REFERENCE TITLE: chatbot regulations; personal data; requirements
State of Arizona House of Representatives Fifty-seventh Legislature Second Regular Session 2026
HB 2737
Introduced by Representatives Crews: Aguilar, Liguori, Mathis, Sandoval, Simacek, Travers, Villegas
AN ACT
Amending title 44, chapter 9, Arizona Revised Statutes, by adding article 27; relating to commerce.
Be it enacted by the Legislature of the State of Arizona:
Section 1. Title 44, chapter 9, Arizona Revised Statutes, is amended by adding article 27, to read:
ARTICLE 27. CHATBOT REGULATIONS
44-1383. Definitions
In this article, unless the context otherwise requires:
1. "Advertisement":
(a) Means any written or oral statement, illustration or depiction that is displayed in exchange for monetary or other valuable consideration if the written or oral statement, illustration or depiction does either of the following:
(i) Promotes the sale or use of a good or service.
(ii) Is designed to increase interest in a brand, good or service.
(b) Includes access to data between the chatbot provider and a brand, good or service.
2. "Affirmative consent":
(a) Means a clear affirmative act that signifies a user's freely given information and unambiguous authorization for an act or practice in response to a specific request from a chatbot provider, if:
(i) The request is provided to the user in a clear and conspicuous stand-alone disclosure.
(ii) The request includes a description that is written in easily understandable language.
(iii) The request is made in a manner that is reasonably accessible and available by users with disabilities.
(iv) The request is made available to the user in each language in which the chatbot provider provides a chatbot.
(v) The option to decline consent is at least as prominent as the option to give consent, and the option to decline consent takes the same or fewer number of steps as the option to give consent.
(vi) Affirmative consent to an act or practice may not be inferred from the inaction of the user or the user's continued use of a chatbot.
(b) Does not include:
(i) Acceptance given by general or broad terms of use.
(ii) Hovering over, muting, pausing or closing a given piece of content.
(iii) An agreement that is obtained through the use of a false, fraudulent or materially misleading statement or representation.
(iv) An agreement that is obtained through the use of other dark patterns.
3. "Chatbot":
(a) Means an algorithmic or automated system that generates information through text, audio, image or video in a manner that simulates interpersonal interactions or conversation.
(b) Includes artificial intelligence.
4. "Chatbot provider" means any person that creates, distributes or otherwise makes a chatbot available to a user.
5. "Chat log" means both of the following:
(a) Input data or a record of the input data.
(b) Output data that is generated by a chatbot or from interactions with a chatbot.
6. "Dark pattern" means a user interface that is designed or manipulated to subvert or impair a user's autonomy, decision-making or choice.
7. "De-identified data" means information that:
(a) Cannot reasonably be used to infer or derive the identity of a user.
(b) Does not identify a user.
(c) Is not linked or is reasonably linkable to a user.
8. "Input data":
(a) Means information.
(b) Includes:
(i) Texts.
(ii) Photos.
(iii) Audio files.
(iv) Video files.
(v) Any type of file that is provided to a chatbot by a user.
9. "Model" means an engineered or machine-based system underlying a chatbot and that is based on the input data that it receives and that can infer how to generate output data that can influence physical or virtual environments.
10. "Personal data":
(a) Means either of the following:
(i) Any information, including derived data, that is linked or reasonably linkable either by itself or in combination with other information to an identified or identifiable user.
(ii) A device that identifies or is linked or is reasonably linkable to a user.
(b) Does not include de-identified data or publicly available information.
11. "Publicly available information":
(a) Means information that has been lawfully made available to the public subject to a public records request pursuant to title 39, chapter 1.
(b) Does not include:
(i) Obscene items as prescribed in title 13, chapter 35.
(ii) Biometric data.
(iii) Personal data that is created through the combination of personal data and publicly available information.
(iv) Genetic data, unless the genetic data was made available to the public by the user to whom the genetic data pertains.
(v) Information that is made available to the public by a user who uses a website or online platform on which the user has restricted the information to a specific audience.
(vi) Intimate images that are either authentic or computer generated and that are known to be nonconsensual.
12. "Process" or "processing":
(a) Means any operation or set of operations that are performed on personal data or input data.
(b) Includes the use, storage, disclosure, analysis, deletion or modification of personal data or input data.
13. "Profiling":
(a) Means to process personal data or input data to classify or designate personality traits and behavioral characteristics of a user.
(b) Does not include processing chat logs for user safety or to otherwise comply with this article.
14. "Sell":
(a) Means either of the following:
(i) The exchange of personal data or input data for monetary or other valuable consideration.
(ii) To make personal data or input data available to a third party for monetary or other valuable consideration.
(b) Does not include any of the following:
(i) The disclosure of personal data or input data to a third party that processes the personal data or input data on behalf of the chatbot provider.
(ii) The disclosure of personal data or input data where the user provides affirmative consent and directs the chatbot provider to disclose the personal data or input data or intentionally uses the chatbot provider to interact with a third party.
(iii) The disclosure of personal data or input data that the user intentionally made available to the public through social media and did not restrict the information to a specific audience.
15. "Training":
(a) Means the use of input data to adjust or modify a model.
(b) Does not include:
(i) Tests that are used to identify risk of harm to users.
(ii) Adjustments or modifications that are made to address identified risk of harm to users.
(iii) Any action that is necessary to comply with this article or as otherwise required by law.
16. "User" means any natural person regardless of age.
44-1383.01. Chatbot provider; data security; personal data; prohibitions; requirements
A. A chatbot provider may not:
1. Process personal data to inform a chatbot output unless processing personal data is necessary to fulfill an express request that is made by a user and the user provides affirmative consent.
2. Process a user's chat log:
(a) To determine whether to display an advertisement for a product or service to a user.
(b) To determine a product or service or category of a product or service to advertise to a user.
(c) To customize an advertisement for presentation to a user.
3. Process a user's chat log and personal data:
(a) If the chatbot provider knows or reasonably should have known that based on knowledge of objective circumstances the user is a minor and the user's parent or legal guardian did not provide affirmative consent.
(b) For training purposes if the chatbot provider knows or reasonably should have known that based on knowledge of objective circumstances the user is a minor and the user's parent or legal guardian did not provide affirmative consent.
(c) For training purposes if the user is an adult, unless the chatbot provider first obtains affirmative consent.
(d) To engage in profiling beyond what is necessary to fulfill an express request.
4. Profile a user based on any classification or designation of the user's personality or behavioral characteristic beyond what is necessary to fulfill an express request made by the user.
5. Sell a user's chat logs.
6. Retain a user's chat log for more than ten years, unless retention is necessary to comply with this article or otherwise required by law.
7. Discriminate or retaliate against a user, including:
(a) Denying products or services to the user.
(b) Charging different prices or rates for products or services to the user.
(c) Providing lower quality products or service to the user for refusing to consent to the use of chat logs or personal data for training purposes.
B. A user has a right to access the user's own chat logs at any time. A chatbot provider shall provide a user's own chat log on request by the user and shall provide the chat log in a downloadable and easy to read format. A chatbot provider may not discriminate or retaliate against a user pursuant to subsection A, paragraph 7 of this section that requests the user's chat.
C. A government entity may not compel the production of or access to input data or chat logs from a chatbot provider, except as pursuant to a wiretap warrant.
D. A chatbot provider shall develop, implement and maintain a comprehensive data security program that contains administrative, technical and physical safeguards that are proportionate to the volume and nature of personal data and chat logs that are maintained by the chatbot provider. The program shall be written and made publicly available on the chatbot provider's website.
E. A chatbot provider shall take the necessary physical, administrative and technical measures to prevent de-identified data from being re-identified and to process, retain and transfer de-identified data without any reasonable means of re-identification.
44-1383.02. Chatbot provider; advertising; prohibitions; notice requirements
A. A chatbot provider may not:
1. Use any term, letter or phrase in the advertising, interface or output data of a chatbot that states or implies that the advertising, interface or output data of a chatbot is endorsed by or equivalent to any of the following:
(a) Any certified, registered or licensed professional pursuant to title 32.
(b) A licensed legal professional.
(c) A certified public accountant as defined in section 32-701.
(d) An investment advisor or an investment adviser representative as defined in section 44-3101.
(e) A licensed fiduciary as prescribed in title 14, chapter 5, article 7.
2. Include any representation in the advertising, interface or output data of a chatbot that states or implies the user's input data or chat log is confidential.
B. A chatbot provider shall provide clear, conspicuous and explicit notice to a user that the user is interacting with a chatbot rather than a natural person before the chatbot may generate any output data. The chatbot provider shall include this notice at the beginning of each chatbot communication with a user, every hour thereafter and each time a user asks whether the chatbot is a natural person. The text of the notice:
1. Shall be written in the same language that the chatbot communicates with the user and shall appear in a font size that is easily readable by an average user and is not smaller than the largest font size used for other chatbot communications.
2. Must comply with the rules adopted by the attorney general pursuant to section 44-1383.03.
C. In compliance with the rules adopted by the attorney general pursuant to section 44-1383.03, a chatbot provider shall:
1. On a monthly basis:
(a) Evaluate its chatbot for potential risk of harm to users.
(b) Make information about its chatbot publicly available on its website.
2. Mitigate any risk of harm to users.
44-1383.03. Attorney general; rulemaking
A. The attorney general shall adopt rules to implement this article. The rules shall:
1. Describe the form and content of the notice that is required pursuant to section 44-1383.02.
2. Provide an example template for the notice that is required pursuant to section 44-1383.02.
3. Describe any potential risk of harm to users.
4. Provide requirements for a chatbot provider to implement to reduce the risk of harm to users.
B. The attorney general may adopt any other rules necessary to implement this article.
44-1383.04. Chatbots; products liability; injury to user
A. A chatbot is considered a product for the purposes of a product liability action as prescribed in title 12, chapter 6, article 9.
B. A chatbot provider has a duty to ensure that the use of the chatbot provider's does not cause injury to a user.
C. A chatbot provider is liable for any injury that the chatbot causes to a user if either of the following occurs:
1. The chatbot provider exercised all reasonable care in the design and distribution of the chatbot.
2. The chatbot provider did not directly distribute the chatbot to the user or otherwise enter into a contractual relationship with the user.
44-1383.05. Attorney general; county attorney; violation; civil action; enforcement; private right of action; civil penalty
A. The attorney general or a county attorney may bring a civil action against a chatbot provider that violates this article and that includes any of the following:
1. Enjoining an act or practice in violation of this article.
2. Enforcing compliance with this article or a rule adopted pursuant to this article.
3. Obtaining damages, civil penalties, restitution or other remedies.
4. Obtaining reasonable attorney fees and other litigation costs.
B. A violation of section 44-1383.01 or 44-1383.02 constitutes an injury in fact to a user.
C. A user who is injured by a violation of section 44-1383.01 or 44-1383.02 may bring a civil action against the chatbot provider, and a court of competent jurisdiction may award a prevailing plaintiff any of the following:
1. A civil penalty of not more than $5,000 per violation of this article.
2. Punitive damages for reckless and knowing conduct.
3. Injunctive relief.
4. Declaratory relief.
5. Reasonable attorney fees and litigation costs.
Sec. 2. Short title
This act may be cited as the "ChatBot Protection Act".