Polsinelli PC


What law(s) specifically govern personal data / information?

Commercial Electronic Mail Law of 2003

House Bill 2498

Arizona’s breach notification law under §18-552 of the Arizona Revised Statutes and House Bill 2146 (Breach Notification Law)

A.R.S. § 44-1373

Arizona Genetic Information Privacy Law (H.S. 2069)


What are the key data protection principles in this jurisdiction?

Arizona’s Commercial Electronic Mail Law of 2003 regulates sending unsolicited commercial emails and defines target communications, outlines procedures for recipients to decline further messages, prohibits the sale or transfer of email addresses, requires marking affected emails as advertisements, and requires accuracy of information in the message.

In 2023, Arizona passed House Bill 2498, which prohibits telemarketers from calling or texting numbers on the federal government's do-not-call list.

Arizona’s Breach Notification Law requires businesses to notify affected Arizona residents of a data breach. If a breach requires notification to more than 1,000 individuals, businesses are required to notify the Arizona Attorney General, the Arizona Department of Homeland Security, and the three largest nationwide consumer reporting agencies.

A.R.S. § 44-1373 prohibits the following activities with respect to an individual’s Social Security number (SSN):

  • Communicating an individual’s SSN or otherwise making it available to the general public;
  • Printing an individual’s SSN or any sequence of more than five numbers that are reasonably identifiable as being part of an individual’s SSN on any card required for the individual to receive products or services;
  • Requiring the transmission of an individual’s SSN over the Internet unless the connection is secure or the SSN is encrypted;
  • Requiring the use of an individual’s SSN to access a website, unless a password or unique identification is also required to access the website; or
  • Printing an individual’s SSN or any sequence of more than five numbers that are reasonably identifiable as being part of an individual’s SSN on any materials that are mailed to the individual, unless state or federal law requires the SSN to be on the document.

Arizona’s Genetic Information Privacy Act requires direct-to-consumer genetic testing companies to provide detailed privacy notices and to obtain consent before processing genetic data.


What is the supervisory authority / regulator in charge of data protection?

Arizona Attorney General.


Is there a requirement to register with a supervisory authority / regulator?

No requirement to register with a supervisory authority / regulator.


Is there a requirement to notify the supervisory authority / regulator?

There is no general requirement to notify, but data breaches are required to be reported as set forth above.


Is it possible to register with / notify the supervisory authority / regulator online?

Yes, companies can notify the Arizona Attorney General of a data breach using an online form at https://www.azag.gov/consumer/data-breach/notification-form.


What are the key data subject rights under the data protection laws of this jurisdiction?

Arizona does not currently have a comprehensive data protection law in effect, so Arizona data subjects do not have any additional rights beyond those afforded to them in the laws described above.


Does your jurisdiction specifically restrict the transfer of personal data out of the jurisdiction? If so, please provide an overview of the restrictions and what transfer tools / mechanisms can be utilised to allow a lawful transfer of personal data.

No restrictions apply.

Do the data protection laws in this jurisdiction have 'extra-territorial effect' (i.e. do they apply to organisations outside this jurisdiction)?

Yes, if businesses are doing business in the state and collecting or otherwise using personal data of Arizona residents, they will be subject to the above laws relating to the use of that data.

Does your jurisdiction require a data protection officer (or equivalent) being appointed? If so, in what circumstances?

No, there is no requirement to appoint a data protection officer.

Does your jurisdiction have specific circumstances where a data protection impact assessment is required?

No, data protection / privacy impact assessments do not need to be carried out.

Does your jurisdiction have any specific data breach notification requirements? If so, please provide further details (for example, who needs to be notified (the supervisory authority / regulator and/or the data subject) and what is the time frame for doing so).

Yes, please see above.

Does your jurisdiction have any rules specifically dealing with marketing (including electronic marketing via emails and text messages)?

See details regarding the Commercial Electronic Mail Law of 2003 and House Bill 2498 above.

Do different rules apply to business-to-business and business-to-consumer marketing?

No, they do not.

Does your jurisdiction have any rules specifically dealing with cookies? If so, please provide further details (for example, is there a need to differentiate between the types of cookies used).

None.


What are the consequences of non-compliance with data protection laws (including marketing laws) within your jurisdiction? Please provide an overview of the level of fines that may be imposed by a supervisory authority / regulator.

Penalties for violating the Commercial Electronic Mail Law of 2003 include statutory damages of USD$10 for each unsolicited email up to USD$25,000.

A knowing and willful violation of the Breach Notification Law is considered an unlawful practice, and the Attorney General may impose a civil penalty for a violation not exceeding the lesser of USD$10,000 per affected individual or the total amount of economic loss sustained by affected individuals. However, the maximum civil penalty for a breach or series of related breaches may not exceed USD$500,000. The Attorney General is also not prevented from recovering restitution for affected individuals.

A person or entity that violates A.R.S. § 44-1373 is subject to a civil penalty of up to USD$500 for each violation.


In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction, without being located there?

Businesses that collect personal data of Arizona residents (even without being located there) should understand the legal requirements under Arizona law to ensure compliance.


What upcoming data protection developments should multinational organisations be aware of?

None at this time.


Need more information?
Contact a member firm:
Greg Leighton
Polsinelli PC
USA - Arizona


Bari Rascoe
Polsinelli PC
USA - Arizona