ARIZONA HOUSE OF REPRESENTATIVES

Fifty-fourth Legislature

Second Regular Session

 


HB 2729: personal data; processing; security standards

Sponsor:  Representative DeGrazia, LD 10

Committee on Technology

Overview

Establishes law governing data and security standards for a controller who collects and processes a consumer's personal data.

History

The Statewide Information Security and Privacy Office serves as the strategic planning, facilitation and coordination office for information technology security in Arizona.  The Office must develop, implement, maintain and ensure compliance by each state agency with a coordinated statewide assurance plan for information security and privacy.  Additionally, the Office must: 1) direct information security and privacy protection compliance reviews with each state agency to ensure compliance with standards and effectiveness of security assurance plans; 2) identify information security and privacy protection risks in each budget unit and direct agencies to adopt risk mitigation strategies, methods and procedures to lessen these risks; 3) monitor and report compliance of each budget unit with state information security and privacy protection policies, standards and procedures; 4) coordinate statewide information security and privacy protection awareness and training programs; and 5) develop other strategies as necessary to protect this state's information technology infrastructure and the data that is stored on or transmitted by the infrastructure (A.R.S. § 18-105).

Provisions

Data and Security Standards (Sec. 1)

1.    Instructs a controller to facilitate verified requests from consumers to exercise consumer rights as follows:

a)    Notify the consumer whether personal data concerning the consumer is being processed, held or sold to data brokers;

b)    Provide a copy of the personal data that the controller processes or, if a copy is unavailable or unobtainable, provide the category or type of personal information that is kept;

c)    Inform the consumer, at or before the point of collecting personal data, of the categories of personal data to be collected and the purposes for which the categories of personal data will be used; and

d)    Provide specified information to a consumer only on receipt of a verified request.

2.    Specifies a controller is not required to:

a)    Retain any personal data collected for a single, one-time transaction if the information is not sold or retained by the controller; or

b)    Reidentify any data that, in the ordinary course of the controller's business, is not maintained in a manner that would be considered personal data.

3.    Presumes a controller to have sold personal data if there is an exchange of personal data.

4.    Requires the controller to correct inaccurate personal data that the controller maintains in identifiable form concerning the consumer.

5.    Instructs the controller to complete incomplete personal data.

6.    Requires the controller to notify the consumer that the personal data no longer exists and allows the controller to ask whether the consumer would like to add the consumer's personal information.

7.    Requires a controller to disclose to each consumer the right to request the deletion of the consumer's personal data.

8.    Instructs the controller to delete the personal information, if requested by the consumer, when specified criteria are met.

9.    Provides circumstances in which the controller is not required to comply with a deletion request.

10.  Stipulates that if a controller is required to delete personal data, the controller must take reasonable steps to inform other controllers that are processing that personal data that the consumer has requested its deletion by those other controllers.

11.  Outlines circumstances in which the requirements for correcting or deleting personal information do not apply.

12.  Requires the controller to restrict processing of personal data if specified conditions apply.

13.  Outlines how restricted personal data may be processed.

14.  Instructs the controller to inform a consumer who has obtained a restriction of processing, before the restriction of processing is lifted, of the lifting and the proposed legal basis for it.

15.  Requires the controller to provide to the consumer any personal data that the controller maintains in identifiable form concerning the consumer that the consumer has provided to the controller.

16.  Specifies requests for personal data must be without prejudice to the consumer's right to delete.

17.  Asserts the rights provided do not apply to processing necessary to perform a task carried out in the public interest or to exercise official authority vested in the controller.

18.  Allows a consumer to object to the processing of personal data concerning the consumer.

19.  Prohibits a controller, on receipt of an objection to processing, from processing the personal data subject to the objection.

20.  Requires the controller to take reasonable steps to communicate the consumer's objection regarding any further processing of the consumer's personal data for those purposes to any third party to whom the controller sold the personal data for that purpose.

21.  Allows the controller to continue processing the personal data subject to the objection:

a)    If a consumer objects to processing for any purpose other than targeted advertising; and

b)    If the controller can demonstrate a legitimate ground to process that data that overrides the potential risks to the rights of the consumer.

22.  Instructs a controller to communicate any correction, deletion or restriction of processing to each third-party recipient to whom the controller knows the data has been disclosed.

23.  Requires the controller to provide information on action taken on a verified request without undue delay and within 30 days after receipt of the request.

a)    Allows for an extension of 60 additional days.

b)    Stipulates the information must be provided by electronic means if possible, as requested.

24.  Requires the controller, who does not act on a request, to inform the consumer within 30 days after receipt of the request of the reasons for not acting.

25.  Requires the controller to provide the information free of charge to the consumer.

26.  Outlines permissible action by the controller for requests that are manifestly unfounded or excessive.

27.  Allows the controller to request additional information necessary to confirm the identity of the consumer.

28.  Specifies the consumer is not subject to a decision based solely on profiling that produces legal effects concerning the consumer or that similarly significantly affects the consumer.

29.  Specifies the requirements relating to controller responsibilities do not apply if the decision meets certain criteria.

30.  Requires the controller to implement suitable measures to safeguard consumer rights and legitimate interests with respect to decisions based solely on profiling.

31.  Permits the Attorney General to enforce data and security requirements and outlines civil penalties for violations.

32.  Preempts the regulation of data security from any local law or regulation by a local government.

33.  Specifies the obligations imposed on controllers or processors do not restrict their ability to:

a)    Comply with federal, state or local laws;

b)    Comply with a civil or criminal inquiry or investigation by any governmental authority;

c)    Cooperate with law enforcement agencies concerning conduct or activity that the controller believes may violate federal, state or local laws;

d)    Investigate, exercise or defend legal claims; or

e)    Prevent or detect identity theft, fraud or other criminal activity.

34.  Specifies conditions in which the obligations imposed on controllers or processors do not apply.

35.  Provides a condition in which a controller or processor that discloses personal data to a third party is not in violation of law.

36.  Specifies a controller or processor is not required to:

a)    Reidentify deidentified data;

b)    Retain personal data concerning a consumer that it would not otherwise retain in the ordinary course of business;

c)    Comply with a request to exercise any right if the controller is unable to verify the identity of the consumer making the request; or

d)    Retain personal data beyond existing legal obligations, rules or laws.

37.  Asserts the obligations imposed on controllers and processors do not:

a)    Adversely affect the rights of any persons; or

b)    Apply to processing personal data by a natural person in the course of a purely personal or household activity.

38.  Specifies these requirements do not serve as the basis for a private right of action.

39.  Assigns liability to parties according to principles of comparative fault unless otherwise allocated by a contract among the parties.

40.  Applies these requirements to a legal entity with an annual gross revenue of at least $25,000,000 that conducts business in this state or produces products or services that are intentionally targeted to residents and that satisfies defined thresholds.

41.  Exempts state and local governments, certain personal data sets and businesses and activities that are covered by the Fair Credit Reporting Act.

42.  Defines pertinent terms.

☐ Prop 105 (45 votes)      ☐ Prop 108 (40 votes)      ☐ Emergency (40 votes)      ☐ Fiscal Note

HB 2729

Initials PRB           Technology