Bills seek more data privacy protection for Arizonans




Two bills being proposed in the Arizona legislature would add extra layers of data privacy protections for Arizonans, as well as give them the power to hold those who collect it accountable. 

Rep. Domingo DeGrazia, D-Tucson, has been working on House Bill 2729 for about a year, holding stakeholder meetings with a variety of groups, researching similar laws and watching how similar bills in previous years have moved through the process. 

“I wanted to write the best bill I could that would be the most protective for citizens without burdening businesses,” DeGrazia told Arizona Mirror.

The bill ended up pulling provisions from data privacy bills in other states, as well as the European Union’s General Data Protection Regulation, DeGrazia said. 

DeGrazia is a certified information privacy professional and has professional experience in aerospace and computers, and his wife works in the cybersecurity field, which he said put him in a strong place to craft legislation. 

His proposal would give Arizona residents additional control over how the data collected on them is used. 

Any company that has a gross annual revenue of more than $25 million that conducts business in Arizona, controls or processes data of at least one hundred thousand consumers, derives at least 35% of gross revenue from the sale of personal information or processes, or controls personal information of at least 25,000 consumers would have to abide by the new data regulations laid out by DeGrazia’s bill. 

Arizona residents would be able to request what personal data has been collected and get a copy of that data. 

Companies would also be required to notify consumers if their data is being held or sold to data brokers and what type of data is being sold. 

Recently, The New York Times reported on how data brokers are selling location information from cell phones. Using data leaked to the paper, the journalists were able to identify individual people – and even were able to track President Donald Trump’s movements by finding the phone of a Secret Service agent. 

DeGrazia’s bill would also restrict companies from adding new types of data collection without first notifying consumers of the new type of data they are collecting. 

Residents would also be able to ask companies to delete data that is stored on them, something that is difficult to do.

The Mirror used new data protocols on Facebook to see what data the company collects. Since the passage of California’s Consumer Privacy Act, many websites have had to add new features that allow consumers to access their data for download, even if they don’t live in California. 

The Mirror downloaded 14 years’ worth of Facebook data for one of its reporters and found a folder titled “Ads and businesses.” Within that folder was a file that contained a list titled “Advertisers Who Uploaded a Contact List With Your Information.” 

The list was described by Facebook as “advertisers who run ads using a contact list they uploaded that includes contact info you shared with them or with one of their data partners.” 

The list included 2,883 companies, many of which were not in Arizona, and some of which were not even in the United States. Among those advertisers was the Department of Information Technologies of Moscow, an arm of the Russian government that recently signed a deal with a company to bring facial recognition to cameras in Moscow.

The reporter was able to stop sharing some information, but the process to delete or disable much of what Facebook shares with third parties is vague and unclear. 

DeGrazia said his bill would address that, and could help Arizona consumers regain control of that information. It would require a company to provide consumers with a statement that the information is no longer available and make it clear how to delete their data. 

Arizona consumers also would be able to object to processing of their data for targeted advertising, under HB2729.

But the sweeping data protection bill isn’t DeGrazia’s only data protection bill. He is also sponsoring House Bill 2728, which is similar to a bill proposed last year by Arizona Speaker of the House Rusty Bowers, R-Mesa, that would protect the biometric data of Arizona residents. 

The bill requires a company to obtain consent from an individual before putting them in a biometric database for a commercial purpose and allows the attorney general to investigate an unlawful use. 

Bowers ended up dropping his bill last session due to industry concerns, something DeGrazia is less concerned about this time around. 

“I’m less concerned about how business feels about it and more concerned about getting it into the daylight and seeing how we want to deal with this as a society going forward,” DeGrazia said, adding that he has been talking with stakeholders already about both bills.