Privacy Laws in Arkansas: What You Need to Know

Arkansas does not yet have a comprehensive consumer data privacy law, but the state has carved out a leadership role in one critical area: protecting children and teenagers online. The Arkansas Children and Teens' Online Privacy Protection Act, signed into law in April 2025, is one of the most significant state-level children's privacy statutes in the country — and the first to extend COPPA-like protections to teenagers ages 13 through 16. Here is what Arkansas residents need to know about the current privacy landscape, the protections that do exist, and how to safeguard your personal data in the absence of a broader law.

Arkansas Children and Teens' Online Privacy Protection Act (HB 1717)

On April 21, 2025, Governor Sarah Huckabee Sanders signed House Bill 1717 into law, creating the Arkansas Children and Teens' Online Privacy Protection Act. The law takes effect on July 1, 2026, and represents a major expansion of online privacy protections for young people.

Why This Law Is Groundbreaking

The federal Children's Online Privacy Protection Act (COPPA) has been the primary framework for children's online privacy since 1998, but it only covers children under 13. HB 1717 makes Arkansas the first state to create a comprehensive, COPPA-style framework that explicitly extends protections to teenagers ages 13 through 16 — a group whose data is heavily targeted by social media companies, gaming platforms, and digital advertisers.

Protections for Children Under 13

For children under 13, HB 1717 mirrors the structure of federal COPPA while adding state-level enforcement authority:

• Verifiable parental consent is required before an operator can collect, use, or disclose a child's personal information
• Operators must provide clear, complete privacy notices describing their data practices
• Parents have the right to review their child's personal information and request deletion
• Data collection must be limited to what is reasonably necessary for the child's participation in the activity

Protections for Teens Ages 13-16

This is where Arkansas breaks new ground. For teenagers between 13 and 16, the law establishes a consent framework that gives both the teen and the parent authority:

• Either the teen or a parent can provide consent for data collection and processing
• Operators must provide age-appropriate privacy disclosures that teens can understand
• Teens have the right to request deletion of their personal information
• Targeted advertising directed at teens based on their personal data requires affirmative consent
• Sale of a teen's personal data is prohibited without consent

Arkansas Personal Information Protection Act (PIPA)

The Arkansas Personal Information Protection Act (Ark. Code Ann. § 4-110-101 et seq.) is the state's data breach notification law and serves as the primary general-purpose data protection statute for all residents.

PIPA requires businesses and government entities to notify Arkansas residents when their personal information has been compromised in a data breach. Key provisions include:

• Personal information covered: Name combined with Social Security number, driver's license number, financial account numbers, medical information, or biometric data
• Notification timeline: Notice must be provided in the most expedient time possible and without unreasonable delay
• Method of notice: Written notice, electronic notice, or substitute notice (for breaches affecting large numbers of individuals or where cost would be excessive)
• AG notification: If a breach affects more than 1,000 Arkansas residents, the entity must also notify the Arkansas Attorney General
• Penalties: The Attorney General can bring an action under the Deceptive Trade Practices Act, with penalties of up to $10,000 per violation

Notably, PIPA was updated in recent years to include medical information and biometric data in the definition of protected personal information — a broader scope than many comparable state breach notification laws.

Student Online Personal Information Protection Act

Arkansas also has the Student Online Personal Information Protection Act, which regulates how educational technology companies handle student data. This law prohibits operators of school-facing online services from:

• Using student data for targeted advertising
• Selling student personal information
• Using student data to build advertising profiles
• Disclosing student data except for legitimate school purposes

This law works alongside HB 1717 to create layered protections for young people in Arkansas, covering both their educational and personal online activity.

Enforcement Authority

Enforcement of Arkansas's privacy and data protection laws rests with the Arkansas Attorney General. There is no private right of action under PIPA or HB 1717, meaning individual consumers cannot sue businesses directly for violations. The AG's Consumer Protection Division handles complaints and investigations related to data breaches and deceptive data practices.

Under HB 1717, the Attorney General has the authority to seek injunctive relief and civil penalties against operators that violate the children's and teens' privacy provisions. This gives the AG a meaningful enforcement tool, though the effectiveness will depend on the resources allocated to privacy enforcement.

How Arkansas Compares to Neighboring States

Arkansas's neighbors have taken different approaches to privacy legislation. Texas enacted the Texas Data Privacy and Security Act (TDPSA) effective July 1, 2024, giving residents comprehensive data rights. Tennessee passed the Tennessee Information Protection Act (TIPA) effective July 1, 2025. Missouri has been considering its own comprehensive privacy bill. Arkansas stands out for its children's privacy leadership but lags behind in providing general consumer data protections for adults.

This patchwork means that your level of protection can vary depending on which state you live in — and Arkansas residents currently have fewer tools at their disposal than their counterparts in Texas or Tennessee.

What Arkansas Residents Can Do Now

While you wait for broader privacy legislation, there are steps you can take today to reduce your data exposure:

• Opt out of data brokers: Submit removal requests to sites like Spokeo, BeenVerified, Whitepages, Radaris, and Intelius. Your personal information is almost certainly listed on multiple people-search sites.
• Freeze your credit: Place a free security freeze at Equifax, Experian, and TransUnion to prevent identity thieves from opening accounts in your name.
• Review your children's online presence: With HB 1717 taking effect on July 1, 2026, now is a good time to audit what platforms your children use and what data those platforms collect.
• Use privacy tools: A VPN, a privacy-focused browser, and a password manager significantly reduce the amount of data that companies can collect about you.
• Take advantage of other states' laws: If a company operates in California or another state with a comprehensive privacy law, you may be able to submit deletion requests under that state's statute.

The Road Ahead

Arkansas has demonstrated that it takes privacy seriously — at least when it comes to protecting young people. HB 1717 is a genuinely forward-thinking piece of legislation that other states are looking to emulate. The next step is extending meaningful privacy rights to all Arkansas residents, regardless of age.

Until that happens, proactive data management is your best defense. Regularly checking where your information appears online, submitting removal requests, and using privacy-enhancing tools will give you far more protection than the current legal framework provides on its own.