Arkansas Consumer Privacy Law

Primary law

Arkansas's operative privacy statute is chapter 110 of Title 4, formally titled the Personal Information Protection Act.

This chapter shall be known and cited as the "Personal Information Protection Act".

See Ark. Code Ann. § 4-110-101.

Primary law

PIPA's stated purpose is to encourage individuals, businesses, and state agencies holding personal information about Arkansans to provide reasonable security for it.

To that end, the purpose of this chapter is to encourage individuals, businesses, and state agencies that acquire, own, or license personal information about the citizens of the State of Arkansas to provide reasonable security for the information.

See Ark. Code Ann. § 4-110-102(b).

Primary law

PIPA requires any person or business that acquires, owns, or licenses personal information about an Arkansas resident to implement and maintain reasonable security procedures and practices.

A person or business that acquires, owns, or licenses personal information about an Arkansas resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

See Ark. Code Ann. § 4-110-104(b).

Primary law

PIPA requires reasonable steps to destroy a customer's records containing personal information that is no longer to be retained, by shredding, erasing, or otherwise making the information unreadable.

A person or business shall take all reasonable steps to destroy or arrange for the destruction of a customer's records within its custody or control containing personal information that is no longer to be retained by the person or business by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.

See Ark. Code Ann. § 4-110-104(a).

Primary law

PIPA's entire enforcement architecture is one sentence: every violation is punishable by action of the Attorney General under the Deceptive Trade Practices Act.

Any violation of this chapter is punishable by action of the Attorney General under the provisions of § 4-88-101 et seq.

See Ark. Code Ann. § 4-110-108.

Primary law

PIPA exempts persons and businesses regulated by a state or federal law that provides greater protection to personal information and at least as thorough breach-disclosure requirements.

The provisions of this chapter do not apply to a person or business that is regulated by a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for breaches of the security of personal information than that provided by this chapter.

See Ark. Code Ann. § 4-110-106(a)(1).

Primary law

The Arkansas Children and Teens' Online Privacy Protection Act takes effect on July 1, 2026.

This act shall be effective on and after July 1, 2026.

See Act 952, 2025 Ark. Acts (H.B. 1717), § 3.

Primary law

Section 5 of the FTC Act declares unfair or deceptive acts or practices in or affecting commerce unlawful, which reaches privacy and data-security practices nationwide.

Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.

See 15 U.S.C. § 45(a)(1).

Primary law

The ADTPA's catch-all prohibits any other unconscionable, false, or deceptive act or practice in business, commerce, or trade — the natural theory against a privacy policy that misstates actual practices.

Engaging in any other unconscionable, false, or deceptive act or practice in business, commerce, or trade;

See Ark. Code Ann. § 4-88-107(a)(10).

Primary law

Section 5 of the FTC Act declares unfair or deceptive acts or practices unlawful, which reaches a privacy policy that misstates a business's actual data practices.

Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.

See 15 U.S.C. § 45(a)(1).

Primary law

A HIPAA covered entity must give individuals a notice describing the uses and disclosures of their protected health information and their rights and the entity's legal duties.

an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information

See 45 C.F.R. § 164.520.

Primary law

From July 1, 2026, an operator with actual knowledge that it is collecting personal information from children or teens must provide clear and conspicuous notice.

An operator of a website, online service, online application, or mobile application that has actual knowledge that it is collecting personal information from children or teens shall: (1) Provide clear and conspicuous notice of:

See Act 952, 2025 Ark. Acts (H.B. 1717), § 1.

Primary law

The required notice covers six elements — data collected, processing purpose, disclosure practices, parent and teen rights, categories of data shared, and categories of third-party recipients.

What information is collected from children or teens by the operator; (B) The purpose for processing personal data; (C) The operator’s disclosure practices for such information; (D) The rights and opportunities available to the parent of the child or teen under subdivisions (b)(3) and (b)(4) of this section; (E) The categories of personal data that the controller shares with third parties, if any; and (F) The categories of third parties, if any, with whom the controller shares personal data;

See Act 952, 2025 Ark. Acts (H.B. 1717), § 1.

Primary law

Act 952's consent definition allows authorization to be given through an operator's terms of service or acknowledgement of the operator's privacy policy, making the policy text itself a consent instrument.

Before the personal information of the teen is collected, freely and unambiguously authorizes, including without limitation the giving of consent through an operator's terms of service or acknowledgement of the operator's privacy policy:

See Act 952, 2025 Ark. Acts (H.B. 1717), § 1.

Primary law

Act 952 of 2025 is formally titled the Arkansas Children and Teens' Online Privacy Protection Act.

This subchapter shall be known and may be cited as the "Arkansas Children and Teens' Online Privacy Protection Act".

See Act 952, 2025 Ark. Acts (H.B. 1717), § 1.

Primary law

The Arkansas Children and Teens' Online Privacy Protection Act takes effect on July 1, 2026.

This act shall be effective on and after July 1, 2026.

See Act 952, 2025 Ark. Acts (H.B. 1717), § 3.

Primary law

A child under the act is an individual twelve years of age or younger in Arkansas.

"Child" means an individual twelve (12) years of age or younger in the State of Arkansas;

See Act 952, 2025 Ark. Acts (H.B. 1717), § 1.

Primary law

A teen under the act is an Arkansan who is thirteen or older and younger than seventeen — thirteen through sixteen.

"Teen" means an individual located in the State of Arkansas who is: (A) Thirteen (13) years of age or older; and (B) Younger than seventeen (17) years of age; and

See Act 952, 2025 Ark. Acts (H.B. 1717), § 1.

Primary law

An operator is a person who, for commercial purposes, operates or provides a website, online service, online application, or mobile application and collects or maintains personal information from or about users, or allows another person to collect it.

"Operator" means a person who, for commercial purposes, operates or provides a website on the internet, an online service, an online application, or a mobile application, and who: (i) Collects or maintains, either directly or through a service provider, personal information from or about the users of that website, service, or application; or (ii) Allows another person to collect personal information directly from users of that website, service, or application, in which case, the operator is deemed to have collected the information.

See Act 952, 2025 Ark. Acts (H.B. 1717), § 1.

Primary law

The act's prohibitions apply to operators of websites, online services, online applications, or mobile applications directed at children or teens, and to any operator with actual knowledge that it is collecting personal information from children or teens.

Except as provided in subdivision (a)(2) of this section, it is unlawful for an operator of a website, online service, online application, or mobile application directed at children or teens or for any operator of a website, online service, online application, or mobile application with actual knowledge that it is collecting personal information from children or teens: (A) To collect personal information from a child or teen in a manner that violates subsection (b) of this section;

See Act 952, 2025 Ark. Acts (H.B. 1717), § 1.

Primary law

Covered operators may not collect a child's or teen's personal information for purposes of targeted advertising to children or teens, or allow another person to collect, use, disclose, or maintain it for that purpose.

Except as provided in subdivisions (a)(1)(C) and (D) of this section, to collect personal information from a child or teen personal information of a child or teen for purposes of targeted advertising to children or teens, or to allow another person to collect, use, disclose, or maintain this information for targeted advertising to children or teens;

See Act 952, 2025 Ark. Acts (H.B. 1717), § 1.

Primary law

The act imposes data minimization: collection of a child's or teen's personal information is unlawful except when consistent with the context of the service or relationship, or required or specifically authorized by law.

To collect the personal information of a child or teen except when the collection of the personal information is: (i) Consistent with the context of a particular service or the relationship of the child or teen with the operator, including without limitation collection that is necessary to fulfill a transaction or provide a product or service requested by the child or teen or parent of the child or teen; or (ii) Required or specifically authorized by law

See Act 952, 2025 Ark. Acts (H.B. 1717), § 1.

Primary law

The act imposes a retention limit: a child's or teen's personal information may not be kept longer than reasonably necessary to fulfill the transaction or service requested, with safety, integrity, and legal-authorization exceptions.

To retain the personal information of a child or teen for longer that is reasonably necessary to fulfill a transaction or provide a service requested by the child or teen except as required for the safety or integrity of the service or specifically authorized by law.

See Act 952, 2025 Ark. Acts (H.B. 1717), § 1.

Primary law

An operator with actual knowledge must obtain consent for the collection, use, or disclosure of a teen's personal information from a parent of a teen or a teen, subject to enumerated processing exceptions.

Obtain consent for the collection, use, or disclosure of personal information from a teen from a parent of a teen or a teen, except when the processing is for:

See Act 952, 2025 Ark. Acts (H.B. 1717), § 1.

Primary law

A teen must be given the opportunity at any time to delete personal information collected from the teen or content the teen submitted.

The opportunity at any time to delete personal information collected from the teen or content or information submitted by the teen to a website, online service, online application, or mobile application;

See Act 952, 2025 Ark. Acts (H.B. 1717), § 1.

Primary law

A teen must be given the opportunity to challenge the accuracy of the personal information and, on establishing an inaccuracy, to have it corrected.

The opportunity to challenge the accuracy of the personal information and, if the teen establishes the inaccuracy of the personal information, to have the inaccurate personal information corrected; and

See Act 952, 2025 Ark. Acts (H.B. 1717), § 1.

Primary law

A teen must be given a means that is reasonable under the circumstances to obtain any personal information the operator has collected from the teen.

A means that is reasonable under the circumstances for the teen to obtain any personal information collected from the teen, if the information is available to the operator at the time the teen makes the request;

See Act 952, 2025 Ark. Acts (H.B. 1717), § 1.

Primary law

A parent must be able to request at any time the deletion of the child's account or content or information the child submitted.

Request at any time the deletion of the account of the child or content or information submitted by the child to a website,

See Act 952, 2025 Ark. Acts (H.B. 1717), § 1.

Primary law

Covered operators must establish, implement, and maintain reasonable security practices for children's and teens' personal information.

Establish, implement, and maintain reasonable security practices to protect the confidentiality, integrity, and accessibility of personal information of children or teens collected by the operator, and protect the personal information against unauthorized access.

See Act 952, 2025 Ark. Acts (H.B. 1717), § 1.

Primary law

The act expressly disclaims any duty to collect age information or implement age-gating or age-verification functionality.

This subchapter shall not be construed to require an operator to: (1) Affirmatively collect any personal information regarding the age of a child or teen that an operator is not already collecting in the normal course of business; or (2) Implement an age-gating or age verification functionality.

See Act 952, 2025 Ark. Acts (H.B. 1717), § 1.

Primary law

COPPA is the federal baseline: it is unlawful for an operator directed to children, or with actual knowledge, to collect a child's personal information in violation of the FTC's regulations.

It is unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed under subsection (b).

See 15 U.S.C. § 6502(a)(1).

Primary law

A person or business that maintains computerized personal information it does not own must notify the owner or licensee of a breach immediately following discovery.

A person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee that there has been a breach of the security of the system immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

See Ark. Code Ann. § 4-110-105(b)(1).

Primary law

The GLBA Safeguards Rule requires a financial institution to oversee its service providers, including by requiring them by contract to implement and maintain appropriate safeguards for customer information.

Requiring your service providers by contract to implement and maintain such safeguards

See 16 C.F.R. § 314.4(f)(2).

Primary law

HIPAA requires a written business-associate contract that establishes the permitted uses and disclosures of protected health information and binds the business associate to safeguard it.

A contract between the covered entity and a business associate must

See 45 C.F.R. § 164.504(e)(2).

Primary law

Any person or business holding computerized personal information must disclose a breach to any Arkansas resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

Any person or business that acquires, owns, or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to any resident of Arkansas whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

See Ark. Code Ann. § 4-110-105(a)(1).

Primary law

Individual breach notice must be made in the most expedient time and manner possible and without unreasonable delay — there is no numeric deadline.

The disclosure shall be made in the most expedient time and manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement as provided in subsection (c) of this section, or any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.

See Ark. Code Ann. § 4-110-105(a)(2).

Primary law

A breach affecting more than 1,000 individuals must be disclosed to the Attorney General at the same time as individual disclosure or within 45 days after determining a reasonable likelihood of harm, whichever occurs first.

If a breach of the security of a system affects the personal information of more than one thousand (1,000) individuals, the person or business required to make a disclosure of the security breach under subdivision (b)(1) of this section shall, at the same time the security breach is disclosed to an affected individual or within forty-five (45) days after the person or business determines that there is a reasonable likelihood of harm to customers, whichever occurs first, disclose the security breach to the Attorney General.

See Ark. Code Ann. § 4-110-105(b)(2).

Primary law

Notification is not required if, after a reasonable investigation, the business determines there is no reasonable likelihood of harm to customers.

Notification under this section is not required if, after a reasonable investigation, the person or business determines that there is no reasonable likelihood of harm to customers.

See Ark. Code Ann. § 4-110-105(d).

Primary law

A written determination of a breach and its supporting documentation must be retained for five years from the date of the determination.

A person or business shall retain a copy of the written determination of a breach of the security of the system and supporting documentation for five (5) years from the date of determination of the breach of the security of the system.

See Ark. Code Ann. § 4-110-105(g)(1).

Primary law

On the Attorney General's written request, the business must produce the written breach determination and supporting documentation within 30 days.

If the Attorney General submits a written request for the written determination of the breach of the security of the system, the person or business shall send a copy of the written determination of the breach of the security of the system and supporting documentation to the Attorney General no later than thirty (30) days after the date of receipt of the request.

See Ark. Code Ann. § 4-110-105(g)(2).

Primary law

A breach is the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information — an acquisition-based trigger.

"Breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person or business.

See Ark. Code Ann. § 4-110-103(1)(A).

Primary law

Personal information is a name combined with an unencrypted, unredacted Social Security number, driver's license or Arkansas ID number, financial-account credentials, medical information, or biometric data.

"Personal information" means an individual's first name or first initial and his or her last name in combination with any one (1) or more of the following data elements when either the name or the data element is not encrypted or redacted:

See Ark. Code Ann. § 4-110-103(7).

Primary law

Medical information means any individually identifiable information, in electronic or physical form, regarding medical history, treatment, or diagnosis by a healthcare professional.

"Medical information" means any individually identifiable information, in electronic or physical form, regarding the individual's medical history or medical treatment or diagnosis by a healthcare professional;

See Ark. Code Ann. § 4-110-103(5).

Primary law

Biometric data means data generated by automatic measurements of an individual's biological characteristics, with fingerprints, faceprint, retinal or iris scans, hand geometry, voiceprint analysis, and DNA expressly listed.

"biometric data" means data generated by automatic measurements of an individual's biological characteristics, including without limitation:

See Ark. Code Ann. § 4-110-103(7)(E)(ii).

Primary law

Substitute notice is available when the cost of notice would exceed $250,000, the affected class exceeds 500,000 persons, or contact information is insufficient.

Substitute notice if the person or business demonstrates that: - (i) The cost of providing notice would exceed two hundred fifty thousand dollars ($250,000); - (ii) The affected class of persons to be notified exceeds five hundred thousand (500,000); or - (iii) The person or business does not have sufficient contact information.

See Ark. Code Ann. § 4-110-105(e)(3)(A).

Primary law

Notification may be delayed if a law enforcement agency determines it would impede a criminal investigation.

The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.

See Ark. Code Ann. § 4-110-105(c)(1).

Primary law

A business that notifies affected persons under its own information-security-policy procedures, consistent with the statute's timing requirements, is deemed compliant.

Notwithstanding subsection (e) of this section, a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section shall be deemed to be in compliance with the notification requirements of this section if the person or business notifies affected persons in accordance with its policies in the event of a breach of the security of the system.

See Ark. Code Ann. § 4-110-105(f).

Primary law

PIPA contains no private right of action — every violation is punishable by action of the Attorney General under the ADTPA.

Any violation of this chapter is punishable by action of the Attorney General under the provisions of § 4-88-101 et seq.

See Ark. Code Ann. § 4-110-108.

Primary law

A private ADTPA plaintiff may sue only to recover an actual financial loss proximately caused by his or her reliance on the unlawful practice.

A person who suffers an actual financial loss as a result of his or her reliance on the use of a practice declared unlawful by this chapter may bring an action to recover his or her actual financial loss proximately caused by the offense or violation, as defined in this chapter.

See Ark. Code Ann. § 4-88-113(f)(1)(A).

Primary law

Private ADTPA class actions are prohibited except for claims under the constitutional usury amendment.

A private class action under this subsection is prohibited unless the claim is being asserted for a violation of Arkansas Constitution, Amendment 89.

See Ark. Code Ann. § 4-88-113(f)(1)(B).

Primary law

To prevail, a private ADTPA claimant must prove individually an actual financial loss proximately caused by his or her own reliance on the unlawful practice.

To prevail on a claim brought under this subsection, a claimant must prove individually that he or she suffered an actual financial loss proximately caused by his or her reliance on the use of a practice declared unlawful under this chapter.

See Ark. Code Ann. § 4-88-113(f)(2).

Primary law

Act 952 gives the Attorney General exclusive enforcement authority and expressly disclaims any private right of action for a violation of the act or any other law.

The Attorney General shall have exclusive authority to enforce this subchapter. (2) Nothing in this subchapter provides the basis for, or subjects an operator, processor, or person to a private right of action for a violation of this subchapter or any other law.

See Act 952, 2025 Ark. Acts (H.B. 1717), § 1.

Primary law

Any waiver of a PIPA provision is contrary to public policy, void, and unenforceable — businesses cannot contract around the statute.

Any waiver of a provision of this chapter is contrary to public policy, void, and unenforceable.

See Ark. Code Ann. § 4-110-107.

Primary law

PIPA violations are enforced by the Attorney General under the Deceptive Trade Practices Act.

Any violation of this chapter is punishable by action of the Attorney General under the provisions of § 4-88-101 et seq.

See Ark. Code Ann. § 4-110-108.

Primary law

In an Attorney General civil-enforcement action, the court may assess penalties of up to $10,000 per violation.

Assess penalties to be paid to the state, not to exceed ten thousand dollars ($10,000) per violation, against persons found to have violated this chapter.

See Ark. Code Ann. § 4-88-113(a)(3).

Primary law

The court may order restoration of money or property to any purchaser who suffered ascertainable loss from the prohibited practices.

Restore to any purchaser who has suffered any ascertainable loss by reason of the use or employment of the prohibited practices any moneys or real or personal property which may have been acquired by means of any practice declared to be unlawful by this chapter, together with other damages sustained.

See Ark. Code Ann. § 4-88-113(a)(2)(A).

Primary law

On the Attorney General's petition, the court may suspend or forfeit franchises, corporate charters, and licenses or permits to do business in Arkansas.

Upon petition of the Attorney General, the court may order the suspension or forfeiture of franchises, corporate charters, or other licenses or permits or authorization to do business in this state.

See Ark. Code Ann. § 4-88-113(b).

Primary law

Controlling persons and knowing facilitators are jointly and severally liable for penalties and monetary judgments in ADTPA civil enforcement.

Every person, or every partner, officer, or director of another person who directly or indirectly controls another person or who is in violation of or liable under this chapter or every person who directly or indirectly facilitates, assists, acts as intermediary for, or in any way aids another person who is in violation of or liable under this chapter in the operation or continuance of the act or practice for which the violations or liability exists shall be jointly and severally liable for any penalties assessed and any monetary judgments awarded in any proceeding for civil enforcement of this chapter, if the persons to be held jointly and severally liable knew or reasonably should have known of the existence of the facts by reason of which the violation or liability exists.

See Ark. Code Ann. § 4-88-113(d)(1).

Primary law

When judgment is rendered for the state, the Attorney General is entitled to all expenses reasonably incurred in investigation and prosecution, including expert-witness expenses, plus attorney's fees and costs.

As compensation for his or her services under this chapter, the Attorney General shall be entitled to all expenses reasonably incurred in the investigation and prosecution of suits, including, but not limited to, expenses for expert witnesses, to be paid by the defendant when judgment is rendered for the state, and, in addition, shall recover attorney's fees and costs.

See Ark. Code Ann. § 4-88-113(e).

Primary law

Under Act 952, the Attorney General may sue on behalf of Arkansas residents to enjoin a practice, enforce compliance, and obtain damages, restitution, or other compensation.

In a case in which the Attorney General has reason to believe that an interest of the residents of the state has been or is threatened or adversely affected by the engagement of any person in a practice that violates the provisions of this subchapter, the Attorney General may bring a civil action on behalf of the residents of the state in a court of competent jurisdiction to: (1) Enjoin that practice; (2) Enforce compliance with the rule; (3) Obtain damages, restitution, or other compensation on behalf of residents of the state; or (4) Obtain other relief that the court finds appropriate.

See Act 952, 2025 Ark. Acts (H.B. 1717), § 1.

Primary law

Violations of Act 952's consent and parent-and-teen-rights duties are treated as unfair or deceptive acts or practices under the Deceptive Trade Practices Act, subject to the act's stated exceptions.

a violation of subdivisions (b)(2) and (b)(3) of this section shall be treated as an unfair or deceptive act or practice prescribed under the Deceptive Trade Practices Act, § 4-88-101 et seq.

See Act 952, 2025 Ark. Acts (H.B. 1717), § 1.