By Alex Harris, Rose Law Group corporate transactions attorney
In my opinion, the most pressing legal issue for Arizona businesses right now is the gap between how quickly technology is changing daily operations and how slowly most businesses update the legal documents and policies that govern that technology. Many businesses are using tools, platforms and data practices that did not exist five to ten years ago but are still relying on employee handbooks, contracts and privacy disclosures from that era.
One area businesses may be overlooking is the use of artificial intelligence in hiring, performance management, marketing and customer communications. Employers need to know that they remain on the hook for the outcomes of the AI tools they use. For example, if an automated résumé screening tool, chatbot or scoring system results in a discriminatory impact, the fact that the tool came from a third-party vendor will not necessarily protect the employer. Businesses should understand what tools they are using, who is supervising them, what data is being collected and whether the results can be explained and are legally permissible.
A second area is data privacy. Even businesses that are not based in California, Colorado or one of the other states with comprehensive consumer privacy statutes can be subject to those laws if they collect data from residents of those states through their website, app or marketing platforms. Privacy notices, cookie banners, terms of service and data-request procedures should be reviewed frequently. Businesses that collect biometric information, geolocation or health-related data should be especially careful because that information often carries heightened consent and disclosure obligations.
Cybersecurity is another area where the legal exposure has grown faster than most internal policies. Arizona, like nearly every other state, requires notification to affected individuals after certain data breaches, often within tight time frames. Businesses should have a written incident response plan, know when and who to notify, and confirm that their cyber insurance actually aligns with that plan before a breach incident occurs.
Finally, businesses should look closely at their technology vendor agreements. Standard SaaS terms often allow the vendor to use customer data to train models, change features or substantially limit their own liability. Businesses handing sensitive data to a vendor should confirm in writing how that data may be used, how it is secured, what happens on termination and what notice they will receive if the vendor experiences a breach.
Technology compliance should be treated as ordinary business maintenance. Arizona businesses should periodically review their AI usage, privacy disclosures, cybersecurity, employee practices and vendor contracts so they can identify risk early and update their practices before a problem becomes expensive.
As part of Rose Law Group’s corporate practice, Alex Harris advises both newly formed and established companies on the full spectrum of business matters, from the ordinary course of navigating day-to-day operations, securing financing, or mergers and acquisitions. His practice spans every stage of a company’s lifecycle, including formation, governance, fundraising, stock and asset sales, mergers, and corporate reorganizations.
