Arizona Data Privacy Laws: Breach Rules & Consumer Rights (2026)

Arizona has no comprehensive consumer data privacy law as of 2026, but businesses must notify affected residents of a breach within 45 days under A.R.S. § 18-552, with civil penalties reaching $500,000 for knowing violations. Sector-specific protections cover genetic data, student records, and insurance information.
Arizona does not have a comprehensive consumer data privacy statute comparable to the California Consumer Privacy Act or the Virginia Consumer Data Protection Act. As of May 2026, the state has introduced SB 1815 in the 57th Legislature's second regular session, but no comprehensive privacy bill has passed.
Arizona residents are not without protection. The state enforces a robust data breach notification law with a hard 45-day deadline, sector-specific privacy statutes covering genetic data, student records, and insurance information, a consumer fraud act that the AG has used to bring major enforcement actions, and federal frameworks that fill key gaps for healthcare and financial data.
This guide covers every Arizona-specific data privacy protection currently in force, the obligations businesses face, and the rights residents can exercise when their personal information is compromised. For recording-consent rules in Arizona, see Arizona Recording Laws.
Arizona Data Breach Notification Law (A.R.S. § 18-552)
The centerpiece of Arizona's data privacy framework is the data breach notification statute at A.R.S. §§ 18-551 and 18-552. Originally enacted in 2006, the law was substantially strengthened in 2018, when amendments added the mandatory 45-day notification timeline, expanded the definition of personal information, and required notice to the Attorney General and the consumer reporting agencies for breaches affecting more than 1,000 individuals. HB 2146 (2022) then added the requirement to notify the Arizona Department of Homeland Security. Together these changes set clear deadlines and penalties for businesses that experience security breaches involving personal information.

Who Must Comply
The law applies to any person or entity that conducts business in Arizona and owns, maintains, or licenses unencrypted and unredacted computerized personal information. This includes corporations, partnerships, sole proprietors, government agencies, and nonprofit organizations.
The key phrase is "conducts business in Arizona." A company does not need to be headquartered in the state. Any business that collects or processes the personal data of Arizona residents must comply with the notification requirements if a breach occurs.
What Counts as Personal Information
Under A.R.S. § 18-551, personal information means an individual's first name or first initial and last name combined with one or more of the following specified data elements:
- Social Security number
- Driver's license or non-operating identification license number issued under A.R.S. § 28-3166 or § 28-3165
- Financial account number or credit or debit card number, but only in combination with any required security code, access code, or password that would permit access to the account
- Health insurance identification number
- Medical or mental health treatment information
- Taxpayer identification number or identity protection personal identification number issued by the IRS
- Unique biometric data generated from measurements of a biological characteristic (fingerprint, retina, iris)
- A private key unique to an individual used to authenticate or sign an electronic record
- Passport number
Personal information also includes, on its own and without an accompanying name, a username or email address combined with a password or security question and answer that would permit access to an online account.
The statute specifies that personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. Note also that the notification duty in § 18-552 reaches only unencrypted and unredacted computerized data, so a data inventory should record whether each covered element is stored encrypted.
The 45-Day Notification Timeline
When a person conducting business in Arizona becomes aware of a security incident, they must promptly investigate to determine whether a security system breach has occurred. If the investigation confirms a breach, the person who owns or licenses the data must notify affected individuals within 45 days of that determination.
Notification may be provided in one of three ways:
- Written notice sent to the individual's mailing address
- Telephone notification made directly to the affected individual (not a prerecorded message)
- Email notice if the individual has previously provided an email address
A substitute notice option is available if the cost of standard notification exceeds $50,000, the affected class exceeds 100,000 individuals, or the entity does not have sufficient contact information. Substitute notice requires sending a letter to the Arizona Attorney General demonstrating the necessity and posting notice conspicuously on the entity's website for at least 45 days.
Large Breach Reporting Requirements
If a breach requires notification of more than 1,000 individuals, the entity must also provide written notice to:
- The three largest nationwide consumer reporting agencies (Equifax, Experian, and TransUnion)
- The Arizona Attorney General
- The Director of the Arizona Department of Homeland Security
The notification to the Attorney General must follow the form prescribed by rule or order of the AG, or the entity may provide a copy of the notification sent to affected individuals. All notifications to the Director of the Department of Homeland Security are treated as confidential.
When Notification Is Not Required
A covered entity is not required to send breach notifications if an independent forensic auditor or law enforcement agency determines after a reasonable investigation that the breach has not resulted in and is not reasonably likely to result in substantial economic loss to affected individuals.
Law enforcement may delay notification if it determines that notification would impede a criminal investigation. The delay must be requested in writing and lasts only as long as the investigation requires.
Penalties for Violations
A knowing and willful violation of A.R.S. § 18-552 is classified as an unlawful practice under A.R.S. § 44-1522 of the Arizona Consumer Fraud Act. Only the Arizona Attorney General may enforce these violations.
The AG may seek:
- Civil penalties not to exceed the lesser of $10,000 per affected individual or the total economic loss sustained by affected individuals, with a cap of $500,000 per breach or series of related breaches
- Restitution to affected individuals
- Injunctive relief to prevent ongoing violations
There is no private right of action under the breach notification statute. Individual consumers cannot sue businesses directly for failing to provide timely notification.
HIPAA and GLBA Exemptions
Entities already regulated by certain federal laws are exempt from Arizona's breach notification requirements:
- HIPAA-covered entities: Healthcare providers, health plans, and healthcare clearinghouses subject to the federal Health Insurance Portability and Accountability Act do not need to comply with state law, provided they follow federal breach notification rules
- GLBA-regulated entities: Financial institutions subject to Title V of the Gramm-Leach-Bliley Act are exempt from the Arizona statute
These exemptions exist because federal law already imposes breach notification requirements on these industries that meet or exceed the state standard.
State Preemption
Arizona's breach notification statute explicitly preempts all municipal and county laws, charters, ordinances, and rules relating to security system breach notification. Cities like Phoenix, Tucson, and Mesa cannot impose additional local breach notification requirements.
Reasonable Security Requirements
While Arizona does not have a standalone data security law, A.R.S. § 18-552 imposes a duty on businesses to implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information they handle.
This reasonable security standard is not prescriptive. The statute does not list specific technical controls or security frameworks that businesses must adopt. Instead, it ties the obligation to the nature and sensitivity of the data, the size and complexity of the business, and the cost of available tools to improve security.
Businesses that fail to maintain reasonable security and suffer a breach as a result face enforcement action by the Attorney General.
Arizona Consumer Fraud Act and Data Privacy
The Arizona Consumer Fraud Act (A.R.S. § 44-1522) declares it unlawful to employ deception, deceptive or unfair acts, fraud, false pretenses, misrepresentation, or concealment of material facts in connection with the sale or advertisement of merchandise. The AG has used this statute to bring significant data-privacy enforcement actions.
The Consumer Fraud Act gives the Attorney General authority to investigate and prosecute businesses that:
- Make false claims about how they collect, use, or share personal data
- Fail to disclose material data collection practices to consumers
- Misrepresent the security measures protecting consumer information
- Violate their own published privacy policies

Google Location Tracking Settlement (2022)
In October 2022, then-Arizona Attorney General Mark Brnovich secured an $85 million settlement with Google over deceptive location tracking practices. Arizona's lawsuit followed an investigation showing that Google continued to track the location of Android devices even after users disabled the Location History setting, relying on a separate Web and App Activity setting to access location data for targeted advertising. The $85 million settlement was the largest per-capita privacy settlement of its kind at the time, and was a standalone Arizona recovery separate from the $391.5 million multistate settlement with 40 states announced the following month.
Temu Lawsuit (December 2025)
On December 2, 2025, Arizona Attorney General Kris Mayes filed suit against Temu and its parent company PDD Holdings in Maricopa County Superior Court, alleging violations of the Arizona Consumer Fraud Act. The complaint alleges that the Temu app is designed to harvest sensitive user data without users' knowledge or consent, including precise physical location, microphone and camera access, and private activity in other apps installed on the device, and that the app obscures this behavior behind multiple layers of encryption to evade security review. The lawsuit also alleges deceptive trade practices, including false advertising, misappropriated intellectual property, and a pattern of refusing to participate in consumer arbitration. As of May 2026, the litigation is pending.
Arizona Computer Crimes Act (A.R.S. § 13-2316)
Arizona's computer tampering statute at A.R.S. § 13-2316 prohibits accessing a computer, computer system, or network without authorization with the intent to disrupt, alter, damage, delete, or destroy data or programs, among other conduct. Adjacent sections address unlawful possession of an access device (§ 13-2316.01) and unauthorized release of proprietary or confidential computer security information (§ 13-2316.02).
Violations are felonies, with the class depending on the nature of the conduct; the core tampering offenses are class 3 and class 4 felonies. While the statute addresses anti-hacking conduct rather than consumer privacy directly, it provides criminal liability for unauthorized access to personal data held by businesses and government agencies. Prosecutors have used A.R.S. § 13-2316 in cases involving unauthorized access to databases containing personal information.
Voyeurism and Nonconsensual Intimate Images (A.R.S. § 13-1424)
Arizona's voyeurism statute at A.R.S. § 13-1424 prohibits knowingly invading another person's privacy without their knowledge for the purpose of sexual stimulation. The statute covers photographing or filming a person in a private state and disclosing, displaying, distributing, or publishing such images. Violation is a class 5 felony.
The federal TAKE IT DOWN Act (discussed below) now supplements state voyeurism law by adding criminal penalties for nonconsensual intimate images, including AI-generated deepfakes, and imposing platform removal obligations.
Genetic Information Privacy Act (HB 2069)
Arizona enacted one of the nation's more detailed genetic data privacy laws when HB 2069 took effect on September 29, 2021. The law targets direct-to-consumer genetic testing companies that collect and process DNA, chromosomes, genes, or gene products.
Key Requirements for Testing Companies
Privacy notices. Companies must provide a clear, publicly available privacy notice describing their data collection, consent, use, access, disclosure, transfer, security, retention, and deletion practices. A high-level privacy policy overview must also be available.
Express consent. Companies must obtain the consumer's express consent before collecting, using, or disclosing genetic data. The consent must clearly describe the intended uses and specify who will have access to test results.
Separate consent for research. If the company wants to use genetic data for research, product development, or sharing with third parties, it must obtain separate opt-in consent beyond the initial testing consent.
Data security. Companies must develop, implement, and maintain a comprehensive security program to protect genetic data against unauthorized access, use, or disclosure.
Law enforcement restrictions. Companies cannot disclose genetic data to law enforcement or government agencies without the consumer's express written consent unless they receive a valid legal process such as a warrant or court order.
Consumer Rights Under the Genetic Privacy Act
Arizona residents who use direct-to-consumer genetic testing services have the right to:
- Access their genetic data held by the company
- Delete their account and all associated genetic data
- Request destruction of their biological samples
Prohibited Disclosures
The law specifically prohibits genetic testing companies from disclosing consumer genetic data to:
- Health insurance companies
- Life insurance companies
- Long-term care insurance companies
- Employers of the consumer
Violations can result in civil penalties of up to $2,500 per violation, plus the Attorney General's damages, costs, and attorney fees.
Student Data Privacy Protections
Arizona has enacted specific protections for student data through A.R.S. § 15-1046 and related statutes.
Biometric Data in Schools
Under Arizona law, schools in school districts and charter schools cannot collect biometric information from a student unless the student's parent or guardian gives written permission. Schools must provide written notice to parents at least 30 days before collecting biometric information.
Student data protected under Arizona law includes first and last name, home address, telephone number, email address, discipline records, grades, test results, evaluations, special education data, medical and health records, Social Security number, biometric information, juvenile dependency records, socioeconomic information, photos, voice recordings, and geographic information.
These protections supplement the federal Family Educational Rights and Privacy Act (FERPA), which gives parents rights to access education records and limits disclosure without consent.
Insurance Data Privacy (A.R.S. § 20-2104)
Arizona requires insurers and insurance producers to provide privacy notices to applicants and policyholders under A.R.S. § 20-2104. Insurance companies must deliver a notice of information practices no later than when they deliver the insurance policy or when they first collect personal information from a source other than the applicant or public records.
For ongoing relationships, the notice must be provided at least annually during the continuation of the policyholder relationship. Insurance privacy notices must comply with Section 503 of the federal Gramm-Leach-Bliley Act or include the specific disclosures required by Arizona statute.
Federal Privacy Laws That Apply in Arizona
Because Arizona lacks a comprehensive privacy law, several federal statutes serve as the primary privacy framework for specific sectors.

TAKE IT DOWN Act (May 2025)
The Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act (TAKE IT DOWN Act), Pub. L. 119-12, was signed by President Trump on May 19, 2025. The criminal prohibition on publishing nonconsensual intimate images (NCII), including AI-generated deepfakes, took effect immediately. Platform obligations under Section 3 of the Act, which require covered platforms to implement a notice-and-removal process for NCII requests and to remove flagged content within 48 hours of a valid request, became enforceable on May 19, 2026, when the FTC began active enforcement. Platforms that fail to reasonably comply face FTC enforcement action, with civil penalties of up to $53,088 per violation.
Arizona residents who are victims of nonconsensual intimate image sharing can now submit removal requests directly to covered platforms under the federal framework, supplementing the state voyeurism statute at A.R.S. § 13-1424.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA protects the privacy of individually identifiable health information held by covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates. Arizona healthcare organizations must comply with HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule.
The importance of HIPAA protections for Arizona residents was underscored in June 2025, when AG Mayes joined a 19-state coalition suing the Trump administration over HHS's mass transfer of Medicaid personal health records to the Department of Homeland Security, alleging violations of HIPAA, the Social Security Act, the Privacy Act, and the Administrative Procedure Act.
Gramm-Leach-Bliley Act (GLBA)
Financial institutions operating in Arizona must comply with GLBA, which requires written data protection policies, employee training on data security, and privacy notices to consumers explaining how their financial information is collected, shared, and protected.
Children's Online Privacy Protection Act (COPPA)
Websites and online services directed at children under 13 that operate in or reach Arizona residents must comply with COPPA's parental consent and data minimization requirements.
Family Educational Rights and Privacy Act (FERPA)
FERPA protects student education records at institutions receiving federal funding. Arizona schools, colleges, and universities must comply with FERPA's requirements for access rights and disclosure limitations.
Fair Credit Reporting Act (FCRA)
The FCRA regulates the collection, dissemination, and use of consumer credit information. Consumer reporting agencies, users of credit reports, and furnishers of credit data in Arizona must comply with FCRA requirements.
FTC Act Section 5
The FTC enforces the prohibition on unfair or deceptive acts or practices under Section 5 of the FTC Act (15 U.S.C. § 45). This provides a federal backstop for data privacy violations not covered by sector-specific statutes, including deceptive privacy policies and inadequate data security practices.
American Privacy Rights Act (APRA)
The American Privacy Rights Act was introduced in Congress in 2024 as a bipartisan comprehensive federal privacy bill. It did not pass. A revised version circulated in 2025 under the label APRA 2.0. As of May 2026, no federal comprehensive consumer data privacy law has been enacted. Until one passes, state-by-state rules remain the primary framework for consumer privacy rights.
Pending Arizona Legislation
Arizona has consistently failed to pass comprehensive consumer privacy legislation. The most recent comprehensive attempt was HB 2790, introduced in February 2022, which did not advance past committee.
In the 57th Legislature's second regular session (2026), SB 1815, titled "Personal data; consumers; controllers; requirements," was introduced on February 10, 2026 and received a second Senate reading. The bill has not passed as of May 2026 and no comprehensive privacy law is currently on a path to enactment this session.
Arizona's House passed HB 2861 (social media protections for minors) during the 57th Legislature's first regular session in 2025. That bill, which would require social media platforms to enable high-level privacy protections by default for minor users, moved to the Senate but its final signed status was not confirmed in available legislative records at the time of this update.
The national trend toward state privacy legislation, combined with active AG enforcement under existing consumer fraud authority, suggests continued legislative activity in future sessions.
How to Report a Data Breach in Arizona
If you are a business or organization that has experienced a data breach affecting Arizona residents:
- Investigate promptly to determine whether a security system breach has occurred
- Notify affected individuals within 45 days of determining a breach occurred, using written notice, telephone, or email
- Notify the Attorney General if more than 1,000 individuals are affected, using the AG notification form
- Notify the Director of the Arizona Department of Homeland Security if more than 1,000 individuals are affected
- Notify the three major credit reporting agencies (Equifax, Experian, TransUnion) if more than 1,000 individuals are affected
If You Are a Consumer Affected by a Breach
Arizona residents who believe their personal information has been compromised can:
- File a consumer complaint with the Arizona Attorney General's Office
- Place a fraud alert or credit freeze with the three major credit reporting agencies
- Monitor financial accounts and credit reports for unauthorized activity
- Report identity theft to the Federal Trade Commission at IdentityTheft.gov
Compliance Steps for Arizona Businesses
Arizona businesses that collect personal information should take these practical steps:

Map your data. Know what personal information you hold, where it lives, and who has access to it. The definition of personal information under A.R.S. § 18-551 is specific; make sure your inventory covers all covered categories.
Implement reasonable security. While Arizona does not prescribe specific controls, the AG can bring enforcement action against businesses that suffer a breach due to inadequate security. Aligning with a recognized framework such as the NIST Cybersecurity Framework or CIS Controls provides a defensible baseline.
Prepare an incident response plan. The 45-day notification clock starts on the day you determine a breach occurred. Without a tested plan, that deadline is difficult to meet. Include legal counsel, forensic investigators, and notification vendors in your plan.
Review your privacy policy. The Consumer Fraud Act reaches businesses that violate their own published privacy policies. Ensure your policy accurately describes your data practices.
Check your vendor contracts. Third-party processors that handle personal information on your behalf can trigger your notification obligations if they suffer a breach. Contracts should require prompt notification and specify their security standards.
Know your federal obligations. If you are a HIPAA covered entity, a GLBA financial institution, or a company marketing to children, federal law governs your privacy and breach obligations. These federal requirements supplement, and in many cases replace, Arizona's state breach notification law.
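The breach-reporting procedure above and the "map your data" and "prepare an incident response plan" steps reduce to the same decision logic, which an incident response team can encode in a runbook so that the scope question, the 45-day clock, and the 1,000-individual threshold are not worked out by hand under pressure. The following is an added example written for this page, not code from the page or from any Arizona agency; it implements the A.R.S. § 18-551 definition of personal information and the § 18-552 notification triggers as summarized above. The column labels, the sample inventory, and the decision to treat encrypted data whose key also leaked as in scope are assumptions of the example, not statutory text.

```python
"""Breach-notification triage against A.R.S. 18-551/18-552 as summarised on this page.

Added example, not from the page or any official source. Column labels, the
inventory below and the incident figures are constructed sample input.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# 18-551: a name plus any one of these elements is personal information.
# Column names are assumed labels from our own data inventory.
NAME_COLUMNS = {"first_name", "first_initial", "last_name", "full_name"}
SPECIFIED_ELEMENTS = {
    "ssn", "driver_license_no", "state_id_no", "health_insurance_id",
    "medical_treatment_info", "taxpayer_id", "irs_ip_pin",
    "biometric_template", "private_signing_key", "passport_no",
}
# A financial account or card number counts only together with the code or
# password needed to use it.
FINANCIAL_NUMBERS = {"account_no", "card_no"}
FINANCIAL_SECRETS = {"cvv", "card_pin", "account_password", "access_code"}
# Online-account credentials are personal information on their own, no name needed.
ACCOUNT_IDENTIFIERS = {"username", "email"}
ACCOUNT_SECRETS = {"password", "security_qa"}

NOTICE_DAYS = 45                 # individual notice within 45 days of determining a breach
LARGE_BREACH_THRESHOLD = 1000    # more than 1,000 individuals -> AG, AZDOHS, three CRAs
SUBSTITUTE_NOTICE_COST = 50_000  # substitute notice if cost exceeds $50,000 ...
SUBSTITUTE_NOTICE_CLASS = 100_000  # ... or affected class exceeds 100,000


@dataclass
class Dataset:
    name: str
    columns: set[str]
    encrypted_at_rest: bool = False  # the statute reaches unencrypted/unredacted data
    key_exposed: bool = False        # assumption of this example: leaked key == unencrypted


def has_name(cols: set[str]) -> bool:
    return "full_name" in cols or (
        "last_name" in cols and bool({"first_name", "first_initial"} & cols))


def covered_elements(cols: set[str]) -> list[str]:
    """Reasons a column set is personal information under 18-551; empty if it is not."""
    reasons: list[str] = []
    if has_name(cols):
        reasons += sorted(SPECIFIED_ELEMENTS & cols)
        if FINANCIAL_NUMBERS & cols and FINANCIAL_SECRETS & cols:
            reasons.append("financial_number+secret")
    if ACCOUNT_IDENTIFIERS & cols and ACCOUNT_SECRETS & cols:
        reasons.append("online_account_credentials")
    return reasons


def in_scope(ds: Dataset) -> list[str]:
    """Datasets whose exposure would trigger 18-552: covered elements, effectively unencrypted."""
    if ds.encrypted_at_rest and not ds.key_exposed:
        return []
    return covered_elements(ds.columns)


def scope_report(inventory: list[Dataset]) -> dict[str, list[str]]:
    return {ds.name: reasons for ds in inventory if (reasons := in_scope(ds))}


def notification_plan(determined_on: str, affected: int,
                      notice_cost: int, have_contact_info: bool) -> dict:
    """Who must be notified and by when, from the ISO date the breach was determined."""
    deadline = date.fromisoformat(determined_on) + timedelta(days=NOTICE_DAYS)
    notify = ["affected individuals"]
    if affected > LARGE_BREACH_THRESHOLD:  # strictly more than 1,000
        notify += ["Arizona Attorney General",
                   "Director, Arizona Department of Homeland Security",
                   "Equifax, Experian, TransUnion"]
    return {
        "individual_notice_by": deadline.isoformat(),
        "notify": notify,
        "substitute_notice_allowed": (notice_cost > SUBSTITUTE_NOTICE_COST
                                      or affected > SUBSTITUTE_NOTICE_CLASS
                                      or not have_contact_info),
    }


# Constructed inventory exercising the edge cases in the definition.
INVENTORY = [
    Dataset("crm_contacts", {"first_name", "last_name", "email", "phone"}),   # no element
    Dataset("payroll", {"first_name", "last_name", "ssn", "account_no"}),
    Dataset("payments", {"full_name", "card_no", "cvv"}),
    Dataset("card_tokens", {"full_name", "card_no"}),                         # number, no code
    Dataset("auth_db", {"email", "password"}),                                # no name needed
    Dataset("hr_archive", {"first_name", "last_name", "ssn"}, encrypted_at_rest=True),
    Dataset("backups", {"first_name", "last_name", "passport_no"},
            encrypted_at_rest=True, key_exposed=True),
]

if __name__ == "__main__":
    for name, why in scope_report(INVENTORY).items():
        print(f"in scope: {name:<12} {', '.join(why)}")
    plan = notification_plan("2026-03-02", affected=1500, notice_cost=12_000, have_contact_info=True)
    print(f"individual notice by {plan['individual_notice_by']}; notify {plan['notify']}")
```

Run as a script it lists the four datasets that fall within the statute and the notification plan for a constructed 1,500-person incident. The two checks practitioners most often get wrong are encoded deliberately: a card number without its security code is not personal information, and credentials for an online account are personal information even with no name in the record.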
Frequently Asked Questions
Does Arizona have a comprehensive data privacy law like California or Virginia?
No. As of May 2026, Arizona does not have a comprehensive consumer data privacy law. The state relies on its data breach notification statute (A.R.S. § 18-552), the Consumer Fraud Act, sector-specific laws like the Genetic Information Privacy Act, and applicable federal laws including HIPAA and GLBA. SB 1815, introduced in the 57th Legislature's second regular session in February 2026, has not passed. Multiple earlier attempts, including HB 2790 in 2022, also failed to advance.
How quickly must a business notify me of a data breach in Arizona?
Under A.R.S. § 18-552, businesses must notify affected individuals within 45 days after determining that a security system breach has occurred. Notification must be provided in writing, by telephone, or by email. If the breach affects more than 1,000 Arizona residents, the business must also notify the Arizona Attorney General, the Department of Homeland Security, and the three major credit reporting agencies within the same 45-day window.
Can I sue a company for a data breach in Arizona?
Arizona's breach notification statute does not provide a private right of action. Only the Attorney General can bring enforcement actions under A.R.S. § 18-552, seeking civil penalties up to $500,000 plus restitution. However, consumers may have claims under the Arizona Consumer Fraud Act (A.R.S. § 44-1522) if a business made deceptive claims about its data security practices, or through common law negligence and breach of contract theories.
Are healthcare providers and banks exempt from Arizona's data breach notification law?
Yes. Entities subject to HIPAA (healthcare providers, health plans, healthcare clearinghouses) and entities regulated under Title V of the Gramm-Leach-Bliley Act (financial institutions) are exempt from Arizona's state breach notification requirements. These entities must still comply with their respective federal breach notification and data security obligations, which generally meet or exceed the state standard.
What are my rights regarding genetic testing data in Arizona?
Under Arizona's Genetic Information Privacy Act (HB 2069, effective September 2021), consumers who use direct-to-consumer genetic testing services have the right to access their genetic data, delete their account and genetic data, and request destruction of biological samples. Testing companies cannot share genetic data with health insurers, life insurers, long-term care insurers, or employers. Companies must obtain express consent before collecting or using genetic data and cannot disclose it to law enforcement without a valid legal process.
What is the TAKE IT DOWN Act and does it protect Arizona residents?
The TAKE IT DOWN Act (Pub. L. 119-12, signed May 19, 2025) is a federal law that criminalizes the publication of nonconsensual intimate images, including AI-generated deepfakes. The criminal prohibition took effect immediately on signing. Platform removal obligations under Section 3 of the Act, which require covered platforms to remove flagged content within 48 hours of a valid request, became enforceable on May 19, 2026. The FTC enforces platform compliance. Arizona residents can submit removal requests to covered platforms under the federal framework, in addition to pursuing state remedies under A.R.S. § 13-1424 (voyeurism).
How has the Arizona AG enforced data privacy rules?
Arizona AG Mark Brnovich secured an $85 million settlement with Google in October 2022 over deceptive location tracking practices under the Consumer Fraud Act. AG Kris Mayes filed suit against Temu in December 2025 for alleged unauthorized data harvesting and deceptive trade practices. Mayes also joined a 19-state coalition in June 2025 suing the Trump administration over the mass transfer of Medicaid health records to DHS, alleging HIPAA violations. The AG's office actively accepts consumer data breach complaints and breach notifications from businesses.
Does Arizona have a law against computer hacking?
Yes. A.R.S. § 13-2316 (computer tampering) prohibits unauthorized access to computer systems with intent to disrupt, alter, damage, delete, or destroy data or programs. Violations are felonies, with the class depending on the conduct; the core offenses are class 3 and class 4 felonies. The statute applies to unauthorized access to databases containing personal information and complements the civil enforcement framework under the breach notification and consumer fraud statutes.
Sources and References
- A.R.S. § 18-552: Notification of Security System Breaches (azleg.gov)
- A.R.S. § 18-551: Definitions (azleg.gov)
- Data Privacy and Data Breach Reporting (azag.gov)
- Arizona Data-Breach Notification Law FAQ (azag.gov)
- HB 2146: Data Security Breach Notification Amendments (2022) (azleg.gov)
- HB 2069: Genetic Information Privacy Act (2021) (azleg.gov)
- A.R.S. § 44-1522: Consumer Fraud Act (azleg.gov)
- A.R.S. § 15-1046: Student Data Privacy (azleg.gov)
- A.R.S. § 20-2104: Insurance Information Practices (azleg.gov)
- Data Breach Notification Form (azag.gov)
- A.R.S. § 13-2316: Computer Tampering (azleg.gov)
- A.R.S. § 13-1424: Voyeurism (azleg.gov)
- Attorney General Mayes Sues Temu for Stealing Arizonans' Data (December 2025) (azag.gov)
- AG Brnovich: $85 Million Settlement with Google (2022) (azag.gov)
- AG Mayes Sues Trump Administration Over Medicaid Health Data Transfer (2025) (azag.gov)
- TAKE IT DOWN Act (Pub. L. 119-12), FTC Legal Library (ftc.gov)
- FTC Begins Enforcing the TAKE IT DOWN Act (May 2026) (ftc.gov)
- TAKE IT DOWN Act: Congressional Research Service Summary (congress.gov)