Arkansas Data Privacy Laws: Breach Notification & Consumer Rights (2026)

Arkansas protects consumer data under two state laws: the Personal Data Protection Act, effective July 1, 2025, which grants residents rights to access, correct, delete, and opt out of data sales, and the Personal Information Protection Act (Ark. Code 4-110-101), which requires breach notification and data security.
Arkansas now has a comprehensive consumer privacy law. The Arkansas Personal Data Protection Act, signed April 11, 2023 and effective July 1, 2025, gives residents rights over their personal data and imposes obligations on businesses that operate in the state. It joins the state's existing breach notification statute, student data protections, and the Attorney General's consumer protection enforcement authority.
This guide covers every significant Arkansas data privacy law currently in effect, what protections you have as a consumer, what obligations businesses must meet, and the penalties for noncompliance.
Arkansas Personal Data Protection Act
The Arkansas Personal Data Protection Act (APDPA), signed by Governor Sarah Huckabee Sanders on April 11, 2023 and effective July 1, 2025, is Arkansas's comprehensive consumer privacy law. It follows the framework established by the Virginia Consumer Data Protection Act and gives Arkansas residents five core rights over their personal data.

Who the APDPA Covers
The APDPA applies to persons that conduct business in Arkansas or produce products or services targeted at Arkansas residents, and that in a calendar year either:
- Control or process personal data of 25,000 or more Arkansas consumers, or
- Derive more than 50% of gross revenue from the sale of personal data and control or process personal data of 10,000 or more Arkansas consumers
The law exempts HIPAA-covered entities, financial institutions and their affiliates regulated under the Gramm-Leach-Bliley Act, nonprofit organizations, higher education institutions, and data regulated by FERPA, HIPAA, or the GLBA.
Consumer Rights Under the APDPA
Arkansas residents have the following rights under the APDPA, with controllers required to respond within 45 days (extendable by another 45 days with notice):
- Right to access: Confirm whether a controller processes your personal data and obtain a copy of that data.
- Right to correct: Request correction of inaccurate personal data the controller holds about you.
- Right to delete: Request deletion of personal data you have provided or that the controller has obtained about you.
- Right to data portability: Obtain a copy of your personal data in a portable, readily usable format.
- Right to opt out: Opt out of targeted advertising, the sale of your personal data, and certain automated profiling that produces legal or similarly significant effects. Controllers must honor opt-out requests within 15 days.
To exercise these rights, consumers submit a request to the controller. Controllers may not require consumers to create a new account to submit a request, and may require identity verification only to the extent reasonably necessary to authenticate the request.
Sensitive Data
Controllers must obtain opt-in consent before processing sensitive personal data. Sensitive data under the APDPA includes:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnoses
- Sexual orientation or gender identity
- Citizenship or immigration status
- Genetic data
- Biometric data processed for the purpose of uniquely identifying an individual
Controllers and Processors
The APDPA distinguishes between controllers (entities that determine the purpose and means of processing) and processors (entities that process data on behalf of a controller). Processors must follow the controller's instructions and assist in responding to consumer rights requests. Contracts between controllers and processors must specify the processing purpose, duration, and data categories, and require processors to delete or return data upon termination.
Controllers must conduct and document data protection assessments before engaging in processing that presents a heightened risk, including targeted advertising, data sales, processing of sensitive data, and profiling.
Enforcement and Penalties
The Arkansas Attorney General has exclusive authority to enforce the APDPA. There is no private right of action. The AG may bring civil enforcement actions seeking:
- Civil penalties of up to $10,000 per violation
- Injunctive relief
- Restitution for consumers
Until January 1, 2027, a business that receives a notice of violation from the Attorney General has 60 days to cure the violation before the AG proceeds with formal enforcement. After that date the cure period expires, and the AG may proceed without offering an opportunity to cure.
As of May 2026, the Attorney General has not yet announced any formal APDPA enforcement actions, as the law only took effect in July 2025.
Arkansas Personal Information Protection Act
The Personal Information Protection Act (PIPA) is the cornerstone of Arkansas's data breach notification and security framework, operating independently from the APDPA. Originally enacted in 2005 through Act 1526, the law was significantly amended in 2019 by Act 1030 to expand the definition of personal information and strengthen notification requirements.
What Qualifies as Personal Information
Under Ark. Code 4-110-103, personal information means an individual's first name or first initial and last name in combination with one or more of the following data elements, when either the name or the data element is not encrypted or redacted:
- Social Security number
- Driver's license number or state identification card number
- Account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to a financial account
- Medical information, including any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
- Health insurance policy number or subscriber identification number, combined with any unique identifier used by a health insurer to identify the individual
- Biometric data, defined as data generated by automatic measurements of an individual's biological characteristics used to uniquely authenticate an individual's identity
The 2019 amendment through Act 1030 added medical information, health insurance information, and biometric data to this definition. Before that amendment, the law covered only Social Security numbers, driver's license numbers, and financial account information.
Data Security Requirements
Under Ark. Code 4-110-104, any person or business that acquires, owns, or licenses personal information about an Arkansas resident must implement and maintain reasonable security procedures and practices appropriate to the nature of the information. These measures must protect personal information from unauthorized access, destruction, use, modification, or disclosure.
The statute does not define what constitutes "reasonable security procedures." This gives businesses flexibility to design security programs that fit their size and the sensitivity of the data they handle, but it also means adequacy is judged on a case-by-case basis if a breach occurs.
Records Destruction Requirements
Ark. Code 4-110-104 also requires that any person or business take all reasonable steps to destroy or arrange for the destruction of a customer's records containing personal information that is no longer to be retained. Acceptable destruction methods include shredding, erasing, or otherwise modifying the personal information to make it unreadable or undecipherable through any means.
This applies to both paper and electronic records. The goal is to prevent personal information from being recovered from discarded records.
Data Breach Notification Requirements
The breach notification provisions in Ark. Code 4-110-105 are the most detailed and consequential part of the Personal Information Protection Act.
Who Must Notify
Any person or business that acquires, owns, or licenses computerized data that includes personal information must disclose any breach of the security of the system to any Arkansas resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
This obligation extends to third parties that maintain data on behalf of another business. If a third-party service provider experiences a breach involving data belonging to another entity's customers, the service provider must notify the data owner, which must then notify affected individuals.
Definition of a Breach
A "breach of the security of the system" means the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person or business. The key word is "acquisition." A breach has not necessarily occurred simply because a system was accessed without authorization. There must be evidence that personal information was actually obtained or is reasonably believed to have been obtained.
Notification Timeline
Notification must be made in the most expedient time and manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
Attorney General Notification
If a breach affects the personal information of more than 1,000 individuals, the person or business must also notify the Arkansas Attorney General. This notification must be made at the same time as notice to affected individuals, or within 45 days after the person or business determines there is a reasonable likelihood of harm to customers, whichever occurs first.
The Attorney General notification must be submitted through the Data Breach Reporting Form on the Arkansas Attorney General's website.
Methods of Notification
Notification may be provided through one of the following methods:
- Written notice sent to the postal address in the records of the person or business
- Electronic notice if the person or business has an email address for the affected individual and the notice is consistent with the provisions of the federal Electronic Signatures in Global and National Commerce Act (E-SIGN Act)
- Substitute notice if certain conditions are met
Substitute Notice
Substitute notice is permitted if the person or business demonstrates that the cost of providing direct notice would exceed $250,000, the affected class of persons exceeds 500,000 individuals, or the person or business does not have sufficient contact information to provide notice.
Substitute notice must include all of the following:
- Email notice to all affected individuals for whom the business has an email address
- Conspicuous posting of the notice on the business's website
- Notification through statewide media
Law Enforcement Delay
Notification may be delayed if a law enforcement agency determines that notification would impede a criminal investigation. Once the law enforcement agency determines that notification will not compromise the investigation, the notification must be made.
Penalties for Violating the Personal Information Protection Act
Under Ark. Code 4-110-108, violations of the Personal Information Protection Act are punishable by action of the Attorney General under the Arkansas Deceptive Trade Practices Act (Ark. Code 4-88-101 et seq.).
This means the Attorney General can pursue the full range of remedies available under the ADTPA, including:
- Civil penalties of up to $10,000 per violation
- Injunctive relief ordering the business to change its security practices
- Restitution to consumers who suffered ascertainable losses
- Attorney's fees and costs of investigation
Willful and knowing violations of the Personal Information Protection Act constitute a Class A misdemeanor under Arkansas law, which carries potential criminal penalties including fines and up to one year in jail.
Student Online Personal Information Protection Act

The Student Online Personal Information Protection Act, codified at Ark. Code 6-18-109 through 6-18-114, protects the data of K-12 students who use educational technology platforms.
Who the Law Covers
The law applies to "operators," defined as owners of websites, online services, online applications, or mobile applications with actual knowledge that the website, service, or application is used for K-12 school purposes. The law does not apply to the Arkansas Division of Elementary and Secondary Education, school districts, or open-enrollment public charter schools.
Prohibited Activities
Operators covered by the Student Online Personal Information Protection Act are prohibited from:
- Targeted advertising based on covered information obtained through the operator's K-12 educational platform
- Compiling profiles about students using covered information, except in furtherance of K-12 school purposes
- Selling covered information about students, unless the transaction is part of a corporate merger, acquisition, or bankruptcy and the successor entity remains bound by the same restrictions
- Disclosing covered information except in limited, specified circumstances
Security and Deletion Requirements
Operators must implement and maintain reasonable security measures appropriate to the nature of the covered information. When a school or school district requests deletion of a student's covered information, the operator must delete the data within a reasonable timeframe.
Third-Party Service Providers
If an operator shares covered information with a service provider, the operator must contractually require the service provider to:
- Use the information only for providing the contracted service
- Refrain from disclosing the information to additional third parties unless expressly permitted
- Implement and maintain reasonable security procedures and practices
Arkansas Children and Teens' Online Privacy Protection Act
In April 2025, Arkansas enacted the Children and Teens' Online Privacy Protection Act through HB 1717, signed into law as Act 952. This law takes effect on July 1, 2026.
Arkansas is the first state to extend COPPA-like protections specifically to teenagers. While the federal Children's Online Privacy Protection Act (COPPA) only covers children under 13, this Arkansas law creates a two-tiered framework covering both children and teens.
Two-Tiered Consent Framework
The Act establishes different consent requirements based on age:
- Children under 13: Operators must obtain verifiable parental consent before collecting personal information, consistent with federal COPPA requirements.
- Teens aged 13 through 16: Either the teen or their parent may consent to the collection, use, and disclosure of personal information, after receiving clear notice of the operator's data practices.
Operator Requirements
Operators covered by the law must:
- Provide clear, prominent notice of their data collection, use, and disclosure practices
- Honor deletion and correction requests from parents or teens
- Implement reasonable security measures to protect collected personal information
- Avoid collecting more personal information than reasonably necessary
Who Is Covered
The Act applies to for-profit websites, online services, applications, and mobile applications directed to children or teens, or that have actual knowledge they are collecting personal information from these age groups. The definition of "operator" covers any person who, for commercial purposes, operates or provides an online service and collects or maintains personal information from users.
Exemptions
The Act exempts nonprofit organizations, interactive gaming platforms that already comply with federal COPPA, Arkansas governmental entities, and public educational entities in Arkansas.
Enforcement
The Arkansas Attorney General has exclusive authority to enforce the Act. There is no private right of action. This means individual consumers cannot sue companies directly for violations, but the Attorney General can pursue enforcement actions on behalf of Arkansas residents.
Attorney General Enforcement
AG Tim Griffin has pursued privacy-adjacent enforcement actions under the Arkansas Deceptive Trade Practices Act and Personal Information Protection Act, without waiting for the APDPA to take effect.
In March 2023, Griffin sued TikTok and parent company ByteDance in Cleburne County Circuit Court, alleging deceptive practices related to the collection and use of Arkansas users' personal information. The lawsuit survived early dismissal motions.
In June 2024, Griffin sued Temu, the Chinese e-commerce platform, calling it "a data-theft business that sells goods online as a means to an end." The complaint alleged violations of the ADTPA and PIPA based on Temu's alleged access to device data including camera, location, contacts, and text messages. As of early 2026, the lawsuit remained active.
These enforcement actions signal that the AG will use the full range of available state statutes, including now the APDPA, to address data privacy violations affecting Arkansas residents.
Federal Privacy Laws That Protect Arkansas Residents
Federal statutes provide significant privacy protections for Arkansas residents across specific sectors.

Health Insurance Portability and Accountability Act (HIPAA)
The HIPAA Privacy Rule establishes national standards for the protection of individually identifiable health information. HIPAA applies to covered entities including health plans, healthcare providers, and healthcare clearinghouses, as well as their business associates.
In 2023, the U.S. Department of Health and Human Services settled a HIPAA enforcement action with Arkansas-based business associate MedEvolve for $350,000 after the company exposed protected health information on an unsecured server.
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act requires financial institutions to explain their information-sharing practices to customers and to safeguard sensitive data. Arkansas residents who do business with banks, credit unions, insurance companies, and securities firms are protected by the GLBA's privacy and data security provisions.
Children's Online Privacy Protection Act (COPPA)
The federal COPPA law requires operators of websites and online services directed at children under 13 to obtain verifiable parental consent before collecting personal information. Beginning July 1, 2026, the Arkansas Children and Teens' Online Privacy Protection Act will extend similar protections to teens aged 13 through 16.
Fair Credit Reporting Act (FCRA)
The FCRA regulates the collection, dissemination, and use of consumer credit information. This law gives Arkansas consumers the right to access their credit reports, dispute inaccurate information, and limit who can access their credit data.
TAKE IT DOWN Act (2025)
Congress enacted the TAKE IT DOWN Act (Pub. L. 119-12) on May 19, 2025. The law prohibits the nonconsensual publication of intimate visual depictions, including AI-generated deepfakes. Covered platforms, including major social media sites, dating apps, and image-hosting services, were required to implement a notice-and-removal process by May 19, 2026, and must act on a valid removal request within 48 hours. The FTC began enforcement against non-compliant platforms in May 2026.
How Consumers Exercise Their Rights
Arkansas residents now have two distinct sets of privacy rights depending on who holds their data.
Under the APDPA, consumers can submit requests directly to covered businesses to access, correct, delete, or obtain a copy of their personal data, and to opt out of data sales or targeted advertising. Businesses must respond within 45 days. If a business denies a request, it must provide a reason. Consumers may appeal a denial, and if the appeal fails, they may contact the Arkansas Attorney General's Consumer Protection Division.
Under HIPAA, patients can request their medical records, ask for corrections, and receive a Notice of Privacy Practices explaining how their health information is used.
Under the FCRA, consumers can request free annual credit reports from each of the three major bureaus and dispute inaccurate entries.
Consumers who believe a business has violated Arkansas data privacy laws can file a complaint with the Consumer Protection Division of the Arkansas Attorney General's office.
This article is for informational purposes only and does not constitute legal advice. Data privacy laws change frequently, and enforcement interpretations evolve over time. Consult a licensed attorney in Arkansas for advice about your specific situation. Last reviewed: May 2026.
Frequently Asked Questions
Does Arkansas have a comprehensive consumer data privacy law?
Yes. The Arkansas Personal Data Protection Act (APDPA) took effect July 1, 2025. It gives Arkansas residents the right to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of targeted advertising and the sale of their personal information. The law applies to businesses that process personal data of 25,000 or more Arkansas consumers, or that derive more than 50% of gross revenue from data sales while processing data of at least 10,000 consumers.
What must a business do if it suffers a data breach affecting Arkansas residents?
A business must notify affected Arkansas residents in the most expedient time possible and without unreasonable delay. If the breach affects more than 1,000 individuals, the business must also notify the Arkansas Attorney General within 45 days of determining there is a reasonable likelihood of harm, or at the same time it notifies affected individuals, whichever comes first. The Attorney General notification must be submitted through the official Data Breach Reporting Form on the AG website.
What types of personal information are protected under Arkansas law?
The Personal Information Protection Act covers a person's name combined with their Social Security number, driver's license number, financial account numbers with security codes or passwords, medical information, health insurance policy or subscriber identification numbers with unique identifiers, and biometric data. The APDPA separately defines sensitive data more broadly to include racial or ethnic origin, religious beliefs, health diagnoses, sexual orientation, immigration status, and genetic or biometric data used for identification.
What penalties can businesses face for violating Arkansas data privacy laws?
Violations of the Personal Information Protection Act are enforced through the Arkansas Deceptive Trade Practices Act, with civil penalties of up to $10,000 per violation, injunctive relief, and restitution. Willful violations are a Class A misdemeanor. Violations of the APDPA carry the same $10,000 per-violation civil penalty under AG enforcement. Businesses have a 60-day cure period under the APDPA until January 1, 2027. There is no private right of action under either statute.
How does the new Arkansas Children and Teens' Online Privacy Protection Act affect my teenager?
Effective July 1, 2026, the Arkansas Children and Teens' Online Privacy Protection Act (Act 952 of 2025) requires commercial websites and apps directed at teens aged 13 through 16 to obtain consent from either the teen or their parent before collecting personal information. Operators must provide clear notice of their data practices, honor deletion requests, and implement reasonable security measures. The law is enforced exclusively by the Arkansas Attorney General.
Can I sue a company directly for violating my Arkansas data privacy rights?
No. Neither the APDPA nor the Personal Information Protection Act creates a private right of action. Only the Arkansas Attorney General can bring enforcement actions under these statutes. If you believe your rights have been violated, file a complaint with the Consumer Protection Division of the Arkansas AG's office at arkansasag.gov.
What is the TAKE IT DOWN Act and how does it protect Arkansas residents?
The TAKE IT DOWN Act, signed into federal law on May 19, 2025, requires covered online platforms to remove nonconsensual intimate images, including AI-generated deepfakes, within 48 hours of a valid request. The platform takedown obligations took effect May 19, 2026, and the FTC enforces compliance. The law applies nationwide, including for Arkansas residents.
Sources and References
- Arkansas Personal Information Protection Act (Ark. Code 4-110-101 et seq.) (law.justia.com)
- Arkansas Attorney General - Data Breach Reporting (arkansasag.gov)
- Ark. Code 4-110-103 - Definitions (law.justia.com)
- Ark. Code 4-110-104 - Protection of Personal Information (law.justia.com)
- Ark. Code 4-110-105 - Disclosure of Security Breaches (law.justia.com)
- Act 1030 of 2019 - PIPA Amendments (arkleg.state.ar.us)
- Act 1526 of 2005 - Original PIPA (arkleg.state.ar.us)
- Student Online Personal Information Protection Act (Ark. Code 6-18-109) (law.justia.com)
- HB 1717 - Children and Teens' Online Privacy Protection Act (arkleg.state.ar.us)
- Act 952 of 2025 - Full Text (arkleg.state.ar.us)
- Arkansas AG - Consumer Protection Division (arkansasag.gov)
- NCSL - Security Breach Notification Laws (ncsl.org)
- HHS - HIPAA Privacy Rule Summary (hhs.gov)
- HHS - MedEvolve HIPAA Settlement (Arkansas) (hhs.gov)
- NCSL - Consumer Privacy 2025 Legislation (ncsl.org)
- Arkansas DESE - Data Privacy Resources (dese.ade.arkansas.gov)
- AG Griffin Sues Temu for Data Practices (June 2024) (arkansasag.gov)
- AG Griffin - TikTok Lawsuit Ruling (2024) (arkansasag.gov)
- FTC - TAKE IT DOWN Act Enforcement Begins (May 2026) (ftc.gov)