Arizona data breach notification law

Arizona's data breach notification requirements under Ariz. Rev. Stat. §18-552. Below: the resident-notification deadline, AG/regulator filing threshold, the encryption safe harbor, private right of action exposure, penalty schedule, and the common pitfalls that turn an avoidable incident into a regulator enforcement action.

Statute: Ariz. Rev. Stat. §18-552
Enforcer: Arizona Attorney General
AG notification: Required
Private right of action: No (AG-only enforcement)

Notification deadlines

Notify affected residents: Within 45 days of determining that a breach has occurred
Notify the state regulator: Yes — within 45 days if more than 1,000 Arizona residents are affected (written notice to AG and all three nationwide CRAs)
Notify consumer reporting agencies: Yes — if more than 1,000 residents, notify all three nationwide consumer reporting agencies

When is notification required?

Trigger / harm threshold: Notification not required if a reasonable investigation determines that a substantial economic loss is not likely to occur
Encryption safe harbor: Yes — properly encrypted personal information is generally exempt from notification, provided the encryption key was not also compromised.

What counts as "personal information" under Arizona law

First name/initial + last name with SSN, DL/AZ ID, private key for digital signature, financial account + access code, health-insurance ID, medical/mental-health info, taxpayer ID, biometric data, OR username/email + password granting account access

Penalties and enforcement

Civil penalty up to $10,000 per affected individual, capped at $500,000 per breach
Enforced by: Arizona Attorney General.

Common pitfalls

Arizona's PI definition is among the broadest: it includes biometrics, taxpayer ID and private keys, and many out-of-state companies under-scope it
The 45-day clock starts at determination of breach, not discovery of the incident — document the difference

Frequently asked questions

How long do I have to notify Arizona residents after a data breach?
Within 45 days of determining that a breach has occurred
Do I have to notify the Arizona Attorney General?
Yes — within 45 days if more than 1,000 Arizona residents are affected (written notice to AG and all three nationwide CRAs)
Does Arizona require notification to nationwide consumer reporting agencies?
Yes — if more than 1,000 residents, notify all three nationwide consumer reporting agencies
Is encrypted data exempt from Arizona's breach notification requirement?
Yes — Arizona has an encryption safe harbor. Breaches of properly encrypted personal information generally do not trigger notification, provided the encryption key was not also compromised.
Can Arizona residents sue me directly for a data breach?
No — Arizona's breach statute does not provide a direct private right of action. Residents typically must rely on the AG to enforce, or pursue common-law negligence claims.
What counts as 'personal information' under Arizona law?
First name/initial + last name with SSN, DL/AZ ID, private key for digital signature, financial account + access code, health-insurance ID, medical/mental-health info, taxpayer ID, biometric data, OR username/email + password granting account access
What are the penalties for failing to comply with Arizona's breach notification law?
Civil penalty up to $10,000 per affected individual, capped at $500,000 per breach

Related state breach laws

Alabama (AL)
Ala. Code §§8-38-1 to 8-38-12
Alaska (AK)
Alaska Stat. §§45.48.010–45.48.090
Arkansas (AR)
Ark. Code §§4-110-101 to 4-110-108
California (CA)
Cal. Civ. Code §§1798.29
