
Global Data Privacy Guide

USA, Arizona

(United States) Firm Snell & Wilmer Updated 07 Aug 2025
1. What is the key legislation?

Arizona's key legislation for data breaches is found in A.R.S. § 18-552. These statutes establish the requirements for breach notification, investigation, mitigation, and cooperation with Arizona regulators. In addition, A.R.S. § 18-551 defines key terms such as "breach", "security incident", and "encrypt."

2. What are the key decisions applying that legislation?

Arizona courts have not issued significant guidance interpreting Arizona’s data breach legislation. However, some Arizona courts have reiterated the statutory terms. See, e.g., In re FCC Adopts Updated Data Breach Notification Rules to Protect Consumers, 38 FCC Rcd. 12523, 12553 n.150 (2023) (citing Ariz. Rev. Stat. Ann. §§ 18-551 to -552 for statutory definitions and the risk-of-harm carveout).

In addition, the Arizona Attorney General publishes an “FAQ” on Arizona’s Data-Breach Notification Law. See link: https://www.azag.gov/consumer/data-breach/faq?utm_source=chatgpt.com  

1. How are “personal data” and “sensitive data” defined?

Pursuant to A.R.S. § 18-551(7), in Arizona "personal information" means any of the following:
(i) An individual's first name or first initial and last name in combination with one or more specified data elements.
(ii) An individual's user name or e-mail address, in combination with a password or security question and answer, that allows access to an online account.

Specified data elements include:
(a) An individual's social security number.
(b) The number on an individual's driver license issued pursuant to section 28-3166 or nonoperating identification license issued pursuant to section 28-3165.
(c) A private key that is unique to an individual and that is used to authenticate or sign an electronic record.
(d) An individual's financial account number or credit or debit card number in combination with any required security code, access code or password that would allow access to the individual's financial account.
(e) An individual's health insurance identification number.
(f) Information about an individual's medical or mental health treatment or diagnosis by a health care professional.
(g) An individual's passport number.
(h) An individual's taxpayer identification number or an identity protection personal identification number issued by the United States internal revenue service.
(i) Unique biometric data generated from a measurement or analysis of human body characteristics to authenticate an individual when the individual accesses an online account.

"Sensitive data" is undefined by Arizona data breach statutes.

2. How is the defined data protected?

A.R.S. § 18-552 protects personal information by requiring notification to affected individuals following a security system breach of unencrypted or unredacted data. In certain circumstances, notification must also be provided to the Arizona Attorney General's office and to the three largest nationwide consumer reporting agencies.

3. Who is subject to privacy obligations?

Covered entities under A.R.S. § 18-552(A) include any "person" who conducts business in Arizona and owns, maintains, or licenses unencrypted and unredacted computerized personal information.

“Person” means a natural person, corporation, business trust, estate, trust, partnership, association, joint venture, government or governmental subdivision or agency or any other legal or commercial entity. It does not include the department of public safety, a county sheriff's department, a municipal police department, a prosecution agency or a court.

Entities covered by HIPAA or GLBA Title V are exempt from the notification obligations (A.R.S. § 18-552(N)).

4. How is “data processing” defined?

“Data processing” is undefined by Arizona data breach statutes. 

5. What are the principles applicable to personal data processing?

There are no principles applicable to personal data processing outlined in Arizona’s data breach statutes. 

6. How is the processing of personal data regulated?

The processing of personal information is not broadly regulated in Arizona’s data breach statutes.

7. How are storage, security and retention of personal data regulated?

Storage, security and retention of personal data are not addressed in A.R.S. §§ 18-551 to -552; there are no statutory standards on data retention or security measures beyond investigation and notification following a breach.

However, there is safe-harbor recognition:
•    If data is encrypted or redacted, the statute does not apply (A.R.S. § 18-552(A))
•    Entities with internal breach-notification policies, or that comply with federal regulators' guidelines, are deemed compliant with the notification rules (A.R.S. § 18-552(H)–(I))

8. What are the data subjects' rights under the data legislation?

A.R.S. § 18-552 only governs notification obligations by entities suffering a data breach, and only the Attorney General may enforce the statute. No private right of action exists.

9. What are the consent requirements for data subjects?

None: the breach notification scheme does not require seeking consent before collection, processing, or breach response.

10. How is authorization for use of data handled?

Authorization for use of general data is not mentioned in the Arizona data breach statutes. 

11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?

No, in Arizona cross-border data transfers are not regulated.

12. How are data "incidents" and "breaches" defined?

A "security incident" (defined in A.R.S. § 18-551(10)) means an event that creates reasonable suspicion that a person's information systems or computerized data may have been compromised or that measures put in place to protect the person's information systems or computerized data may have failed.

"Breach" or "security system breach" is defined in A.R.S. § 18-551(1):
(a) Means an unauthorized acquisition of and unauthorized access that materially compromises the security or confidentiality of unencrypted and unredacted computerized personal information maintained as part of a database of personal information regarding multiple individuals.
(b) Does not include a good faith acquisition of personal information by a person's employee or agent for the purposes of the person if the personal information is not used for a purpose unrelated to the person and is not subject to further unauthorized disclosure.

13. Are there any notification requirements for incidents and/or data breaches?

Yes. Arizona data breach statutes require:

•    Covered persons must investigate promptly upon awareness of an incident (§ 18-552(A))
•    If a breach is determined, they must notify affected individuals within 45 days (§ 18-552(B)(1))
•    If more than 1,000 Arizona residents are affected, they must also notify:
     •    The three largest national credit reporting agencies
     •    The Arizona Attorney General and the Arizona Department of Homeland Security, in the prescribed form or by a copy of the notice (§ 18-552(B)(2))

The content of the notifications is also governed by § 18-552(E), and the notices must include:
•    Approximate breach date
•    Description of data types exposed
•    Contact info for consumer reporting agencies
•    FTC or federal identity-theft assistance agency info

The following delivery methods are allowable, as outlined in A.R.S. § 18-552(F):

1.    Written notice.
2.    An email notice if the person has email addresses for the individuals who are subject to the notice.
3.    Telephonic notice, if telephonic contact is made directly with the affected individuals and is not through a prerecorded message.
4.    Substitute notice if the person demonstrates that the cost of providing notice pursuant to paragraph 1, 2 or 3 of this subsection would exceed $50,000, that the affected class of subject individuals to be notified exceeds one hundred thousand individuals or that the person does not have sufficient contact information. Substitute notice consists of all of the following:
(a) A written letter to the attorney general that demonstrates the facts necessary for substitute notice.
(b) Conspicuous posting of the notice for at least forty-five days on the website of the person if the person maintains one.

14. Who is/are the privacy regulator(s)?

The Attorney General of Arizona is the sole privacy regulator and enforcement authority under the state breach notification statute. Only the Arizona Attorney General may enforce violations and pursue penalties under A.R.S. § 18-552(L)–(M).

15. What are the consequences of a data breach?

The consequences of a data breach under Arizona law include mandatory notification obligations, potential civil penalties, and restitution for affected individuals, with certain exceptions and compliance alternatives available under specific circumstances.

More specifically, under Arizona law, when a data breach occurs, the impacted entity must promptly investigate to determine whether a breach has in fact occurred. If it is determined that a breach involving personal information has happened, the entity must notify affected Arizona residents within 45 days. For breaches affecting more than 1,000 residents, the entity must also notify the Arizona Attorney General, the Arizona Department of Homeland Security, and the three largest nationwide consumer reporting agencies. 

Notification may be delayed if a law enforcement agency advises that notice would impede an investigation, but once that concern no longer exists, the 45-day clock resumes. Only the Arizona Attorney General is authorized to enforce the statute. 

Civil penalties for noncompliance may be assessed at up to $10,000 per affected individual or the amount of economic loss, with a maximum penalty of $500,000 for a series of related breaches. The Attorney General may also seek restitution on behalf of affected individuals.

16. How is electronic marketing regulated?

Electronic marketing in Arizona is regulated under A.R.S. § 44-1372.01, which establishes specific prohibitions and requirements for commercial electronic mail messages. 

The statute applies to any person conducting business in Arizona and includes restrictions on sending commercial electronic mail messages from a computer located in Arizona, to an email address held by a resident of Arizona, or to an interactive computer service with equipment or a principal place of business in Arizona. Non-compliance with these provisions is considered an unlawful practice under A.R.S. § 44-1522, and the Arizona Attorney General is authorized to investigate and take appropriate enforcement actions (A.R.S. § 44-1372.01).

17. Are there sector-specific or industry-specific privacy requirements?

While Arizona has no state sector-specific or industry-specific privacy law, specific sectors in Arizona are governed by federal statutes:
•    HIPAA (healthcare)
•    GLBA (financial institutions)
•    FERPA (educational records)
•    COPPA (children’s online data)

18. What are the requirements for appointing Data Protection Officers or similar roles?

Arizona law contains no requirement to appoint a Data Protection Officer or similar role.

19. What are the record-keeping and documentation obligations?

Arizona does not impose broad record-keeping or documentation obligations under A.R.S. §§ 18-551 to -552; the statutes only mandate internal investigation and breach determination procedures.

20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?

There is no statutory requirement in Arizona for conducting DPIAs or similar assessments.

21. What are the requirements for third-party vendor management and data sharing?

If a third party maintains unencrypted and unredacted computerized personal information under an agreement with the owner or licensee, it must notify the owner or licensee of any security system breach as soon as practicable. The third party must also cooperate with the owner or licensee by sharing information relevant to the breach. However, the third party is not required to notify affected Arizona residents unless the agreement specifies otherwise. See A.R.S. § 18-552(C).

22. What are the penalties and enforcement mechanisms for non-compliance?

Under Arizona's data breach laws, the enforcement mechanism is primarily through the state attorney general. The attorney general has the authority to bring an action against entities for willful and knowing violations of the data breach notification statute. Penalties for non-compliance include actual damages for affected individuals and civil penalties. The civil penalty is capped at $10,000 per affected individual or the total amount of economic loss sustained by affected individuals, with a maximum limit of $500,000 for a breach or series of related breaches. Additionally, the attorney general may recover restitution for affected individuals. See Ariz. Rev. Stat. § 18-552.

Notably, the Arizona data breach statute also specifies that the penalties are applicable for violations that involve unauthorized acquisition or access that materially compromise the security or confidentiality of unencrypted and unredacted computerized personal information. However, good faith acquisition of personal information by an employee or agent for legitimate purposes, without further unauthorized disclosure, is excluded from the definition of a breach.

23. What are the ongoing compliance and audit requirements?

Arizona does not have mandated ongoing compliance, audits, or reporting obligations for personal data beyond breach events.

24. Are there any recent developments or expected reforms?

No comprehensive privacy legislation has been enacted in Arizona to date. Moreover, there are no actively pending state-level bills targeting broad data protection akin to the CCPA/CPRA. Thus, Arizona currently remains limited to its breach-focused statutes.
