open-agreements 0.7.6 → 0.8.0

package/skills/legal-explainers/data-privacy-law-explainer/content/alaska.md

@@ -0,0 +1,155 @@
+---
+jurisdiction: "Alaska"
+slug: alaska
+countryCode: US
+snapshotAsOf: "2026-06-19"
+lastReviewed: "2026-06-11"
+canonicalUrl: https://openagreements.org/practice-guides/privacy/us/alaska
+license: CC BY 4.0
+stale: false
+---
+
+> [!IMPORTANT]
+> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
+> provided for general information. It is not legal advice, does not create an attorney-client
+> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
+> Laws change; verify against the canonical version before relying on it.
+>
+> **Canonical:** https://openagreements.org/practice-guides/privacy/us/alaska · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
+
+# Alaska Consumer Privacy Law[^about]
+
+Alaska has no comprehensive consumer-privacy statute. Article 1 of the Personal Information Protection Act (AS 45.48.010–.090) governs breach notice and routes violations into the unfair-trade-practices act with a $500 private-damages cap; the Genetic Privacy Act and the federal overlay fill out the rest of this Alaska privacy note.
+
+
+## At a glance
+
+| Question | Alaska |
+| --- | --- |
+| **Law coverage** | No comprehensive law |
+| **Summary** | Alaska has not enacted a comprehensive consumer-privacy law, so there are no general data-rights, notice-at-collection, consent, or processor-contract duties under state law. The operative law covered here is Article 1 of the Personal Information Protection Act, which requires breach notice in the most expeditious time possible and makes a violation an unfair trade practice — but caps private damages at $500 of actual economic loss. The Genetic Privacy Act is the sharp edge of Alaska law, conditioning DNA collection on informed written consent and backing that with $5,000 or $100,000 statutory damages. Everything else in this Alaska-facing program note comes from the federal and sectoral overlay — FTC Act § 5, GLBA, HIPAA, and COPPA — so build to those plus the breach statute, and the program upgrades rather than restarts if Alaska enacts an omnibus law later. |
+| **Main law** | Alaska Personal Information Protection Act Article 1, AS 45.48.010–.090 — breach notification plus a deemed unfair-trade-practice enforcement bridge; Alaska has no comprehensive consumer-privacy law |
+| **Privacy policy required?** | No Alaska statute mandates a general consumer privacy policy or fixes its contents; contents are driven by FTC Act § 5 (a policy that misstates practices is deceptive) and by GLBA, HIPAA, and COPPA where the business is in scope |
+| **Who does it cover?** | Any covered person — a person doing business, a governmental agency, or a person with more than 10 employees — that owns or licenses personal information on Alaska residents; no revenue or consumer-volume threshold |
+| **Can consumers sue?** | Limited path |
+| **Privacy policy rule** | No state policy checklist |
+| **Consent for sensitive data?** | Only for certain data types |
+| **Browser opt-out signals?** | Not required |
+| **Lawsuit detail** | Yes, but tightly capped — a breach-notice violation is an unfair trade practice under AS 45.50.471, with private damages limited to actual economic damages not exceeding $500; the Genetic Privacy Act (AS 18.13) separately allows $5,000 or $100,000 statutory damages |
+| **Who enforces it?** | Alaska Attorney General (Department of Law); the Department of Administration enforces breach-notice violations by state agencies |
+
+## Which privacy laws apply to your business in Alaska? {#which-privacy-laws-apply}
+
+**Short answer.** There is no comprehensive Alaska consumer-privacy law. The operative breach-notification statute covered here is Article 1 of the Alaska Personal Information Protection Act (PIPA), which applies to any *covered person* — a person doing business, a governmental agency, or a person with more than 10 employees [^pipa-covered-person] — that owns or licenses personal information on an Alaska resident [^q1-pipa-trigger]. It carries no revenue or consumer-volume threshold, and it governs breach response rather than day-to-day data handling. Alongside it sits the Genetic Privacy Act, which conditions DNA collection, analysis, retention, and disclosure on informed and written consent [^q1-gpa-consent].
+
+Alaska has not enacted an omnibus privacy statute, so its residents do not have general state-law rights to access, delete, correct, or opt out of the sale of their personal data, and businesses are not subject to state notice-at-collection, consent, universal-opt-out, or data-protection-assessment duties. A 2026 bill would have created an omnibus regime of consumer rights and business duties, but no comprehensive Alaska privacy act is in force.
+
+Two other pieces of state law frame this note. The Alaska Constitution is background rather than a private-business checklist here; the source-carded compliance duties below come from statutes and the federal overlay. And the Unfair Trade Practices and Consumer Protection Act (UTPCPA) supplies the enforcement machinery: as developed in the enforcement prong below, a PIPA Article 1 breach-notice violation is deemed an unfair trade practice, though with damages limits unique to the breach-notice article.
+
+The rest of an Alaska-facing privacy program rides the federal and sectoral overlay. Section 5 of the FTC Act reaches deceptive or unfair privacy practices nationwide; the Gramm-Leach-Bliley Act governs financial institutions; HIPAA governs covered health entities and their business associates; the Children's Online Privacy Protection Act governs services directed to children under 13; and CAN-SPAM and the TCPA govern email and SMS marketing. None of those is an Alaska statute, but together with PIPA Article 1 and the Genetic Privacy Act they are what this note treats as the enforceable Alaska-facing privacy program today. If Alaska enacts a comprehensive law in a future session, a program built to this overlay upgrades rather than restarts.
+
+## What must your Alaska privacy policy contain? {#privacy-policy-contents}
+
+**Short answer.** No Alaska statute requires a general consumer privacy policy or fixes what it must say. For most businesses, the policy is governed not by a state checklist but by the rule that whatever you publish has to be true: Section 5 of the FTC Act declares unfair or deceptive practices unlawful [^fed-ftc5-deceptive], and Alaska's UTPCPA reaches misleading conduct and misrepresentations in sales or advertising [^ak-utpcpa-deception]. A policy mismatch can be pursued under those general deceptive-practices theories. Where a sectoral regime applies, that regime supplies the contents instead — a HIPAA covered entity, for example, must give individuals a notice of the uses and disclosures of their protected health information and of their rights and the entity's duties [^fed-hipaa-notice].
+
+In practice the drafting question in Alaska is less what must be included and more does the policy match actual practice. Build the policy from the federal and sectoral overlay: the GLBA privacy-notice rules if you are a financial institution, the HIPAA Notice of Privacy Practices if you are a covered entity or business associate, and a COPPA notice if your service is directed to children under 13. For everyone else, follow best practice — describe the categories of data collected, the purposes, the third parties you share with, and how users exercise any choices you offer — and then honor it, because the enforceable obligation is consistency between the statement and the conduct. One Alaska-specific drafting note: if you collect genetic data of any kind, do not rely on a privacy policy at all — the Genetic Privacy Act requires informed and written consent, and a general disclosure cannot substitute for it, a point developed in the genetic-data prong below. There is no Alaska-mandated policy checklist to cite here, which is itself the point: the contents are overlay-driven, not state-statute-driven.
+
+## What must your contracts with vendors say? {#vendor-contracts}
+
+**Short answer.** Alaska has no omnibus data-processing-agreement requirement — no state statute prescribes controller-to-processor terms, audit rights, deletion clauses, or subprocessor flow-downs for general private-sector contracts. The one Alaska statute that touches the vendor relationship is PIPA: a vendor that maintains personal information on another business's behalf (an *information recipient*) is excused from notifying residents directly, but must immediately notify the business that owns or licensed the data (the *information distributor*) after discovering a breach and cooperate so that business can give the required notices [^pipa-recipient-notify].
+
+Where a federal or sectoral regime is in scope, it supplies the contracting obligations: the GLBA Safeguards Rule requires financial institutions to oversee service providers by contract and to require them to implement appropriate safeguards [^fed-glba-safeguards]; HIPAA requires a business-associate agreement with mandatory data-protection, breach-reporting, and downstream-subcontractor terms before sharing protected health information [^fed-hipaa-baa]. Outside those verticals, the prudent move is to carry the same protections forward as a matter of best practice — processing limited to documented instructions, confidentiality, reasonable security, breach notification back to your business, and return or deletion of data at the end of the engagement — even though no Alaska statute compels them.
+
+PIPA's recipient-distributor mechanics are worth writing into the contract rather than leaving to the statute. The statutory duty runs from the vendor to you *immediately* after discovery, and once you are notified, you must give resident notices as if the breach had happened on your own systems. A well-drafted Alaska vendor clause therefore fixes a short notification window, requires the vendor to share information relevant to the breach (the statute's cooperation duty carves out only confidential business information and trade secrets), and allocates the cost of notice and credit-agency reporting. That is a breach-response duty, not a general DPA mandate — there is no Alaska source to cite for omnibus vendor terms, so the rest of the clause set is overlay- and best-practice-driven.
+
+## When must you notify people of a data breach in Alaska? {#breach-notification}
+
+**Short answer.** After discovering or being notified of a breach, a covered person must disclose it to each Alaska resident whose personal information was subject to the breach [^pipa-trigger]. The notice must be made in the most expeditious time possible and without unreasonable delay — Alaska sets no fixed day count — allowing only the time needed to determine the breach's scope and restore the system's integrity [^pipa-timing], or a delay requested in connection with a criminal investigation [^pipa-le-delay]. There is one exception: notice is not required if, after an appropriate investigation and *written notification to the attorney general*, the covered person determines there is not a reasonable likelihood of harm to consumers — a determination that must be documented and kept for five years [^pipa-harm-exception].
+
+This is the prong where Alaska imposes a hard statutory duty, so it is the center of any Alaska incident-response plan. A *breach of the security* is the unauthorized acquisition — or reasonable belief of unauthorized acquisition — of personal information that compromises its security, confidentiality, or integrity, whether the data was taken by computer, by photocopy, or by any other method [^pipa-breach-def]. *Personal information* is a resident's name combined with an unencrypted, unredacted data element such as a Social Security number, driver's license or state ID number, account or card number plus any required personal code, or passwords and access codes for financial accounts — and encrypted data still counts if the encryption key was also accessed or acquired [^pipa-personal-info].
+
+Note the unusual shape of Alaska's attorney-general involvement: there is no general duty to report a breach to the attorney general. The written notification runs to the attorney general only when you invoke the no-likelihood-of-harm exception to skip resident notice — so deciding not to notify is itself a regulatory filing, and the statute makes that filing non-public.
+
+Notice may be given by written document to the resident's most recent address, by electronic means where that is the primary channel or e-signature rules are satisfied, or — where notice would cost more than $150,000, the affected class exceeds 300,000 residents, or contact information is insufficient — by the substitute route of email, conspicuous website posting, and notice to major statewide media [^pipa-methods]. If more than 1,000 residents must be notified, the nationwide consumer credit reporting agencies must also be told of the timing, distribution, and content of the notices [^pipa-cra-notice], except for entities subject to the Gramm-Leach-Bliley Act. And none of this can be contracted around: a waiver of the breach-notice article is void and unenforceable [^pipa-waiver].
+
+## Does Alaska have special rules for DNA and genetic data? {#genetic-data}
+
+**Short answer.** Yes — and they are the strictest privacy rules on Alaska's books. Under the Genetic Privacy Act, a person may not collect a DNA sample, perform a DNA analysis, retain a sample or its results, or disclose the results without first obtaining the person's informed and written consent [^gpa-consent]. The statute goes further than consent: a DNA sample and the results of its analysis are the exclusive property of the person sampled or analyzed [^gpa-property]. Violations carry a private right of action with statutory damages of $5,000 — or $100,000 if the violation produced profit or monetary gain [^gpa-pra] — and knowing violations are a class A misdemeanor [^gpa-misdemeanor].
+
+For any business that touches genetic data — direct-to-consumer testing, health and wellness products, research, even workplace testing — this chapter is the dominant Alaska compliance risk, because the exposure scales per violation without proof of actual loss. The consent must be informed and *written*; a general authorization for the release of medical records does not qualify, and a person may revoke or amend consent at any time. The Department of Health may adopt a uniform consent form, and using it confers a liability safe harbor [^gpa-consent-form].
+
+The prohibitions carry a short list of exceptions: DNA work under Alaska's law-enforcement DNA-registration system or comparable laws, law-enforcement identification purposes, paternity determination, newborn screening required by law, and emergency medical treatment [^gpa-exceptions]. Notably absent is any general research or commercial-convenience exception — if the use case is not on the list, the answer is written consent or nothing. The definition of *DNA analysis* is tailored to genetic typing and testing for genetic characteristics, and expressly excludes routine clinical tests such as drug, alcohol, cholesterol, or HIV testing, so ordinary lab work does not trip the statute [^gpa-dna-analysis-def].
+
+## Can a consumer sue your business in Alaska over privacy? {#consumer-lawsuit}
+
+**Short answer.** Yes, but for breach-notice violations the recovery is unusually small. PIPA builds a bridge into Alaska's consumer-protection act: a violation of the breach-notification article by a non-governmental information collector *is* an unfair or deceptive act or practice under the Unfair Trade Practices and Consumer Protection Act [^pipa-udap-bridge]. But the bridge comes with a cap — in a private action over a PIPA violation, damages are limited to actual economic damages, and under the main private-action section they may not exceed $500 [^pipa-damages-cap]. The state's recovery is capped too: in place of ordinary UTPCPA civil penalties, the information collector is liable for up to $500 for each resident who was not notified, with a $50,000 total ceiling [^pipa-ag-penalty]. The exposure that is *not* capped sits in the Genetic Privacy Act, whose private action carries $5,000 or $100,000 statutory damages per violation [^q6-gpa-pra].
+
+The cap is what makes Alaska's enforcement architecture distinctive. In an ordinary UTPCPA case, a person who suffers an ascertainable loss may recover, for each unlawful act, three times actual damages or $500, whichever is greater [^utpa-private-action] — a treble-damages remedy that makes the statute a workhorse for Alaska consumer plaintiffs. PIPA deliberately walls breach-notice claims off from that remedy: the violation is deemed unfair or deceptive [^pipa-udap-bridge], which opens the UTPCPA's procedural doors, but the recoverable damages shrink to actual economic loss with a $500 ceiling [^pipa-damages-cap]. The practical effect is that one-off private suits over a missed breach notice are rarely economic, while the attorney general — whose UTPCPA authority rests on the act's general declaration that unfair or deceptive practices in trade or commerce are unlawful [^utpa-unlawful] — carries the realistic enforcement threat through the per-resident penalty, plus injunctive relief.
+
+Two further doors stay open. First, the UTPCPA separately allows any victim of an unlawful act — whether or not the person suffered actual damages — to seek an injunction against its continuation after written notice to the seller [^utpa-injunction], a remedy the PIPA cap does not erase. Second, the Genetic Privacy Act's private action has no PIPA-style limitation: statutory damages of $5,000 per violation, or $100,000 where the violator profited, accrue on top of actual damages [^q6-gpa-pra], which is why genetic data, not breach response, is where Alaska private-suit exposure concentrates. For violations by state and local agencies, enforcement runs through the Department of Administration rather than the UTPCPA. The durable takeaway: build the incident-response program for the attorney general and the per-resident penalty math, and treat any genetic-data processing as the place where plaintiffs, not regulators, set the price.
+
+[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-11. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Alaska. This article synthesizes Alaska primary law and is not legal advice from a Alaska-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
+
+[^pipa-covered-person]: **AS 45.48.090** — "‘covered person’ means a (A) person doing business; (B) governmental agency; or (C) person with more than 10 employees;" *AS 45.48.090(2).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.48.010&secEnd=45.48.090>
+
+[^q1-pipa-trigger]: **AS 45.48.010** — "If a covered person owns or licenses personal information in any form that includes personal information on a state resident, and a breach of the security of the information system that contains personal information occurs, the covered person shall, after discovering or being notified of the breach, disclose the breach to each state resident whose personal information was subject to the breach." *AS 45.48.010(a).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.48.010&secEnd=45.48.090>
+
+[^q1-gpa-consent]: **AS 18.13.010** — "a person may not collect a DNA sample from a person, perform a DNA analysis on a sample, retain a DNA sample or the results of a DNA analysis, or disclose the results of a DNA analysis unless the person has first obtained the informed and written consent of the person, or the person's legal guardian or authorized representative, for the collection, analysis, retention, or disclosure;" *AS 18.13.010(a)(1).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=18.13.010&secEnd=18.13.100>
+
+[^fed-ftc5-deceptive]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>
+
+[^ak-utpcpa-deception]: **AS 45.50.471** — "The terms ‘unfair methods of competition’ and ‘unfair or deceptive acts or practices’ include the following acts" *AS 45.50.471(b)(11)-(12).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.50.471&secEnd=45.50.471>
+
+[^fed-hipaa-notice]: **HIPAA Notice of Privacy Practices** — "an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information" *45 C.F.R. § 164.520.* <https://www.law.cornell.edu/cfr/text/45/164.520#:~:text=an%20individual%20has%20a%20right,respect%20to%20protected%20health%20information>
+
+[^pipa-recipient-notify]: **AS 45.48.070** — "If a breach of the security of the information system containing personal information on a state resident that is maintained by an information recipient occurs, the information recipient is not required to comply with AS 45.48.010 — 45.48.030." *AS 45.48.070(a)-(b).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.48.010&secEnd=45.48.090>
+
+[^fed-glba-safeguards]: **GLBA Safeguards Rule** — "Requiring your service providers by contract to implement and maintain such safeguards" *16 C.F.R. § 314.4(f)(2).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Requiring%20your%20service%20providers%20by,implement%20and%20maintain%20such%20safeguards>
+
+[^fed-hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410; (D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information;" *45 C.F.R. § 164.504(e)(2).* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=A%20contract%20between%20the%20covered,with%20respect%20to%20such%20information%3B>
+
+[^pipa-trigger]: **AS 45.48.010** — "If a covered person owns or licenses personal information in any form that includes personal information on a state resident, and a breach of the security of the information system that contains personal information occurs, the covered person shall, after discovering or being notified of the breach, disclose the breach to each state resident whose personal information was subject to the breach." *AS 45.48.010(a).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.48.010&secEnd=45.48.090>
+
+[^pipa-timing]: **AS 45.48.010** — "An information collector shall make the disclosure required by (a) of this section in the most expeditious time possible and without unreasonable delay, except as provided in AS 45.48.020 and as necessary to determine the scope of the breach and restore the reasonable integrity of the information system." *AS 45.48.010(b).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.48.010&secEnd=45.48.090>
+
+[^pipa-le-delay]: **AS 45.48.020** — "An information collector may delay disclosing the breach under AS 45.48.010 if an appropriate law enforcement agency determines that disclosing the breach will interfere with a criminal investigation. However, the information collector shall disclose the breach to the state resident in the most expeditious time possible and without unreasonable delay after the law enforcement agency informs the information collector in writing that disclosure of the breach will no longer interfere with the investigation." *AS 45.48.020.* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.48.010&secEnd=45.48.090>
+
+[^pipa-harm-exception]: **AS 45.48.010** — "Notwithstanding (a) of this section, disclosure is not required if, after an appropriate investigation and after written notification to the attorney general of this state, the covered person determines that there is not a reasonable likelihood that harm to the consumers whose personal information has been acquired has resulted or will result from the breach. The determination shall be documented in writing, and the documentation shall be maintained for five years. The notification required by this subsection may not be considered a public record open to inspection by the public." *AS 45.48.010(c).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.48.010&secEnd=45.48.090>
+
+[^pipa-breach-def]: **AS 45.48.090** — "‘breach of the security’ means unauthorized acquisition, or reasonable belief of unauthorized acquisition, of personal information that compromises the security, confidentiality, or integrity of the personal information maintained by the information collector;" *AS 45.48.090(1).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.48.010&secEnd=45.48.090>
+
+[^pipa-personal-info]: **AS 45.48.090** — "‘personal information’ means information in any form on an individual that is not encrypted or redacted, or is encrypted and the encryption key has been accessed or acquired, and that consists of a combination of (A) an individual's name; in this subparagraph, ‘individual's name’ means a combination of an individual's (i) first name or first initial; and (ii) last name; and (B) one or more of the following information elements: (i) the individual's social security number; (ii) the individual's driver's license number or state identification card number; (iii) except as provided in (iv) of this subparagraph, the individual's account number, credit card number, or debit card number; (iv) if an account can only be accessed with a personal code, the number in (iii) of this subparagraph and the personal code; in this sub-subparagraph, ‘personal code’ means a security code, an access code, a personal identification number, or a password; (v) passwords, personal identification numbers, or other access codes for financial accounts." *AS 45.48.090(7).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.48.010&secEnd=45.48.090>
+
+[^pipa-methods]: **AS 45.48.030** — "An information collector shall make the disclosure required by AS 45.48.010 (1) by a written document sent to the most recent address the information collector has for the state resident; (2) by electronic means if the information collector's primary method of communication with the state resident is by electronic means or if making the disclosure by the electronic means is consistent with the provisions regarding electronic records and signatures required for notices legally required to be in writing under 15 U.S.C. 7001 et seq. (Electronic Signatures in Global and National Commerce Act); or (3) if the information collector demonstrates that the cost of providing notice would exceed $150,000, that the affected class of state residents to be notified exceeds 300,000, or that the information collector does not have sufficient contact information to provide notice, by (A) electronic mail if the information collector has an electronic mail address for the state resident; (B) conspicuously posting the disclosure on the Internet website of the information collector if the information collector maintains an Internet website; and (C) providing a notice to major statewide media." *AS 45.48.030.* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.48.010&secEnd=45.48.090>
+
+[^pipa-cra-notice]: **AS 45.48.040** — "If an information collector is required by AS 45.48.010 to notify more than 1,000 state residents of a breach, the information collector shall also notify without unreasonable delay all consumer credit reporting agencies that compile and maintain files on consumers on a nationwide basis and provide the agencies with the timing, distribution, and content of the notices to state residents." *AS 45.48.040(a).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.48.010&secEnd=45.48.090>
+
+[^pipa-waiver]: **AS 45.48.060** — "A waiver of AS 45.48.010 — 45.48.090 is void and unenforceable." *AS 45.48.060.* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.48.010&secEnd=45.48.090>
+
+[^gpa-consent]: **AS 18.13.010** — "a person may not collect a DNA sample from a person, perform a DNA analysis on a sample, retain a DNA sample or the results of a DNA analysis, or disclose the results of a DNA analysis unless the person has first obtained the informed and written consent of the person, or the person's legal guardian or authorized representative, for the collection, analysis, retention, or disclosure;" *AS 18.13.010(a)(1).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=18.13.010&secEnd=18.13.100>
+
+[^gpa-property]: **AS 18.13.010** — "a DNA sample and the results of a DNA analysis performed on the sample are the exclusive property of the person sampled or analyzed." *AS 18.13.010(a)(2).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=18.13.010&secEnd=18.13.100>
+
+[^gpa-pra]: **AS 18.13.020** — "A person may bring a civil action against a person who collects a DNA sample from the person, performs a DNA analysis on a sample, retains a DNA sample or the results of a DNA analysis, or discloses the results of a DNA analysis in violation of this chapter. In addition to the actual damages suffered by the person, a person violating this chapter shall be liable to the person for damages in the amount of $5,000 or, if the violation resulted in profit or monetary gain to the violator, $100,000." *AS 18.13.020.* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=18.13.010&secEnd=18.13.100>
+
+[^gpa-misdemeanor]: **AS 18.13.030** — "A person commits the crime of unlawful DNA collection, analysis, retention, or disclosure if the person knowingly collects a DNA sample from a person, performs a DNA analysis on a sample, retains a DNA sample or the results of a DNA analysis, or discloses the results of a DNA analysis in violation of this chapter" *AS 18.13.030(a), (c).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=18.13.010&secEnd=18.13.100>
+
+[^gpa-consent-form]: **AS 18.13.010** — "A general authorization for the release of medical records or medical information may not be construed as the informed and written consent required by this section. The Department of Health may by regulation adopt a uniform informed and written consent form to assist persons in meeting the requirements of this section. A person using that uniform informed and written consent is exempt from civil or criminal liability for actions taken under the consent form. A person may revoke or amend their informed and written consent at any time." *AS 18.13.010(c).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=18.13.010&secEnd=18.13.100>
+
+[^gpa-exceptions]: **AS 18.13.010** — "The prohibitions of (a) of this section do not apply to DNA samples collected and analyses conducted (1) under AS 44.41.035 or comparable provisions of another jurisdiction; (2) for a law enforcement purpose, including the identification of perpetrators and the investigation of crimes and the identification of missing or unidentified persons or deceased individuals; (3) for determining paternity; (4) to screen newborns as required by state or federal law; (5) for the purpose of emergency medical treatment." *AS 18.13.010(b).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=18.13.010&secEnd=18.13.100>
+
+[^gpa-dna-analysis-def]: **AS 18.13.100** — "‘DNA analysis’ means DNA or genetic typing and testing to determine the presence or absence of genetic characteristics in an individual, including tests of nucleic acids or chromosomes in order to diagnose or identify a genetic characteristic; ‘DNA analysis’ does not include a routine physical measurement, a test for drugs, alcohol, cholesterol, or the human immunodeficiency virus, a chemical, blood, or urine analysis, or any other diagnostic test that is widely accepted and in use in clinical practice;" *AS 18.13.100(2).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=18.13.010&secEnd=18.13.100>
+
+[^pipa-udap-bridge]: **AS 45.48.080** — "If an information collector who is not a governmental agency violates AS 45.48.010 — 45.48.090 with regard to the personal information of a state resident, the violation is an unfair or deceptive act or practice under AS 45.50.471 — 45.50.561." *AS 45.48.080(b).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.48.010&secEnd=45.48.090>
+
+[^pipa-damages-cap]: **AS 45.48.080** — "damages that may be awarded against the information collector under (A) AS 45.50.531 are limited to actual economic damages that do not exceed $500; and (B) AS 45.50.537 are limited to actual economic damages." *AS 45.48.080(b)(2).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.48.010&secEnd=45.48.090>
+
+[^pipa-ag-penalty]: **AS 45.48.080** — "the information collector is not subject to the civil penalties imposed under AS 45.50.551 but is liable to the state for a civil penalty of up to $500 for each state resident who was not notified under AS 45.48.010 — 45.48.090, except that the total civil penalty may not exceed $50,000" *AS 45.48.080(b)(1).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.48.010&secEnd=45.48.090>
+
+[^q6-gpa-pra]: **AS 18.13.020** — "In addition to the actual damages suffered by the person, a person violating this chapter shall be liable to the person for damages in the amount of $5,000 or, if the violation resulted in profit or monetary gain to the violator, $100,000." *AS 18.13.020.* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=18.13.010&secEnd=18.13.100>
+
+[^utpa-private-action]: **AS 45.50.531** — "A person who suffers an ascertainable loss of money or property as a result of another person's act or practice declared unlawful by AS 45.50.471 may bring a civil action to recover for each unlawful act or practice three times the actual damages or $500, whichever is greater." *AS 45.50.531(a).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.50.531&secEnd=45.50.535>
+
+[^utpa-unlawful]: **AS 45.50.471** — "Unfair methods of competition and unfair or deceptive acts or practices in the conduct of trade or commerce are declared to be unlawful." *AS 45.50.471(a).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.50.471&secEnd=45.50.471>
+
+[^utpa-injunction]: **AS 45.50.535** — "Subject to (b) of this section and in addition to any right to bring an action under AS 45.50.531 or other law, any person who was the victim of the unlawful act, whether or not the person suffered actual damages, may bring an action to obtain an injunction prohibiting a seller or lessor from continuing to engage in an act or practice declared unlawful under AS 45.50.471" *AS 45.50.535(a)-(b).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.50.531&secEnd=45.50.535>

package/skills/legal-explainers/data-privacy-law-explainer/content/arizona.md

@@ -0,0 +1,181 @@
+---
+jurisdiction: "Arizona"
+slug: arizona
+countryCode: US
+snapshotAsOf: "2026-06-19"
+lastReviewed: "2026-06-11"
+canonicalUrl: https://openagreements.org/practice-guides/privacy/us/arizona
+license: CC BY 4.0
+stale: false
+---
+
+> [!IMPORTANT]
+> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
+> provided for general information. It is not legal advice, does not create an attorney-client
+> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
+> Laws change; verify against the canonical version before relying on it.
+>
+> **Canonical:** https://openagreements.org/practice-guides/privacy/us/arizona · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
+
+# Arizona Consumer Privacy Law[^about]
+
+Arizona has no comprehensive consumer-privacy statute. The operative state laws are the 45-day breach-notification article (A.R.S. §§ 18-551, 18-552), the Consumer Fraud Act, and the Genetic Information Privacy Act for DNA testing companies; the rest of an Arizona privacy program rides the federal overlay.
+
+
+## At a glance
+
+| Question | Arizona |
+| --- | --- |
+| **Law coverage** | Specific data types only |
+| **Summary** | Arizona has no comprehensive consumer-privacy law — despite a circulating vendor claim, none took effect on January 1, 2026 — so the operative state framework is the 45-day breach-notification statute, the Consumer Fraud Act, and the 2021 Genetic Information Privacy Act for DNA testing companies. |
+| **Main law** | A.R.S. §§ 18-551 to 18-552 (data-breach notification) plus the Consumer Fraud Act, A.R.S. §§ 44-1521 et seq. — Arizona has no comprehensive consumer-privacy law; sectoral statutes and a federal overlay are the operative framework |
+| **Privacy policy required?** | No Arizona statute requires a commercial privacy policy — the only state mandates cover state-agency websites and direct-to-consumer genetic testing companies; contents are otherwise driven by FTC Act § 5 and Consumer Fraud Act deception risk |
+| **Who does it cover?** | Any person conducting business in Arizona that owns, maintains, or licenses computerized personal information of Arizona residents — no revenue or consumer-volume threshold; the Genetic Information Privacy Act adds duties for direct-to-consumer genetic testing companies |
+| **Can consumers sue?** | No |
+| **Privacy policy rule** | Policy required only for specific data |
+| **Consent for sensitive data?** | Only for certain data types |
+| **Browser opt-out signals?** | Not required |
+| **Lawsuit detail** | Not under the breach statute or the Genetic Information Privacy Act — both are Attorney General-enforced; other consumer theories, including Consumer Fraud Act or common-law claims, remain fact-specific and untested for pure privacy claims |
+| **Who enforces it?** | Arizona Attorney General |
+
+## Which privacy laws apply to your business in Arizona? {#which-privacy-laws-apply}
+
+**Short answer.** There is no comprehensive Arizona consumer-privacy law. The closest thing to a general state data duty is the breach-notification article, which applies to any person that conducts business in Arizona and that owns, maintains, or licenses unencrypted and unredacted computerized personal information — with no revenue or consumer-volume threshold [^stat-breach-scope]. Day-to-day data practices are policed instead through the Consumer Fraud Act, which declares any deception, deceptive or unfair act or practice, or material omission in connection with the sale or advertisement of any merchandise an unlawful practice [^stat-cfa-unlawful]. The breach article does not reach everyone: persons subject to the Gramm-Leach-Bliley Act and HIPAA covered entities and business associates are exempt from it entirely [^stat-breach-exempt].
+
+One persistent piece of misinformation is worth clearing away first: a claim circulating in compliance-vendor trackers that an Arizona comprehensive privacy law took effect on January 1, 2026 is false — Arizona has never enacted an omnibus privacy statute, and the 2026 proposals (S.B. 1815, which would have created a controller-and-processor framework, and S.B. 1790, which would have regulated data brokers) died in committee without a hearing.
+
+Because no omnibus law exists, Arizona residents have no general state-law rights to access, delete, or correct their personal data or to opt out of its sale or use for targeted advertising, businesses face no notice-at-collection, consent, or data-protection-assessment duties, and universal opt-out signals such as Global Privacy Control have no Arizona statute to hook into. What exists instead is a sectoral patchwork: the breach-notification article sets the one statewide incident-response clock; the Consumer Fraud Act supplies the deception backstop; the Genetic Information Privacy Act regulates direct-to-consumer genetic testing companies; an older article makes genetic-test results confidential and privileged; and narrow statutes restrict Social Security number use and the disposal of paper records. State agencies — but not businesses — must post website privacy-policy statements. Criminal and public-library reader-record rules sit outside this commercial-practice note. The rest of an Arizona-facing program rides the federal overlay: Section 5 of the FTC Act reaches deceptive or unfair privacy practices nationwide, the Gramm-Leach-Bliley Act governs financial institutions, HIPAA governs covered health entities, and the Children's Online Privacy Protection Act governs services directed to children under 13. Businesses with multistate programs can usually layer any future Arizona omnibus obligations onto this federal-and-sectoral baseline.
+
+## What must your Arizona privacy policy contain? {#privacy-policy-contents}
+
+**Short answer.** No Arizona statute requires a commercial website or business to post a consumer privacy policy or fixes what one must say. The state's only privacy-policy mandates are narrowly scoped: every state-agency website must contain a privacy policy statement disclosing its information-gathering and dissemination practices [^stat-agency-policy], and a direct-to-consumer genetic testing company must make available both a high-level privacy policy overview and a prominent, publicly available privacy notice covering its collection, consent, use, disclosure, security, retention, and deletion practices [^q2-gipa-notice]. For everyone else, the governing rule is that whatever you publish must be true: Section 5 of the FTC Act supplies the federal unfair-or-deceptive-practices hook [^fed-ftc5-deceptive], and the Consumer Fraud Act reaches privacy-policy misrepresentations or material omissions tied to the sale or advertisement of merchandise as a matter of state law [^q2-cfa-deception].
+
+In practice the drafting question in Arizona is less what must be included and more does the policy match actual practice. Arizona courts may use FTC Act interpretations as a guide when construing the Consumer Fraud Act, so FTC privacy-deception precedent is a strong analogue rather than an automatic mapping [^q2-cfa-ftc-guide]. Build the policy from the sectoral overlay that applies to you: GLBA privacy notices if you are a financial institution, a COPPA notice if your service is directed to children under 13, and for a HIPAA covered entity a notice of the uses and disclosures of protected health information and of the individual's rights and the entity's duties [^fed-hipaa-notice]. For businesses outside those verticals, follow best practice — describe the categories of data collected, the purposes, the third parties you share with, and how users exercise any choices you offer — then honor it, because the enforceable obligation in Arizona is consistency between the statement and the conduct, not conformity to a state checklist.
+
+## What must your contracts with vendors say? {#vendor-contracts}
+
+**Short answer.** Arizona has no omnibus data-processing-agreement requirement — no state statute prescribes controller-to-processor terms, audit rights, deletion clauses, or subprocessor flow-downs for general commercial contracts. The one statewide vendor duty is breach-specific: a vendor that maintains computerized personal information it does not own or license must notify the owner or licensee as soon as practicable after discovering a breach and cooperate, including by sharing information relevant to the breach [^stat-breach-vendor].
+
+Where a federal or sectoral regime is in scope, it supplies the contracting obligations: the GLBA Safeguards Rule requires financial institutions to oversee service providers by contract and to require them to implement appropriate safeguards [^fed-glba-safeguards], and HIPAA requires a business-associate agreement with mandatory data-protection, breach-reporting, and downstream-subcontractor terms before sharing protected health information [^fed-hipaa-baa]. Outside those verticals, the prudent move is to carry the same protections forward as best practice — processing limited to documented instructions, confidentiality, reasonable security, breach notification back to your business on a clock tighter than the statute's, and return or deletion of data at the end of the engagement — even though no Arizona statute compels them. Note one allocation point in the breach statute worth handling by contract: a vendor that maintains data under an agreement with the owner is not itself required to notify individuals unless the agreement says so, which means the notification burden defaults to you and the contract is where you set the vendor's discovery-to-notice timeline and cooperation duties.
+
+## When must you notify people of a data breach in Arizona? {#breach-notification}
+
+**Short answer.** Arizona runs on a hard 45-day clock. After becoming aware of a *security incident*, a business must promptly investigate whether a *security system breach* occurred [^q4-breach-investigate] — a breach being an unauthorized acquisition of and access to unencrypted, unredacted computerized personal information that materially compromises its security or confidentiality [^stat-breach-def]. If the investigation determines there was a breach, the business must notify affected individuals within forty-five days after the determination, and if more than one thousand individuals must be notified, it must also notify the three largest nationwide consumer reporting agencies, the Attorney General, and the director of the Arizona Department of Homeland Security in writing [^stat-breach-timing].
+
+The notice itself has statutorily fixed contents: the approximate date of the breach, a brief description of the personal information involved, contact details for the three largest nationwide consumer reporting agencies, and contact details for the FTC or another federal identity-theft agency [^stat-breach-contents]. Permitted methods are written, email, or live non-prerecorded telephone notice; substitute notice is allowed only when direct notice would cost more than $50,000, the affected class exceeds one hundred thousand individuals, or contact information is insufficient, and it requires a letter to the Attorney General plus conspicuous website posting for at least 45 days if the person maintains a website [^stat-breach-methods]. *Personal information* is broader than the classic name-plus-SSN pairing: it includes health-insurance ID numbers, medical or mental-health treatment or diagnosis information, passport numbers, taxpayer IDs, biometric authentication data, and online-account credentials [^stat-breach-pi-elements]. For a credential-only breach, the business may direct the individual to reset passwords and should not rely on the breached email account as the compliance notice channel when the breached credentials are for an email account furnished by the business [^stat-breach-credentials]. Three outs matter in practice. Encryption and redaction are built into the breach definition, so properly encrypted data generally does not trigger notice. A business that follows its own consistent notification procedures, or its primary or functional federal regulator's rules, is deemed compliant [^stat-breach-safe-harbors]. And no notice at all is required if the business, an independent third-party forensic auditor, or law enforcement determines after a reasonable investigation that the breach is not reasonably likely to result in substantial economic loss to affected individuals [^stat-breach-exception] — an economic-loss trigger that is narrower than the harm-based formulations many other states use. Enforcement is Attorney General-only: a *knowing and wilful* violation is an unlawful practice under the Consumer Fraud Act, with a civil penalty capped at the lesser of $10,000 per affected individual or the individuals' total economic loss, and a $500,000 maximum per breach or series of related breaches [^q4-breach-penalty].
+
+## What are the rules for genetic data and DNA test kits in Arizona? {#genetic-data}
+
+**Short answer.** Genetic data is the one area where Arizona has real, modern consumer-privacy law — through two distinct regimes. The Genetic Information Privacy Act covers entities that offer genetic testing products or services directly to consumers and collect genetic data or biological samples for analysis [^gipa-company-scope]. A covered company must obtain initial express consent that describes the uses of the genetic data, plus separate express consent for transfers to outsiders, for uses beyond the primary testing purpose, and for retaining the biological sample [^gipa-consent]. The company may never disclose genetic data to a health, life, or long-term-care insurer or to the consumer's employer [^gipa-insurer-ban]. Separately, an older confidentiality article makes genetic-test results confidential and privileged: outside enumerated exceptions, no one may disclose or be compelled to disclose the identity of a person tested or results that allow identification [^genetic-confidential].
+
+The Genetic Information Privacy Act is built around layered consent, but it also imposes operational duties: a comprehensive security program and a requirement of valid legal process before genetic data goes to law enforcement or any other government agency without express written consent [^gipa-government-security]. The company also must provide a consumer process to access genetic data, delete the account and genetic data, and obtain destruction of the biological sample [^gipa-process]. Research transfers need informed consent meeting the federal human-subjects rules, and genetic-data-based marketing needs its own express consent [^gipa-research-marketing]. The act exempts HIPAA-governed protected health information, samples and data generated for medical screening, treatment, or diagnosis, and institutions of higher education [^gipa-exceptions]; combined with the direct-to-consumer definition, those exemptions leave the act focused on consumer DNA-kit services rather than clinical care. Enforcement belongs to the Attorney General, with a civil penalty of up to $2,500 per violation plus consumers' actual damages [^gipa-enforcement]; there is no private right of action under the act.
+
+The older genetic-testing confidentiality article reaches further than DNA-kit companies. It also requires parental or guardian consent before genetic testing of an unemancipated minor [^genetic-minor-consent] and, outside narrow research and public-health circumstances, bars a health care provider from conducting a genetic test without first obtaining written informed consent [^genetic-informed-consent]. State and local agencies must keep genetic-testing records confidential and out of public-records inspection [^genetic-public-records]. One gap worth knowing: the confidentiality article states duties but contains no express penalty or enforcement provision, so how a violation would be remedied — negligence theories, the Consumer Fraud Act, or privacy torts — remains unresolved.
+
+## Does Arizona restrict how you handle Social Security numbers and discard old records? {#ssn-and-records-disposal}
+
+**Short answer.** Yes — two narrow but long-standing statutes apply to nearly every business. Since January 1, 2005, no person or entity may make an individual's Social Security number available to the general public, print it on access cards, require its transmission over the internet unless the connection is secure or the number is encrypted, use it as a website login without an additional authenticator, or print a known Social Security number on mailed materials except within statutory carveouts [^stat-ssn-restrictions]. And an entity may not knowingly discard records containing a name combined with a complete Social Security number, payment-card number, retirement or financial-account number, or driver-license number without first redacting the information or destroying the records [^stat-disposal].
+
+Both statutes are enforced by public officials rather than consumers. Under the Social Security number statute, only the Attorney General or a county attorney may commence a legal action [^stat-ssn-enforcement]. The disposal statute is likewise enforced by the Attorney General or county attorneys [^stat-disposal-enforcement], with tiered civil penalties per incident — up to $500 for a first violation, $1,000 for a second, and $5,000 for a third or subsequent violation [^stat-disposal-penalty]. Scope limits matter on both: the SSN statute grandfathers continuous pre-2005 uses subject to annual disclosure and opt-out duties, and the disposal statute applies only to paper records — electronic data disposal is untouched by it — with an own-procedures safe harbor and exemptions for GLBA, HIPAA, and FCRA-regulated entities [^stat-disposal-limits]. Neither statute creates an express consumer lawsuit in these quoted enforcement provisions, but sloppy SSN handling or dumpster-diving incidents can still surface in Attorney General consumer-protection practice, and a public SSN exposure that contradicts your stated security practices carries independent Consumer Fraud Act and FTC Act deception risk.
+
+## Can a consumer sue your business in Arizona over privacy? {#consumer-lawsuit}
+
+**Short answer.** Not under Arizona's privacy-specific statutes. The breach-notification article is enforceable only by the Attorney General, with a civil penalty capped at the lesser of $10,000 per affected individual or the individuals' total economic loss, up to $500,000 per breach or related series [^q7-breach-penalty]. The Genetic Information Privacy Act is also Attorney General-enforced, with penalties up to $2,500 per violation plus consumers' actual damages [^q7-gipa-enforcement]. The broader exposure runs through the Consumer Fraud Act: the Attorney General can obtain injunctions, restoration of money or property, and disgorgement of profits for any unlawful practice [^q7-cfa-remedies], and can recover a civil penalty of up to $10,000 per wilful violation [^q7-cfa-penalty] — *wilful* meaning the business knew or should have known its conduct was prohibited.
+
+None of these statutes gives a business a cure period — there is no statutory right to fix a violation before the Attorney General acts, only the practical mitigation of cooperating once an inquiry starts. The Attorney General also recovers costs and reasonable attorney fees in Consumer Fraud Act actions [^q7-cfa-costs].
+
+Private litigation is not entirely off the table, but the privacy-specific statutes quoted here do not create a consumer action. A plaintiff trying to plead a statutory privacy-misrepresentation theory would likely start with the Consumer Fraud Act's unlawful-practice language [^q7-cfa-unlawful]; whether that theory works for a pure privacy misrepresentation — a privacy policy that overpromises, a broken security commitment — is untested in Arizona's appellate courts, and the breach statute's text leaves breach-notification enforcement to the Attorney General [^q7-breach-penalty]. Plaintiffs can also plead common-law theories such as negligence or invasion of privacy after an incident, but those face the usual standing and damages hurdles absent actual misuse of the data. The operational takeaway: Arizona privacy exposure today is regulator-shaped — manage it by keeping the privacy policy truthful, hitting the 45-day breach clock, and treating genetic data under its dedicated consent regime.
+
+[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-11. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Arizona. This article synthesizes Arizona primary law and is not legal advice from a Arizona-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
+
+[^stat-breach-scope]: **A.R.S. § 18-552** — "If a person that conducts business in this state and that owns, maintains or licenses unencrypted and unredacted computerized personal information becomes aware of a security incident, the person shall conduct an investigation to promptly determine whether there has been a security system breach." *A.R.S. § 18-552(A).* <https://www.azleg.gov/ars/18/00552.htm>
+
+[^stat-cfa-unlawful]: **A.R.S. § 44-1522** — "The act, use or employment by any person of any deception, deceptive or unfair act or practice, fraud, false pretense, false promise, misrepresentation, or concealment, suppression or omission of any material fact with intent that others rely on such concealment, suppression or omission, in connection with the sale or advertisement of any merchandise whether or not any person has in fact been misled, deceived or damaged thereby, is declared to be an unlawful practice." *A.R.S. § 44-1522(A).* <https://www.azleg.gov/ars/44/01522.htm>
+
+[^stat-breach-exempt]: **A.R.S. § 18-552** — "This article does not apply to either of the following: 1. A person that is subject to title V of the Gramm-Leach-Bliley act (P.L. 106-102; 113 Stat. 1338; 15 United States Code sections 6801 through 6809). 2. A covered entity or business associates as defined under regulations implementing the health insurance portability and accountability act of 1996, 45 Code of Federal Regulations section 160.103 (2013) or a charitable fundraising foundation or nonprofit corporation whose primary purpose is to support a specified covered entity, if the charitable fundraising foundation or nonprofit corporation complies with any applicable provision of the health insurance portability and accountability act of 1996 and its implementing regulations." *A.R.S. § 18-552(N).* <https://www.azleg.gov/ars/18/00552.htm>
+
+[^stat-agency-policy]: **A.R.S. § 18-202** — "An agency web site provided by this state shall contain a privacy policy statement to disclose the information gathering and dissemination practices related to the internet." *A.R.S. § 18-202.* <https://www.azleg.gov/ars/18/00202.htm>
+
+[^q2-gipa-notice]: **A.R.S. § 44-8002** — "Provide clear and complete information regarding the company's policies and procedures for collecting, using or disclosing genetic data by making available to a consumer both of the following: (a) A high-level privacy policy overview that includes basic, essential information about the company's collection, use or disclosure of genetic data. (b) A prominent, publicly available privacy notice that includes information about the company's data collection, consent, use, access, disclosure, transfer, security and retention and deletion practices." *A.R.S. § 44-8002(A)(1).* <https://www.azleg.gov/ars/44/08002.htm>
+
+[^fed-ftc5-deceptive]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>
+
+[^q2-cfa-deception]: **A.R.S. § 44-1522** — "The act, use or employment by any person of any deception, deceptive or unfair act or practice, fraud, false pretense, false promise, misrepresentation, or concealment, suppression or omission of any material fact with intent that others rely on such concealment, suppression or omission, in connection with the sale or advertisement of any merchandise whether or not any person has in fact been misled, deceived or damaged thereby, is declared to be an unlawful practice." *A.R.S. § 44-1522(A).* <https://www.azleg.gov/ars/44/01522.htm>
+
+[^q2-cfa-ftc-guide]: **A.R.S. § 44-1522** — "It is the intent of the legislature, in construing subsection A, that the courts may use as a guide interpretations given by the federal trade commission and the federal courts to 15 United States Code sections 45, 52 and 55(a)(1)." *A.R.S. § 44-1522(C).* <https://www.azleg.gov/ars/44/01522.htm>
+
+[^fed-hipaa-notice]: **HIPAA Notice of Privacy Practices** — "an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information" *45 C.F.R. § 164.520(a).* <https://www.law.cornell.edu/cfr/text/45/164.520#:~:text=an%20individual%20has%20a%20right,respect%20to%20protected%20health%20information>
+
+[^stat-breach-vendor]: **A.R.S. § 18-552** — "A person that maintains unencrypted and unredacted computerized personal information that the person does not own or license shall notify, as soon as practicable, the owner or licensee of the information on discovering any security system breach and cooperate with the owner or the licensee of the personal information, including sharing information relevant to the breach with the owner or licensee." *A.R.S. § 18-552(C).* <https://www.azleg.gov/ars/18/00552.htm>
+
+[^fed-glba-safeguards]: **GLBA Safeguards Rule** — "Requiring your service providers by contract to implement and maintain such safeguards" *16 C.F.R. § 314.4(d)(2).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Requiring%20your%20service%20providers%20by,implement%20and%20maintain%20such%20safeguards>
+
+[^fed-hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410; (D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information; (E) Make available protected health information in accordance with § 164.524; (F) Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with § 164.526; (G) Make available the information required to provide an accounting of disclosures in accordance with § 164.528; (H) To the extent the business associate is to carry out a covered entity's obligation under this subpart, comply with the requirements of this subpart that apply to the covered entity in the performance of such obligation. (I) Make its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity available to the Secretary for purposes of determining the covered entity's compliance with this subpart; and (J) At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible." *45 C.F.R. § 164.504(e)(2).* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=A%20contract%20between%20the%20covered,destruction%20of%20the%20information%20infeasible.>
+
+[^q4-breach-investigate]: **A.R.S. § 18-552** — "If a person that conducts business in this state and that owns, maintains or licenses unencrypted and unredacted computerized personal information becomes aware of a security incident, the person shall conduct an investigation to promptly determine whether there has been a security system breach." *A.R.S. § 18-552(A).* <https://www.azleg.gov/ars/18/00552.htm>
+
+[^stat-breach-def]: **A.R.S. § 18-551** — "Means an unauthorized acquisition of and unauthorized access that materially compromises the security or confidentiality of unencrypted and unredacted computerized personal information maintained as part of a database of personal information regarding multiple individuals." *A.R.S. § 18-551(1)(a).* <https://www.azleg.gov/ars/18/00551.htm>
+
+[^stat-breach-timing]: **A.R.S. § 18-552** — "If the investigation results in a determination that there has been a security system breach, the person that owns or licenses the computerized data, within forty-five days after the determination, shall: 1. Notify the individuals affected pursuant to subsection E of this section and subject to the needs of law enforcement as provided in subsection D of this section. 2. If the breach requires notification of more than one thousand individuals, notify both: (a) The three largest nationwide consumer reporting agencies. (b) The attorney general and the director of the Arizona department of homeland security, in writing, in a form prescribed by rule or order of the attorney general or the director of the Arizona department of homeland security or by providing the attorney general or the director of the Arizona department of homeland security with a copy of the notification provided pursuant to paragraph 1 of this subsection." *A.R.S. § 18-552(B).* <https://www.azleg.gov/ars/18/00552.htm>
+
+[^stat-breach-contents]: **A.R.S. § 18-552** — "The notification required by subsection B, paragraph 1 of this section shall include at least the following: 1. The approximate date of the breach. 2. A brief description of the personal information included in the breach. 3. The toll-free numbers and addresses for the three largest nationwide consumer reporting agencies. 4. The toll-free number, address and website address for the federal trade commission or any federal agency that assists consumers with identity theft matters." *A.R.S. § 18-552(E).* <https://www.azleg.gov/ars/18/00552.htm>
+
+[^stat-breach-methods]: **A.R.S. § 18-552** — "The notification required by subsection B, paragraph 1 of this section shall be provided by one of the following methods: 1. Written notice. 2. An email notice if the person has email addresses for the individuals who are subject to the notice. 3. Telephonic notice, if telephonic contact is made directly with the affected individuals and is not through a prerecorded message. 4. Substitute notice if the person demonstrates that the cost of providing notice pursuant to paragraph 1, 2 or 3 of this subsection would exceed $50,000, that the affected class of subject individuals to be notified exceeds one hundred thousand individuals or that the person does not have sufficient contact information. Substitute notice consists of all of the following: (a) A written letter to the attorney general that demonstrates the facts necessary for substitute notice. (b) Conspicuous posting of the notice for at least forty-five days on the website of the person if the person maintains one." *A.R.S. § 18-552(F).* <https://www.azleg.gov/ars/18/00552.htm>
+
+[^stat-breach-pi-elements]: **A.R.S. § 18-551** — "7. ‘Personal information’: (a) Means any of the following: (i) An individual's first name or first initial and last name in combination with one or more specified data elements. (ii) An individual's user name or e-mail address, in combination with a password or security question and answer, that allows access to an online account. (b) Does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media. 8. ‘Prosecution agency’ means the attorney general, a county attorney or a municipal prosecutor. 9. ‘Redact’ means to alter or truncate a number so that not more than the last four digits are accessible and at least two digits have been removed. 10. ‘Security incident’ means an event that creates reasonable suspicion that a person's information systems or computerized data may have been compromised or that measures put in place to protect the person's information systems or computerized data may have failed. 11. ‘Specified data element’ means any of the following: (a) An individual's social security number. (b) The number on an individual's driver license issued pursuant to section 28-3166 or nonoperating identification license issued pursuant to section 28-3165. (c) A private key that is unique to an individual and that is used to authenticate or sign an electronic record. (d) An individual's financial account number or credit or debit card number in combination with any required security code, access code or password that would allow access to the individual's financial account. (e) An individual's health insurance identification number. (f) Information about an individual's medical or mental health treatment or diagnosis by a health care professional. (g) An individual's passport number. (h) An individual's taxpayer identification number or an identity protection personal identification number issued by the United States internal revenue service. (i) Unique biometric data generated from a measurement or analysis of human body characteristics to authenticate an individual when the individual accesses an online account." *A.R.S. § 18-551(7), (11).* <https://www.azleg.gov/ars/18/00551.htm>
+
+[^stat-breach-credentials]: **A.R.S. § 18-552** — "If a breach involves personal information as prescribed in section 18-551, paragraph 7, subdivision (a), item (ii) for an online account and does not involve personal information as defined in section 18-551, paragraph 7, subdivision (a), item (i), the person may comply with this section by providing the notification in an electronic or other form that directs the individual whose personal information has been breached to promptly change the individual's password and security question or answer, as applicable, or to take other steps that are appropriate to protect the online account with the person and all other online accounts for which the individual whose personal information has been breached uses the same user name and email address and password or security question or answer. If the breach of personal information as prescribed in section 18-551, paragraph 7, subdivision (a), item (ii) is for login credentials of an email account furnished by the person, the person is not required to comply with this section by providing the notification to that email address, but may comply with this section by providing notification by another method described in this subsection or by providing clear and conspicuous notification delivered to the individual online when the individual is connected to the online account from an internet protocol address or online location from which the person knows the individual customarily accesses the account. The person satisfies the notification requirement with regard to the individual's account with the person by requiring the individual to reset the individual's password or security question and answer for that account, if the person also notifies the individual to change the same password or security question and answer for all other online accounts for which the individual uses the same user name or email address and password or security question or answer." *A.R.S. § 18-552(G).* <https://www.azleg.gov/ars/18/00552.htm>
+
+[^stat-breach-safe-harbors]: **A.R.S. § 18-552** — "A person that maintains the person's own notification procedures as part of an information security policy for the treatment of personal information and that is otherwise consistent with the requirements of this article, including the forty-five-day notification period required by subsection B of this section, is deemed to be in compliance with the notification requirements of subsection B, paragraph 1 of this section if the person notifies subject individuals in accordance with the person's policies if a security system breach occurs. I. A person that complies with the notification requirements or security system breach procedures pursuant to the rules, regulations, procedures, guidance or guidelines established by the person's primary or functional federal regulator is deemed to be in compliance with the requirements of subsection B, paragraph 1 of this section." *A.R.S. § 18-552(H)-(I).* <https://www.azleg.gov/ars/18/00552.htm>
+
+[^stat-breach-exception]: **A.R.S. § 18-552** — "A person is not required to make the notification required by subsection B of this section if the person, an independent third-party forensic auditor or a law enforcement agency determines after a reasonable investigation that a security system breach has not resulted in or is not reasonably likely to result in substantial economic loss to affected individuals." *A.R.S. § 18-552(J).* <https://www.azleg.gov/ars/18/00552.htm>
+
+[^q4-breach-penalty]: **A.R.S. § 18-552** — "A knowing and wilful violation of this section is an unlawful practice pursuant to section 44-1522, and only the attorney general may enforce such a violation by investigating and taking appropriate action pursuant to title 44, chapter 10, article 7. The attorney general may impose a civil penalty for a violation of this article not to exceed the lesser of $10,000 per affected individual or the total amount of economic loss sustained by affected individuals, but the maximum civil penalty from a breach or series of related breaches may not exceed $500,000. This section does not prevent the attorney general from recovering restitution for affected individuals." *A.R.S. § 18-552(L).* <https://www.azleg.gov/ars/18/00552.htm>
+
+[^gipa-company-scope]: **A.R.S. § 44-8001** — "‘Direct-to-consumer genetic testing company’ or ‘company’ means an entity that offers genetic testing products or services directly to consumers that involve collecting from a consumer of either genetic data or biological samples and from which the company derives genetic data for analysis." *A.R.S. § 44-8001(4).* <https://www.azleg.gov/ars/44/08001.htm>
+
+[^gipa-consent]: **A.R.S. § 44-8002** — "Obtain a consumer's consent for collecting, using or disclosing the consumer's genetic data, including: (a) Initial express consent that clearly describes the uses of the genetic data collected through the genetic testing product or service and that specifies who has access to test results and how the genetic data may be shared. (b) Separate express consent for any of the following: (i) Transferring or disclosing the consumer's genetic data to any person other than the company's vendors and service providers. (ii) Using genetic data beyond the primary purpose of the genetic testing product or service and inherent contextual uses. (iii) Retaining any biological sample provided by the consumer following completion of the initial testing service requested by the consumer." *A.R.S. § 44-8002(A)(2).* <https://www.azleg.gov/ars/44/08002.htm>
+
+[^gipa-insurer-ban]: **A.R.S. § 44-8002** — "Notwithstanding any other provision in this section, a direct-to-consumer genetic testing company may not disclose a consumer's genetic data to any entity offering health insurance, life insurance or long-term care insurance or to any employer of the consumer." *A.R.S. § 44-8002(B).* <https://www.azleg.gov/ars/44/08002.htm>
+
+[^genetic-confidential]: **A.R.S. § 12-2802** — "A person shall not disclose or be compelled to disclose the identity of any person on whom a genetic test is performed or the results of a genetic test in a manner that allows identification of the person tested except to the persons specified in the circumstances set forth in subsection A of this section." *A.R.S. § 12-2802(C).* <https://www.azleg.gov/ars/12/02802.htm>
+
+[^gipa-government-security]: **A.R.S. § 44-8002** — "3. Require a valid legal process for disclosing genetic data to law enforcement or any other government agency without a consumer's express written consent. 4. Develop, implement and maintain a comprehensive security program to protect a consumer's genetic data against unauthorized access, use or disclosure." *A.R.S. § 44-8002(A)(3)-(4).* <https://www.azleg.gov/ars/44/08002.htm>
+
+[^gipa-process]: **A.R.S. § 44-8002** — "Provide a process for a consumer to do all of the following: (a) Access the consumer's genetic data. (b) Delete the consumer's account and genetic data. (c) Request and obtain the destruction of the consumer's biological sample." *A.R.S. § 44-8002(A)(5).* <https://www.azleg.gov/ars/44/08002.htm>
+
+[^gipa-research-marketing]: **A.R.S. § 44-8002** — "(c) Informed consent in compliance with the federal policy for the protection of human research subjects prescribed by 45 Code of Federal Regulations part 46 for transferring or disclosing the consumer's genetic data to third-party persons for research purposes or research conducted under the control of the company for the purpose of publication or generalizable knowledge. (d) Express consent for marketing to a consumer based on the consumer's genetic data or for marketing by a third-party person to a consumer based on the consumer having ordered or purchased a genetic testing product or service. For the purposes of this subdivision, marketing does not include providing customized content or offers on websites or through applications or services provided by the direct-to-consumer genetic testing company with the first-party relationship to the consumer." *A.R.S. § 44-8002(A)(2)(c)-(d).* <https://www.azleg.gov/ars/44/08002.htm>
+
+[^gipa-exceptions]: **A.R.S. § 44-8003** — "This chapter does not apply to any of the following: 1. Protected health information that is collected by a covered entity or business associate governed by the privacy, security and breach notification rules issued by the United States department of health and human services under 45 Code of Federal Regulations parts 160 and 164. 2. Biological samples that are obtained or genetic data that is generated for the purposes of an individual's medical screening, treatment or diagnosis. 3. Genetic data that is generated by analyses or tests described in section 12-2801, paragraph 1, subdivision (b). 4. A public or private institution of higher education or an entity that is owned or operated by a public or private institution of higher education." *A.R.S. § 44-8003.* <https://www.azleg.gov/ars/44/08003.htm>
+
+[^gipa-enforcement]: **A.R.S. § 44-8004** — "The attorney general may bring an action to enforce this chapter. A person who violates this chapter is subject to: 1. A civil penalty of up to $2,500 for each violation. 2. The payment of actual damages incurred by consumers as a result of the violation. 3. Costs and reasonable attorney fees incurred by the office of the attorney general." *A.R.S. § 44-8004.* <https://www.azleg.gov/ars/44/08004.htm>
+
+[^genetic-minor-consent]: **A.R.S. § 12-2803** — "A genetic test shall not be conducted on an unemancipated minor without the consent of the parent or legal guardian of the minor except for testing under the newborn screening program pursuant to section 36-694." *A.R.S. § 12-2803(A).* <https://www.azleg.gov/ars/12/02803.htm>
+
+[^genetic-informed-consent]: **A.R.S. § 12-2803** — "Except for the circumstances prescribed in section 12-2802, subsection A, paragraph 4, 7 or 9, a health care provider shall not conduct a genetic test on a person unless the health care provider first obtains written informed consent from the person to be tested or from the person's authorized representative." *A.R.S. § 12-2803(C).* <https://www.azleg.gov/ars/12/02803.htm>
+
+[^genetic-public-records]: **A.R.S. § 12-2804** — "Information and records held by a state agency or a local health authority relating to genetic testing information are confidential and are exempt from the public copying and inspection requirements of title 39, chapter 1, article 2. B. A state agency or a local health authority shall not release or make available to the public genetic testing information and records." *A.R.S. § 12-2804.* <https://www.azleg.gov/ars/12/02804.htm>
+
+[^stat-ssn-restrictions]: **A.R.S. § 44-1373** — "Except as otherwise specifically provided by law, beginning on January 1, 2005, a person or entity shall not: 1. Intentionally communicate or otherwise make an individual's social security number available to the general public. 2. Print an individual's social security number on any card required for the individual to receive products or services provided by the person or entity. 3. Require the transmission of an individual's social security number over the internet unless the connection is secure or the social security number is encrypted. 4. Require the use of an individual's social security number to access an internet web site, unless a password or unique personal identification number or other authentication device is also required to access the site. 5. Print a number that the person or entity knows to be an individual's social security number on any materials that are mailed to the individual, unless state or federal law requires the social security number to be on the document to be mailed. This paragraph does not prohibit the mailing of documents that include social security numbers sent as part of an application or enrollment process or to establish, amend or terminate an account, contract or policy or to confirm the accuracy of the social security number. In a transaction involving or otherwise relating to an individual, if a person or entity receives a number from a third party, the person or entity has no duty to inquire or otherwise determine if the number is or includes that individual's social security number. The person or entity may print that number on materials that are mailed to the individual, unless the person or entity that received the number has actual knowledge that the number is or includes the individual's social security number. This paragraph does not prohibit the mailing to the individual of any copy or reproduction of a document that includes a social security number if the social security number was included on the original document before January 1, 2005." *A.R.S. § 44-1373(A).* <https://www.azleg.gov/ars/44/01373.htm>
+
+[^stat-disposal]: **A.R.S. § 44-7601** — "An entity shall not knowingly discard or dispose of records or documents without redacting the information or destroying the records or documents if the records or documents contain an individual's first and last name or first initial and last name in combination with a corresponding complete: 1. Social security number. 2. Credit card, charge card or debit card number. 3. Retirement account number. 4. Savings, checking or securities entitlement account number. 5. Driver license number or nonoperating identification license number." *A.R.S. § 44-7601(A).* <https://www.azleg.gov/ars/44/07601.htm>
+
+[^stat-ssn-enforcement]: **A.R.S. § 44-1373** — "Only the attorney general or a county attorney, or both, may commence a legal action for a violation of this section." *A.R.S. § 44-1373(H).* <https://www.azleg.gov/ars/44/01373.htm>
+
+[^stat-disposal-enforcement]: **A.R.S. § 44-7601** — "This section may be enforced by either of the following: 1. A county attorney in the county in which the records or documents were wrongfully discarded or disposed. If a violation occurs by the same entity in multiple counties, a county attorney in a county in which records or documents were improperly discarded or disposed of, after filing a notice of intent to enforce this section, may send a copy of the notice to the county attorney in each county in which records or documents were not properly discarded or disposed of and may request that the actions be consolidated. 2. The attorney general." *A.R.S. § 44-7601(B).* <https://www.azleg.gov/ars/44/07601.htm>
+
+[^stat-disposal-penalty]: **A.R.S. § 44-7601** — "A civil penalty shall be imposed for each violation of subsection A of this section arising out of one incident. The civil penalty shall not exceed: 1. Five hundred dollars for a first violation. 2. One thousand dollars for a second violation. 3. Five thousand dollars for a third or subsequent violation." *A.R.S. § 44-7601(C).* <https://www.azleg.gov/ars/44/07601.htm>
+
+[^stat-disposal-limits]: **A.R.S. § 44-7601** — "An entity that maintains and complies with the entity's own procedures for the discarding or disposing of records or documents containing the information listed in subsection A of this section that is consistent with the requirements of this section shall be deemed to be in compliance with this section. E. This section does not apply to any of the following: 1. An entity subject to title V of the Gramm-Leach-Bliley act (P.L. 106-102; 113 Stat. 1338; 15 United States Code sections 6801 through 6809). 2. Covered entities and business associates as defined under regulations implementing the health insurance portability and accountability act, 45 Code of Federal Regulations section 160.103 (2003). 3. An entity subject to the federal fair credit reporting act (15 United States Code section 1681x). F. This section only applies to paper records and paper documents." *A.R.S. § 44-7601(D)-(F).* <https://www.azleg.gov/ars/44/07601.htm>
+
+[^q7-breach-penalty]: **A.R.S. § 18-552** — "A knowing and wilful violation of this section is an unlawful practice pursuant to section 44-1522, and only the attorney general may enforce such a violation by investigating and taking appropriate action pursuant to title 44, chapter 10, article 7. The attorney general may impose a civil penalty for a violation of this article not to exceed the lesser of $10,000 per affected individual or the total amount of economic loss sustained by affected individuals, but the maximum civil penalty from a breach or series of related breaches may not exceed $500,000. This section does not prevent the attorney general from recovering restitution for affected individuals." *A.R.S. § 18-552(L).* <https://www.azleg.gov/ars/18/00552.htm>
+
+[^q7-gipa-enforcement]: **A.R.S. § 44-8004** — "The attorney general may bring an action to enforce this chapter. A person who violates this chapter is subject to: 1. A civil penalty of up to $2,500 for each violation. 2. The payment of actual damages incurred by consumers as a result of the violation. 3. Costs and reasonable attorney fees incurred by the office of the attorney general." *A.R.S. § 44-8004.* <https://www.azleg.gov/ars/44/08004.htm>
+
+[^q7-cfa-remedies]: **A.R.S. § 44-1528** — "Following an investigation made pursuant to section 44-1524 and when it appears to the attorney general that a person has engaged in or is engaging in any practice declared to be unlawful by this article, the attorney general may seek and obtain in an action in a court of competent jurisdiction an injunction prohibiting the person from continuing the practices or engaging in the practice or doing any acts in furtherance of the practice after notice as is required by the rules of civil procedure. The court may make such orders or judgments as may be necessary to: 1. Prevent the use or employment by a person of any unlawful practices. 2. Restore to any person in interest any monies or property, real or personal, which may have been acquired by means of any practice in this article declared to be unlawful, including the appointment of a receiver. 3. Require that any profits, gain, gross receipts or other benefit obtained by means of any practice in this article declared to be unlawful be disgorged and paid to the state for deposit in the consumer remediation subaccount of the consumer restitution and remediation revolving fund established by section 44-1531.02." *A.R.S. § 44-1528(A).* <https://www.azleg.gov/ars/44/01528.htm>
+
+[^q7-cfa-penalty]: **A.R.S. § 44-1531** — "If a court finds that any person has wilfully violated section 44-1522, the attorney general upon petition to the court may recover from the person on behalf of the state a civil penalty of not more than ten thousand dollars per violation. B. For purposes of this section, a wilful violation occurs when the party committing the violation knew or should have known that his conduct was of the nature prohibited by section 44-1522." *A.R.S. § 44-1531(A)-(B).* <https://www.azleg.gov/ars/44/01531.htm>
+
+[^q7-cfa-costs]: **A.R.S. § 44-1534** — "In any action brought under the provisions of this article, the attorney general is entitled to recover costs, which in the discretion of the court may include a sum representing reasonable attorney's fees for the services rendered, for the use of the state." *A.R.S. § 44-1534.* <https://www.azleg.gov/ars/44/01534.htm>
+
+[^q7-cfa-unlawful]: **A.R.S. § 44-1522** — "The act, use or employment by any person of any deception, deceptive or unfair act or practice, fraud, false pretense, false promise, misrepresentation, or concealment, suppression or omission of any material fact with intent that others rely on such concealment, suppression or omission, in connection with the sale or advertisement of any merchandise whether or not any person has in fact been misled, deceived or damaged thereby, is declared to be an unlawful practice." *A.R.S. § 44-1522(A).* <https://www.azleg.gov/ars/44/01522.htm>