Tuesday, February 11, 2020

Last week, the Arizona House of Representatives proposed HB 2729, a new privacy law. HB 2729 is more narrow than the California Consumer Privacy Act (CCPA) in several ways, and has a few kinks to be ironed out. However, it shows that Arizona, like many states, has an interest in passing privacy legislation in 2020. Let’s take a closer look at HB 2729.

Who would HB 2729 apply to?

HB 2729 primarily regulates “controllers” and “processors” of personal data. “Controllers” are defined as entities that individually, or with others, “determines the purposes and means of processing personal data.” Use of the term “controllers” shows the goal of HB 2729 is to regulate decision-makers in the collection and processing of personal data. “Processors” are separately defined as entities that collect, use, store, disclose, analyze, delete, or modify personal data.

In order to fall within HB 2729’s jurisdiction, an entity must have $25,000,000 in annual gross revenue or intentionally target products or services to Arizona residents. Next, the entity must either control or process data of at least 100,000 residents or derive 35 percent of its gross revenue from selling personal data and process or control the personal data of at least 25,000 residents.

Although HB 2729 is not focused on the sale of data, it is noteworthy that the definition of sale in HB 2729 is much more narrow than the CCPA, and it is limited to the transfer of personal data for monetary consideration.

Similar to other privacy laws, HB 2729 would not apply to controllers collecting several specific categories of data, such as employment data, data subject to HIPAA, and data collected pursuant to the Fair Credit Reporting Act (FCRA). HB 2729 also would not apply to state or local governments.

How does HB 2729 define “personal data?”

Personal data under HB 2729 is more narrow than the expansive definition under the CCPA. Personal data under HB 2729 includes information that can be reasonably linked to an identifiable natural person and does not include de-identified data or publicly available information. The exemption for publicly available data raises questions about whether data containing names, phone numbers, and addresses, which can usually be found online, qualifies as personal data.

HB 2729 also includes a subset of personal data referred to as “sensitive data.” This includes information regarding race, ethnicity, religion, health conditions, sexual orientation, biometric data, geolocation data, and the personal data of children. Currently, HB 2729 does not include any obligations or heightened liability with respect to sensitive data specifically.

What would HB 2729 require?

HB 2729 would afford consumers a series of rights similar to those under the CCPA and General Data Protection Regulation (GDPR). If a consumer submits a verified request, controllers must notify the consumer of whether personal data is collected and provide the consumer with a copy of the personal data collected. Likewise, collectors must disclose, at the point of collection, what personal data will be collected and what it will be used for. HB 2729 also requires collectors to correct data if a consumer notifies them of a mistake and delete data upon request. This section of HB 2729 includes some exemptions for personal data required to complete a transaction with the consumer, required to be preserved by state or federal law, or required for exercising the right of free speech.

Although HB 2729 defines “processors” separately from “controllers,” there aren’t presently any express provisions that impose obligations on processors. However, the definitions are not mutually exclusive and an entity could fit into both definitions. Further, the liability provisions of HB 2729 apply to both processors and controllers, suggesting that both can be liable for failing to comply with the act. Hopefully, later drafts of HB 2729 will provide more clarity into the obligations of processors.

How will HB 2729 be enforced?

Unlike the CCPA, HB 2729 does not include a private right of action. Thus, Arizona businesses will not face civil lawsuits directly from consumers for mishandling personal data. Instead, enforcement is delegated to the state attorney general. HB 2729 also calls for allocating fault amongst collectors and processors through the principles of comparative fault. The attorney general may impose fines of up to $2,500 for violations and $7,500 for intentional violations.

The takeaway:

While not a perfect piece of legislation, HB 2729 represents a significant step towards Arizona enacting privacy legislation in 2020. Arizona businesses that collect personal data will want to carefully track this legislation and be ready to implement policies and procedures for compliance in the near future.

You can read HB 2729 here.