HB2790 - 552R - I Ver

 

 

 

REFERENCE TITLE: personal data; processing; security standards

 

 

 

 

State of Arizona

House of Representatives

Fifty-fifth Legislature

Second Regular Session

2022

 

 

 

HB 2790

 

Introduced by

Representatives DeGrazia: Andrade, Cano, Mathis, Pawlik, Powers Hannley

 

 

AN ACT

 

amending Title 18, chapter 5, Arizona Revised Statutes, by adding article  5; relating to personal data.

 

 

(TEXT OF BILL BEGINS ON NEXT PAGE)

 

Be it enacted by the Legislature of the State of Arizona:

Section  1. Title 18, chapter 5, Arizona Revised Statutes, is amended by adding article 5, to read:

ARTICLE 5. DATA AND SECURITY STANDARDS

START_STATUTE18-571. Definitions

In this article, unless the context otherwise requires:

1. "Collect" means receiving and taking, including by automated means, any operation or set of operations to obtain personal data, including purchasing, leasing, assembling, recording, gathering, acquiring or procuring personal data.

2. "Consent" means a clear, affirmative act signifying a specific, informed and unambiguous indication of a consumer's agreement to collect or process the consumer's personal data, such as by a written statement or other clear affirmative action.

3. "Consumer":

(a) Means a natural person who is a resident of this state and who is acting only in an individual, noncommercial or household context.

(b) Does not include a natural person who is acting in a commercial or employment context.

4. "Controller" means the natural or legal person that, alone or jointly with others, determines the purposes and means of processing personal data.

5. "Data broker" means a business, or a unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the personal information of a consumer with whom the business does not have a direct relationship.

6. "Deidentified data" means:

(a) Data that cannot be linked to a known natural person without additional information kept separately.

(b) Data that meets all of the following:

(i) Has been modified to a degree that the risk of reidentification is small.

(ii) Is subject to a public commitment by the controller not to attempt to reidentify.

(iii) To which one or more enforceable controls have been applied to prevent reidentification. For the purposes of this item, "enforceable controls" includes legal, administrative, technical or contractual controls.

7. "Disclose" means taking any action, with respect to personal data, including by automated means, to sell, share, provide or otherwise transfer personal data to another entity or person or the general public.

8. "Identified or identifiable natural person" means a person who can be readily identified, directly or indirectly.

9. "Personal data" or "personal information":

(a) Means any information that is or can reasonably be linked to an identified or identifiable natural person.

(b) Includes sensitive data.

(c) Does not include deidentified data or publicly available information.

10. "Process" or "processing" means collecting, using, storing, disclosing, analyzing, deleting or modifying personal data, including by automated means.

11. "Processor" means a natural or legal person that processes personal data on behalf of the controller.

12. "Profiling" means any form of automated processing of personal data consisting of using personal data to evaluate certain personal aspects about a natural person, particularly analyzing or predicting aspects of that natural person's economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

13. "Restriction of processing" means marking stored personal data with the aim of limiting the processing of such personal data in the future.

14. "Sale":

(a) Means the exchange of personal data for monetary consideration by the controller to a third party, including for the purposes of licensing or selling personal data at the third party's discretion to additional third parties.

(b) Does not include Disclosing personal data to either of the following:

(i) A processor that processes the personal data on behalf of the controller.

(ii) A third party with whom the consumer has a direct relationship for purposes of providing a product or service requested by the consumer or otherwise in a manner that is consistent with the consumer's reasonable expectations considering the context in which the consumer provided the personal data to the controller.

15. "Sensitive Data" means:

(a) Personal data that reveals a natural person's racial or ethnic origins, religious beliefs, mental, physical, behavioral or psychological health conditions or diagnoses or sex life or sexual orientation.

(b) Genetic or biometric data that is processed to uniquely identify a natural person.

(c) The precise geolocation information of a device associated with a natural person.

(d) the personal data of a known child.

16. "Targeted advertising":

(a) Means displaying to a consumer advertisements that are selected based on personal data obtained or inferred over time from the consumer's activities across nonaffiliated websites, applications or online services to predict user preferences or interests.

(b) Does not include advertising to a consumer based on the consumer's visits to a website, application or online service that a reasonable consumer would believe to be associated with the publisher in which the advertising is placed based on common branding, trademarks or other indicia of common ownership or in response to the consumer's request for information or feedback.

17. "Verified request" means the process through which a consumer may submit a request to exercise a right or rights set forth in this article and by which a controller can reasonably authenticate the request and the consumer making the request using commercially reasonable means. END_STATUTE

START_STATUTE18-572. Consumer rights; access to personal data; verified requests; controller's duty

A. A controller shall facilitate verified requests from consumers to exercise consumer rights as follows:

1. On receipt of a verified request from a consumer, the controller shall notify the consumer whether personal data concerning the consumer is being processed, held or sold to data brokers.  If personal data is being sold to data brokers, the controller shall notify the consumer of the type and category of personal data that has been sold and to whom the personal data has been sold.

2. On receipt of a verified request for disclosure from a consumer, if personal data concerning the consumer is being processed or held by the controller, the controller shall provide a copy of the personal data that the controller processes or maintains or provide the category or type of personal information that is kept if a copy is unavailable or unattainable.   If the consumer makes the request by electronic means, and unless requested by the consumer, the information must be provided in a commonly used electronic form.   For any additional copies requested by the consumer, the controller may charge a reasonable fee based on administrative costs.

3. A controller that collects a consumer's personal data, at or before the point of collection, shall inform the consumer of the categories of personal data to be collected and the purposes for which the categories of personal data will be used.   The controller may not collect additional categories of personal data or use personal data collected for additional purposes without providing the consumer with notice consistent with this section.

4. The controller shall provide the information specified in this subsection to a consumer only on receipt of a verified request.

B. This section does not require a controller to:

1. Retain any personal data collected for a single, onetime transaction if the controller does not sell or retain the information.

2. Reidentify or otherwise link any data that, in the ordinary course of the controller, is not maintained in a manner that would be considered personal data.

C. A controller is presumed to have sold personal data if there is an exchange of personal data and if contract terms with the third party do not limit the use of personal information by the third party.

D. This section does not adversely affect the rights or freedoms of others. END_STATUTE

START_STATUTE18-573. Personal data; correction; deletion; verified requests; requirements; exceptions

A. On receipt of a verified request from a consumer, the controller, without undue delay, shall correct inaccurate personal data concerning the consumer that the controller maintains in identifiable form. Taking into account the business purposes of the processing, the controller shall complete incomplete personal data, including by means of providing a supplementary statement if appropriate. If the controller no longer has the consumer's personal data, the controller shall notify the consumer that the personal data no longer exists and may ask if the consumer would like to add the consumer's personal information.

B. A controller that collects personal data about consumers shall disclose to each consumer the right to request the deletion of the consumer's personal data.

C. On receipt of a verified request for deletion from a consumer, a controller shall delete the consumer's personal data without undue delay if any of the following applies:

1. The personal data no longer relates to the purposes for which the personal data was collected or otherwise processed.

2. For processing that requires consent, the consumer withdraws consent to processing and there are no business purposes for the processing.

3. The personal data must be deleted to comply with a legal obligation under a federal, state or local law or regulation to which the controller is subject.

4. The controller is required to certify when the deletion was completed.

5. The personal data has been unlawfully processed.

D. A controller or processor is not required to comply with a consumer's request to delete the consumer's personal data if it is necessary for the controller or processor to maintain the consumer's personal data in order to complete the transaction for which the personal data was collected, provide a good or service requested by the consumer or reasonably anticipated within the context of a controller's ongoing business relationship with the consumer or otherwise perform a contract between the controller and the consumer.

E. If a controller is required to delete personal data that the controller maintains in identifiable form that has been disclosed to third parties by the controller, including data brokers that received the personal data through a sale, the controller shall take reasonable steps to inform other controllers of which it is aware that process such personal data and that received such personal data from the controller or process such personal data on behalf of the controller that the consumer has requested the other controllers to delete any link to or copy or replication of the personal data. Compliance with this subsection must take into account available technology and cost of implementation.

F. This section does not apply to the extent that processing is necessary:

1. For exercising the right of free speech.

2. For complying with a legal obligation that requires processing of personal data by a federal, state or local law or regulation to which the controller is subject or for performing a task carried out in the public interest or in exercising official authority vested in the controller.

3. For reasons of public interest in the area of public health, if the processing is both of the following:

(a) Subject to suitable and specific measures to safeguard the rights of the consumer.

(b) Under the responsibility of a professional subject to confidentiality obligations under a federal, state or local law or regulation.

4. For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, if deleting such personal data is likely to render impossible or seriously impair the achievement of the objectives of the processing.

5. For establishing, exercising or defending legal claims.

6. To detect or respond to security incidents, protect against malicious, deceptive, fraudulent or illegal activity or identify, investigate or prosecute those responsible for that activity. END_STATUTE

START_STATUTE18-574. Restriction of processing; verified requests; requirements

A. On receipt of a verified request from a consumer, the controller shall restrict processing of personal data if any of the following applies:

1. The accuracy of the personal data is contested by the consumer, for a period enabling the controller to verify the accuracy of the personal data.

2. The processing is unlawful and the consumer opposes the deletion of the personal data and instead requests the restriction of processing.

3. The controller no longer needs the personal data for the purposes of the processing but such personal data is required by the consumer for establishing, exercising or defending legal claims.

4. The consumer objects to the processing pending the verification of whether the legitimate grounds of the controller override those of the consumer.