 |
ARIZONA STATE SENATE
Fifty-Seventh Legislature, Second Regular Session
AMENDED #2
artificial intelligence service; disclosures; requirements
Purpose
Effective October 1, 2027, prescribes requirements and prohibitions that an operator of a publicly available conversational artificial intelligence (AI) service must comply with, including requirements relating to the use of a conversational AI service by minor account holders.
Background
The federal National Artificial Intelligence Initiative Act of 2020 (Act) codified the establishment of a national AI initiative and associated federal offices and committees. The Act directed the Secretary of Commerce, in coordination with other federal agencies, including the National Institute of Standards and Technology, the Department of Energy and the Department of Homeland Security, to establish guidelines and best practices for developing safe, secure and trustworthy AI systems, with the aim of promoting consensus industry standards. Artificial Intelligence is a machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations or decisions influencing real or virtual environments. AI systems use machine and human-based inputs to: 1) perceive real and virtual environments; 2) abstract such perceptions into models through analysis in an automated manner; and 3) use model inference to formulate options for information or action (15 U.S.C. §§ 9401 et seq).
There is no anticipated fiscal impact to the state General Fund associated with this legislation.
Provisions
1. Requires each operator of a publicly available conversational AI service to clearly and conspicuously disclose to each account holder that the account holder is interacting with a conversational AI service by use of a persistent visible disclaimer or a disclaimer at the beginning of each session and appearing at least every three hours during a continuous interaction with the AI service.
2. Prohibits an operator from providing an account holder with points or similar rewards at unpredictable intervals with the intent to encourage increased engagement with the conversational AI service, if the operator knows that the account holder is a minor.
3. Requires each operator to institute reasonable measures to prevent a conversational AI service from performing certain actions for account holders, including:
a) producing visual material of sexual conduct;
b) generating direct statements that the account holder should engage in sexual conduct; and
c) generating statements that sexually objectify the account holder.
4. Requires an operator to institute, for minor account holders, reasonable measures to prevent a conversational AI service from generating statements that would lead a reasonable person to believe that the person is interacting with a human, including:
a) explicit claims that the conversational AI service is sentient or human;
b) statements that simulate emotional dependence;
c) statements that simulate romantic or sexual innuendos; and
d) role-playing of adult-minor romantic relationships.
5. Requires each operator to offer tools to manage the account holder's privacy and account settings for minor account holders and the minor's parent or guardian, if the minor is under 13 years old or as appropriate based on relevant risks.
6. Specifies that the tools for managing a minor account holder's privacy and account settings may be local to a device or the account and may not require a digital identification system.
7. Instructs each operator to adopt a protocol for a conversational AI service to respond to an account holder's prompt regarding suicidal ideation or self-harm, including reasonable efforts to provide a response that refers the account holder to crisis service providers.
8. Requires an operator to institute reasonable measures to prevent the conversational AI service from generating statements that encourage, glorify or instruct an account holder to commit suicide or self-harm.
9. Prohibits an operator from knowingly and intentionally causing or programming a conversational AI service to make any representation or statement that explicitly indicates that that the AI service is designed to provide professional mental or behavioral health care.
10. Prohibits an operator from conditioning access to a conversational AI service on the use of a digital identification system for age verification, unless expressly required by federal law.
11. Stipulates that an operator must provide a privacy-preserving alternative that provides equivalent access to the conversational AI service if the operator voluntarily offers a digital identification system.
12. Limits an age assurance method to collecting only the minimum amount of data that is reasonably necessary.
13. Prohibits data collected by an age assurance method from being repurposed for advertising, profiling or unrelated analytics.
14. Requires data collected by an age assurance method to be deleted or irreversibly de-identified after the compliance purpose is satisfied.
15. Specifies that the outlined requirements relating to digital identification systems and age assurance methods do not require an operator to mandate account creation or prohibit anonymous or pseudonymous use.
16. Requires an operator to implement reasonable safeguards that protect personal and age-related data that is collected for compliance with the prescribed conversational AI service requirements and to provide a security system breach notification when prescribed requirements necessitate such notification.
17. Prohibits any data that is collected solely for compliance with the conversational AI service requirements from being used, sold or shared for targeted advertising, behavioral profiling or any secondary monetization.
18. Prohibits a government entity from compelling an operator to disclose personal or age-related data that is collected solely to comply with the conversational AI service requirements, unless a warrant is issued for the data by a court of competent jurisdiction on a showing of probable cause.
19. Requires an operator that receives a warrant from a government entity to notify the affected account holder within 72 hours after the disclosure, unless a court order specifically prohibits the notification.
20. Prohibits an operator from transferring, licensing or making available to a government entity any data, model, analytics or profile that is derived from compliance with the conversational AI service requirements, whether directly or through a third-party intermediary, unless required by a warrant as outlined.
21. Instructs each operator, by April 1 of each year, to:
a) certify in writing, under penalty of perjury, that all collected personal or age-related data is destroyed or irreversibly de-identified after compliance with the conversational AI service requirements is satisfied; and
b) publish a publicly accessible, aggregate report that identifies any age-assurance methods the operator uses, states whether a digital identification system is offered and states any available alternative methods.
22. Subjects an operator who violates the outlined conversational AI service requirements and prohibitions to an injunction and liability for the greater of actual damages or civil penalties of $1,000 per violation, up to $500,000 per operator.
23. Specifies that a violation of the outlined AI requirements and prohibitions is punishable by a civil penalty only to be sought by the Attorney General.
24. Specifies that the outlined conversational AI requirements and prohibitions do not create a private right of action for enforcement or for support of a private right of action under any other law.
25. Prohibits the Attorney General from adopting any rule, guidance or enforcement action or entering into a settlement agreement that expands a conversational AI service requirement beyond the requirements that are expressly prescribed, including an identity verification or bulk data reporting requirement.
26. Excludes a developer of an AI model from liability for a violation of the outlined AI requirements and prohibitions by a conversational AI service that is made available to the public by a third-party operator.
27. Requires the conversational AI service requirements to be construed in the least intrusive manner that is consistent with the right to privacy as prescribed by the Arizona Constitution.
28. Prohibits the conversational AI service requirements from being used to implement a system that tracks any of an account holder's online activity.
29. Specifies that the prescribed conversational AI service requirements:
a) do not authorize the regulation of lawful political, religious or other protected speech;
b) may not be cited or used as a predicate or justification to require digital identification for general internet access, device access or online activity that is unrelated to a conversational AI service;
c) may not be construed to require or authorize an operating system provider, application store, internet service provider or device manufacturer to implement an age-assurance method or identity authentication at the device, operating system or network level on behalf of an operator; and
d) may not be cited or used to create or enforce a social scoring system, social credit system, or any system that rates, ranks or restricts access to a service based on an individual's behavior, expressions or associations, regardless of whether such behaviors, expressions or associations relate to a conversational AI service.
30. Defines terms.
31. Becomes effective on October 1, 2027.
Amendments Adopted by Additional Committee of the Whole
1. Requires each operator of a conversational AI service to clearly and conspicuously disclose to each account holder, rather than only to minor account holders, that the person is interacting with a conversational AI service as outlined.
2. Specifies that the tools for managing a minor account holder's privacy and account settings may be local to the device or account and do not require a digital identification system.
3. Modifies the list of reasonable measures that an operator must implement for a conversational AI service by including measures that prevent the conversational AI service from generating statements that encourage, glorify or instruct an account holder to commit suicide or self-harm.
4. Outlines requirements and prohibitions on the use of digital identification systems and age assurance methods relating to compliance with the conversational AI service requirements, including requirements relating to data collection and retention, privacy and reporting.
5. Prohibits age assurance or digital identification data collected solely for compliance with the conversational AI service requirements from being used, sold or shared for specified purposes.
6. Prohibits an operator from transferring, licensing or making available certain information derived from compliance with the conversational AI service requirements to a government entity, unless a warrant for the information is issued as prescribed.
7. Prohibits the Attorney General from expanding any conversational AI service requirement beyond the requirements that are expressly prescribed.
8. Specifies that the outlined conversational AI service requirements:
a) do not authorize the regulation of lawful political, religious or other protected speech; and
b) may not be construed to authorize or require certain providers, manufacturers or application stores to implement an age-assurance method or identity authentication on behalf of an operator.
9. Requires the conversational AI service requirements to be construed in the least intrusive manner as outlined.
10. Prohibits the conversational AI service requirements from being cited as a predicate for requiring digital identification for general internet access, device access, or online activity that does not relate to a conversational AI service.
11. Modifies the definition of conversational AI service by excluding applications, web interfaces and computer programs that:
a) incorporate, rather than function as, a speaker and voice command interface or text interface and act as a text-activated or voice-activated virtual assistant for a consumer electronic device; and
b) are used by state or local government agencies solely for customer service or to strictly provide users with information about available services or products that are provided by the agency, customer service account information or other information that is strictly related to the agency's customer service.
12. Defines age-assurance method as any technical or administrative mechanism that is used solely to determine whether an account holder is a minor.
13. Defines digital identification system as a process that uses government-issued identification, facial recognition, facial age-estimation or age-classification technology, biometrics or another uniquely identifying credential to authenticate an account holder's real-world identity or to estimate an account holder's age.
14. Removes the definition of visual depiction.
15. Makes technical and conforming changes.
Amendments Adopted by Additional Committee of the Whole #2
1. Replaces the prohibition on an operator from requiring a digital identification system solely to determine whether an account holder is a minor with the prohibition on an operator from conditioning access to a conversational AI service on the use of a digital identification system for age verification, except as required by federal law.
4. Makes technical changes.
House Action Senate Action
AII 2/12/26 DPA 7-0-0-0 ATT 3/17/26 DP 7-2-1
3rd Read 2/24/26 43-13-4
Prepared by Senate Research
June 11, 2026
LMM/KS/ci