
SB1790 • 2026

personal data collection; business; requirements

SB1790 - personal data collection; business; requirements

Status on this page: Senate second read (2026-02-10)

The bill history below records only Senate introduction, committee assignment and second read; no committee vote, floor vote or passage is recorded here.

Sponsor
Lauren Kuby, Theresa Hatathlie, Brian Garcia, Aaron Márquez
Last action
2026-02-10
Official status
Senate second read
Effective date
Not listed

Plain English Breakdown

The bill creates a public registry of data brokers kept by the Secretary of State, requires each broker to post a notice and file an annual registration, and requires each broker to keep a written information security plan. Failing to post the notice or register carries a civil penalty that the Attorney General may sue to recover; failing to keep the security plan is treated as an unfair trade practice.

Data Protection Rules for Businesses

This bill sets rules for businesses in Arizona that collect and use personal data about people, especially those who act as 'data brokers'.

What This Bill Does

  • Defines 'personal data', 'sensitive data' (for example government identifiers, health and financial information, biometric and genetic data, precise geolocation, private communications and login credentials), 'data broker' and related terms.
  • Requires a data broker to register annually with the Secretary of State, pay a fee, and report the categories of data it handles, whether it credentials purchasers, how it handles sensitive data and data about known children, and the number of security breaches in the preceding year. The Secretary of State must publish a searchable registry of these filings.
  • Requires a data broker that runs a website or mobile app to post a conspicuous notice that it is a data broker and how consumers can exercise their rights.
  • Requires a data broker to keep a written information security plan with administrative, technical and physical safeguards, including need-to-know access control, no vendor-default passwords, account lockout after repeated failed logins, encryption of data sent over public networks or stored on portable devices, and current patches, firewalls and malware protection.
  • Applies only to brokers that, in a twelve-month period, earn more than half their revenue from such data or earn revenue from the data of more than 50,000 individuals; service providers, governmental entities and activity regulated by the Fair Credit Reporting Act are excluded.

Who It Names or Affects

  • Businesses that act as data brokers and meet the revenue or volume thresholds in section 44-8043.
  • Individuals residing in Arizona whose personal data those brokers hold.
  • The Secretary of State, which registers brokers, sets fees, publishes the registry and may adopt rules.
  • The Attorney General, who may sue to recover civil penalties.

Terms To Know

Data broker
A business entity that collects, processes or transfers personal data that the business did not collect directly from individuals.
Sensitive data
The categories the bill singles out for disclosure in the registration statement: government-issued identifiers, health and financial information, biometric and genetic data, precise geolocation, private communications, login credentials, information about a known child, and similar information that needs extra protection because of its nature.

Limits and Unknowns

  • The registration and renewal fee amounts, and the required wording of the website notice, are left to the Secretary of State.
  • Civil penalties (section 44-8048) attach only to the notice and registration sections; a security-plan violation (section 44-8047) is an unfair trade practice under section 44-1522, and the bill does not spell out what remedy that carries.
  • The bill provides no private right of action and creates no consumer rights of its own; the notice must point consumers to rights they may have under existing law (title 44, chapter 10, article 7).
  • No effective date is listed on this page.

Bill History

  1. 2026-02-10 Senate

    Senate second read

  2. 2026-02-09 Senate

    Senate Rules: None

  3. 2026-02-09 Senate

    Senate Regulatory Affairs and Government Efficiency: None

  4. 2026-02-09 Senate

    Senate first read

Official Summary Text

SB1790 - personal data collection; business; requirements

Current Bill Text

SB1790 - 572R - I Ver

REFERENCE TITLE:
personal data collection; business; requirements

State of Arizona

Senate

Fifty-seventh Legislature

Second Regular Session

2026

SB 1790

Introduced by

Senators Kuby, Hatathlie; Representatives Garcia, Márquez

AN ACT

amending title 44, Arizona Revised
Statutes, by adding chapter 42; relating to commerce.


Be it enacted by the Legislature of the State of Arizona:

Section 1. Title 44, Arizona Revised Statutes,
is amended by adding chapter 42, to read:

CHAPTER 42

DATA BROKERS

ARTICLE 1. GENERAL PROVISIONS

START_STATUTE
44-8041. Definitions

In this chapter, unless the context otherwise
requires:

1. "Biometric data" means
data generated by automatic measurements of an individual's biological patterns
or characteristics, including fingerprint, voiceprint, retina or iris scan,
information pertaining to an individual's Deoxyribonucleic acid or other unique
biological pattern or characteristic that is used to identify a specific
individual.

2. "Child" means an
individual who is less than sixteen years of age.

3. "Collect" in the context
of data, means to obtain, receive, access or otherwise acquire the data by any
means, including by purchasing or renting the data.

4. "Data broker" means a
business entity that collects, processes or transfers personal data that the
business entity did not collect directly from the individual who is linked or
linkable to the data.

5. "Deidentified data"
means data that cannot reasonably be linked to an identified or identifiable
individual or to a device linked to that individual.

6. "Employee":

(a) Includes an individual who is a director, officer, staff member, trainee, volunteer or intern of an employer or an individual who is working as an independent contractor for an employer, regardless of whether the individual is paid, unpaid or employed on a temporary basis.

(b) Does not include an individual contractor who is a service provider.

7. "Employee data" means information collected, processed or transferred by an employer if the information is related to any of the following:

(a) A job applicant and is collected during the course of the hiring and application process and is collected, processed or transferred solely relating to the status of the employee as a current or former job applicant of the employer.

(b) An employee who is acting in a professional capacity for the employer, including the employee's business contact information such as the employee's name, position, title, business telephone number, business address or business email address, and is collected, processed or transferred solely relating to the professional activities of the employee on behalf of the employer.

(c) An employee's emergency contact information and is collected, processed or transferred solely for the purpose of having an emergency contact on file for the purpose of transferring the information in case of an emergency.

(d) An employee or the employee's spouse, dependent, covered family member or beneficiary and is collected, processed or transferred solely for the purpose of administering benefits to which the employee described is entitled or to which another person described by this subdivision is entitled on the basis of the employee's position with the employer.

8. "Genetic data":

(a) Means any data, regardless of format, concerning an individual's genetic characteristics.

(b) Includes both:

(i) Raw sequence data derived from sequencing all or a portion of an individual's extracted DNA.

(ii) Genotypic and phenotypic information obtained from analyzing an individual's raw sequence data.

9. "Individual" means a
natural person who resides in this state.

10. "Known child" means a child under circumstances in which a data broker has knowledge of, or wilfully disregards obtaining knowledge of, or should know, or reasonably should have known of, the child's age.

11. "Personal data":

(a) Means any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual.

(b) Includes pseudonymous data if the information is used by a controller or processor in conjunction with additional information that reasonably links the information to an identified or identifiable individual.

(c) Does not include deidentified data, employee data or publicly available information.

12. "Precise geolocation data":

(a) Means information accessed on a device or technology that shows the past or present physical location of an individual or the individual's device with sufficient precision to identify ground level location information of the individual or device in a range of not more than one thousand eight hundred fifty feet.

(b) Does not include location information regarding an individual or device that is identifiable or derived solely from the visual content of a legally obtained image, including the location of a device that captured the image.

13. "Process" in the
context of data, means an operation or set of operations that are performed,
whether by manual or automated means, on personal data or on sets of personal
data, such as the collection, use, storage, disclosure, analysis, deletion or
modification of personal data.

14. "Publicly available information" means information that is any of the following:

(a) Is lawfully made available through government records.

(b) A business has a reasonable basis to believe is lawfully available to the general public through widely distributed media.

(c) Is lawfully made available by a consumer, or by a person to whom a consumer has disclosed the information, unless the consumer has restricted access to the information for a specific audience.

15. "Sensitive data" means:

(a) A government-issued identifier that is not required by law to be publicly available, including:

(i) A social security number.

(ii) A passport number.

(iii) A driver license number.

(b) Information that describes or reveals an individual's mental or physical health diagnosis, condition or treatment.

(c) An individual's financial information, except the last four digits of a debit or credit card number, including:

(i) A financial account number.

(ii) A credit or debit card number.

(iii) Information that describes or reveals the income level or bank account balances of the individual.

(iv) Transaction history.

(v) Electronic payment numbers or histories.

(vi) Accounts related to digital payment networks.

(vii) Mobile payment services or similar types of services or networks.

(viii) Payment of health care services or related debt collection.

(d) Biometric data.

(e) Genetic data.

(f) Precise geolocation data.

(g) An individual's private communication that:

(i) If made using a device, the device is not provided by the individual's employer and does not provide conspicuous notice to the individual that the employer may access communication made using the device.

(ii) Includes, unless the data broker is the sender or an intended recipient of the communication, any form of messages sent from a communication system and the individual's voicemails, emails, texts, direct messages or mail, information that identifies the parties involved in the communications and information that relates to the transmission of the communications, including telephone numbers called, telephone numbers from which calls are placed, the time calls are made, call duration and location information of the parties to the call.

(h) A log-in credential, security code or access code for an account or device.

(i) Information identifying the sexual behavior of the individual.

(j) Calendar information, address book information, phone or text logs, photos, audio recordings or videos that both:

(i) Are maintained for private use by an individual and stored on the individual's device or in another location.

(ii) Are not communicated using a device provided by the individual's employer. This item does not apply if the employee communicates on a device provided by the employer and the employer notifies the employee that the employer may access communication made using the device.

(k) A photograph, film, video recording or other similar medium that shows the individual or a part of the individual nude or wearing undergarments.

(l) Information revealing the video content requested or selected by an individual.

(m) Information regarding a known child.

(n) Information revealing an individual's racial or ethnic origin, color, sex, gender, citizenship, immigration status, religious beliefs or union membership.

(o) Information identifying an individual's online activities accessing multiple Internet websites or online services.

(p) Information collected, processed or transferred for the purpose of identifying information described by this paragraph.

16. "Service provider"
means a person that is bound by contractual obligations or an agreement
receives, collects, processes or transfers personal data on behalf of and only
at the direction of a business or governmental entity, including a business or
governmental entity that is another service provider, so the person may perform
a service or function with or on behalf of the business or governmental entity
and to the extent a person processes personal data for the person's own purposes,
the person is not acting as a service provider.

17. "Transfer" means to
disclose, release, share, disseminate, make available, sell or license data by
any means or medium.
END_STATUTE

START_STATUTE
44-8042. Applicability to data

A. Except as provided in subsection B of this section, this chapter applies to personal data that is collected, transferred or processed from an individual by a data broker.

B. This chapter does not apply to the following data:

1. Deidentified data, if the data broker:

(a) Takes reasonable technical measures to ensure that the data is not able to be used to identify an individual with whom the data is associated.

(b) Publicly commits in a clear and conspicuous manner to both:

(i) Process and transfer the data solely in a deidentified form without any reasonable means for reidentification.

(ii) Not attempt to identify the information to an individual with whom the data is associated.

(c) Contractually obligates a person that receives the information from the provider to both:

(i) Comply with this paragraph with respect to the information.

(ii) Require that the contractual obligations be included in any subsequent transfer of the data to another person.

2. Employee data.

3. Publicly available information.

4. Inferences made exclusively from
multiple independent sources of publicly available information that do not
reveal sensitive data with respect to an individual.
END_STATUTE

START_STATUTE
44-8043. Applicability to entities

A. Except as provided in subsection B of this section, this chapter applies only to a data broker that, in a twelve-month period, makes either:

1. More than fifty percent of the
data broker's revenue directly from processing or transferring personal data
that is not collected by the data broker directly from the individuals to whom
the data pertains.

2. Revenue directly from processing
or transferring the personal data of more than fifty thousand individuals if
the data broker does not collect the data directly from the individuals to whom
the data pertains.

B. This chapter does not apply to:

1. A service provider, including a
service provider that engages in the business of processing employee data for
an employer for the sole purpose of providing benefits to the employer's
employees.

2. A federal, state, tribal,
territorial or local governmental entity, including a body, authority, board,
bureau, commission, district, agency or political subdivision of a governmental
entity.

3. An entity that serves as a
congressionally designated nonprofit, national resource center or clearinghouse
to provide assistance to victims, families, child-serving professionals and the
general public on missing and exploited children issues.

4. A consumer reporting agency or
other person that furnishes information for inclusion in a consumer credit
report or obtains a consumer credit report, but only to the extent that the
consumer reporting agency or the person engages in activity regulated or
authorized by the Fair Credit Reporting Act (15 United States Code Sections
1681 through 1681x), including the collection,
maintenance, disclosure, sale, communication or use of any personal information
bearing on a consumer's creditworthiness, credit standing, credit capacity,
character, general reputation, personal characteristics or mode of living.
END_STATUTE

START_STATUTE
44-8044. Notice on website or mobile application

A data broker that maintains an Internet website
or mobile application shall post a conspicuous notice on the website or
application that:

1. States that the entity maintaining
the website or application is a data broker.

2. Is clear, not misleading and
readily accessible by the general public, including individuals with a
disability.

3. Contains language as prescribed by
the secretary of state in rule for inclusion in the notice.

4. Informs a consumer how to exercise any consumer rights the consumer may have under this chapter, which is known as the Arizona consumer data protection act, or chapter 10, article 7 of this title.
END_STATUTE

START_STATUTE
44-8045. Registration; fees; renewal

A. To conduct business in this state,
a data broker must register with the secretary of state by filing a
registration statement and paying a registration fee in an amount to be
determined by the secretary of state.

B. The registration statement must include:

1. The legal name of the data broker.

2. A contact person and the primary
physical address, email address, telephone number and website address for the
data broker.

3. A description of the categories of
data that the data broker processes and transfers.

4. A statement of whether the data
broker implements a purchaser credentialing process.

5. If the data broker has knowledge, should have knowledge or reasonably should have knowledge, that the data broker possesses sensitive data, including personal data of a known child:

(a) A statement detailing the data collection practices, databases, sales activities and opt out policies that are applicable to the personal data.

(b) A statement on how the data broker complies with applicable federal and state laws regarding the collection, use or disclosure of sensitive data, including personal data from and about a child on the Internet.

6. The number of security breaches
the data broker has experienced during the year immediately preceding the year
in which the registration is filed, and if known, the total number of consumers
affected by each breach.

C. A registration of a data broker
may include any additional information or explanation the data broker chooses
to provide to the secretary of state concerning the data broker's data
collection practices.

D. A registration certificate expires on the first anniversary of the registration certificate's date of issuance. A data broker may renew a registration certificate by filing a renewal application, in the form prescribed by the secretary of state, and paying a renewal fee in an amount determined by the secretary of state.
END_STATUTE

START_STATUTE
44-8046. Registry of data brokers

The secretary of state shall establish and maintain on the secretary of state's website a searchable, central registry of data brokers registered under section 44-8045. The registry must include:

1. A search feature that allows a person that is searching the registry to identify a specific data broker.

2. For each data broker, the information prescribed in section 44-8045, subsection B.
END_STATUTE

START_STATUTE
44-8047. Protection of personal data

A. A data broker that is conducting
business in this state shall protect personal data that the data broker holds.

B. A data broker shall develop, implement and maintain a comprehensive information security plan that is written in one or more readily accessible parts and contains administrative, technical and physical safeguards that are appropriate for all of the following:

1. The data broker's size, scope and type of business.

2. The amount of resources available to the data broker.

3. The amount of data stored by the data broker.

4. The need for security and confidentiality of personal data stored by the data broker.

C. The comprehensive information security plan required by this section must:

1. Incorporate safeguards that are consistent with the safeguards for protection of personal data and information of a similar character under state or federal laws applicable to the data broker.

2. Include the designation of one or more employees of the data broker to maintain the plan.

3. Require the identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality and integrity of any electronic, paper or other record containing personal data and the establishment of a process for evaluating and improving, as necessary, the effectiveness of the current safeguards for limiting those risks, including by:

(a) Requiring ongoing employee and contractor education and training, including education and training for temporary employees and contractors of the data broker, on the proper use of security procedures and protocols and the importance of personal data security.

(b) Mandating employee compliance with policies and procedures established under the plan.

(c) Providing a means for detecting and preventing security system failures.

4. Include security policies for the data broker's employees relating to the storage, access and transportation of records containing personal data outside of the broker's physical business premises.

5. Provide disciplinary measures for violations of a policy or procedure established under the plan.

6. Include measures for preventing a terminated employee from accessing records containing personal data.

7. Provide policies for the supervision of third-party service providers that include:

(a) Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect personal data consistent with applicable law.

(b) Requiring third-party service providers by contract to implement and maintain appropriate security and privacy measures for personal data.

8. Provide reasonable restrictions on physical access to records containing personal data, including by requiring the records containing the data to be stored in a locked facility, storage area or container.

9. Include regular monitoring to ensure that the plan is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal data and, as necessary, upgrading information safeguards to limit the risk of unauthorized access to or unauthorized use of personal data.

10. Require the regular review of the scope of the plan's security measures that must occur both:

(a) At least annually.

(b) Whenever there is a material change in the data broker's business practices that may reasonably affect the security and privacy or integrity of records containing personal data.

11. Require the documentation of responsive actions taken in connection with any incident involving a breach of security, including a mandatory post-incident review of each event and the actions taken, if any, to make changes in business practices relating to protection of personal data in response to that event.

12. To the extent technically feasible, include the following procedures and protocols with respect to computer system security requirements or procedures and protocols providing a higher degree of security for the protection of personal data:

(a) The use of secure user authentication protocols that include each of the following features:

(i) Controlling user login credentials and other identifiers.

(ii) Using a reasonably secure method of assigning and selecting passwords or using unique identifier technologies, including biometrics or token devices.

(iii) Controlling data security passwords to ensure that the passwords are kept in a location and format that do not compromise the security of the data that the passwords protect.

(iv) Restricting access to only active users and active user accounts.

(v) Blocking access to user credentials or identification after multiple unsuccessful attempts to gain access.

(b) The use of secure access control measures, including:

(i) Restricting access to records and files containing personal data to only employees or contractors who need access to that personal data to perform the job duties of the employees or contractors.

(ii) Assigning to each employee or contractor who has access to a computer containing personal data a unique identification and a password that may not be a vendor-supplied default password or using another protocol reasonably designed to maintain the integrity of the security of the access controls to personal data.

(c) Encryption of:

(i) Transmitted records and files containing personal data that travels across public networks.

(ii) Data containing personal data that is transmitted wirelessly.

(d) Reasonable monitoring of systems for unauthorized use of or access to personal data.

(e) Encryption of all personal data stored on laptop computers or other portable devices.

(f) For files containing personal data on a system that is connected to the Internet, the use of reasonably current firewall protection and operating system security patches that are reasonably designed to maintain the integrity of the personal data.

(g) The use of either:

(i) A reasonably current version of system security agent software that must include malware protection and reasonably current patches and virus definitions.

(ii) A version of system security agent software that is supportable with current patches and virus definitions and is set to receive the most current security updates on a regular basis.
END_STATUTE
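The computer-security items in section 44-8047, subsection C, paragraph 12 read as a checklist, but items (a)(i) through (v) and (b)(ii) together describe one concrete login path. The Python below is an example added to this page, not code from the bill, the Legislature or any data broker. It implements that path: a salted PBKDF2 hash is stored instead of the password, vendor-supplied default passwords are refused at account creation, each person gets a unique identifier, inactive (terminated) accounts cannot authenticate, and the account locks after a fixed number of failed attempts. The lockout threshold, minimum password length, iteration count and the contents of the default-password list are assumptions chosen for the example, and the user ids and passwords in the docstring are constructed.

```python
"""Account store implementing the controls in A.R.S. 44-8047(C)(12)(a)(i)-(v)
and (b)(ii): salted password hashing, no vendor-default passwords, unique
user ids, login limited to active accounts, lockout after repeated failures.

Illustration added to this page; not code from the bill or any data broker.
Thresholds, the default-password list and all names are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

MAX_FAILED_ATTEMPTS = 5        # assumed lockout threshold, (12)(a)(v)
MIN_PASSWORD_LENGTH = 12       # assumed minimum, (12)(a)(ii)
PBKDF2_ITERATIONS = 600_000    # assumed work factor, (12)(a)(iii)

# Assumed denylist of vendor-supplied defaults that (12)(b)(ii) forbids.
VENDOR_DEFAULT_PASSWORDS = frozenset(
    {"admin", "password", "changeme", "default", "welcome1", "12345678"}
)
_DUMMY_SALT = bytes(16)        # used to equalise cost for unknown user ids


@dataclass
class Account:
    user_id: str               # unique identifier per person, (12)(b)(ii)
    salt: bytes
    pw_hash: bytes             # PBKDF2 digest; the password is never stored
    active: bool = True        # (12)(a)(iv): only active accounts may log in
    failed_attempts: int = 0
    locked: bool = False       # (12)(a)(v): set after MAX_FAILED_ATTEMPTS


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the stored form does not reveal the password."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def password_acceptable(password: str) -> bool:
    """False for a known vendor default (case-insensitive) or a short password."""
    return (
        password.lower() not in VENDOR_DEFAULT_PASSWORDS
        and len(password) >= MIN_PASSWORD_LENGTH
    )


class AuthStore:
    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def create(self, user_id: str, password: str) -> Account:
        if user_id in self._accounts:
            raise ValueError("user_id must be unique")
        if not password_acceptable(password):
            raise ValueError("vendor-default or too-short password rejected")
        salt = os.urandom(16)  # fresh random salt per account
        acct = Account(user_id, salt, _derive(password, salt))
        self._accounts[user_id] = acct
        return acct

    def get(self, user_id: str) -> Optional[Account]:
        return self._accounts.get(user_id)

    def deactivate(self, user_id: str) -> None:
        """Subsection C, paragraph 6: a terminated employee loses access.
        The record is kept, but login() refuses it from now on."""
        self._accounts[user_id].active = False

    def unlock(self, user_id: str) -> None:
        """Administrative reset after a lockout; the failure counter restarts."""
        acct = self._accounts[user_id]
        acct.locked = False
        acct.failed_attempts = 0

    def login(self, user_id: str, password: str) -> bool:
        acct = self._accounts.get(user_id)
        if acct is None:
            _derive(password, _DUMMY_SALT)   # same cost as a real check
            return False
        # Hash first, then consult status, so timing does not reveal whether
        # the account is inactive or locked.
        ok = hmac.compare_digest(_derive(password, acct.salt), acct.pw_hash)
        if not acct.active or acct.locked:
            return False                     # (12)(a)(iv) and (v)
        if ok:
            acct.failed_attempts = 0
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True               # (12)(a)(v): block further attempts
        return False
```

Two design points go slightly beyond the text of paragraph 12. The digest is computed before the active and locked flags are consulted, and an unknown user id is charged the same PBKDF2 work, so response time does not reveal whether an account exists or is locked. And a locked or deactivated account returns false even for the correct password, which is what "blocking access" and "restricting access to only active users" require; a successful login resets the failure counter so an ordinary typo does not accumulate toward lockout.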

START_STATUTE
44-8048. Violation; civil penalty; attorney general action

A. A data broker that violates section 44-8044 or 44-8045 is subject to a civil penalty as follows:

1. $100 for each day that the violation continues.

2. An amount equal to the amount of
unpaid registration fees for each year that the entity fails to register in
violation of Section 44-8045.

3. An amount not to exceed $10,000 in
a twelve-month period.

B. The attorney general may bring an action to recover a civil penalty imposed under this section. The attorney general may recover reasonable attorney fees and court costs incurred in bringing the action.
END_STATUTE

START_STATUTE
44-8049. Unfair trade practice

A violation of Section 44-8047 constitutes an
unfair trade practice pursuant to section 44-1522.
END_STATUTE

START_STATUTE
44-8050. Rulemaking

The secretary of state may adopt rules pursuant to title 41, chapter 6 to carry out this chapter.
END_STATUTE

Sec. 2.
Short title

This act may be cited as the
"Arizona Consumer Data Protection Act".