Arizona Tech Sovereignty Act
One-Page Summary
Problems: Solutions
Federal government preempts state regulation of AI: State can still use it—but the company must open up: auditability, monitoring, testing, open source code
Open source transparency adds contractor costs: Open source companies get a 10% bid advantage—rewarding transparency and accountability
State data leaves state control: Data stays on state hardware. Contractors get access only to do their specific job
Contractors keep state data after contracts end: They must declare it and pay the state fair market value if allowed to retain it
FISA surveillance data mixing with state data: Firewall required. Separate computers, separate people, auditable logs. No cross-access. We can inspect anytime.
Universities have unique expertise but no path to compete: Explicitly authorized to bid as research projects. Students get experience. Research gets published. State gets accountable technology.
Data obtained without warrant: Contractors need a warrant if the state would need one. The Constitution follows the data
AI harms Arizonans with no recourse: Free agency complaints; Attorney General can sue; private lawsuits with fee-shifting
"Black box" AI with no accountability: Lack of auditability creates presumption of intent
Your data is misused: You can sue and collect $5,000 per violation, plus lawyer fees
-
Who it helps: Any Arizonan whose data is mishandled or who is harmed by an automated system—denied housing, denied benefits, discriminated against, privacy violated, or subjected to warrantless surveillance. Also, university students who get hands-on experience building accountable AI.
What it costs: Minimal. Uses existing agencies. Private enforcement through fee-shifting. University research leverages existing federal and state research funding.
What it does not do: Ban any technology. Punish lobbying. Create new criminal laws. Prohibit contractors from having FISA data—they just need to keep it separate. Block universities from competing—it explicitly invites them.
Bottom line: Arizona data stays in Arizona. FISA data stays separate—different computers, different people, auditable logs. Universities can compete as research projects, building the next generation of accountable AI. Companies that open their technology get a better shot at state contracts. If they hurt people or misuse data, they pay. And the Constitution follows the data.
AN ACT
TITLE: Arizona Tech Sovereignty Act
AMENDING TITLE 41, CHAPTER 1, ARIZONA REVISED STATUTES, BY ADDING ARTICLE [X]; AMENDING TITLE 13, CHAPTER 23, ARIZONA REVISED STATUTES, BY ADDING SECTION 13-2314.05; RELATING TO GOVERNMENT PROCUREMENT, AUTOMATED SYSTEMS, DATA SOVEREIGNTY, CIVIL LIABILITY, AND UNIVERSITY RESEARCH.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF ARIZONA:
---
PLAIN LANGUAGE SUMMARY
What this bill does in plain English:
- If the feds say Arizona can't regulate a technology, the state can still use it—but the company must open up. The company must show how it works, let people test it, and make the code public. No black boxes allowed.
- Open source companies get a better shot at state contracts. If a company opens up its technology—shares the code, training data, testing, and fairness checks—their bid score goes up by up to 10%. This rewards transparency and accountability.
- Arizona data stays in Arizona. Any company handling state data must keep it on state-controlled hardware. Contractors get access only to do their specific job. They cannot move, copy, or keep the data.
- If a contractor keeps state data after a contract ends, they must pay the state for it. The state owns its data. If a contractor finds value in it, they pay fair market value.
- No contractor can get data the state couldn't keep under the Constitution. If the state would need a warrant, the contractor needs a warrant too. The Constitution follows the data.
- FISA data must stay separate from state data. If a contractor handles both FISA spying data and Arizona state data, they must keep them on separate computers, with separate people, and keep auditable logs. No mixing. No cross-access. We can inspect anytime.
- Universities can compete for these contracts as research projects. If ASU, UA, or NAU wants to build or test accountable AI systems, they can submit bids. Students get hands-on experience. Research findings are published. The state gets technology that works and knowledge that lasts.
- If an automated system hurts you, you can get help for free. File a complaint with a state agency. They investigate. The Attorney General can sue on your behalf. If you hire a lawyer and win, the other side pays.
- Black box systems are presumed to intend the harm they cause. If a company uses an AI no one can audit, test, or monitor, the law presumes they meant whatever harm it caused. They can fight that if they have a good reason.
- You can sue if your data is misused. If a contractor misuses your data, you can collect $5,000 per violation, plus your lawyer fees.
- Not a ban. Private citizens and businesses can still use any technology they want. This only affects government purchases and creates accountability when systems hurt people.
---
SECTION 1. LEGISLATIVE FINDINGS
The Legislature finds:
1. Arizona has the right to decide what technology its own government uses and how its citizens' data is handled.
2. When the federal government says Arizona cannot make rules about a technology, Arizona can still require transparency and accountability from companies that want state contracts.
3. Automated systems—like artificial intelligence—are making important decisions about people's lives: who gets housing, who gets benefits, who gets insurance, and more.
4. When these systems make mistakes or discriminate, people need a way to get help that does not require hiring a lawyer.
5. Companies that build systems no one can understand or test should be responsible when those systems hurt people.
6. State data belongs to the people of Arizona. When contractors keep that data, they should pay fair value for it, and they should never use it in ways the state itself could not under the Constitution.
7. Federal surveillance authorities like FISA should not be used to gather data that Arizona contractors then use in state government. If contractors handle both, they must maintain complete separation—separate computers, separate people, auditable logs.
8. Open source technology benefits the public by allowing verification, reducing vendor lock-in, and increasing competition. Companies that provide open source access should receive a preference in state contracting.
9. Arizona's public universities possess unique expertise in artificial intelligence, software development, data security, and technology transfer. Engaging universities in the development and validation of accountable technology serves a public purpose by creating educational opportunities for students, advancing research on AI accountability, developing open source solutions, and building a workforce trained in accountable AI practices.
10. This law does not ban any technology. It only sets rules for government purchases, protects state data, creates a way for people to seek justice when automated systems harm them, and harnesses university research for the public good.
---
SECTION 2. TITLE 41, CHAPTER 1, ARIZONA REVISED STATUTES, IS AMENDED BY ADDING ARTICLE [X], TO READ:
ARTICLE [X]: TECHNOLOGY ACCOUNTABILITY
---
41-1XX. Definitions
In this law, the following terms will adhere to the supplied definitions:
1. "Automated system." Any computer program, artificial intelligence, or algorithm that makes decisions or takes actions that affect people in Arizona. This includes systems that approve or deny applications, set prices, or sort people into categories.
2. "Deployer." Any person or company that uses an automated system in Arizona or sells services that use an automated system to people in Arizona.
3. "Federal preemption." A federal law, rule, or order that says Arizona cannot make its own rules about a specific technology.
4. "Political subdivision." Any city, county, town, school district, or other local government in Arizona.
5. "Prohibited technology." Any technology that the federal government says Arizona cannot regulate, where the federal action happened after January 1, 2025.
6. "Rights violation." Any action that breaks the Arizona Constitution, United States Constitution, a Federal or Arizona law that protects individual rights, or a right recognized by Arizona courts. This includes violations of privacy, discrimination, fraud, or unfair treatment.
7. "Contractor." Any private company that does business with the state or a local government.
8. "State-gathered data." Any data collected, generated, or processed by or on behalf of the state or a political subdivision, including personal information, government records, communications, transaction records, and any data derived from automated systems operating on behalf of the state.
9. "State-controlled hardware." Any computer, server, storage device, network, or facility owned, leased, or operated by the state or a political subdivision, where the state or political subdivision retains exclusive control over access, security, and data management.
10. "FISA data." Any data obtained through or derived from any authority granted under the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. § 1801 et seq.), including electronic surveillance, physical searches, pen register and trap and trace devices, access to business records, and any orders issued by the Foreign Intelligence Surveillance Court or the Foreign Intelligence Surveillance Court of Review.
11. "University." Any of the universities under the jurisdiction of the Arizona Board of Regents, including Arizona State University, the University of Arizona, and Northern Arizona University.
---
41-1XX.1. Federal preemption does not limit civil liability
Nothing in this article shall be construed to limit or preempt any civil action for damages, injunctive relief, or other remedy available under Arizona law for rights violations caused by automated systems. Federal preemption of state regulatory authority does not immunize any person or entity from liability for harm caused to Arizona residents.
---
41-1XX.2. Arizona Guidelines for the use of technologies whose state regulation is preempted by federal action.
A. If the federal government issues a law, rule, or order that preempts Arizona's authority to regulate a specific technology (a "prohibited technology"), state agencies may continue to use or acquire that technology only if the technology meets the requirements of this section.
B. Before a state agency may use or acquire a prohibited technology, the deployer of that technology must demonstrate due diligence by providing to the agency, in writing and under penalty of perjury:
1. A complete description of the technology, including:
- What the technology does
- What data it collects, stores, and shares
- Who has access to the data
- How decisions are made by the technology
2. A certification that the technology is auditable, meaning:
- The deployer can explain how any decision was made
- An independent third party can examine the system
- The deployer will provide access for such audits upon request
3. A certification that the technology is monitorable, meaning:
- The deployer can track what the system does in real time
- Records are kept for at least three years
- The deployer will provide access to records upon request
4. A certification that the technology is testable with repeatable results, meaning:
- The same input produces the same output
- The deployer will allow independent testing upon request
5. A disclosure of any known rights violations caused by the technology in any jurisdiction
6. A disclosure of any federal or state enforcement actions against the deployer related to the technology
C. Before a state agency may use or acquire a prohibited technology, the deployer must also provide open source access to the technology's essential components as follows:
1. For any technology that makes decisions affecting Arizonans' rights, the deployer must make available in open source format:
- The source code of the decision-making algorithms
- The training data used to develop the algorithms (with personally identifiable information removed)
- The documentation of how the system was tested and validated
- Any fairness or bias assessments conducted
2. This open source material must be:
- Published on a publicly accessible website maintained by the deployer
- Updated whenever the system is materially changed
- Maintained for the duration of the contract and for five years thereafter
3. The deployer may redact trade secrets that are not essential to understanding how the system makes decisions affecting rights. Any redaction must be justified in writing and approved by the Attorney General.
D. Public review period. Before a state agency may enter into a contract for a prohibited technology, the agency must:
1. Publish the deployer's due diligence materials on the agency's website
2. Provide a 60-day public comment period
3. Consider any comments received
4. Publish a written response explaining how comments were addressed
---
41-1XX.3. Local governments follow the same rules
A. Political subdivisions may use or acquire prohibited technology only if they comply with the same due diligence and open source requirements as state agencies under Section 41-1XX.2.
B. The Attorney General shall provide technical assistance to political subdivisions in evaluating due diligence submissions.
C. A political subdivision that uses a prohibited technology without meeting these requirements shall forfeit any state-shared revenues for the fiscal year in which the violation occurred, unless the violation is cured within 30 days of notice.
---
41-1XX.4. Contractors using prohibited technology
A. The state and political subdivisions may contract with deployers of prohibited technology only if the deployer has complied with the due diligence and open source requirements of Section 41-1XX.2.
B. Any contract for prohibited technology must include:
1. A requirement that the deployer maintain open source access for the duration of the contract
2. A requirement that the deployer provide quarterly reports on any rights violations caused by the technology
3. A right for the state or political subdivision to terminate the contract immediately if the deployer fails to maintain compliance
C. The state and political subdivisions shall give preference in procurement to deployers who:
1. Have a demonstrated history of transparency and accountability
2. Have not been found liable for rights violations caused by their automated systems
3. Have not lobbied for federal preemption of state technology regulation
---
41-1XX.5. Exemptions
The requirements of Sections 41-1XX.2 through 41-1XX.4 do not apply if:
1. The prohibited technology is used exclusively for non-public, internal administrative functions that do not affect individual rights, as certified by the Attorney General.
2. The technology is needed to respond to an imminent threat to public safety or critical infrastructure, and the Governor issues a temporary waiver. Any such waiver lasts no more than 90 days and may be renewed only once.
3. The cost of open source compliance would exceed 50% of the total contract value, and the agency head certifies that no reasonable alternative exists. In such cases, the deployer must still comply with all due diligence requirements and must provide access for independent auditing by the Attorney General.
4. Offsite storage of data for continuity of operations purposes as authorized by Section 41-1XX.7(F) and (G).
---
41-1XX.6. Public registry of compliant technology
A. The Attorney General shall maintain a public, searchable online registry of all deployers who have submitted due diligence materials under this article.
B. For each deployer, the registry must include:
1. The deployer's name and contact information
2. The technology covered by the due diligence submission
3. A link to the open source materials
4. Any known rights violations or enforcement actions
5. The date of the most recent compliance review
C. State agencies and political subdivisions shall consult the registry before contracting for prohibited technology and shall give preference to deployers with a demonstrated history of compliance.
---
41-1XX.7. Arizona data stays on Arizona hardware
A. Data sovereignty. Any automated system used by the state or a political subdivision must retain all state-gathered data on hardware owned, controlled, and physically located within facilities operated by the state or political subdivision.
1. No state-gathered data may be transferred, stored, processed, or transmitted to any hardware, server, cloud, or facility not owned and controlled by the state or political subdivision, except as provided in subsection C of this section.
B. Contractor access limited to scope of work. Any contractor providing services involving automated systems or data processing for the state or a political subdivision shall be subject to the following restrictions:
1. Contractors may access state-gathered data only to the extent necessary to perform the specific tasks described in their contract.
2. Contractors may NOT:
- Transfer state-gathered data to any location, server, or facility outside the state's direct control
- Store state-gathered data on any hardware not owned by the state
- Process state-gathered data using systems not approved in advance by the contracting agency
- Transmit state-gathered data to any third party, affiliate, subsidiary, or subcontractor not explicitly named in the contract
- Use state-gathered data for any purpose other than fulfilling the contract
- Retain state-gathered data after the contract ends
3. Any contractor that accesses state-gathered data must:
- Provide the agency with a complete list of all personnel who will have access, including their roles and qualifications
- Require all personnel with access to complete annual training on data security and privacy
- Allow the agency to conduct unannounced audits of their data handling practices
- Certify quarterly that no data has been transferred, stored, or processed outside the scope of the contract
C. Limited exceptions. The requirements of this section do not apply if:
1. The data is anonymized to the extent that it cannot be reasonably linked to any specific individual, and the anonymization is certified by the Attorney General and due consideration is given to the state;
2. The data is required by federal law to be stored or processed on specific hardware or locations not controlled by the state, and the state agency certifies in writing that no alternative exists; or
3. The Governor, in consultation with the Attorney General, issues a temporary waiver for a period not to exceed 90 days for a specific emergency or critical infrastructure need.
D. Enforcement. The Attorney General may bring an action in superior court against any contractor that violates this section. Upon a finding of violation, the court may:
1. Order immediate cessation of the unauthorized data transfer, storage, processing, or transmission
2. Order the return or deletion of any state-gathered data improperly transferred
3. Impose civil penalties of up to $50,000 per violation, plus $1,000 per day for each day the violation continues
4. Order the contractor to pay the costs of investigation and remediation
5. Bar the contractor from doing business with the state for up to five years
E. Contract requirements. Every contract for automated systems or data processing services entered into by the state or a political subdivision after the effective date of this act must include provisions requiring compliance with this section. Any contract that does not include such provisions is voidable by the state.
F. That data is otherwise publicly accessible and a full copy of said data remains under direct physical state control as a master copy for all state uses.
G. That data is stored off-site for continuity of operations purposes and is otherwise only accessible by state employees or contractors operating on behalf of the state to update the offsite data with the current state master copy and restore damaged or lost data to the state master copy.
---
41-1XX.8. Data rights, retention, and constitutional protections
A. Data retention requires declaration and consideration. Any contractor that retains any state-gathered data after the termination or completion of a contract, or that uses state-gathered data for any purpose beyond the explicit scope of the contract, must:
1. Declare the retention. Provide a written declaration to the contracting agency and the Attorney General stating:
- What data is being retained
- The purpose of retention
- The duration of retention
- How the data will be stored and protected
- Whether the data will be shared with any third party
2. Provide due consideration. The contractor must provide fair and reasonable consideration to the state for the value of the retained data. Consideration may include:
- A reduction in contract price
- A direct payment to the state
- Provision of services or technology to the state at no cost
- Any other form of consideration agreed to by the contracting agency and approved by the Attorney General
3. Obtain written approval. No contractor may retain state-gathered data without the express written approval of:
- The contracting agency head, and
- The Attorney General
B. FISA data segregation; no commingling with state data.
1. Definitions. For purposes of this section:
- "FISA data" means any data obtained through or derived from any authority granted under the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. § 1801 et seq.), including electronic surveillance, physical searches, pen register and trap and trace devices, access to business records, and any orders issued by the Foreign Intelligence Surveillance Court or the Foreign Intelligence Surveillance Court of Review.
- "FISA personnel" means any employee, contractor, or agent of a contractor who has access to FISA data.
- "State data personnel" means any employee, contractor, or agent of a contractor who has access to state-gathered data.
2. Total data segregation required. Any contractor that handles state-gathered data and also handles FISA data must maintain complete and auditable segregation between the two data sets. This segregation must include:
a. Physical or logical separation. FISA data and state-gathered data must be stored on separate hardware, servers, or logically isolated partitions that prevent any cross-access.
b. No commingling. FISA data and state-gathered data may not be stored in the same database, processed by the same systems, transmitted through the same unsecured channels, or combined in any way.
c. Personnel separation. No person may have access to both FISA data and state-gathered data. FISA personnel and state data personnel must be separate individuals with separate credentials, no cross-access privileges, and auditable logs showing no crossover.
d. System separation. The systems used to process FISA data and state-gathered data must be operated on separate infrastructure with separate access controls, no shared administrative privileges, and auditable separation maintained at all times.
3. Auditable firewall required. Any contractor subject to this section must:
a. Maintain detailed, unalterable logs showing all access to FISA data, all access to state-gathered data, any attempted cross-access, all personnel with access to either data set, and any changes to personnel access privileges.
b. Provide the Attorney General and the contracting agency with real-time access to all logs upon request, the ability to conduct unannounced audits of segregation controls, access to all systems and personnel involved, and quarterly certification under penalty of perjury that segregation is maintained.
c. Retain all logs for a minimum of ten years and provide them to the Attorney General immediately upon request.
4. Certification required. Before entering into any contract for automated systems or data processing services, a state agency or political subdivision shall require the prospective contractor to certify under penalty of perjury that:
- The contractor has implemented total data segregation as required by this section, if applicable
- No personnel have access to both FISA data and state-gathered data
- The contractor will maintain auditable logs and provide access as required
- The contractor will notify the contracting agency and the Attorney General within 24 hours of any breach or attempted breach of segregation
- The contractor will notify the contracting agency and the Attorney General within 10 days of any change in their status regarding FISA data
5. No waiver of constitutional rights. Nothing in this section shall be construed to waive or diminish any constitutional rights or protections applicable to state-gathered data, including the Fourth Amendment, Article II, Section 8 of the Arizona Constitution, and any privacy or due process protections otherwise applicable.
6. Exception for emergency waivers. The Governor may issue a temporary waiver of the requirements of this section for a period not to exceed 90 days upon a written finding that:
- There exists an imminent threat to national security or critical infrastructure
- No alternative contractor exists that can meet the need
- The Attorney General has reviewed and concurred in the finding
- The waiver is reported immediately to the Legislature
- The waiver includes a plan for maintaining the maximum possible segregation during the waiver period
Any such waiver must be accompanied by a classified briefing to the President of the Senate and the Speaker of the House of Representatives.
7. No state assistance to warrantless surveillance. Nothing in this section shall be construed to authorize or require the state or any political subdivision to assist in, facilitate, or provide cover for any surveillance activity that would be unlawful if conducted by the state directly. The requirements of this section are intended to create a firewall, not a conduit.
C. Prohibition on receiving data the state could not lawfully retain. No contractor may receive, access, retain, store, process, or transmit any state-gathered data that the state itself would not be lawfully permitted to retain, analyze, or transmit under:
1. The Fourth Amendment to the United States Constitution. Data that would require a warrant for the state to obtain or retain may not be transferred to a contractor without the same warrant or legal process that would be required of the state.
2. Article II, Section 8 of the Arizona Constitution. Data protected against unreasonable searches and seizures under the Arizona Constitution enjoys the same protections when transferred to contractors.
3. Established privacy precedents. Data protected by:
- The privacy provisions of the Arizona Constitution
- The Health Insurance Portability and Accountability Act (HIPAA) for medical information
- The Family Educational Rights and Privacy Act (FERPA) for educational records
- The Driver's Privacy Protection Act for motor vehicle records
- Any other state or federal privacy law that would restrict the state's own retention or use of such data
4. Due process protections. Data that would be subject to due process requirements under the Fourteenth Amendment or Article II, Section 4 of the Arizona Constitution may not be transferred to a contractor in a manner that would circumvent those protections.
D. Contractor as state actor. For purposes of constitutional protections, any contractor accessing, retaining, or using state-gathered data shall be deemed a state actor subject to the same constitutional limitations as the state itself, including:
1. The Fourth Amendment's prohibition on unreasonable searches and seizures
2. The Fifth Amendment's protection against self-incrimination
3. The Fourteenth Amendment's due process and equal protection guarantees
4. Article II of the Arizona Constitution, including Sections 4 (due process), 8 (search and seizure), and 10 (self-incrimination)
5. The prohibition on warrantless surveillance under FISA that would violate these constitutional protections
E. Warrant requirement for sensitive data. Before any contractor may access, retain, or process data that would require a warrant if retained by the state, the state must:
1. Obtain a warrant or court order based on probable cause, or
2. Demonstrate that an exception to the warrant requirement applies under established constitutional precedent
Any data obtained by a contractor without satisfying this requirement shall be inadmissible in any criminal or civil proceeding and shall be subject to immediate deletion and return to the state.
F. Prohibition on data arbitrage. No contractor may:
1. Sell, license, or otherwise transfer state-gathered data to any third party without the express written consent of the Attorney General and the contracting agency
2. Use state-gathered data to train, develop, or improve automated systems or artificial intelligence models except as explicitly authorized in the contract and with the written approval of the Attorney General
3. Retain state-gathered data for the purpose of creating derivative datasets, models, or algorithms that incorporate or are derived from state-gathered data, unless the state receives:
- Full disclosure of the derivative works
- A perpetual, irrevocable, royalty-free license to use such derivative works
- Fair consideration for the value derived from state data
G. Notice to individuals. Any contract that involves the collection, retention, or processing of personal information of Arizona residents must:
1. Provide clear notice to affected individuals describing:
- What data will be collected
- Who will have access to the data
- How long the data will be retained
- Whether the data may be used for any purpose beyond the specific service provided
- The rights of individuals to access, correct, or delete their data
2. Obtain affirmative consent from individuals before their data is used for any purpose beyond the specific service for which it was collected
3. Provide a mechanism for individuals to revoke consent and have their data deleted
H. Enforcement and remedies. In addition to any other remedies available under this article:
1. Any contractor that retains state-gathered data without complying with subsection A of this section shall forfeit any right to such data and shall be required to pay to the state the greater of:
- Three times the market value of the data, or
- $50,000 per violation, plus $1,000 per day for each day the data is retained without compliance
2. Any contractor that receives or uses data in violation of subsection B, C, D, E, or F of this section shall be subject to:
- Immediate termination of all contracts with the state
- Permanent debarment from future state contracts
- Civil penalties of up to $100,000 per violation
- Payment of all costs of investigation and remediation
3. Individuals whose data is obtained, retained, or used in violation of this section may bring a private right of action for:
- Actual damages or statutory damages of $5,000 per violation, whichever is greater
- Injunctive relief
- Reasonable attorney fees and costs
- Punitive damages upon a showing of willful or reckless conduct
I. Annual audit. The Attorney General shall conduct or contract for an annual audit of all contracts involving state-gathered data to ensure compliance with this section. The results of the audit shall be reported to the Governor and the Legislature.
---
41-1XX.9. When an automated system hurts you, you can get help
A. If an automated system injures you or harms your business or property by violating your rights, you can sue the company that deployed it. If you win, the company pays your damages, court costs, and lawyer fees.
B. If you win, the company pays your lawyer fees. If the company wins, you only pay their lawyer fees if your case was frivolous—meaning you filed it with no reasonable basis.
C. You do not have to post a bond or pay large upfront costs to file a case. If you cannot afford the filing fee, the court will waive it.
---
41-1XX.10. How intent is proved
A. The law presumes that a company intended the harm its automated system caused if any of these things are true:
1. No one can audit the system. That means no one—not even the company—can look inside to see how it makes decisions.
2. No one can monitor the system. That means there is no way to watch what the system is doing in real time or check its records later.
3. The system does not give repeatable results. That means if you put in the same information twice, you might get different answers.
4. The system breaks state rules. That means the company did not follow Arizona laws about testing or running automated systems.
B. A company can fight this presumption. To do so, they must prove all of these things with clear and convincing evidence:
1. They tried to make the system auditable, monitorable, and testable before they used it.
2. They used the best methods available at the time to make it transparent and accountable.
3. They cooperated when people asked to audit, monitor, or test the system.
4. They did not intentionally use a "black box" system to hide from responsibility.
C. Here is what these words mean:
- "Auditable" means a qualified person can look at the system's inputs, logic, and outputs to see if it follows the law.
- "Monitorable" means someone can watch the system's operations in real time or through records to spot problems.
- "Testable with repeatable results" means the system gives the same answer every time you give it the same information.
---
41-1XX.11. You can file a complaint with a state agency for free
A. If an automated system violates your rights, you can file a complaint with the state agency that handles that kind of issue. Pick the agency that fits your situation:
Agency What they handle
--------------------------
Attorney General's Office Discrimination, privacy, civil rights
Department of Insurance Insurance, banking, financial services
Department of Housing Housing applications, evictions, rentals
Department of Economic Security Benefits, disability, unemployment
Corporation Commission Utilities, electricity, phone service
Department of Health Services Healthcare, medical decisions
Department of Administration State government services
B. When you file a complaint, the agency must:
1. Send you a letter saying they got it within 15 days.
2. Investigate to find out what happened.
3. Try to resolve the problem through mediation if that makes sense.
4. Give you a written decision within 180 days.
5. If they find a violation, they can order:
- The company to stop the illegal practice
- The company to give you back any benefit you lost
- The company to pay you actual damages
- A civil penalty of up to $10,000 paid to you
- Payment for the costs of investigation
C. You can also file a lawsuit in court even if you filed an agency complaint. One does not stop the other.
---
41-1XX.12. The Attorney General can help
A. The Attorney General can sue a company on your behalf or on behalf of a group of people who were harmed by an automated system.
B. When the Attorney General sues, they can ask the court for:
- An order to stop the illegal practice
- Actual damages for the people who were harmed
- Civil penalties of up to $25,000 per violation, paid to the people harmed
- Their lawyer fees and costs
---
41-1XX.13. Office of the Ombudsman for Automated Systems
A. The Office of the Ombudsman for Automated Systems is established within the Arizona Attorney General's Office. The Ombudsman shall be appointed by the Attorney General and shall serve at the pleasure of the Attorney General.
B. The Ombudsman shall:
1. Provide information and assistance to persons seeking to file complaints under this article;
2. Assist persons in identifying the appropriate agency for their complaint;
3. Provide educational materials explaining the rights established under this article;
4. Track complaint patterns and identify systemic issues;
5. Report annually on the activities of the office.
C. The services of the Ombudsman shall be provided without cost to persons seeking assistance.
---
41-1XX.14. Aggregation of violations; enhanced remedies
A. When a single automated system deployed by the same deployer causes rights violations affecting multiple persons, each violation may be aggregated for purposes of:
1. Determining the applicable damages;
2. Establishing a pattern of conduct; and
3. Calculating penalties under this article.
B. A court may award enhanced damages of up to treble the amount of actual damages upon a showing that the deployer:
1. Knew or recklessly disregarded a substantial risk that the automated system would cause rights violations;
2. Failed to implement reasonable safeguards despite such knowledge; and
3. Continued deployment without meaningful remediation.
---
41-1XX.15. Favorable bid assessment for open source contractors
A. Preference for open source. In any procurement for automated systems, data processing services, or technology that may affect individual rights, the state and political subdivisions shall give a favorable bid assessment to contractors that provide open source access to their technology as described in Section 41-1XX.2(C).
B. Bid assessment formula. For purposes of evaluating bids, proposals, or offers, the contracting agency shall apply a favorable adjustment to the bid score of any contractor that qualifies as an open source contractor under this section. The adjustment shall be:
1. For full open source compliance. A contractor that provides all of the following shall receive a 10% favorable adjustment to their total bid score:
- Full source code of all decision-making algorithms
- Complete training data documentation (with personally identifiable information redacted)
- Comprehensive testing and validation documentation
- Fairness and bias assessments
- Ongoing maintenance of open source materials for the duration of the contract and five years thereafter
2. For substantial open source compliance. A contractor that provides substantially all of the requirements but with limited redactions approved by the Attorney General shall receive a 5% favorable adjustment to their total bid score.
3. For partial open source compliance. A contractor that provides some open source materials but with significant redactions or limitations may receive a 2% favorable adjustment at the discretion of the contracting agency, based on a written finding that the open source materials provided nevertheless offer meaningful transparency.
C. Application of favorable adjustment. The favorable adjustment shall be applied as follows:
1. For bids evaluated on a numerical scoring system, the adjustment shall increase the total score by the applicable percentage.
2. For bids evaluated on a lowest-price basis, the adjustment shall be applied as a reduction to the bid price by the applicable percentage for comparison purposes only.
3. For bids evaluated on a best-value basis, the adjustment shall be factored into the overall value assessment as a weighting factor in favor of open source contractors.
D. Preference for open source contractors. In addition to the favorable bid adjustment, the state and political subdivisions shall:
1. Include open source accessibility as a factor in any request for proposals, invitation for bids, or other solicitation for technology contracts
2. Give preference to open source contractors when all other factors are substantially equal
3. Consider the long-term cost savings and public benefits of open source technology, including reduced vendor lock-in, increased competition, and public accountability
E. Qualification as open source contractor. A contractor qualifies as an open source contractor under this section if:
1. They have submitted complete due diligence materials under Section 41-1XX.2(B) and have received certification from the Attorney General that their open source materials comply with the requirements of Section 41-1XX.2(C); or
2. They are listed on the public registry established under Section 41-1XX.6 as a compliant deployer with open source materials publicly available
F. Maintenance of open source status. To maintain eligibility for favorable bid assessment, a contractor must:
1. Keep all open source materials current and publicly accessible for the duration of any active contract
2. Promptly update open source materials whenever the technology is materially changed
3. Provide quarterly certification to the contracting agency that open source materials remain current and accurate
4. Notify the contracting agency and the Attorney General within 30 days of any change that would affect their open source status
G. Loss of preference. A contractor that fails to maintain open source status during the term of a contract:
1. Shall forfeit any favorable bid assessment applied to that contract
2. May be subject to termination of the contract
3. Shall be ineligible for favorable bid assessment on future contracts until compliance is restored
H. Reporting requirement. The Arizona Department of Administration shall report annually to the Governor and the Legislature on:
1. The number of contracts awarded with favorable bid assessments under this section
2. The average favorable adjustment applied
3. The total value of contracts awarded to open source contractors
4. Any instances where open source status was lost during the term of a contract
5. The estimated cost savings and public benefits resulting from open source procurement preferences
---
41-1XX.16. University research contracts for accountable technology
A. Legislative findings. The Legislature finds that:
1. Arizona's public universities possess unique expertise in artificial intelligence, software development, data security, and technology transfer.
2. Engaging universities in the development and validation of accountable technology serves a public purpose by:
- Creating educational opportunities for students
- Advancing research on AI accountability, auditability, and data sovereignty
- Developing open source solutions that benefit all Arizonans
- Building a workforce trained in accountable AI practices
- Reducing vendor lock-in and long-term procurement costs
B. University participation authorized. State agencies and political subdivisions may contract with the Arizona Board of Regents or its constituent universities (Arizona State University, the University of Arizona, and Northern Arizona University) for the development, testing, validation, or deployment of accountable technology under this article, provided that:
1. The contract includes a research component that offers a valuable educational or research experience for students as a part of their education, consistent with A.R.S. § 41-2753.
2. The contract requires that any technology developed or validated through the contract be made available under open source terms, consistent with the open source requirements of this article.
3. The contract includes provisions for publication of research findings, subject to appropriate protection of trade secrets or patentable inventions.
C. Research advantage deemed to exist. For purposes of A.R.S. § 41-2753(A)(2), a contract for accountable technology under this article is deemed to provide a clear educational or research advantage to this state, as the development and validation of accountable AI systems directly advances Arizona's interests in transparent, auditable, and privacy-protecting technology.
D. Technology transfer. The Arizona Board of Regents may license, assign, or otherwise transfer intellectual property developed under contracts authorized by this section in accordance with A.R.S. § 15-1635.01, provided that any such transfer preserves the state's rights to use the technology for governmental purposes and maintains open source availability for non-commercial use.
E. Preference for university research contracts. In evaluating bids or proposals for accountable technology contracts, state agencies shall give preference to proposals that include a substantive research component conducted by an Arizona public university, where all other factors are substantially equal.
F. Annual report. The Arizona Board of Regents shall submit an annual report to the Governor and the Legislature summarizing:
1. The number of research contracts entered into under this section
2. The types of technologies developed or validated
3. The number of students who participated in research
4. Any publications, open source releases, or technology transfers resulting from the contracts
5. Recommendations for improving university engagement in accountable technology development
---
41-1XX.17. Severability
If any part of this law is found invalid by a court, the rest of the law remains in effect.
---
SECTION 3. TITLE 13, CHAPTER 23, ARIZONA REVISED STATUTES, IS AMENDED BY ADDING SECTION 13-2314.05, TO READ:
13-2314.05. When AI harms count for racketeering claims
A. For the racketeering law in Section 13-2314.04, a "pattern of racketeering activity" includes two or more rights violations caused by automated systems deployed by the same person or company, as long as:
1. The violations happened within ten years of each other.
2. The violations were part of a common plan or course of conduct.
B. If a company's automated system harms five or more people, that is strong evidence of a pattern of racketeering activity.
C. In a racketeering lawsuit based on AI harms:
1. The people harmed can collect triple their actual damages, plus court costs and lawyer fees.
2. The court can order the company to stop using the system, sell off parts of the business used to harm people, or take other steps to protect the public.
3. Lawsuits must be filed within four years of when the harm was discovered or should have been discovered.
D. Nothing in this section creates a new criminal crime where none exists. It only adds civil remedies for people who are harmed.
---
SECTION 4. WHEN THIS LAW TAKES EFFECT
This law takes effect on January 1, 2027.
---
Complete Section Index
Section Title
----------------
41-1XX Definitions (including FISA data and university)
41-1XX.1 Federal preemption does not limit civil liability
41-1XX.2 If the feds say Arizona can't regulate a technology, here's how the state can still use it (due diligence + open source)
41-1XX.3 Local governments follow the same rules
41-1XX.4 Contractors using prohibited technology
41-1XX.5 When the rules do not apply
41-1XX.6 Public registry of compliant technology
41-1XX.7 Arizona data stays on Arizona hardware
41-1XX.8 Data rights, retention, and constitutional protections (including FISA data segregation firewall)
41-1XX.9 When an automated system hurts you, you can get help
41-1XX.10 How intent is proved (auditability presumption)
41-1XX.11 You can file a complaint with a state agency for free
41-1XX.12 The Attorney General can help
41-1XX.13 Office of the Ombudsman for Automated Systems
41-1XX.14 Aggregation of violations; enhanced remedies
41-1XX.15 Favorable bid assessment for open source contractors
41-1XX.16 University research contracts for accountable technology
41-1XX.17 Severability
13-2314.05 When AI harms count for racketeering claims
---
