KLS Keeping Law Simple Legislation in plain English

Straight-ahead summaries built from the official bill text. We keep the source links front and center and leave the decision up to you.

Back to Arizona

HB2737 • 2026

chatbot regulations; personal data; requirements

HB2737 - chatbot regulations; personal data; requirements

Passed Legislature

This bill passed both chambers and reached final enrollment, even if later executive action is not shown here.

Sponsor
Quantá Crews, Cesar Aguilar, Sarah Liguori, Christopher Mathis, Mariana Sandoval, Stephanie Simacek, Stacey Travers, Betty J Villegas
Last action
2026-01-21
Official status
House second read
Effective date
Not listed

Plain English Breakdown

The bill text does not provide details about penalties or enforcement mechanisms for violations.

Chatbot Regulations and Personal Data Protection

This bill sets rules for companies that make chatbots, focusing on how they handle users' personal information and interactions.

What This Bill Does

  • Defines what a chatbot is and the terms related to it like 'personal data', 'dark pattern', and 'affirmative consent'.
  • Requires chatbot providers to get clear permission from users before using their personal data or chat logs for advertising, training, or selling.
  • Limits how long chatbot companies can keep user information and stops them from discriminating against users who don't want their data used.

Who It Names or Affects

  • Chatbot providers
  • Users of chatbots

Terms To Know

Affirmative consent
A clear and unambiguous agreement given by a user for specific actions or practices.
Dark pattern
A design that tricks users into doing something they might not want to do, like agreeing to terms of service.

Limits and Unknowns

  • The bill does not specify how chatbot providers should handle data if the user is a minor.
  • It's unclear what happens if a chatbot provider violates these rules.

Bill History

  1. 2026-01-21 House

    House second read

  2. 2026-01-20 House

    House Rules: None

  3. 2026-01-20 House

    House Artificial Intelligence & Innovation: None

  4. 2026-01-20 House

    House first read

Official Summary Text

HB2737 - chatbot regulations; personal data; requirements

Current Bill Text

Read the full stored bill text 
HB2737 - 572R - I Ver

REFERENCE TITLE:
chatbot regulations; personal data; requirements

State of Arizona

House of Representatives

Fifty-seventh Legislature

Second Regular Session

2026

HB 2737

Introduced by

Representatives
Crews: Aguilar, Liguori, Mathis, Sandoval, Simacek, Travers, Villegas

AN
ACT

amending title 44, chapter 9, arizona
revised statutes, by adding article 27; relating to commerce.

(TEXT OF BILL BEGINS ON NEXT PAGE)

Be it enacted by the Legislature of the State of Arizona:

Section 1. Title 44, chapter 9, Arizona Revised
Statutes, is amended by adding article 27, to read:

ARTICLE 27. CHATBOt
regulations

START_STATUTE
44-1383.

Definitions

In this article, unless the context otherwise
requires:

1. "Advertisement":

(
a
) Means Any
written or oral statement, illustration or depiction that is displayed in
exchange for monetary or other valuable consideration if the written or oral
statement, illustration or depiction does either of the following:

(
i
) Promotes
the sale or use of a good or service.

(
ii
) Is
designed to increase interest in a brand, good or service.�

(
b
) Includes
access to data between the chatbot provider and a brand, good or service.

2. "Affirmative consent":

(
a
) means a
clear affirmative act that signifies a user's freely given information and
unambiguous authorization for an act or practice in response to a specific
request from a chatbot provider, if:

(
i
) The request
is provided to the user in a clear and conspicuous stand-alone
disclosure.

(
ii
) The
request includes a description that is written in easily understandable
language.

(
iii
) The
request is made in a manner that is reasonably accessible and available by
users with disabilities.

(
iv
) The
request is made available to the user in each language in which the chatbot
provider provides a chatbot.

(
v
) The option
to decline consent is at least as prominent as the option to give consent, and
the option to decline consent takes the same or fewer number of steps as the
option to give consent.

(
vi
) Affirmative
consent to an act or practice may not be inferred from the inaction of the user
or the user's continued use of a chatbot.

(
b
) Does not
include:

(
i
) Acceptance
given by general or broad terms of use.

(
ii
) Hovering
over, muting, pausing or closing a given piece of content.

(
iii
) An
agreement that is obtained through the use of a false, fraudulent or materially
misleading statement or representation.

(
iv
) An
agreement that is obtained through the use of other dark patterns.

3. "Chatbot":

(
a
) Means an
algorithmic or automated system that generates information through text, audio,
image or video in a manner that simulates interpersonal interactions or
conversation.

(
b
) Includes
artificial intelligence.

4. "Chatbot provider" means
any person that creates, distributes or otherwise makes a chatbot available to
a user.

5. "Chat log" means both of
the following:

(
a
) Input data
or a record of the input data.

(
b
) Output data
that is generated by a chatbot or from interactions with a chatbot.

6. "Dark pattern" means a
user interface that is designed or manipulated to subvert or impair a user's
autonomy, decision-making or choice.

7. "De-identified
data" Means information that:

(
a
) cannot
reasonably be used to infer or derive the identity of a user.

(
b
) does not
identify a user.

(
c
) is not
linked or is reasonably linkable to a user.

8. "Input data":

(
a
) Means
information.

(
b
) Includes:

(
i
) Texts.

(
ii
) Photos.

(
iii
) Audio
files.

(
iv
) Video
files.

(
v
) Any type of
file that is provided to a chatbot by a user.

9. "Model" means an
engineered or machine-based system underlying a chatbot and that is based
on the input data that it RECEIVES and that can infer how to generate output
data that can influence physical or virtual environments.

10. "Personal data":

(
a
)
Means either of the following:

(
i
) Any
information, including derived data, that is linked or reasonably linkable
either by itself or in combination with other information to an identified or
identifiable user.

(
ii
) A device
that identifies or is linked or is reasonably linkable to a user.

(
b
) Does not
include de-identified data or publicly available information.

11. "Publicly available
information":

(
a
) Means
information that has been lawfully made available to the public subject to
a public records request pursuant to title 39, chapter 1.

(
b
) Does not
include:

(
i
) Obscene
items as prescribed in title 13, chapter 35.

(
ii
) Biometric
data.

(
iii
) Personal
data that is created through the combination of personal data and publicly
available information.

(
iv
) Genetic
data, unless the genetic data was made available to the public by the user to
whom the genetic data pertains.�

(
v
) Information
that is made available to the public by a user who uses a website or online
platform on which the user has restricted the information to a specific
audience.

(
vi
) Intimate
images that are either authentic or computer generated and that are known to be
nonconsensual.

12. "Process" or
"processing":

(
a
) Means any
operation or set of operations that are performed on personal data or input
data.

(
b
) Includes
the use, storage, disclosure, analysis, deletion or modification of personal
data or input data.

13. "Profiling":

(
a
) Means to
process personal data or input data to classify or designate personality traits
and behavioral characteristics of a user.

(
b
) Does not
include processing chat logs for user safety or to otherwise comply with this
article.

14. "Sell":

(
a
) Means
either of the following:

(
i
) The
exchange of personal data or input data for monetary or other valuable
consideration.

(
ii
) To make
personal data or input data available to a third party for monetary or other
valuable consideration.

(
b
) Does not
include any of the following:

(
i
) The
disclosure of personal data or input data to a third party that processes the
personal data or input data on behalf of the chatbot provider.

(
ii
) The
disclosure of personal data or input data where the user provides affirmative
consent and directs the chatbot provider to disclose the personal data or input
data or intentionally uses the chatbot provider to interact with a third party.

(
iii
) The
disclosure of personal data or input data that the user intentionally made
available to the public through social media and did not restrict the
information to a specific audience.

15. "Training":

(
a
) Means the
use of input data to adjust or modify a model.

(
b
) Does not
include:

(
i
) Tests that
are used to identify risk of harm to users.

(
ii
) Adjustments
or modifications that are made to address identified risk of harm to users.

(
iii
) Any
action that is necessary to comply with this article or as otherwise required
by law.

16. "User" means any
natural person regardless of age.
END_STATUTE

START_STATUTE
44-1383.01.

Chatbot provider; data security; personal data; prohibitions;
requirements

A. A
chatbot provider may not:

1. Process personal data to inform a
chatbot output unless processing personal data is necessary to fulfill an
express request that is made by a user and the user provides affirmative
consent.

2. Process a user's chat log:

(
a
) To
determine whether to display an advertisement for a product or service to a
user.

(
b
) To
determine a product or service or category of a product or service to advertise
to a user.

(
c
) To
customize an advertisement for presentation to a user.

3. Process a user's chat log and
personal data:

(
a
) If the
chatbot provider knows or reasonably should have known that based on knowledge
of objective circumstances the user is a minor and the user's parent or legal
guardian did not provide affirmative consent.�

(
b
) For
training purposes if the chatbot provider knows or reasonably should have known
that based on knowledge of objective circumstances the user is a minor and the
user's parent or legal guardian did not provide affirmative consent.

(
c
) for
training purposes if the user is an adult, unless the chatbot provider first
obtains affirmative consent.

(
d
) To engage
in profiling beyond what is necessary to fulfill an express request.

4. Profile a user based on any
classification or designation of the user's personality or behavioral
characteristic beyond what is necessary to fulfill an express request made by
the user.

5. Sell a user's chat logs.

6. Retain a user's chat log for more
than ten years, unless retention is necessary to comply with this article or
otherwise required by law.

7. Discriminate or retaliate against
a user, including:

(
a
) Denying
products or services to the user.

(
b
) Charging
different prices or rates for products or services to the user.

(
c
) Providing
lower quality products or service to the user for refusing to consent to the
use of chat logs or personal data for training purposes.

B. A user has a right to access the
user's own chat logs at any time.� A chatbot provider shall provide A user's
own chat log on request by the user and shall provide the chat log in a
downloadable and easy to read format.� A chatbot provider may not discriminate
or retaliate against a user pursuant to subsection a paragraph 7 of this
section that requests the user's chat.

C. A government entity may not compel
the production of or access to input data or chat logs from a chatbot provider,
except as pursuant to a wiretap warrant.

D. A chatbot provider shall develop,
implement and maintain a comprehensive data security program that contains
administrative, technical and physical safeguards that are proportionate to the
volume and nature of personal data and chat logs that are maintained by the
chatbot provider.� The program shall be written and made publicly AVAILABLE on
the chatbot provider's website.

E. A chatbot provider shall take the
necessary physical, administrative and technical measures to prevent de-identified
data from being re-identified and to process, retain and transfer de-identified
data without any reasonable means of re-identification.
END_STATUTE

START_STATUTE
44-1383.02.

Chatbot provider; advertising; prohibitions; notice requirements

A. A chatbot provider may not:

1. Use any term, letter or phrase in
the advertising, interface or output data of a chatbot that states or implies
that the advertising, interface or output data of a chatbot is endorsed by or
equivalent to any of the following:

(
a
) Any
certified, registered or licensed professional pursuant to title 32.

(
b
) A licensed
legal professional.

(
c
) A certified
public accountant as defined in section 32-701.

(
d
) An
investment advisor or an investment adviser representative as defined in
section 44-3101.

(
e
) A licensed
fiduciary as prescribed in title 14, chapter 5, article 7.

2. Include any representation in the
advertising, interface or output data of a chatbot that states or implies the
user's input data or chat log is confidential.

B. A chatbot provider shall provide
clear, conspicuous and explicit notice to a user that the user is interacting
with a chatbot rather than a natural person before the chatbot may generate any
output data. The chatbot provider shall include this notice at the
beginning of each chatbot communication with a user, every hour thereafter and
each time a user asks whether the chatbot is a natural person.� the text of the
notice:

1. shall be written in the same
language that the chatbot communicates with the user and shall appear in a font
size that is easily readable by an average user and is not smaller than the
largest font size used for other chatbot communications.

2. must comply with the rules adopted
by the attorney general pursuant to section 44-1383.03.

C. In compliance with the rules
adopted by the attorney general pursuant to section 44-1383.03, A chatbot
provider shall:

1. On a monthly basis:

(
a
) Evaluate
its chatbot for potential risk of harm to users.

(
b
) Make
information about its chatbot publicly available on its website.

2. Mitigate any risk of harm to
users.
END_STATUTE

START_STATUTE
44-1383.03.

Attorney general; rulemaking

A. The attorney general shall adopt
rules to implement this article.� the rules shall:

1. Describe the form and content of
the notice that is required pursuant to section 44-1383.02.

2. Provide an example template for
the notice that is required pursuant to section 44-1383.02.

3. Describe any potential risk of
harm to users.

4. Provide requirements for a chatbot
provider to implement to reduce the risk of harm to users.

B. The attorney general may adopt any
other rules necessary to implement this article.
END_STATUTE

START_STATUTE
44-1383.04.

Chatbots; products liability; injury to user

A. A chatbot is considered a product
for the purposes of a product liability action as prescribed in title 12,
chapter 6, article 9.

B. A chatbot provider has a duty to
ensure that the use of the chatbot provider's does not cause injury to a user.

C. A chatbot provider is liable for
any injury that the chatbot causes to a user if either of the following occurs:

1. The chatbot provider exercised all
reasonable care in the design and distribution of the chatbot.

2. The chatbot provider did not
directly distribute the chatbot to the user or otherwise enter into a
contractual relationship with the user.
END_STATUTE

START_STATUTE
44-1383.05.

Attorney general; county attorney; violation; civil action;
enforcement; private right of action; civil penalty

A. The attorney general or a county
attorney may bring a civil action against a chatbot provider that violates this
article and that includes any of the following:

1. Enjoining an act or practice in
violation of this article.

2. Enforcing compliance with this
article or a rule adopted pursuant to this article.

3. Obtaining damages, civil
penalties, restitution or other remedies.

4. Obtaining reasonable attorney fees
and other litigation costs.

B. A violation of section 44-1383.01
or 44-1383.02 constitutes an injury in fact to a user.

C. A user who is injured by a
violation of section 44-1383.01 or 44-1383.02 may bring a civil
action against the chatbot provider, and a court of competent jurisdiction may
award a prevailing plaintiff any of the following:

1. A civil penalty of not more than
$5,000 per violation of this article.

2. Punitive damages for reckless and
knowing conduct.

3. Injunctive relief.

4. Declaratory RELIEF.

5. Reasonable attorney fees and
litigation costs.
END_STATUTE

Sec. 2.
Short title

This act may be cited as the
"ChatBot Protection Act".