Arizona lawmakers frequently ignore the long-overdue need for comprehensive privacy protections for our residents. The lack of protections for Arizona residents permits intrusion on our individual freedom without our consent. Privacy is a non-partisan issue, and everyone should be concerned about how companies use their personal information. As a Certified Information Privacy Manager (CIPM), I take this very seriously. Before we discuss the policy plan, we need to reform the definition of what “Personal Information” is.
An individual’s first name or initial and last name in combination with other data elements such as:
- Social Security number or full date of birth;
- Driver’s license, state identification card, student, passport, health insurance policy or identification number;
- Account, credit or debit card number (in combination with any required security code, access code, or password that would permit access to an individual’s financial account);
- Private key that is unique to an individual and that is used to authenticate or sign an electronic record, medical information and biometric information;
- Username, email address, or any other account holder identifying information (in combination with any password or security question and answer that would permit access to an online account);
- Dissociated data that, if linked, would constitute personal information if the means to link the dissociated data were accessed in connection with access to the dissociated data (to include such things as IP addresses, device IDs, cookie IDs, and psychographic profiles based on customers’ preferences, characteristics, behavior, interests and other variables).
Protect and secure the personal information & data of Arizona residents.
In addition to reforming the definition of Personal Information, four policy changes are needed to address weak privacy protections in Arizona. They are Data Privacy, Internet Privacy, Data Security and Data Breach Notifications.
- Data Privacy: Require immediate disclosures when personal information is obtained by businesses, offer consumers the option to opt out, and clearly detail how businesses plan to use it when consumers opt in.
- Internet Privacy: Customers have the right to have personal information removed from non-government websites within 90 days of request submission.
- Data Security: Mandate annual risk assessments for businesses that manage or work with personal information.
- Data Breach Notifications: Breaches that affect the personal information of 100 or more residents in the state require notification to all affected individuals within 30 days of the breach detection.
Protecting our personal information is vital. We must enact logical privacy protections that ensure Arizonans are not being exploited or taken advantage of. This policy plan is a starting point for ongoing changes we must continue to make as technology advances.