Editor's Note: This article was originally published on the Maurice Wutscher blog and is republished here with permission.
Consumer data privacy appears to be on the minds of legislators in Arizona this session. As previously mentioned, House Concurrent Resolution 2013 was introduced in Arizona on Jan. 10, 2020, by five Republicans and one Democrat declaring:
- That the Members of the Legislature oppose the enactment of laws, the adoption of regulations or the imposition of out-of-state standards that would restrict or otherwise dictate standards related to consumer data privacy, absent a clear nexus with consumer harm.
- That the Members of the Legislature believe a single federal standard for comprehensive consumer data privacy regulation is preferable to a state-by-state approach.
Not surprisingly, that sentiment was not universally shared and SB 1614 was introduced on Feb. 5, 2020, by 13 Democrats. The legislation is CCPA Lite, providing consumers the right to know, delete and opt-out of the sale of information. The legislation would apply to a for-profit business that “does business in Arizona” and:
- Has annual gross revenue in excess of $15 million;
- Buys, receives, sells or shares the personal information of 50,000 or more consumers; or
- Derives 50% or more of its annual revenue from the sale of consumers’ personal information.
Unlike the CCPA and legislation pending in other states, the bill does not provide any GLBA, HIPAA or FCRA exemptions.
In the event of a breach due to the failure to maintain reasonable security measures, a consumer may file suit for statutory damages of $100 to $750 per consumer per incident, or actual damages. A 30-day notice and opportunity to cure provision is included but only applies to an action for statutory damages and does not apply if the action is for “actual pecuniary damages.” The attorney general would be authorized to seek civil penalties up to $7,500 per violation.
HB 2729 was introduced on Feb. 10, 2020, by 12 Democrats and one Republican, the Republican being the Chair of the House Committee on Technology. The applicability of the legislation includes a little GDPR flavoring in that it primarily governs the conduct of “controllers” and “processors.” Controllers are “natural or legal persons that, alone or jointly with others, determines the purposes and means of processing personal data.” Processors are “natural or legal person that processes personal data on behalf of the controller.” It would apply to:
A legal entity with annual gross revenue of at least $25 million that conducts business in [Arizona] or produces products or services that are intentionally targeted to residents of [Arizona] and that satisfies either of the following thresholds:
- Controls or processes data of at least 100,000 consumers.
- Derives over 35% of gross revenue from the sale of personal information and processes or controls personal information of at least 25,000 consumers.
Consumers would have the right to know, delete and correct their personal data. The bill does not provide consumers an opt-out of the sale of their personal information. Instead, consumers would have the right to object to the processing of their personal data. “Processing” is defined as “collecting, using, storing, disclosing, analyzing, deleting or modifying personal data.”
If the objection relates to processing for the purpose of targeted advertising, the controller must cease such processing and communicate the objection “unless it proves impossible or involves disproportionate effort . . .” If the objection to processing is for any other reason, the processing can continue “if the controller can demonstrate a legitimate ground to process that personal data that overrides the potential risks to the rights of the consumer . . .”
The legislation exempts “data sets” regulated by HIPAA and GLBA and “businesses and activities” covered by the FCRA.
There would be no private right of action. Civil penalties may be sought by the Attorney General in the amount of $2,500 per violation, or $7,500 per intentional violation. Interestingly, the bill specifically provides that if more than one controller and/or processor commit the violation, “liability shall be allocated among the parties according to principles of comparative fault, unless such liability is otherwise allocated by contract among the parties.”
The same sponsors introduced HB 2728 governing the use of biometric data. The legislation requires notice and consent to “enroll” a consumer’s “biometric identifier in a database for a commercial purpose.”
Excluded are “activities” subject to HIPAA and “a financial institution or an affiliate of a financial institution” subject to the GLBA. If only that GLBA exemption had been used in HB 2729.