# Arkansas Consumer Privacy Law[^about] Arkansas has no comprehensive consumer-privacy statute. The Personal Information Protection Act governs safeguards, disposal, and breach notice, enforced solely by the Attorney General; a children-and-teens online privacy law takes effect July 1, 2026. ## Which privacy laws apply to your business in Arkansas? {#which-privacy-laws-apply} **Short answer.** There is no comprehensive Arkansas consumer-privacy law. The operative state statute is the Personal Information Protection Act (PIPA) [^pipa-title], a 2005 law whose stated purpose is to encourage individuals, businesses, and state agencies that hold personal information about Arkansans to provide reasonable security for it [^pipa-purpose]. PIPA imposes three duties — reasonable security [^pipa-security], secure destruction of records no longer retained [^pipa-disposal], and breach notification — and every violation is punishable by action of the Attorney General under the Deceptive Trade Practices Act [^pipa-adtpa-bridge]. The second pillar arrives on July 1, 2026, when the Arkansas Children and Teens' Online Privacy Protection Act (Act 952 of 2025) takes effect [^act952-effective]. Arkansas residents have no general state-law rights to access, delete, correct, or port their personal data, no right to opt out of its sale, and businesses face no state notice-at-collection, consent, data-protection-assessment, universal-opt-out, or processor-contract duties. No comprehensive consumer-privacy act has been enacted in Arkansas, so any compliance materials premised on one would describe a statute that does not exist. PIPA applies broadly within its narrower lane: any person or business that acquires, owns, or licenses personal information about an Arkansas resident is covered, with no revenue or volume threshold, and the statutory definition of a business expressly includes state agencies. Entities regulated by a state or federal law that provides greater protection and at least as thorough breach-disclosure requirements are exempt, and compliance with that law is deemed compliance with PIPA [^pipa-regulated-exemption]. The rest of an Arkansas privacy program rides the federal and sectoral overlay. Section 5 of the FTC Act reaches deceptive or unfair privacy practices nationwide [^ftc5-overlay]; the Gramm-Leach-Bliley Act governs financial institutions; HIPAA governs covered health entities and their business associates; and the Children's Online Privacy Protection Act governs services directed to children under 13. Arkansas has also enacted a cluster of social-media statutes aimed at minors — Acts 689 of 2023, 900 of 2025, and 901 of 2025 — but those statutes are tied up in federal constitutional litigation and none imposes operative duties as of this review. Act 952 — covered in depth in its own section below — is the one Arkansas minors-privacy law on track to take effect, three weeks from now. ## What must your Arkansas privacy policy contain? {#privacy-policy-contents} **Short answer.** No Arkansas statute requires a general commercial business to post a consumer privacy policy or fixes what it must say — today. The enforceable rule is that whatever you publish has to be true: the Deceptive Trade Practices Act's catch-all prohibits any other unconscionable, false, or deceptive act or practice in business, commerce, or trade [^q2-adtpa-catchall], and Section 5 of the FTC Act reaches a policy that misstates actual practices [^q2-ftc5]. That changes on July 1, 2026 for operators covered by Act 952 of 2025, which requires an operator with actual knowledge that it is collecting personal information from children or teens to provide clear and conspicuous notice [^q2-act952-notice] of six elements — what is collected, the purpose for processing, disclosure practices, the rights available to parents and teens, the categories of personal data shared with third parties, and the categories of those third parties [^q2-act952-notice-elements]. For most businesses, the drafting question in Arkansas is less what must be included and more whether the policy matches actual practice. Where a sectoral regime applies, that regime supplies the contents — a HIPAA covered entity, for example, must give individuals a notice of the uses and disclosures of their protected health information and of their rights and the entity's duties [^q2-hipaa-notice] — and GLBA privacy-notice rules govern financial institutions, with COPPA notices for services directed to children under 13. For operators in Act 952's scope, the privacy policy is about to do double duty. The act's consent definition lets a teen or a teen's parent authorize collection through an operator's terms of service or acknowledgement of the operator's privacy policy [^q2-act952-consent-policy] — which makes the policy text itself a consent instrument. A covered operator drafting for July 1, 2026 should fold the six notice elements into the policy now and write them precisely, because an inaccurate or incomplete notice is both an Act 952 problem and, like any false policy statement, exposure under the ADTPA catch-all [^q2-adtpa-catchall]. ## What does Arkansas's children and teens online privacy law require starting July 1, 2026? {#children-teens-online-privacy} **Short answer.** Act 952 of 2025 — the Arkansas Children and Teens' Online Privacy Protection Act, enacted as H.B. 1717 [^q3-act952-title] — takes effect July 1, 2026 [^q3-act952-effective]. It extends COPPA-style protections beyond children (twelve and younger [^q3-act952-child]) to teens — Arkansans thirteen through sixteen [^q3-act952-teen] — and its prohibitions reach an operator of a website, online service, online application, or mobile application directed at children or teens, as well as any operator with actual knowledge that it is collecting personal information from children or teens [^q3-act952-scope]; an operator is anyone who, for commercial purposes, runs such a service and collects or maintains personal information from or about its users [^q3-act952-operator]. Covered operators may not collect a child's or teen's personal information for targeted advertising or let anyone else use it for that purpose [^q3-act952-targeted-ads], must limit collection to what is consistent with the context of the service [^q3-act952-minimization], and may not retain the data longer than reasonably necessary [^q3-act952-retention]. The act's duty structure turns on whether the service is directed at children or teens or the operator has actual knowledge that it collects their personal information. Operators with actual knowledge must give the six-element notice covered in the privacy-policy section, and must obtain consent for the collection, use, or disclosure of a teen's personal information from a parent of a teen or a teen — either suffices — subject to enumerated processing exceptions such as providing the requested service, internal operations, security, legal claims, and legal compliance [^q3-act952-teen-consent]. Teens hold their own rights: the operator must provide the opportunity at any time to delete personal information collected from the teen or content the teen submitted [^q3-act952-teen-deletion], the opportunity to challenge the accuracy of that information and have inaccuracies corrected [^q3-act952-teen-correction], and a reasonable means for the teen to obtain the personal information the operator holds [^q3-act952-teen-access]. For children, those rights run to the parent, who may request at any time the deletion of the child's account or submitted content [^q3-act952-parent-deletion]. Operators must also establish, implement, and maintain reasonable security practices for children's and teens' personal information [^q3-act952-security], and may not condition a child's participation in a game, prize offering, or other activity on disclosing more data than reasonably necessary. Two design choices matter for compliance planning. First, the act expressly disclaims any age-verification mandate: it is not to be construed to require an operator to affirmatively collect age information it does not already collect or to implement age-gating or age-verification functionality [^q3-act952-no-age-verification]. That distinguishes it from Arkansas's social-media statutes, which were built on age verification and are not operative because of federal constitutional litigation. Second, the act sits on top of the federal baseline: COPPA already makes it unlawful for an operator directed to children, or with actual knowledge, to collect a child's personal information in violation of the FTC's rules [^q3-coppa-baseline], so the genuinely new state-law ground is the teen layer and the targeted-advertising and retention limits. Enforcement is exclusively by the Attorney General, with no private right of action — detailed in the lawsuit and enforcement sections below. One citation note for legal teams: the enrolled act assigns the new subchapter section numbers that collided with a different 2025 act, and the codified numbering may differ from early summaries. Until the official code supplement settles the placement, the reliable way to cite the law is by act and bill number — Act 952 of 2025, H.B. 1717 — rather than a code section. ## What must your contracts with vendors say? {#vendor-contracts} **Short answer.** Arkansas has no omnibus data-processing-agreement requirement — no state statute prescribes controller-to-processor terms, audit rights, deletion clauses, or subprocessor flow-downs for general private-sector contracts. The one Arkansas rule that directly touches the vendor relationship is PIPA's maintainer duty: a person or business that maintains computerized personal information it does not own must notify the owner or licensee immediately following discovery of a breach [^q4-pipa-maintainer-notice]. Where a federal or sectoral regime is in scope, it supplies the contracting obligations: the GLBA Safeguards Rule requires financial institutions to oversee service providers by contract and to require them to implement appropriate safeguards [^q4-glba-safeguards], and HIPAA requires a business-associate agreement with mandatory data-protection, breach-reporting, and downstream-subcontractor terms before sharing protected health information [^q4-hipaa-baa]. Outside those verticals, the prudent move is to carry the same protections forward as contract best practice — processing limited to documented instructions, confidentiality, reasonable security, breach notification back to your business on a defined clock, and return or deletion of data at the end of the engagement — even though no Arkansas statute compels them. The PIPA maintainer duty is the floor worth tightening by contract: *immediately following discovery* is the statutory standard, so a well-drafted vendor agreement should define discovery, set a notice deadline in hours, and require the cooperation needed for the owner to make its own notice and Attorney General deadlines, which remain the owner's problem under the statute [^q4-pipa-maintainer-notice]. ## When must you notify people of a data breach in Arkansas? {#breach-notification} **Short answer.** Any person or business that acquires, owns, or licenses computerized personal information must disclose a breach to any Arkansas resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person [^q5-pipa-notice-duty]. The disclosure must be made in the most expedient time and manner possible and without unreasonable delay — Arkansas sets no numeric deadline for individual notice [^q5-pipa-timing]. If a breach affects the personal information of more than 1,000 individuals, the Attorney General must also be notified, at the same time as individual disclosure or within 45 days after determining a reasonable likelihood of harm to customers, whichever occurs first [^q5-pipa-ag-notice]. Notification is excused only if, after a reasonable investigation, the business determines there is no reasonable likelihood of harm to customers [^q5-pipa-offramp] — and that determination must be put in writing and retained for five years [^q5-pipa-determination-retention]. The trigger is acquisition-based: a breach is the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information, with a good-faith-employee carve-out [^q5-pipa-breach-def]. The data elements are broader than in many states without comprehensive laws: personal information means a first name or initial plus last name combined with an unencrypted, unredacted Social Security number, driver's license or Arkansas ID number, financial-account or card number with its access code, medical information, or biometric data [^q5-pipa-pi-def]. Medical information covers any individually identifiable information — in electronic or physical form — about medical history, treatment, or diagnosis [^q5-pipa-medical-def], and biometric data means data generated by automatic measurements of biological characteristics, with fingerprints, faceprints, retinal or iris scans, hand geometry, voiceprint analysis, and DNA expressly listed [^q5-pipa-biometric-def]. Encryption and redaction function as safe harbors, since the definition only reaches data where the name or the data element is unencrypted and unredacted. The mechanics reward preparation. Notice may be written or by e-mail, and substitute notice — e-mail where held, conspicuous website posting, and statewide media — is available when the cost of notice would exceed 250,000 dollars, the affected class exceeds 500,000 people, or contact information is insufficient [^q5-pipa-substitute-notice]. Notice may be delayed when law enforcement determines it would impede a criminal investigation [^q5-pipa-law-enforcement]. A business that follows the notification procedures of its own information-security policy, consistent with the statute's timing requirements, is deemed compliant [^q5-pipa-own-policy] — a concrete reason to maintain a written incident-response plan. The most overlooked duty is the paper trail: even an incident resolved as no-notice under the risk-of-harm off-ramp requires a written determination kept for five years [^q5-pipa-determination-retention], and the Attorney General can demand a copy, which must be produced within 30 days of the request [^q5-pipa-determination-production]. ## Can a consumer sue your business in Arkansas over privacy? {#consumer-lawsuit} **Short answer.** Not under PIPA. The statute's entire enforcement section says any violation is punishable by action of the Attorney General under the Deceptive Trade Practices Act [^q6-pipa-ag-only] — there is no private right of action, no statutory damages, and no cumulative-remedies clause. The ADTPA itself does have a private remedy, but it was sharply narrowed in 2017: a plaintiff may sue only for an actual financial loss caused by his or her reliance on the unlawful practice [^q6-adtpa-private-suit], must prove that loss and reliance individually [^q6-adtpa-reliance-proof], and cannot bring a private class action — the statute prohibits them outside a narrow constitutional-usury exception [^q6-adtpa-class-ban]. Act 952 of 2025 is even more explicit: the Attorney General has exclusive enforcement authority, and nothing in the act provides the basis for a private right of action for a violation of the act or any other law [^q6-act952-no-pra]. The practical consequence is that Arkansas is among the more defendant-favorable states for private data litigation. A breach victim suing under the ADTPA must clear three screens at once — an *actual financial loss* (lost time, anxiety, or the cost of precautionary credit monitoring fit awkwardly), *reliance* on the unlawful practice (hard to articulate for a security failure the consumer never saw), and individual proof with no class vehicle. The reliance element fits affirmative misrepresentation better than omission, so the live private theory is a consumer who read a privacy or security promise, relied on it, and lost money when it proved false; how Arkansas appellate courts will apply the 2017 elements to data cases remains largely untested, so frame private exposure as narrow rather than zero. Plaintiffs can still plead common-law negligence or contract theories after a breach, but they face the same damages and standing hurdles that screen those claims elsewhere, without a state statutory hook. Two boundary notes. First, businesses cannot buy their way out of the public regime: any waiver of a PIPA provision is contrary to public policy, void, and unenforceable [^q6-pipa-anti-waiver], so a terms-of-service clause purporting to waive breach-notice rights is a nullity. Second, the only true privacy-adjacent private rights of action Arkansas has enacted sit in the social-media statutes (Acts 900 and 901 of 2025), and those provisions are not operative because of federal constitutional litigation — if they ever take effect, the private-suit posture would change for social platforms specifically, so platform operators should watch that litigation. ## How is privacy law enforced in Arkansas? {#ag-enforcement} **Short answer.** By the Attorney General, through the Deceptive Trade Practices Act. PIPA routes every violation to the Attorney General under the ADTPA [^q7-pipa-adtpa-bridge], and in an ADTPA civil-enforcement proceeding the court may assess penalties of up to 10,000 dollars per violation [^q7-adtpa-penalties], order restoration of money or property to purchasers who suffered ascertainable loss [^q7-adtpa-restitution], and even suspend or forfeit corporate charters, franchises, and licenses to do business in the state [^q7-adtpa-charter]. From July 1, 2026, the Attorney General will also enforce Act 952, with express authority to enjoin a practice, enforce compliance, and obtain damages, restitution, or other compensation on behalf of Arkansas residents [^q7-act952-ag-remedies]. The ADTPA chassis has real teeth beyond the headline penalty. Controlling persons — partners, officers, and directors — and those who knowingly facilitate a violation are jointly and severally liable for penalties and monetary judgments if they knew or reasonably should have known the operative facts [^q7-adtpa-joint-liability], and when judgment is rendered for the state the Attorney General is entitled to the expenses reasonably incurred in investigating and prosecuting the suit — including expert-witness expenses — plus attorney's fees and costs [^q7-adtpa-fees]. For privacy matters specifically, the enforcement theories stack: a breach-notice failure or unreasonable-security lapse is a PIPA violation prosecuted as a deceptive trade practice, a false privacy-policy statement runs through the ADTPA catch-all directly, and once Act 952 is effective, violations of its consent and parent-and-teen-rights duties are themselves treated as unfair or deceptive acts under the Deceptive Trade Practices Act [^q7-act952-adtpa-bridge]. Operationally, that means the Arkansas regulator-relations file is a single file: the Attorney General is the breach-notice recipient for incidents over 1,000 residents, the holder of the written-determination demand power, and the exclusive enforcer of both PIPA and the children-and-teens act. Businesses planning for July 1, 2026 should expect first-mover enforcement attention on the targeted-advertising ban and the six-element notice, since those are the act's most visible, audit-friendly duties. [^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org) · Maintained by [UseJunior](https://usejunior.com). Last reviewed 2026-06-12. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Arkansas. This article synthesizes Arkansas primary law and is not legal advice from a Arkansas-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship. [^pipa-title]: **Ark. Code Ann. § 4-110-101** — "This chapter shall be known and cited as the ‘Personal Information Protection Act’." *Ark. Code Ann. § 4-110-101.* [^pipa-purpose]: **Ark. Code Ann. § 4-110-102** — "To that end, the purpose of this chapter is to encourage individuals, businesses, and state agencies that acquire, own, or license personal information about the citizens of the State of Arkansas to provide reasonable security for the information." *Ark. Code Ann. § 4-110-102(b).* [^pipa-security]: **Ark. Code Ann. § 4-110-104** — "A person or business that acquires, owns, or licenses personal information about an Arkansas resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure." *Ark. Code Ann. § 4-110-104(b).* [^pipa-disposal]: **Ark. Code Ann. § 4-110-104** — "A person or business shall take all reasonable steps to destroy or arrange for the destruction of a customer's records within its custody or control containing personal information that is no longer to be retained by the person or business by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means." *Ark. Code Ann. § 4-110-104(a).* [^pipa-adtpa-bridge]: **Ark. Code Ann. § 4-110-108** — "Any violation of this chapter is punishable by action of the Attorney General under the provisions of § 4-88-101 et seq." *Ark. Code Ann. § 4-110-108.* [^act952-effective]: **H.B. 1717 (Act 952 of 2025)** — "This act shall be effective on and after July 1, 2026." *Act 952, 2025 Ark. Acts (H.B. 1717), § 3.* [^pipa-regulated-exemption]: **Ark. Code Ann. § 4-110-106** — "The provisions of this chapter do not apply to a person or business that is regulated by a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for breaches of the security of personal information than that provided by this chapter." *Ark. Code Ann. § 4-110-106(a)(1).* [^ftc5-overlay]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* [^q2-adtpa-catchall]: **Ark. Code Ann. § 4-88-107** — "Engaging in any other unconscionable, false, or deceptive act or practice in business, commerce, or trade;" *Ark. Code Ann. § 4-88-107(a)(10).* [^q2-ftc5]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* [^q2-act952-notice]: **H.B. 1717 (Act 952 of 2025)** — "An operator of a website, online service, online application, or mobile application that has actual knowledge that it is collecting personal information from children or teens shall: (1) Provide clear and conspicuous notice of:" *Act 952, 2025 Ark. Acts (H.B. 1717), § 1.* [^q2-act952-notice-elements]: **H.B. 1717 (Act 952 of 2025)** — "What information is collected from children or teens by the operator; (B) The purpose for processing personal data; (C) The operator’s disclosure practices for such information; (D) The rights and opportunities available to the parent of the child or teen under subdivisions (b)(3) and (b)(4) of this section; (E) The categories of personal data that the controller shares with third parties, if any; and (F) The categories of third parties, if any, with whom the controller shares personal data;" *Act 952, 2025 Ark. Acts (H.B. 1717), § 1.* [^q2-hipaa-notice]: **HIPAA Notice of Privacy Practices** — "an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information" *45 C.F.R. § 164.520.* [^q2-act952-consent-policy]: **H.B. 1717 (Act 952 of 2025)** — "Before the personal information of the teen is collected, freely and unambiguously authorizes, including without limitation the giving of consent through an operator's terms of service or acknowledgement of the operator's privacy policy:" *Act 952, 2025 Ark. Acts (H.B. 1717), § 1.* [^q3-act952-title]: **H.B. 1717 (Act 952 of 2025)** — "This subchapter shall be known and may be cited as the ‘Arkansas Children and Teens' Online Privacy Protection Act’." *Act 952, 2025 Ark. Acts (H.B. 1717), § 1.* [^q3-act952-effective]: **H.B. 1717 (Act 952 of 2025)** — "This act shall be effective on and after July 1, 2026." *Act 952, 2025 Ark. Acts (H.B. 1717), § 3.* [^q3-act952-child]: **H.B. 1717 (Act 952 of 2025)** — "‘Child’ means an individual twelve (12) years of age or younger in the State of Arkansas;" *Act 952, 2025 Ark. Acts (H.B. 1717), § 1.* [^q3-act952-teen]: **H.B. 1717 (Act 952 of 2025)** — "‘Teen’ means an individual located in the State of Arkansas who is: (A) Thirteen (13) years of age or older; and (B) Younger than seventeen (17) years of age; and" *Act 952, 2025 Ark. Acts (H.B. 1717), § 1.* [^q3-act952-scope]: **H.B. 1717 (Act 952 of 2025)** — "Except as provided in subdivision (a)(2) of this section, it is unlawful for an operator of a website, online service, online application, or mobile application directed at children or teens or for any operator of a website, online service, online application, or mobile application with actual knowledge that it is collecting personal information from children or teens: (A) To collect personal information from a child or teen in a manner that violates subsection (b) of this section;" *Act 952, 2025 Ark. Acts (H.B. 1717), § 1.* [^q3-act952-operator]: **H.B. 1717 (Act 952 of 2025)** — "‘Operator’ means a person who, for commercial purposes, operates or provides a website on the internet, an online service, an online application, or a mobile application, and who: (i) Collects or maintains, either directly or through a service provider, personal information from or about the users of that website, service, or application; or (ii) Allows another person to collect personal information directly from users of that website, service, or application, in which case, the operator is deemed to have collected the information." *Act 952, 2025 Ark. Acts (H.B. 1717), § 1.* [^q3-act952-targeted-ads]: **H.B. 1717 (Act 952 of 2025)** — "Except as provided in subdivisions (a)(1)(C) and (D) of this section, to collect personal information from a child or teen personal information of a child or teen for purposes of targeted advertising to children or teens, or to allow another person to collect, use, disclose, or maintain this information for targeted advertising to children or teens;" *Act 952, 2025 Ark. Acts (H.B. 1717), § 1.* [^q3-act952-minimization]: **H.B. 1717 (Act 952 of 2025)** — "To collect the personal information of a child or teen except when the collection of the personal information is: (i) Consistent with the context of a particular service or the relationship of the child or teen with the operator, including without limitation collection that is necessary to fulfill a transaction or provide a product or service requested by the child or teen or parent of the child or teen; or (ii) Required or specifically authorized by law" *Act 952, 2025 Ark. Acts (H.B. 1717), § 1.* [^q3-act952-retention]: **H.B. 1717 (Act 952 of 2025)** — "To retain the personal information of a child or teen for longer that is reasonably necessary to fulfill a transaction or provide a service requested by the child or teen except as required for the safety or integrity of the service or specifically authorized by law." *Act 952, 2025 Ark. Acts (H.B. 1717), § 1.* [^q3-act952-teen-consent]: **H.B. 1717 (Act 952 of 2025)** — "Obtain consent for the collection, use, or disclosure of personal information from a teen from a parent of a teen or a teen, except when the processing is for:" *Act 952, 2025 Ark. Acts (H.B. 1717), § 1.* [^q3-act952-teen-deletion]: **H.B. 1717 (Act 952 of 2025)** — "The opportunity at any time to delete personal information collected from the teen or content or information submitted by the teen to a website, online service, online application, or mobile application;" *Act 952, 2025 Ark. Acts (H.B. 1717), § 1.* [^q3-act952-teen-correction]: **H.B. 1717 (Act 952 of 2025)** — "The opportunity to challenge the accuracy of the personal information and, if the teen establishes the inaccuracy of the personal information, to have the inaccurate personal information corrected; and" *Act 952, 2025 Ark. Acts (H.B. 1717), § 1.* [^q3-act952-teen-access]: **H.B. 1717 (Act 952 of 2025)** — "A means that is reasonable under the circumstances for the teen to obtain any personal information collected from the teen, if the information is available to the operator at the time the teen makes the request;" *Act 952, 2025 Ark. Acts (H.B. 1717), § 1.* [^q3-act952-parent-deletion]: **H.B. 1717 (Act 952 of 2025)** — "Request at any time the deletion of the account of the child or content or information submitted by the child to a website," *Act 952, 2025 Ark. Acts (H.B. 1717), § 1.* [^q3-act952-security]: **H.B. 1717 (Act 952 of 2025)** — "Establish, implement, and maintain reasonable security practices to protect the confidentiality, integrity, and accessibility of personal information of children or teens collected by the operator, and protect the personal information against unauthorized access." *Act 952, 2025 Ark. Acts (H.B. 1717), § 1.* [^q3-act952-no-age-verification]: **H.B. 1717 (Act 952 of 2025)** — "This subchapter shall not be construed to require an operator to: (1) Affirmatively collect any personal information regarding the age of a child or teen that an operator is not already collecting in the normal course of business; or (2) Implement an age-gating or age verification functionality." *Act 952, 2025 Ark. Acts (H.B. 1717), § 1.* [^q3-coppa-baseline]: **COPPA** — "It is unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed under subsection (b)." *15 U.S.C. § 6502(a)(1).* [^q4-pipa-maintainer-notice]: **Ark. Code Ann. § 4-110-105** — "A person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee that there has been a breach of the security of the system immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person." *Ark. Code Ann. § 4-110-105(b)(1).* [^q4-glba-safeguards]: **GLBA Safeguards Rule** — "Requiring your service providers by contract to implement and maintain such safeguards" *16 C.F.R. § 314.4(f)(2).* [^q4-hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must" *45 C.F.R. § 164.504(e)(2).* [^q5-pipa-notice-duty]: **Ark. Code Ann. § 4-110-105** — "Any person or business that acquires, owns, or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to any resident of Arkansas whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." *Ark. Code Ann. § 4-110-105(a)(1).* [^q5-pipa-timing]: **Ark. Code Ann. § 4-110-105** — "The disclosure shall be made in the most expedient time and manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement as provided in subsection (c) of this section, or any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system." *Ark. Code Ann. § 4-110-105(a)(2).* [^q5-pipa-ag-notice]: **Ark. Code Ann. § 4-110-105** — "If a breach of the security of a system affects the personal information of more than one thousand (1,000) individuals, the person or business required to make a disclosure of the security breach under subdivision (b)(1) of this section shall, at the same time the security breach is disclosed to an affected individual or within forty-five (45) days after the person or business determines that there is a reasonable likelihood of harm to customers, whichever occurs first, disclose the security breach to the Attorney General." *Ark. Code Ann. § 4-110-105(b)(2).* [^q5-pipa-offramp]: **Ark. Code Ann. § 4-110-105** — "Notification under this section is not required if, after a reasonable investigation, the person or business determines that there is no reasonable likelihood of harm to customers." *Ark. Code Ann. § 4-110-105(d).* [^q5-pipa-determination-retention]: **Ark. Code Ann. § 4-110-105** — "A person or business shall retain a copy of the written determination of a breach of the security of the system and supporting documentation for five (5) years from the date of determination of the breach of the security of the system." *Ark. Code Ann. § 4-110-105(g)(1).* [^q5-pipa-breach-def]: **Ark. Code Ann. § 4-110-103** — "‘Breach of the security of the system’ means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person or business." *Ark. Code Ann. § 4-110-103(1)(A).* [^q5-pipa-pi-def]: **Ark. Code Ann. § 4-110-103** — "‘Personal information’ means an individual's first name or first initial and his or her last name in combination with any one (1) or more of the following data elements when either the name or the data element is not encrypted or redacted:" *Ark. Code Ann. § 4-110-103(7).* [^q5-pipa-medical-def]: **Ark. Code Ann. § 4-110-103** — "‘Medical information’ means any individually identifiable information, in electronic or physical form, regarding the individual's medical history or medical treatment or diagnosis by a healthcare professional;" *Ark. Code Ann. § 4-110-103(5).* [^q5-pipa-biometric-def]: **Ark. Code Ann. § 4-110-103** — "‘biometric data’ means data generated by automatic measurements of an individual's biological characteristics, including without limitation:" *Ark. Code Ann. § 4-110-103(7)(E)(ii).* [^q5-pipa-substitute-notice]: **Ark. Code Ann. § 4-110-105** — "Substitute notice if the person or business demonstrates that: - (i) The cost of providing notice would exceed two hundred fifty thousand dollars ($250,000); - (ii) The affected class of persons to be notified exceeds five hundred thousand (500,000); or - (iii) The person or business does not have sufficient contact information." *Ark. Code Ann. § 4-110-105(e)(3)(A).* [^q5-pipa-law-enforcement]: **Ark. Code Ann. § 4-110-105** — "The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation." *Ark. Code Ann. § 4-110-105(c)(1).* [^q5-pipa-own-policy]: **Ark. Code Ann. § 4-110-105** — "Notwithstanding subsection (e) of this section, a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section shall be deemed to be in compliance with the notification requirements of this section if the person or business notifies affected persons in accordance with its policies in the event of a breach of the security of the system." *Ark. Code Ann. § 4-110-105(f).* [^q5-pipa-determination-production]: **Ark. Code Ann. § 4-110-105** — "If the Attorney General submits a written request for the written determination of the breach of the security of the system, the person or business shall send a copy of the written determination of the breach of the security of the system and supporting documentation to the Attorney General no later than thirty (30) days after the date of receipt of the request." *Ark. Code Ann. § 4-110-105(g)(2).* [^q6-pipa-ag-only]: **Ark. Code Ann. § 4-110-108** — "Any violation of this chapter is punishable by action of the Attorney General under the provisions of § 4-88-101 et seq." *Ark. Code Ann. § 4-110-108.* [^q6-adtpa-private-suit]: **Ark. Code Ann. § 4-88-113** — "A person who suffers an actual financial loss as a result of his or her reliance on the use of a practice declared unlawful by this chapter may bring an action to recover his or her actual financial loss proximately caused by the offense or violation, as defined in this chapter." *Ark. Code Ann. § 4-88-113(f)(1)(A).* [^q6-adtpa-reliance-proof]: **Ark. Code Ann. § 4-88-113** — "To prevail on a claim brought under this subsection, a claimant must prove individually that he or she suffered an actual financial loss proximately caused by his or her reliance on the use of a practice declared unlawful under this chapter." *Ark. Code Ann. § 4-88-113(f)(2).* [^q6-adtpa-class-ban]: **Ark. Code Ann. § 4-88-113** — "A private class action under this subsection is prohibited unless the claim is being asserted for a violation of Arkansas Constitution, Amendment 89." *Ark. Code Ann. § 4-88-113(f)(1)(B).* [^q6-act952-no-pra]: **H.B. 1717 (Act 952 of 2025)** — "The Attorney General shall have exclusive authority to enforce this subchapter. (2) Nothing in this subchapter provides the basis for, or subjects an operator, processor, or person to a private right of action for a violation of this subchapter or any other law." *Act 952, 2025 Ark. Acts (H.B. 1717), § 1.* [^q6-pipa-anti-waiver]: **Ark. Code Ann. § 4-110-107** — "Any waiver of a provision of this chapter is contrary to public policy, void, and unenforceable." *Ark. Code Ann. § 4-110-107.* [^q7-pipa-adtpa-bridge]: **Ark. Code Ann. § 4-110-108** — "Any violation of this chapter is punishable by action of the Attorney General under the provisions of § 4-88-101 et seq." *Ark. Code Ann. § 4-110-108.* [^q7-adtpa-penalties]: **Ark. Code Ann. § 4-88-113** — "Assess penalties to be paid to the state, not to exceed ten thousand dollars ($10,000) per violation, against persons found to have violated this chapter." *Ark. Code Ann. § 4-88-113(a)(3).* [^q7-adtpa-restitution]: **Ark. Code Ann. § 4-88-113** — "Restore to any purchaser who has suffered any ascertainable loss by reason of the use or employment of the prohibited practices any moneys or real or personal property which may have been acquired by means of any practice declared to be unlawful by this chapter, together with other damages sustained." *Ark. Code Ann. § 4-88-113(a)(2)(A).* [^q7-adtpa-charter]: **Ark. Code Ann. § 4-88-113** — "Upon petition of the Attorney General, the court may order the suspension or forfeiture of franchises, corporate charters, or other licenses or permits or authorization to do business in this state." *Ark. Code Ann. § 4-88-113(b).* [^q7-act952-ag-remedies]: **H.B. 1717 (Act 952 of 2025)** — "In a case in which the Attorney General has reason to believe that an interest of the residents of the state has been or is threatened or adversely affected by the engagement of any person in a practice that violates the provisions of this subchapter, the Attorney General may bring a civil action on behalf of the residents of the state in a court of competent jurisdiction to: (1) Enjoin that practice; (2) Enforce compliance with the rule; (3) Obtain damages, restitution, or other compensation on behalf of residents of the state; or (4) Obtain other relief that the court finds appropriate." *Act 952, 2025 Ark. Acts (H.B. 1717), § 1.* [^q7-adtpa-joint-liability]: **Ark. Code Ann. § 4-88-113** — "Every person, or every partner, officer, or director of another person who directly or indirectly controls another person or who is in violation of or liable under this chapter or every person who directly or indirectly facilitates, assists, acts as intermediary for, or in any way aids another person who is in violation of or liable under this chapter in the operation or continuance of the act or practice for which the violations or liability exists shall be jointly and severally liable for any penalties assessed and any monetary judgments awarded in any proceeding for civil enforcement of this chapter, if the persons to be held jointly and severally liable knew or reasonably should have known of the existence of the facts by reason of which the violation or liability exists." *Ark. Code Ann. § 4-88-113(d)(1).* [^q7-adtpa-fees]: **Ark. Code Ann. § 4-88-113** — "As compensation for his or her services under this chapter, the Attorney General shall be entitled to all expenses reasonably incurred in the investigation and prosecution of suits, including, but not limited to, expenses for expert witnesses, to be paid by the defendant when judgment is rendered for the state, and, in addition, shall recover attorney's fees and costs." *Ark. Code Ann. § 4-88-113(e).* [^q7-act952-adtpa-bridge]: **H.B. 1717 (Act 952 of 2025)** — "a violation of subdivisions (b)(2) and (b)(3) of this section shall be treated as an unfair or deceptive act or practice prescribed under the Deceptive Trade Practices Act, § 4-88-101 et seq." *Act 952, 2025 Ark. Acts (H.B. 1717), § 1.*