (fingerprint, retina, iris)
- A private key unique to an individual used to authenticate or sign an electronic record
- Passport number
- A username or email address combined with a password or security question and answer that would permit access to an online account
The statute specifies that personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
The 45-Day Notification Timeline
When a person conducting business in Arizona becomes aware of a security incident, they must promptly investigate to determine whether a security system breach has occurred. If the investigation confirms a breach, the person who owns or licenses the data must notify affected individuals within 45 days of that determination.
Notification may be provided in one of three ways:
- Written notice sent to the individual's mailing address
- Telephone notification directly to the affected individual
- Email notice if the individual has previously provided an email address
There is also a substitute notice option available if the cost of standard notification exceeds $50,000, the affected class exceeds 100,000 individuals, or the entity does not have sufficient contact information. Substitute notice requires sending a letter to the Arizona Attorney General demonstrating the necessity and posting notice conspicuously on the entity's website for at least 45 days.
Large Breach Reporting Requirements
If a breach requires notification of more than 1,000 individuals, the entity must also provide written notice to:
- The three largest nationwide consumer reporting agencies (Equifax, Experian, and TransUnion)
- The Arizona Attorney General
- The Director of the Arizona Department of Homeland Security
The notification to the Attorney General must follow the form prescribed by rule or order of the AG, or the entity may provide a copy of the notification sent to affected individuals. All notifications to the Director of the Department of Homeland Security are treated as confidential.
When Notification Is Not Required
A covered entity is not required to send breach notifications if the entity, an independent third-party forensic auditor, or a law enforcement agency determines after a reasonable investigation that the breach has not resulted in and is not reasonably likely to result in substantial economic loss to affected individuals.
Law enforcement may also delay notification if it determines that the notification would impede a criminal investigation. The delay must be requested in writing and lasts only as long as the investigation requires.
Penalties for Violations
A knowing and willful violation of A.R.S. § 18-552 is classified as an unlawful practice under A.R.S. § 44-1522 of the Arizona Consumer Fraud Act. Only the Arizona Attorney General may enforce these violations.
The AG may seek:
- Civil penalties up to $500,000 for knowing and willful violations
- Restitution to affected individuals
- Injunctive relief to prevent ongoing violations
There is no private right of action under the breach notification statute. Individual consumers cannot sue businesses directly for failing to provide timely notification.
HIPAA and GLBA Exemptions
Entities already regulated by certain federal laws are exempt from Arizona's breach notification requirements:
- HIPAA-covered entities: Healthcare providers, health plans, and healthcare clearinghouses subject to the federal Health Insurance Portability and Accountability Act do not need to comply with the state law, provided they follow federal breach notification rules
- GLBA-regulated entities: Financial institutions subject to Title V of the Gramm-Leach-Bliley Act are exempt from the Arizona statute
These exemptions exist because federal law already imposes breach notification requirements on these industries that meet or exceed the state standard.
State Preemption
Arizona's breach notification statute explicitly preempts all municipal and county laws, charters, ordinances, and rules relating to security system breach notification. This means cities like Phoenix, Tucson, and Mesa cannot impose additional local breach notification requirements beyond what the state law mandates.
Reasonable Security Requirements
While Arizona does not have a standalone data security law, A.R.S. § 18-552 imposes a duty on businesses to implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information they handle.
This reasonable security standard is not prescriptive. The statute does not list specific technical controls or security frameworks that businesses must adopt. Instead, it ties the obligation to the nature and sensitivity of the data, the size and complexity of the business, and the cost of available tools to improve security.
Businesses that fail to maintain reasonable security and suffer a breach as a result face enforcement action by the Attorney General, including the civil penalties outlined above.
Arizona Consumer Fraud Act and Data Privacy
The Arizona Consumer Fraud Act (A.R.S. § 44-1522) provides an additional layer of data privacy protection. The law declares it unlawful to employ deception, deceptive or unfair acts, fraud, false pretenses, misrepresentation, or concealment of material facts in connection with the sale or advertisement of merchandise.
This statute has been applied to data privacy violations. The Arizona Attorney General has used it to pursue companies that made false or misleading claims about their data collection and privacy practices. A notable example involved enforcement action against Google over deceptive location tracking practices related to Android phones and user accounts.
The Consumer Fraud Act gives the Attorney General broad authority to investigate and prosecute businesses that:
- Make false claims about how they collect, use, or share personal data
- Fail to disclose material data collection practices to consumers
- Misrepresent the security measures protecting consumer information
- Violate their own published privacy policies
Genetic Information Privacy Act (HB 2069)
Arizona enacted one of the nation's more detailed genetic data privacy laws when HB 2069 took effect on September 29, 2021. The law targets direct-to-consumer genetic testing companies that collect and process DNA, chromosomes, genes, or gene products.
Key Requirements for Testing Companies
Privacy notices. Companies must provide a clear, publicly available privacy notice that describes their data collection, consent, use, access, disclosure, transfer, security, retention, and deletion practices. A high-level privacy policy overview must also be available.
Express consent. Companies must obtain the consumer's express consent before collecting, using, or disclosing genetic data. The consent must clearly describe the intended uses and specify who will have access to test results.
Separate consent for research. If the company wants to use genetic data for research, product development, or sharing with third parties, it must obtain separate opt-in consent beyond the initial testing consent.
Data security. Companies must develop, implement, and maintain a comprehensive security program to protect genetic data against unauthorized access, use, or disclosure.
Law enforcement restrictions. Companies cannot disclose genetic data to law enforcement or government agencies without the consumer's express written consent, unless they receive a valid legal process such as a warrant or court order.
Consumer Rights Under the Genetic Privacy Act
Arizona residents who use direct-to-consumer genetic testing services have the right to:
- Access their genetic data held by the company
- Delete their account and all associated genetic data
- Request destruction of their biological samples
Prohibited Disclosures
The law specifically prohibits genetic testing companies from disclosing consumer genetic data to:
- Health insurance companies
- Life insurance companies
- Long-term care insurance companies
- Employers of the consumer
Enforcement and Penalties
The Attorney General enforces the Genetic Information Privacy Act. Violations can result in civil penalties of up to $2,500 per violation, plus the Attorney General's damages, costs, and attorney fees.
Student Data Privacy Protections
Arizona has enacted specific protections for student data through A.R.S. § 15-1046 and related statutes.
Biometric Data in Schools
Under Arizona law, school district schools and charter schools cannot collect biometric information from a student unless the student's parent or guardian gives written permission. Schools must provide written notice to parents at least 30 days before collecting biometric information.
The definition of student data under Arizona law is broad and includes:
- First and last name, home address, telephone number, and email address
- Discipline records and grades
- Test results and evaluations
- Special education data
- Medical records and health records
- Social Security number
- Biometric information
- Juvenile dependency records
- Socioeconomic information
- Photos, voice recordings, and geographic information
These protections supplement the federal Family Educational Rights and Privacy Act (FERPA), which gives parents rights to access their children's education records and limits disclosure without consent.
Insurance Data Privacy (A.R.S. § 20-2104)
Arizona requires insurers and insurance producers to provide privacy notices to applicants and policyholders under A.R.S. § 20-2104.
Notice Requirements
Insurance companies must deliver a notice of information practices no later than when they deliver the insurance policy or certificate, or when they first collect personal information from a source other than the applicant or public records.
For ongoing relationships, the notice must be provided at least annually during the continuation of the policyholder relationship, with certain exceptions.
Required Content
The privacy notice must disclose:
- Whether personal information may be collected from persons other than the proposed insured
- The types of personal information that may be collected and the sources and investigative techniques used
- A description of consumer rights under A.R.S. §§ 20-2108 and 20-2109 and how to exercise those rights
Insurance privacy notices must comply with the requirements of Section 503 of the federal Gramm-Leach-Bliley Act or include the specific disclosures required by Arizona statute.
Federal Privacy Laws That Apply in Arizona
Because Arizona lacks a comprehensive privacy law, several federal statutes serve as the primary privacy framework for specific sectors.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA protects the privacy of individually identifiable health information held by covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates. Arizona healthcare organizations must comply with HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule.
Gramm-Leach-Bliley Act (GLBA)
Financial institutions operating in Arizona must comply with GLBA, which requires written data protection policies, employee training on data security, and privacy notices to consumers explaining how their financial information is collected, shared, and protected.
Children's Online Privacy Protection Act (COPPA)
Websites and online services directed at children under 13 that operate in or reach Arizona residents must comply with COPPA's parental consent and data minimization requirements.
Family Educational Rights and Privacy Act (FERPA)
FERPA protects student education records at institutions receiving federal funding. Arizona schools, colleges, and universities must comply with FERPA's requirements for access rights and disclosure limitations.
Fair Credit Reporting Act (FCRA)
The FCRA regulates the collection, dissemination, and use of consumer credit information. Consumer reporting agencies, users of credit reports, and furnishers of credit data in Arizona must all comply with FCRA requirements.
How to Report a Data Breach in Arizona
If you are a business or organization that has experienced a data breach affecting Arizona residents, you must follow these steps:
- Investigate promptly to determine whether a security system breach has occurred
- Notify affected individuals within 45 days of determining a breach occurred, using written notice, telephone, or email
- Notify the Attorney General if more than 1,000 individuals are affected, using the AG notification form
- Notify the Director of the Arizona Department of Homeland Security if more than 1,000 individuals are affected
- Notify the three major credit reporting agencies (Equifax, Experian, TransUnion) if more than 1,000 individuals are affected
If You Are a Consumer Affected by a Breach
Arizona residents who believe their personal information has been compromised can:
- File a consumer complaint with the Arizona Attorney General's Office
- Place a fraud alert or credit freeze with the three major credit reporting agencies
- Monitor financial accounts and credit reports for unauthorized activity
- Report identity theft to the Federal Trade Commission at IdentityTheft.gov
The Future of Data Privacy in Arizona
As of March 2026, Arizona remains one of the states without comprehensive consumer data privacy legislation. While 20 states have enacted comprehensive privacy laws, Arizona has not yet followed.
The closest the state came was HB 2790, introduced in February 2022, which would have created a comprehensive Arizona Privacy Act. The bill did not advance past committee before the deadline.
Several factors suggest continued legislative activity:
- Growing national momentum toward state-level privacy laws
- Increasing consumer awareness of data rights
- Pressure from businesses seeking regulatory consistency across states
- The Arizona Attorney General's active enforcement of existing consumer protection laws in data privacy contexts
Until comprehensive legislation passes, Arizona residents rely on the breach notification law, sector-specific statutes, the Consumer Fraud Act, and applicable federal privacy frameworks.
Sources and References
- A.R.S. § 18-552: Notification of Security System Breaches - Arizona State Legislature
- A.R.S. § 18-551: Definitions - Arizona State Legislature
- Data Privacy & Data Breach Reporting - Arizona Attorney General
- Arizona's Data-Breach Notification Law FAQ - Arizona Attorney General
- HB 2146: Data Security Breach Notification Amendments - Arizona State Legislature (2022)
- HB 2069: Genetic Information Privacy Act - Arizona State Legislature (2021)
- A.R.S. § 44-1522: Consumer Fraud Act - Arizona State Legislature
- A.R.S. § 15-1046: Student Data Privacy - Arizona State Legislature
- A.R.S. § 20-2104: Insurance Information Practices - Arizona State Legislature
- Data Breach Notification Form - Arizona Attorney General