🌐 CCPA and Out-of-State Privacy Laws: What Arizona Companies Must Comply With
Think data privacy laws only apply to businesses based in California or New York? Think again. If your Arizona company collects personal data from out-of-state consumers, you may be subject to strict privacy laws like the California Consumer Privacy Act (CCPA), CPRA, and others.
Here’s what Arizona business owners need to know about complying with out-of-state privacy laws—even if your business isn’t located there.
Why Out-of-State Laws Apply to Arizona Businesses
Many privacy laws—including the CCPA/CPRA—are based on where your customers live, not where your business operates.
So if your business:
Sells goods or services to California residents
Collects or tracks personal data online (via cookies, forms, etc.)
Or works with third-party vendors who do…
…you may be required to comply—even if you’ve never set foot in California.
Who Must Comply With CCPA/CPRA?
You must comply if your business meets any of the following:
Annual gross revenue over $25 million, OR
Buys, receives, or sells the personal info of 100,000+ California residents, OR
Derives 50% or more of revenue from selling or sharing personal info
📌 Note: Even if you're under these thresholds, businesses that work with larger entities (e.g., as a vendor) may be contractually required to comply.
Key Requirements Under CCPA/CPRA
If you’re subject to the law, you must:
Disclose what personal data you collect and how it’s used
Provide consumers the right to access their data, correct inaccuracies, delete personal info, and opt out of sale/sharing of data
Update your privacy policy with specific language
Implement data security safeguards
Sign data processing agreements with third-party vendors
📌 Failure to comply can result in fines up to $7,500 per violation—and lawsuits if there’s a data breach.
Other State Laws That May Apply to Arizona Businesses
While Arizona doesn’t yet have its own consumer privacy law, these states do (or soon will):
California (CCPA/CPRA)
Colorado Privacy Act (CPA)
Virginia Consumer Data Protection Act (VCDPA)
Connecticut Data Privacy Act
Utah Consumer Privacy Act
📌 If you serve or market to customers in these states, you may need to adjust your data practices even if you're based in Arizona.
What About HIPAA?
Healthcare businesses are often already regulated by HIPAA. But HIPAA does not preempt CCPA or state privacy laws when it comes to:
Marketing communications
Employee data
Website cookies and tracking tools
📌 A medical practice with a website contact form collecting data from California residents could still trigger CCPA obligations.
How Arizona Businesses Can Stay Compliant
Map your data – Know what personal information you collect, how it’s stored, and who you share it with
Update your website’s privacy policy – Include state-specific disclosures for California, Colorado, and others
Use cookie banners – For tracking consent, especially for California or EU visitors
Review contracts with vendors – Make sure data processing agreements are in place
Consult a privacy attorney – Especially if you do business online or collect large volumes of data
Final Thoughts
Just because your business is based in Arizona doesn’t mean you’re off the hook for out-of-state privacy laws. With privacy enforcement ramping up nationwide, compliance is no longer optional for data-driven businesses.
Need help reviewing your privacy policy or assessing your risk under CCPA, CPRA, or other state laws? I help Arizona businesses navigate compliance with clear, practical legal guidance.
Hurley Law Group
Privacy & Compliance Counsel for Arizona Businesses and Healthcare Providers
📞 308-383-1867
🌐 hurleylawgroup.com
✉️ eric@hurleylawgroup.com