Privacy Guide · April 28, 2026 · 7 min read

Privacy Laws in Arizona: What You Need to Know

By Sarah Chen

Head of Privacy Research

Arizona is one of the states that has not yet passed comprehensive consumer data privacy legislation. However, that doesn't mean Arizona residents are without protections. The state has several targeted privacy laws covering data breaches, genetic information, and student data. Here's what you need to know about your privacy rights in Arizona.

Arizona's Current Privacy Landscape

As of 2026, more than 20 states have enacted comprehensive consumer data privacy laws. Arizona is not yet among them, though a consumer data privacy bill (SB 1815) was introduced in the Arizona Senate in 2026. Until such legislation passes, Arizona residents rely on a patchwork of targeted statutes for protection.

Data Breach Notification Law

The cornerstone of Arizona's data privacy framework is its data breach notification statute, found at A.R.S. §§ 18-551 and 18-552. Originally enacted in 2006 and significantly strengthened by HB 2146 in 2022, this law sets clear requirements for businesses that experience security breaches.

Key Requirements

  • 45-day notification deadline — businesses must notify affected Arizona residents within 45 days of discovering a breach
  • Attorney General notification — if a breach affects more than 1,000 individuals, the business must also notify the Arizona Attorney General
  • Content requirements — breach notifications must include a description of the incident, the types of personal information involved, and steps consumers can take to protect themselves

What Counts as Personal Information

Arizona's breach notification law covers a broad range of data, including:

  • Social Security numbers
  • Driver's license or state ID numbers
  • Financial account numbers with access codes
  • Health insurance or medical ID numbers
  • Biometric data (fingerprints, retina scans, etc.)
  • Passport numbers
  • Taxpayer identification numbers

What to Do If You Receive a Breach Notice

If an Arizona company notifies you of a data breach, immediately freeze your credit with all three bureaus, change passwords for affected accounts, monitor your financial statements, and consider signing up for identity theft monitoring.

Genetic Information Privacy

Arizona enacted the Genetic Information Privacy Act to regulate direct-to-consumer genetic testing companies like 23andMe, AncestryDNA, and similar services. This is one of the stronger privacy protections available to Arizona residents.

The law requires genetic testing companies to:

  • Obtain your express consent before collecting, using, or sharing your genetic data
  • Get separate consent for sharing data with third parties
  • Get separate consent for using data beyond the primary testing purpose
  • Get separate consent for retaining your biological sample after testing is complete
  • Get separate consent for marketing to you based on your genetic results

This layered consent approach gives you meaningful control over one of the most sensitive types of personal data.

Student Data Privacy

Arizona law restricts how schools handle student data, particularly biometric information:

  • Schools cannot collect biometric information from students without written parental or guardian consent
  • Schools must provide written notice to parents at least 30 days before collecting biometric data
  • These protections apply to school districts and charter schools

What Arizona Lacks

Arizona residents currently do not have broad statutory rights to access, correct, or delete their personal data held by private businesses. There is no state-level right to opt out of data sales, no data portability right, and no private right of action for privacy violations. These rights are commonly found in comprehensive privacy laws like California's CCPA.

The Push for Comprehensive Legislation

Arizona legislators have introduced consumer data privacy bills in recent sessions, and SB 1815 in 2026 represented the most recent effort. If passed, such legislation would likely grant Arizona residents:

  • The right to know what personal data companies collect about them
  • The right to delete their personal data
  • The right to opt out of data sales
  • The right to correct inaccurate data
  • Protection against discrimination for exercising privacy rights

Until then, Arizona residents must rely on federal laws like the Fair Credit Reporting Act and targeted state statutes for protection.

Protecting Yourself Without a Comprehensive Law

The absence of a comprehensive privacy law means Arizona residents need to be more proactive about protecting their own data. Here are the most important steps you can take:

  • Opt out of data brokers manually — you can submit removal requests directly to sites like Spokeo, BeenVerified, Whitepages, and others
  • Freeze your credit — this prevents new accounts from being opened in your name
  • Use privacy-focused tools — VPNs, encrypted messaging apps, and password managers all help reduce your exposure
  • Monitor for breaches — services like PrivacyOn include dark web monitoring to alert you when your data appears in breach databases

PrivacyOn makes data broker removal automatic. We continuously monitor over 100 data brokers and people-search sites, submit opt-out requests on your behalf, and verify that your information stays removed — providing the kind of ongoing protection that Arizona law doesn't yet require businesses to give you.

Sarah Chen

Head of Privacy Research

CIPP/US Certified · IAPP Member · B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
