Arizona is one of the states most frequently cited as being on the verge of passing comprehensive data privacy legislation. Multiple bills have advanced further through the legislative process than in most states without a law — clearing committees with bipartisan support and generating broad consensus on most provisions. The most recent serious attempt was HB 2774 in the 2023–2024 session, which closely mirrored Virginia's Consumer Data Protection Act (CDPA) model. The bill had support from both Republican and Democratic legislators and was seen as a reasonable middle ground between consumer protections and business flexibility. It stalled in the final stages due to disagreements over the scope of exemptions for small businesses and the cure period duration. Arizona's situation is notable because, unlike states where ideological disagreement creates gridlock, most Arizona legislators on both sides broadly agree that a privacy law is needed. The disputes are largely technical — about thresholds, exemptions, and enforcement mechanisms — rather than fundamental. This makes Arizona one of the most likely next states to enact a comprehensive privacy law.
Arizona introduces its first serious comprehensive privacy bills in both chambers, generating significant attention as an early non-coastal state to take the issue seriously.
Revised bills clear both the House and Senate Commerce Committees with strong bipartisan votes, the furthest any Arizona privacy bill had advanced.
A Virginia-model bill advances through the House with minimal opposition. Senate version stalls over exemption language in the final weeks of session.
Revised bill introduced addressing previous concerns. Industry and consumer groups have reached tentative agreement on most provisions. A floor vote is anticipated.
Arizona is widely considered among the next states most likely to enact comprehensive privacy legislation, potentially in the 2025 legislative session.
Arizona's proposed privacy legislation is modeled primarily on Virginia's Consumer Data Protection Act (CDPA) — the same framework adopted by Iowa, Indiana, Kentucky, and several other states. The bill would provide standard consumer rights (access, correction, deletion, portability, opt-out of sale and targeted advertising) and require opt-in consent for sensitive personal data. Arizona's proposed thresholds — 100,000 consumers or 25,000 consumers with data sales generating over 25% of revenue — align with the national majority approach. The bill includes a 30-day cure period before penalties can be imposed, and enforcement would rest exclusively with the Arizona Attorney General with no private right of action.
If enacted as currently drafted, Arizona residents would receive the following privacy rights:
Confirm whether a business processes your personal data and request a copy of it.
Request correction of inaccurate personal data a business holds about you.
Request deletion of personal data that has been collected about you.
Receive your data in a portable, machine-readable format.
Prevent businesses from selling your personal data to third parties.
Stop businesses from using your data for cross-context behavioral advertising.
Opt out of automated decision-making in significant life decisions.
Businesses cannot penalize you for exercising your privacy rights.
The rights listed above are proposed, not enacted. They reflect the bill's current draft language and may change significantly before passage — or the bill may not pass at all. Until Arizona enacts a comprehensive privacy law, residents have limited state-level data privacy rights. Check our Active Laws page to see which states have enacted protections.
Arizona's delays have been largely technical rather than ideological. The main sticking points in recent sessions have been: (1) Small business exemptions — how to define the revenue/data threshold so that truly small businesses aren't burdened while still covering the major data processors; (2) Cure period length — business groups have pushed for a permanent cure period (allowing companies to fix violations before paying fines indefinitely) while consumer advocates argue this eliminates accountability; (3) Nonprofit exemptions — whether nonprofit data collectors (including hospitals, universities, and advocacy organizations that process large amounts of personal data) should be fully exempt. These are resolvable differences, and observers widely expect Arizona to enact a law within one to two legislative sessions.
| Feature | Arizona (Proposed) | Virginia (Active) | California (Active) |
|---|---|---|---|
| Comprehensive privacy rights | Proposed | ✅ Yes | ✅ Yes |
| Right to delete | Proposed | ✅ Yes | ✅ Yes |
| Opt out of sale of data | Proposed | ✅ Yes | ✅ Yes |
| Sensitive data protections | Proposed | ✅ Yes | ✅ Yes |
| Enforcement agency | TBD | VA Attorney General | CA Privacy Protection Agency |
| Private right of action | TBD | No | Yes (breach only) |
| Currently enforceable | ❌ No | ✅ Yes | ✅ Yes |
Even though Arizona does not yet have a comprehensive privacy law, you are not without options:
Privacy laws pass because constituents demand them. If you believe Arizona residents deserve strong data privacy rights, contact your state legislature. Find your representatives at OpenStates.org — it takes only a few minutes to send a message that matters.
Use our Opt-Out Guide to see what rights you have today and get direct opt-out links for major companies.
Privacy legislation moves quickly. Subscribe to our newsletter and we'll alert you the moment Arizona passes a new privacy bill, a vote is scheduled, or a major amendment changes the bill's scope. You'll also receive our monthly digest of all U.S. privacy law changes — free, always.