Why This Privacy Law is Important: Although more narrow than the CCPA, HB 2729 shows that Arizona, like many other states, has an interest in passing privacy legislation.
Overview/Status of Bill: Similar to CCPA, HB 2729 would give Arizona residents additional rights and control over how their personal data is being collected and used. Under HB 2729 Arizona residents would be able to request what personal data has been collected and receive a copy of that data. Residents may also ask that companies correct or delete their personal data.
Need to Know Information:
- Who it Applies To: Any company that has a gross annual revenue of more than $25 million that conducts business in Arizona, controls or processes data of at least 100,000 consumers, derives at least 35% of gross revenue from the sale of personal information or processes, or controls personal information of at least 25,000 consumers.
- What is Covered: Information that can be reasonably linked to an identifiable natural person and does not include de-identified data or publicly available information. HB 2729 also includes “sensitive data” such as race, ethnicity, religion, health conditions, sexual orientation, biometric data, geolocation data and the personal data of children.
- How to Comply: If a consumer submits a verified request an organization must notify the consumer whether or not any personal data has been collected and provide them a copy. Organizations must also disclose at the point of collection what personal data will be collected and how it will be used. HB2729 also requires that organizations correct and or delete data upon request.
- Potential Penalties: Unlike CCPA HB 2729 does not include private right of action. Enforcement will be handled by the state attorney general which may impose fines up to $2,500 for violations and $7,500 for intentional violations. HB 2729 also calls for allocating fault amongst collectors and processors through the principles of comparative fault.