Official Summary Text
HB2311 - 572R - Senate Fact Sheet
Assigned to ATT
AS PASSED BY ADD COW
ARIZONA STATE SENATE
Fifty-Seventh Legislature, Second Regular Session
AMENDED #2
FACT SHEET FOR H.B. 2311
artificial intelligence service; disclosures; requirements
Purpose
Effective October 1, 2027, prescribes requirements and prohibitions that an operator of a
publicly available conversational artificial intelligence (AI) service must
comply with, including requirements relating to the use of a conversational AI
service by minor account holders.
Background
The federal National Artificial Intelligence Initiative Act of 2020 (Act) codified the
establishment of a national AI initiative and associated federal offices and
committees. The Act directed the Secretary of Commerce, in coordination with
other federal agencies, including the National Institute of Standards and
Technology, the Department of Energy and the Department of Homeland Security,
to establish guidelines and best practices for developing safe, secure and
trustworthy AI systems, with the aim of promoting consensus industry standards.
Artificial Intelligence is a machine-based system that can, for a given
set of human-defined objectives, make predictions, recommendations or decisions
influencing real or virtual environments. AI systems use machine and
human-based inputs to: 1) perceive real and virtual environments; 2) abstract
such perceptions into models through analysis in an automated manner; and 3)
use model inference to formulate options for information or action (15
U.S.C. § 9401 et seq).
There is no anticipated fiscal impact to the state General Fund
associated with this legislation.
Provisions
1. Requires each operator of a publicly available conversational AI service
to clearly and conspicuously disclose to each account holder that the account
holder is interacting with a conversational AI service by use of a persistent
visible disclaimer or a disclaimer at the beginning of each session and
appearing at least every three hours during a continuous interaction with the
AI service.
2. Prohibits an operator from providing an account holder with points or
similar rewards at unpredictable intervals with the intent to encourage
increased engagement with the conversational AI service, if the operator knows
that the account holder is a minor.
3. Requires each operator to institute reasonable measures to prevent a conversational AI
service from performing certain actions for account holders, including:
a) producing visual material of sexual conduct;
b) generating direct statements that the account holder should engage in
sexual conduct; and
c) generating statements that sexually objectify the account holder.
4. Requires an operator to institute, for minor account holders, reasonable measures to
prevent a conversational AI service from generating statements that would lead
a reasonable person to believe that the person is interacting with a human,
including:
a) explicit claims that the conversational AI service is sentient or human;
b) statements that simulate emotional dependence;
c) statements that simulate romantic or sexual innuendos; and
d) role-playing of adult-minor romantic relationships.
5. Requires each operator to offer tools to manage the account holder's privacy and account
settings for minor account holders and the minor's parent or guardian, if the
minor is under 13 years old or as appropriate based on relevant risks.
6. Specifies that the tools for managing a minor account holder's privacy and account
settings may be local to a device or the account and may not require a digital
identification system.
7. Instructs each operator to adopt a protocol for a conversational AI service to respond to
an account holder's prompt regarding suicidal ideation or self-harm, including
reasonable efforts to provide a response that refers the account holder to
crisis service providers.
8. Requires an operator to institute reasonable measures to prevent the conversational AI
service from generating statements that encourage, glorify or instruct an
account holder to commit suicide or self-harm.
9. Prohibits an operator from knowingly and intentionally causing or programming a
conversational AI service to make any representation or statement that
explicitly indicates that the AI service is designed to provide
professional mental or behavioral health care.
10. Prohibits an operator from conditioning
access to a conversational AI service on the use of a digital identification
system for age verification, unless expressly required by federal law.
11. Stipulates that an operator
must provide a privacy-preserving alternative that provides equivalent access
to the conversational AI service if the operator voluntarily offers a digital
identification system.
12. Limits an age assurance
method to collecting only the minimum amount of data that is reasonably
necessary.
13. Prohibits data collected by
an age assurance method from being repurposed for advertising, profiling or
unrelated analytics.
14. Requires data collected by
an age assurance method to be deleted or irreversibly de-identified after the
compliance purpose is satisfied.
15. Specifies that the outlined
requirements relating to digital identification systems and age assurance
methods do not require an operator to mandate account creation or prohibit
anonymous or pseudonymous use.
16. Requires an operator to implement
reasonable safeguards that protect personal and age-related data that is
collected for compliance with the prescribed conversational AI service requirements
and to provide a security system breach notification when prescribed
requirements necessitate such notification.
17. Prohibits any data that is collected solely for compliance with the conversational AI service
requirements from being used, sold or shared for targeted advertising,
behavioral profiling or any secondary monetization.
18. Prohibits a government entity from compelling an operator to disclose personal or
age-related data that is collected solely to comply with the conversational AI
service requirements, unless a warrant is issued for the data by a court of
competent jurisdiction on a showing of probable cause.
19. Requires an operator that receives a warrant from a government entity to notify the
affected account holder within 72 hours after the disclosure, unless a court
order specifically prohibits the notification.
20. Prohibits an operator from transferring, licensing or making available to a government
entity any data, model, analytics or profile that is derived from compliance
with the conversational AI service requirements, whether directly or through a
third-party intermediary, unless required by a warrant as outlined.
21. Instructs each operator, by April 1 of each year, to:
a) certify in writing, under penalty of perjury, that all collected
personal or age-related data is destroyed or irreversibly de-identified after
compliance with the conversational AI service requirements is satisfied; and
b) publish a publicly accessible, aggregate report that identifies any age-assurance
methods the operator uses, states whether a digital identification system is
offered and states any available alternative methods.
22. Subjects an operator who violates the outlined conversational AI service requirements
and prohibitions to an injunction and liability for the greater of actual
damages or civil penalties of $1,000 per violation, up to $500,000 per
operator.
23. Specifies that a violation of the outlined AI requirements and prohibitions is punishable
by a civil penalty only to be sought by the Attorney General.
24. Specifies that the outlined conversational AI requirements and prohibitions do not create
a private right of action for enforcement or for support of a private right of
action under any other law.
25. Prohibits the Attorney General from adopting any rule, guidance or enforcement action or
entering into a settlement agreement that expands a conversational AI service
requirement beyond the requirements that are expressly prescribed, including an
identity verification or bulk data reporting requirement.
26. Excludes a developer of an AI model from liability for a violation of the outlined AI
requirements and prohibitions by a conversational AI service that is made
available to the public by a third-party operator.
27. Requires the conversational AI service requirements to be construed in the least
intrusive manner that is consistent with the right to privacy as prescribed by
the Arizona Constitution.
28. Prohibits the conversational
AI service requirements from being used to implement a system that tracks any of
an account holder's online activity.
29. Specifies that the prescribed conversational AI service requirements:
a) do not authorize the regulation of lawful political, religious or other
protected speech;
b) may not be cited or used as a predicate or justification to require
digital identification for general internet access, device access or online
activity that is unrelated to a conversational AI service;
c) may not be construed to require or authorize an operating system
provider, application store, internet service provider or device manufacturer
to implement an age-assurance method or identity authentication at the device,
operating system or network level on behalf of an operator; and
d) may not be cited or used to create or enforce a social scoring system,
social credit system, or any system that rates, ranks or restricts access to a
service based on an individual's behavior, expressions or associations, regardless
of whether such behaviors, expressions or associations relate to a
conversational AI service.
30. Defines terms.
31. Becomes effective on October 1, 2027.
Amendments Adopted by Additional Committee of the Whole
1. Requires each operator of a conversational AI service to clearly and conspicuously
disclose to each account holder, rather than only to minor account holders,
that the person is interacting with a conversational AI service as outlined.
2. Specifies that the tools for managing a minor account holder's privacy and account
settings may be local to the device or account and do not require a digital
identification system.
3. Modifies the list of reasonable measures that an operator must implement for a
conversational AI service by including measures that prevent the conversational
AI service from generating statements that encourage, glorify or instruct an
account holder to commit suicide or self-harm.
4. Outlines requirements and prohibitions on the use of digital identification systems and
age assurance methods relating to compliance with the conversational AI service
requirements, including requirements relating to data collection and retention,
privacy and reporting.
5. Prohibits age assurance or digital identification data collected solely for compliance
with the conversational AI service requirements from being used, sold or shared
for specified purposes.
6. Prohibits an operator from transferring, licensing or making available certain
information derived from compliance with the conversational AI service
requirements to a government entity, unless a warrant for the information is
issued as prescribed.
7. Prohibits the Attorney General from expanding any conversational AI service requirement
beyond the requirements that are expressly prescribed.
8. Specifies that the outlined conversational AI service requirements:
a) do not authorize the regulation of lawful political, religious or other
protected speech; and
b) may not be construed to authorize or require certain providers, manufacturers or
application stores to implement an age-assurance method or identity
authentication on behalf of an operator.
9. Requires the conversational AI service requirements to be construed in
the least intrusive manner as outlined.
10. Prohibits the conversational AI service requirements from being cited as a predicate for
requiring digital identification for general internet access, device access, or
online activity that does not relate to a conversational AI service.
11. Modifies the definition of conversational AI service by excluding applications,
web interfaces and computer programs that:
a) incorporate, rather than function as, a speaker and voice command
interface or text interface and act as a text-activated or voice-activated
virtual assistant for a consumer electronic device; and
b) are used by state or local government agencies solely for customer service or to
strictly provide users with information about available services or products that
are provided by the agency, customer service account information or other
information that is strictly related to the agency's customer service.
12. Defines age-assurance method as any technical or administrative mechanism that
is used solely to determine whether an account holder is a minor.
13. Defines digital identification system as a process that uses government-issued
identification, facial recognition, facial age-estimation or age-classification
technology, biometrics or another uniquely identifying credential to
authenticate an account holder's real-world identity or to estimate an account
holder's age.
14. Removes the definition of visual depiction.
15. Makes technical and conforming changes.
Amendments Adopted by Additional Committee of the Whole #2
1. Replaces the prohibition on an operator from requiring a digital
identification system solely to determine whether an account holder is a minor
with the prohibition on an operator from conditioning access to a
conversational AI service on the use of a digital identification system for age
verification, except as required by federal law.
2. Prohibits the conversational AI service requirements from being used to
implement a system that tracks any, rather than all, of an account holder's
online activity.
3. Prohibits the outlined conversational AI service requirements from being
cited or used to establish or enforce a social scoring system, social credit
system or system that rates, ranks, or restricts access to a service based on
an individual's behavior, expressions or associations.
4. Makes technical changes.
House Action                                Senate Action
AII        2/12/26    DPA    7-0-0-0        ATT        3/17/26    DP    7-2-1
3rd Read   2/24/26           43-13-4
Prepared by Senate Research
June 11, 2026
LMM/KS/ci
Current Bill Text
HB2311 - 572R - S Ver
Senate Engrossed House Bill
artificial intelligence service; disclosures; requirements
State of Arizona
House of Representatives
Fifty-seventh Legislature
Second Regular Session
2026
HOUSE BILL 2311
AN ACT
amending title 18, Arizona Revised Statutes, by adding chapter 8; relating to
information technology.
Be it enacted by the Legislature of the State of Arizona:
Section 1. Title 18, Arizona Revised Statutes,
is amended by adding chapter 8, to read:
CHAPTER 8
ARTIFICIAL INTELLIGENCE
ARTICLE 1. GENERAL PROVISIONS
START_STATUTE
18-801. Definitions
In this chapter, unless the text otherwise requires:
1. "Account holder" means an individual who has, or opens, an account or profile to
use a conversational AI service.
2. "Age-assurance method" means any technical or administrative mechanism that is used
solely to determine whether an account holder is a minor.
3. "Conversational AI service":
(a) Means an artificial intelligence software application, web interface or computer
program that is accessible to the general public and that primarily simulates
human conversation and interaction through textual, visual or aural
communications.
(b) Does not include an application, web interface or computer program that meets any of
the following:
(i) Is primarily designed and marketed for use by developers or researchers.
(ii) Is a feature within another software application, web interface or computer program
that is not a conversational AI service.
(iii) Is designed to provide outputs relating to a narrow and discrete topic.
(iv) Is primarily designed and marketed for commercial use by business entities.
(v) Incorporates a speaker and voice command interface or a text interface and acts
as a text-activated or voice-activated virtual assistant for a consumer electronic device.
(vi) Is used by a business entity solely for internal purposes.
(vii) Is used by a business entity solely for customer service or to strictly provide users
with information about available commercial services or products provided by
the business entity, customer service account information or other information
strictly related to the business entity's customer service.
(viii) Is used by a state or local government agency solely for customer service or to
strictly provide users with information about available services or products
provided by the agency, customer service account information or other
information strictly related to the agency's customer service.
(ix) Is used solely to provide commerce-related or
transactional assistance, including product or service recommendations,
shopping, ordering, payments, delivery, returns or customer support.
4. "Digital identification system" means a process that uses government-issued identification,
facial recognition, facial age-estimation or age-classification
technology, biometrics or another uniquely identifying credential to
authenticate an account holder's real-world identity or estimate an
account holder's age.
5. "Individual" means a natural person.
6. "Minor" means an individual under circumstances in which an operator has actual
knowledge or reasonable certainty that the individual is under eighteen years
of age.
7. "Minor account holder" means an account holder who is a minor.
8. "Operator":
(a) Means a person that makes available a conversational AI service to the public.
(b) Does not include a mobile application store or search engine solely because the
application or engine provides access to a conversational AI service.
9. "Person" means a natural person or legal entity.
10. "Sexual conduct" has the same meaning prescribed in section 13-3551.
END_STATUTE
START_STATUTE
18-802. Artificial intelligence; account holder notices and disclosures;
conversational AI services; prohibited uses; safety and privacy tools; minors;
civil penalty; enforcement by attorney general
A. Each operator shall clearly and conspicuously disclose to each account holder
in either of the following ways that the account holder is interacting with a
conversational AI service:
1. As a persistent visible disclaimer.
2. At the beginning of each session and appearing at least every three hours in a
continuous conversational AI service interaction.
B. If an operator knows that an account holder is a minor, the operator may not
provide the account holder with points or similar rewards at unpredictable
intervals with the intent to encourage increased engagement with the
conversational AI service.
C. Each operator shall institute reasonable measures to prevent the conversational
AI service from doing any of the following for an account holder:
1. Producing visual material of sexual conduct.
2. Generating direct statements that the account holder should engage in sexual conduct.
3. Generating statements that sexually objectify the account holder.
D. For minor account holders, the operator shall institute reasonable measures to
prevent the conversational AI service from generating statements that would lead a
reasonable person to believe that the person is interacting with a human, including
any of the following:
1. Explicit claims that the conversational AI service is sentient or human.
2. Statements that simulate emotional dependence.
3. Statements that simulate romantic or sexual innuendos.
4. Role-playing of adult-minor romantic relationships.
E. Each operator shall offer tools for minor account holders and, if the account
holder is under thirteen years of age, for the account holder's parent or
guardian to manage the account holder's privacy and account settings. An
operator shall also offer related tools to the parent or guardian of a minor
account holder who is at least thirteen years of age, as appropriate based on
relevant risks. The tools may be local to the device or account and do not
require a digital identification system.
F. Each operator shall adopt a protocol for the conversational AI service to
respond to a user prompt regarding suicidal ideation or self-harm, including
making reasonable efforts to provide a response to the account holder that
refers the account holder to crisis service providers, such as a suicide
hotline, crisis text line or other appropriate crisis service. The operator shall
institute reasonable measures that prevent the conversational AI service from
generating statements that encourage or instruct an account holder to commit
suicide or self-harm or that glorify suicide or self-harm.
G. An operator shall not knowingly and intentionally cause or program a
conversational AI service to make any representation or statement that
explicitly indicates that the conversational AI service is designed to provide
professional mental or behavioral health care.
H. Unless a federal law
expressly requires, an operator may not require a digital identification system
solely to determine whether an account holder is a minor. If the
operator voluntarily offers a digital identification system, the operator shall
make available a privacy-preserving alternative that provides equivalent
access. An age-assurance method may collect only the minimum
amount of data that is reasonably necessary. The collected data may
not be repurposed for advertising, profiling or unrelated analytics and must be
deleted or irreversibly de-identified after the compliance purpose is
satisfied. This subsection does not require an operator to mandate account
creation or prohibit anonymous or pseudonymous use.
I. An operator shall
implement reasonable safeguards that protect personal or age-related data
that is collected solely for compliance with this section and shall provide a
security system breach notification as prescribed in section 18-552. Any
data that is collected solely for compliance with this section may not be used,
sold or shared for targeted advertising, behavioral profiling or any secondary
monetization.
J. A governmental entity may not compel an operator to disclose personal or age-related
data that is collected solely to comply with this section unless the data is
pursuant to a warrant issued by a court of competent jurisdiction on a showing
of probable cause. An operator that receives a warrant from a governmental
entity shall notify the affected account holder within seventy-two hours
after the disclosure unless the court order specifically prohibits the
notification.
K. An operator may not
transfer, license or make available to a governmental entity any data, model,
analytics or profile that is derived from complying with this section, whether
directly or through a third-party intermediary, except as required by a
warrant issued as prescribed in subsection J of this section.
L. On or before April 1
of each year, each operator shall do both of the following:
1. If the operator
collects personal or age-related data for compliance with this section,
certify in writing, under penalty of perjury, that all of the data is destroyed
or irreversibly de-identified within the time period required by
subsection H of this section.
2. Publish a publicly accessible
report, in aggregate form, that identifies any age-assurance methods the
operator uses and that states whether a digital identification system is
offered and whether any alternative methods are available.
M. An operator that
violates this chapter is subject to an injunction and is liable for the greater
of either:
1. Actual damages.
2. Civil penalties of
$1,000 per violation, not to exceed $500,000 per operator.
N. A violation of this section is punishable by a civil penalty, to be sought by
the attorney general only. This section does not create a private right of action
to enforce this section or to support a private right of action under any other
law. The attorney
general may not adopt a rule or any guidance or enforcement action or enter
into a settlement agreement that expands a requirement that is included in this
section beyond the requirements that are expressly included in this section,
including a requirement for identity verification or bulk data reporting.
O. This section:
1. Does not create liability for the developer of an artificial intelligence model
for any violation of this section by a conversational AI service that is made
available to the public by a third-party operator.
END_STATUTE
2. Shall be construed
in the least intrusive manner consistent with Article II, section 8,
Constitution of Arizona, and may not be used to implement a system that tracks
all of an account holder's online activity.
3. Does not authorize
the regulation of lawful political, religious or other protected speech.
4. May not be cited or
used as a predicate or justification to require digital identification for
general internet access, device access or online activity that is not related
to a conversational AI service.
5. May not be construed
to require or authorize an operating system provider, application store,
internet service provider or device manufacturer to implement an age-assurance
method or identity authentication at the device, operating system or network
level on behalf of an operator.
Sec. 2. Effective date
Title 18, chapter 8, Arizona Revised
Statutes, as added by this act, is effective from and after September 30, 2027.