Arkansas Data Privacy Laws: Breach Notification & Consumer Rights (2026)

Arkansas takes a sectoral approach to data privacy. Rather than enacting a single comprehensive consumer privacy statute, the state relies on a combination of breach notification requirements, data security mandates, student data protections, and the enforcement authority of the Attorney General under the Deceptive Trade Practices Act.
This guide covers every significant Arkansas data privacy law currently in effect, what protections you have as a consumer, what obligations businesses must meet, and the penalties for noncompliance.
Overview of Arkansas Data Privacy Law
Arkansas does not have an omnibus data privacy law that grants consumers broad rights over their personal data. States like California, Texas, Virginia, and Colorado have enacted comprehensive frameworks giving residents the right to access, delete, correct, and opt out of the sale of personal information. Arkansas has not joined that group.

Instead, Arkansas protects data privacy through several targeted statutes. The most important is the Personal Information Protection Act, codified at Ark. Code 4-110-101 through 4-110-108. This law focuses on data security and breach notification rather than consumer data rights.
Additional protections come from the Student Online Personal Information Protection Act, federal laws like HIPAA and the Gramm-Leach-Bliley Act that apply to specific industries, and the Attorney General's enforcement authority under the Arkansas Deceptive Trade Practices Act.
Beginning July 1, 2026, the state's newly enacted Children and Teens' Online Privacy Protection Act will add significant protections for minors.
Arkansas Personal Information Protection Act
The Personal Information Protection Act (PIPA) is the cornerstone of Arkansas data privacy law. Originally enacted in 2005 through Act 1526, the law was significantly amended in 2019 by Act 1030 to expand the definition of personal information and strengthen notification requirements.
What Qualifies as Personal Information
Under Ark. Code 4-110-103, personal information means an individual's first name or first initial and last name in combination with one or more of the following data elements, when either the name or the data element is not encrypted or redacted:
- Social Security number
- Driver's license number or state identification card number
- Account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to a financial account
- Medical information, including any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
- Health insurance policy number or subscriber identification number, combined with any unique identifier used by a health insurer to identify the individual
- Biometric data, defined as data generated by automatic measurements of an individual's biological characteristics used to uniquely authenticate an individual's identity
The 2019 amendment through Act 1030 added medical information, health insurance information, and biometric data to this definition. Before that amendment, the law covered only Social Security numbers, driver's license numbers, and financial account information.
Data Security Requirements
Under Ark. Code 4-110-104, any person or business that acquires, owns, or licenses personal information about an Arkansas resident must implement and maintain reasonable security procedures and practices appropriate to the nature of the information. These measures must protect personal information from unauthorized access, destruction, use, modification, or disclosure.
The statute does not define what constitutes "reasonable security procedures." This gives businesses flexibility to design security programs that fit their size and the sensitivity of the data they handle, but it also means adequacy is judged on a case-by-case basis if a breach occurs.
Records Destruction Requirements
Ark. Code 4-110-104 also requires that any person or business take all reasonable steps to destroy or arrange for the destruction of a customer's records containing personal information that is no longer to be retained. Acceptable destruction methods include shredding, erasing, or otherwise modifying the personal information to make it unreadable or undecipherable through any means.
This applies to both paper and electronic records. The goal is to prevent personal information from being recovered from discarded records.
Data Breach Notification Requirements
The breach notification provisions in Ark. Code 4-110-105 are the most detailed and consequential part of the Personal Information Protection Act.
Who Must Notify
Any person or business that acquires, owns, or licenses computerized data that includes personal information must disclose any breach of the security of the system to any Arkansas resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
This obligation extends to third parties that maintain data on behalf of another business. If a third-party service provider experiences a breach involving data belonging to another entity's customers, the service provider must notify the data owner, which must then notify affected individuals.
Definition of a Breach
A "breach of the security of the system" means the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person or business. The key word is "acquisition." A breach has not necessarily occurred simply because a system was accessed without authorization. There must be evidence that personal information was actually obtained or is reasonably believed to have been obtained.
Notification Timeline
Notification must be made in the most expedient time and manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
Attorney General Notification
If a breach affects the personal information of more than 1,000 individuals, the person or business must also notify the Arkansas Attorney General. This notification must be made at the same time as notice to affected individuals, or within 45 days after the person or business determines there is a reasonable likelihood of harm to customers, whichever occurs first.
The Attorney General notification must be submitted through the Data Breach Reporting Form on the Arkansas Attorney General's website.
Methods of Notification
Notification may be provided through one of the following methods:
- Written notice sent to the postal address in the records of the person or business
- Electronic notice if the person or business has an email address for the affected individual and the notice is consistent with the provisions of the federal Electronic Signatures in Global and National Commerce Act (E-SIGN Act)
- Substitute notice if certain conditions are met
Substitute Notice
Substitute notice is permitted if the person or business demonstrates that the cost of providing direct notice would exceed $250,000, the affected class of persons exceeds 500,000 individuals, or the person or business does not have sufficient contact information to provide notice.
Substitute notice must include all of the following:
- Email notice to all affected individuals for whom the business has an email address
- Conspicuous posting of the notice on the business's website
- Notification through statewide media
Law Enforcement Delay
Notification may be delayed if a law enforcement agency determines that notification would impede a criminal investigation. Once the law enforcement agency determines that notification will not compromise the investigation, the notification must be made.
Penalties for Violating the Personal Information Protection Act
Under Ark. Code 4-110-108, violations of the Personal Information Protection Act are punishable by action of the Attorney General under the Arkansas Deceptive Trade Practices Act (Ark. Code 4-88-101 et seq.).
This means the Attorney General can pursue the full range of remedies available under the DTPA, including:
- Civil penalties of up to $10,000 per violation
- Injunctive relief ordering the business to change its security practices
- Restitution to consumers who suffered ascertainable losses
- Attorney's fees and costs of investigation
Willful and knowing violations of the Personal Information Protection Act constitute a Class A misdemeanor under Arkansas law, which carries potential criminal penalties including fines and up to one year in jail.
Student Online Personal Information Protection Act
The Student Online Personal Information Protection Act, codified at Ark. Code 6-18-109 through 6-18-114, protects the data of K-12 students who use educational technology platforms.
Who the Law Covers
The law applies to "operators," defined as owners of websites, online services, online applications, or mobile applications with actual knowledge that the website, service, or application is used for K-12 school purposes. The law does not apply to the Arkansas Division of Elementary and Secondary Education, school districts, or open-enrollment public charter schools.
Prohibited Activities
Operators covered by the Student Online Personal Information Protection Act are prohibited from:
- Targeted advertising based on covered information obtained through the operator's K-12 educational platform
- Compiling profiles about students using covered information, except in furtherance of K-12 school purposes
- Selling covered information about students, unless the transaction is part of a corporate merger, acquisition, or bankruptcy and the successor entity remains bound by the same restrictions
- Disclosing covered information except in limited, specified circumstances
Security and Deletion Requirements
Operators must implement and maintain reasonable security measures appropriate to the nature of the covered information. When a school or school district requests deletion of a student's covered information, the operator must delete the data within a reasonable timeframe.
Third-Party Service Providers
If an operator shares covered information with a service provider, the operator must contractually require the service provider to:
- Use the information only for providing the contracted service
- Refrain from disclosing the information to additional third parties unless expressly permitted
- Implement and maintain reasonable security procedures and practices
Arkansas Children and Teens' Online Privacy Protection Act
In April 2025, Arkansas enacted the Children and Teens' Online Privacy Protection Act through HB 1717, signed into law as Act 952. This law takes effect on July 1, 2026.
Arkansas is the first state to extend COPPA-like protections specifically to teenagers. While the federal Children's Online Privacy Protection Act (COPPA) only covers children under 13, this Arkansas law creates a two-tiered framework covering both children and teens.
Two-Tiered Consent Framework
The Act establishes different consent requirements based on age:
- Children under 13: Operators must obtain verifiable parental consent before collecting personal information, consistent with federal COPPA requirements.
- Teens aged 13 through 16: Either the teen or their parent may consent to the collection, use, and disclosure of personal information, after receiving clear notice of the operator's data practices.
Operator Requirements
Operators covered by the law must:
- Provide clear, prominent notice of their data collection, use, and disclosure practices
- Honor deletion and correction requests from parents or teens
- Implement reasonable security measures to protect collected personal information
- Avoid collecting more personal information than reasonably necessary
Who Is Covered
The Act applies to for-profit websites, online services, applications, and mobile applications directed to children or teens, or that have actual knowledge they are collecting personal information from these age groups. The definition of "operator" covers any person who, for commercial purposes, operates or provides an online service and collects or maintains personal information from users.
Exemptions
The Act exempts nonprofit organizations, interactive gaming platforms that already comply with federal COPPA, Arkansas governmental entities, and public educational entities in Arkansas.
Enforcement
The Arkansas Attorney General has exclusive authority to enforce the Act. There is no private right of action. This means individual consumers cannot sue companies directly for violations, but the Attorney General can pursue enforcement actions on behalf of Arkansas residents.
Deceptive Trade Practices Act and Privacy Enforcement
The Arkansas Deceptive Trade Practices Act (ADTPA), codified at Ark. Code 4-88-101 et seq., serves as the primary enforcement mechanism for privacy violations in Arkansas.
Because Arkansas does not have a comprehensive consumer privacy law with its own enforcement provisions, the Attorney General relies on the ADTPA to take action against businesses that engage in unfair or deceptive practices related to personal data.
How the ADTPA Applies to Privacy
Violations of the Personal Information Protection Act are expressly treated as violations of the ADTPA. This means the Attorney General can use the full enforcement toolkit available under the deceptive trade practices framework.
Beyond the Personal Information Protection Act, the Attorney General can also pursue privacy-related enforcement actions under the ADTPA's general prohibition on deceptive and unconscionable practices. For example, if a business makes misleading statements in its privacy policy about how it collects or shares personal data, this could constitute a deceptive trade practice.
Available Remedies
The ADTPA grants the Attorney General broad enforcement powers, including:
- Filing suit to obtain injunctive relief preventing continued violations
- Seeking civil penalties of up to $10,000 per violation
- Obtaining restitution for consumers who suffered financial losses
- Recovering attorney's fees and investigation costs
- Seeking suspension or forfeiture of business licenses in extreme cases
Consumer Complaints
Arkansas residents who believe a business has violated their privacy rights can file a complaint with the Consumer Protection Division of the Arkansas Attorney General's office. The Division reviews complaints, contacts businesses, mediates resolutions, and in some cases pursues formal enforcement actions.
Federal Privacy Laws That Protect Arkansas Residents
Because Arkansas does not have a comprehensive state privacy law, federal statutes play a significant role in protecting the personal data of Arkansas residents in specific sectors.
Health Insurance Portability and Accountability Act (HIPAA)
The HIPAA Privacy Rule establishes national standards for the protection of individually identifiable health information. HIPAA applies to covered entities including health plans, healthcare providers, and healthcare clearinghouses, as well as their business associates.
For Arkansas residents, HIPAA provides the primary framework for medical data privacy. The rule grants patients the right to access their medical records, request corrections, and receive notice of how their health information is used and disclosed. HIPAA sets a federal floor, and Arkansas law does not impose additional requirements that exceed HIPAA's protections in most areas.
In 2023, the U.S. Department of Health and Human Services settled a HIPAA enforcement action with Arkansas-based business associate MedEvolve for $350,000 after the company exposed protected health information on an unsecured server.
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act requires financial institutions to explain their information-sharing practices to customers and to safeguard sensitive data. Arkansas residents who do business with banks, credit unions, insurance companies, and securities firms are protected by the GLBA's privacy and data security provisions.
Family Educational Rights and Privacy Act (FERPA)
FERPA protects the privacy of student education records at institutions that receive federal funding. This law gives parents and eligible students the right to access education records, request corrections, and control the disclosure of personally identifiable information from those records.
Children's Online Privacy Protection Act (COPPA)
The federal COPPA law requires operators of websites and online services directed at children under 13 to obtain verifiable parental consent before collecting personal information. Beginning July 1, 2026, the Arkansas Children and Teens' Online Privacy Protection Act will extend similar protections to teens aged 13 through 16.
Fair Credit Reporting Act (FCRA)
The FCRA regulates the collection, dissemination, and use of consumer credit information. This law gives Arkansas consumers the right to access their credit reports, dispute inaccurate information, and limit who can access their credit data.
How to Protect Your Data Privacy in Arkansas
Because Arkansas does not provide the broad consumer data rights available in states with comprehensive privacy laws, residents must take a more proactive approach to protecting their personal information.
Monitor Your Accounts
Regularly review bank statements, credit card statements, and credit reports for unauthorized activity. Arkansas residents are entitled to one free credit report per year from each of the three major credit bureaus under federal law.
Place a Security Freeze
Arkansas law allows residents to place a security freeze on their credit reports to prevent new accounts from being opened in their name. This is one of the most effective tools for preventing identity theft.
Report Breaches to the Attorney General
If you receive a data breach notification, or if you believe a business has failed to notify you of a breach, you can report the issue to the Arkansas Attorney General's Consumer Protection Division.
Exercise Federal Rights
Take advantage of the rights available under HIPAA, FCRA, and other federal laws. Request copies of your medical records, dispute inaccurate credit information, and opt out of marketing communications when possible.
Read Privacy Policies
Before providing personal information to a business, review its privacy policy to understand how your data will be collected, used, shared, and stored. While Arkansas law does not require businesses to maintain a privacy policy, most businesses that operate nationally will have one.
Future of Data Privacy in Arkansas
Arkansas has shown increasing interest in data privacy legislation. The passage of the Children and Teens' Online Privacy Protection Act in 2025 signals that the legislature is willing to enact targeted privacy protections.
However, as of early 2026, Arkansas has not introduced comprehensive consumer data privacy legislation comparable to the laws enacted in California, Texas, Virginia, Colorado, Connecticut, Montana, Oregon, Delaware, and other states. The National Conference of State Legislatures tracks consumer privacy legislation across all 50 states.
Until Arkansas enacts broader protections, the Personal Information Protection Act, the Student Online Personal Information Protection Act, the new Children and Teens' Online Privacy Protection Act, and federal privacy laws will continue to form the core of data privacy protection for Arkansas residents.
This article is for informational purposes only and does not constitute legal advice. Data privacy laws change frequently, and enforcement interpretations evolve over time. Consult a licensed attorney in Arkansas for advice about your specific situation. Last reviewed: March 2026.
Sources and References
- Arkansas Personal Information Protection Act (Ark. Code 4-110-101 et seq.) (law.justia.com)
- Arkansas Attorney General - Data Breach Reporting (arkansasag.gov)
- Ark. Code 4-110-103 - Definitions (law.justia.com)
- Ark. Code 4-110-104 - Protection of Personal Information (law.justia.com)
- Ark. Code 4-110-105 - Disclosure of Security Breaches (law.justia.com)
- Act 1030 of 2019 - PIPA Amendments (arkleg.state.ar.us)
- Act 1526 of 2005 - Original PIPA (arkleg.state.ar.us)
- Student Online Personal Information Protection Act (Ark. Code 6-18-109) (law.justia.com)
- HB 1717 - Children and Teens Online Privacy Protection Act (arkleg.state.ar.us)
- Act 952 of 2025 - Full Text (arkleg.state.ar.us)
- Arkansas AG - Consumer Protection Division (arkansasag.gov)
- NCSL - Security Breach Notification Laws (ncsl.org)
- HHS - HIPAA Privacy Rule Summary (hhs.gov)
- HHS - MedEvolve HIPAA Settlement (Arkansas) (hhs.gov)
- NCSL - Consumer Privacy 2025 Legislation (ncsl.org)
- Arkansas DESE - Data Privacy Resources (ade.arkansas.gov)