Arizona Biometric Privacy Laws: Collection, Consent & Penalties (2026)

Arizona does not have a standalone biometric privacy law. Unlike Illinois, Texas, and Washington, the state has not enacted legislation that comprehensively regulates how private businesses collect, store, use, or share biometric identifiers such as fingerprints, facial geometry, or iris scans.
What Arizona does have is a breach notification law that includes biometric data in its definition of protected personal information, a student biometric data protection statute, and pending legislative proposals that could expand protections. These existing protections are limited compared to states with dedicated biometric statutes, but they create real obligations for businesses that handle biometric data in Arizona.
This guide explains the current legal framework, what protections exist, where the gaps are, and what proposed legislation could change.
For broader context on Arizona's overall privacy framework, see the parent guide to Arizona Data Privacy Laws.
How Arizona Defines Biometric Data
Arizona's Data Breach Notification Law defines biometric data under ARS 18-551 as "unique biometric data generated from a measurement or analysis of human body characteristics to authenticate an individual when the individual accesses an online account."
This definition is notably narrow. It only covers biometric data used to authenticate access to an online account. Biometric data used for physical access control (such as a fingerprint scanner at a door), timekeeping (fingerprint time clocks), or surveillance (facial recognition cameras) falls outside this statutory definition.
The law requires that the biometric data be paired with an individual's first name (or first initial) and last name to qualify as protected "personal information."

Arizona Data Breach Notification Law (ARS 18-551 and 18-552)
Arizona's primary biometric protection comes from the Data Breach Notification Law, originally enacted in 2006 and significantly amended in 2018 by HB 2154 and again in 2022 by HB 2146. The 2018 amendments added biometric data to the list of specified data elements.
What the Law Requires
Any person that owns, maintains, or licenses unencrypted and unredacted computerized data that includes personal information of Arizona residents must follow these requirements.
Investigation. After discovering a security system breach, the entity must conduct a reasonable investigation to promptly determine if there has been a breach that is reasonably likely to cause substantial harm.
Individual notification within 45 days. If a breach compromises biometric data combined with an individual's name, the entity must notify affected Arizona residents within 45 days after determining that a breach occurred (ARS 18-552).
Attorney General and credit agency notification. If the breach affects more than 1,000 individuals, the entity must notify the Arizona Attorney General and the three largest nationwide consumer reporting agencies in writing.
Department of Homeland Security notification. Under the 2022 amendments, entities must also notify the Arizona Department of Homeland Security when a reportable breach occurs.
Penalties for Non-Compliance
A knowing and willful violation of the notification law is classified as an unlawful practice under ARS 44-1522 (the Arizona Consumer Fraud Act).
The Attorney General may impose civil penalties up to $10,000 per affected individual, or the total amount of economic loss sustained by affected individuals, whichever is less. The maximum civil penalty for a single breach or series of related breaches is capped at $500,000.
The Attorney General may also recover restitution for affected individuals on top of civil penalties.
Only the Attorney General may enforce violations. The statute does not create a private right of action for individuals.
Exemptions
The law includes several important exemptions. Encrypted or redacted data is excluded from the definition of personal information. The notification requirements also do not apply to persons subject to Title V of the Gramm-Leach-Bliley Act or entities that maintain breach notification procedures under HIPAA.
Student Biometric Protections
Arizona has enacted specific protections for student biometric data. The original ARS 15-109 required schools to provide written notice at least 30 days before collecting biometric information from students and mandated written parental consent.
The statute defined "biometric information" broadly as the noninvasive electronic measurement and evaluation of any physical characteristics attributable to a single person, including fingerprint characteristics, eye characteristics, hand characteristics, vocal characteristics, facial characteristics, and any other physical characteristics used for electronic identification.
These student data privacy protections have been updated and consolidated under ARS 15-1046, which establishes broader student data privacy standards including protections for biometric information collected by schools and education technology providers.

What Arizona Law Does Not Cover
Arizona's existing laws leave significant gaps in biometric privacy protection for adults.
No general consent requirement for adults. Outside the school context, Arizona does not require businesses or employers to obtain consent before collecting biometric data from adults. An employer can implement fingerprint time clocks or facial recognition systems without notifying employees or getting their approval.
Narrow online-only definition. The breach notification law only covers biometric data used to authenticate access to online accounts. Biometric data used for physical security, timekeeping, or surveillance falls outside the statute.
No retention or destruction timelines. The state does not mandate specific retention schedules or destruction timelines for biometric data held by private entities.
No restrictions on biometric data sales. Arizona does not prohibit or restrict the sale or sharing of biometric data with third parties under existing law.
No private right of action. There is no state law allowing individuals to sue because a company collected their biometric data without consent or failed to protect it.
Employer Use of Biometric Data in Arizona
Arizona has no state law that restricts employers from collecting biometric data from employees. Companies operating in Arizona that use fingerprint scanners for timekeeping, facial recognition for building access, or other biometric systems are not required by state law to:
- Provide written notice before collecting biometric data
- Obtain employee consent
- Establish data retention or destruction policies
- Limit sharing of employee biometric data with vendors or third parties

This stands in sharp contrast to Illinois, where employers face statutory damages of $1,000 to $5,000 per violation of the Biometric Information Privacy Act.
Employers should still implement reasonable security measures. If a breach occurs that exposes employee biometric data used for online account authentication alongside names, the employer must comply with the 45-day notification requirement or face penalties up to $500,000.
Pending Legislation
Arizona has seen several legislative attempts to expand biometric privacy protections.
SB 1238 (56th Legislature, 1st Regular Session). This bill proposes a comprehensive biometric identifiers law modeled in part on Illinois BIPA. Key provisions would require private entities to develop written retention and destruction policies, obtain written consent before collecting biometric identifiers, prohibit selling or profiting from biometric data, and mandate destruction of data within three years of an individual's last interaction or when the original purpose is fulfilled. As of March 2026, SB 1238 has been introduced but has not been enacted.
HB 2478 (54th Legislature). This earlier bill also proposed regulating biometric identifiers but did not advance into law.
If SB 1238 passes, it would bring Arizona significantly closer to the protections available in Illinois, creating consent requirements, retention limits, and restrictions on commercial use of biometric data.
Federal Protections That Apply in Arizona
Because Arizona lacks a comprehensive biometric privacy law, federal statutes provide additional protections for residents.
Section 5 of the FTC Act allows the Federal Trade Commission to take enforcement action against companies engaged in unfair or deceptive practices involving biometric data.
HIPAA protects biometric data collected or used by covered healthcare entities and their business associates under the Privacy Rule.
COPPA requires parental consent before collecting biometric data from children under 13, enforced by the FTC.
How Arizona Compares to Other States
Arizona falls into a lower tier of states for biometric privacy protection. While the inclusion of biometric data in the breach notification law is meaningful, the narrow online-account-only definition and lack of collection-level protections place it behind more protective states.
- Illinois has the strongest biometric law in the nation (BIPA), with a private right of action and statutory damages of $1,000 to $5,000 per violation
- Texas and Washington have biometric-specific statutes enforced by their attorneys general
- States with comprehensive privacy laws (Colorado, Connecticut, Virginia) classify biometric data as sensitive and require opt-in consent
- Arizona protects biometric data only through a narrowly defined breach notification law and student data privacy standards
This article provides general legal information about Arizona biometric privacy laws. It is not legal advice. Laws and regulations change frequently, and this content may not reflect the most recent developments. Consult a qualified attorney licensed in Arizona for advice about your specific situation.
Sources and References
- ARS 18-551 definitions including biometric data (azleg.gov)
- ARS 18-552 breach notification requirements, enforcement, and civil penalties (azleg.gov)
- Arizona Attorney General data breach notification FAQ (azag.gov)
- Arizona AG data breach notification form (azag.gov)
- HB 2154 (2018) expanding breach notification definitions (azleg.gov)
- HB 2146 (2022) amending breach notification requirements (azleg.gov)
- ARS 15-1046 student data privacy protections (azleg.gov)
- SB 1238 proposed biometric identifiers privacy act (azleg.gov)
- FTC Act Section 5 enforcement authority (ftc.gov)
- HIPAA Privacy Rule (hhs.gov)
- COPPA rule on children online privacy (ftc.gov)