Arkansas Biometric Privacy Laws: Collection, Consent & Penalties (2026)

Arkansas takes a breach-focused approach to biometric privacy. Rather than regulating how businesses collect, store, or use biometric identifiers, the state treats biometric data as a category of protected personal information under its existing breach notification framework. If your organization handles fingerprints, facial recognition data, or other biometric identifiers belonging to Arkansas residents, you need to understand what the law requires and where the gaps are.
For the full picture of Arkansas data protection requirements, see the parent guide to [Arkansas Data Privacy Laws](/us-laws/data-privacy-laws/arkansas-data-privacy-laws).
How Arkansas Defines Biometric Data
Arkansas Code Ann. 4-110-103(1) defines "biometric data" as data generated by automatic measurements of an individual's biological characteristics. The statute lists specific examples, including:
- Fingerprints
- Faceprints
- Retinal scans
- Iris scans
- Hand geometry
- Voiceprint analysis
- Deoxyribonucleic acid (DNA)
- Any other unique biological characteristics
There is one critical limitation built into this definition. The biometric data only qualifies as protected personal information when it is "used by the owner or licensee to uniquely authenticate the individual's identity when the individual accesses a system or account." Biometric data collected for purposes other than authentication, such as research or general analytics, falls outside this specific protection.
This authentication-linked definition is narrower than what states like Illinois, Texas, and Washington use in their dedicated biometric privacy laws.
The Personal Information Protection Act and Biometric Data
How Biometric Data Became Protected
Arkansas originally enacted the Personal Information Protection Act in 2005, but biometric data was not included in the original definition of personal information. That changed on July 23, 2019, when Act 1030 of 2019 took effect.
Act 1030 (originally House Bill 1943) expanded the definition of "personal information" under Ark. Code Ann. 4-110-103(7) to include three new categories: medical information, health insurance information, and biometric data. This amendment brought Arkansas into a growing group of states that explicitly recognize biometric identifiers as sensitive personal information within their breach notification laws.
What the Law Requires
The Personal Information Protection Act imposes two main obligations on entities that handle personal information, including biometric data:
Reasonable Security Measures (Ark. Code Ann. 4-110-104(a))
Any person or business that acquires, owns, or licenses personal information about an Arkansas resident must implement and maintain reasonable security procedures and practices appropriate to the nature of the information. These measures must protect personal information from unauthorized access, destruction, use, modification, or disclosure.
The statute does not define what "reasonable" means, leaving that determination to be made on a case-by-case basis depending on the type and sensitivity of the data involved.
Data Destruction (Ark. Code Ann. 4-110-104(b))
When a business no longer needs to retain personal information, it must take all reasonable steps to destroy or arrange for the destruction of the data. Acceptable methods include shredding, erasing, or otherwise modifying the information to make it unreadable or undecipherable through any means.
For organizations storing biometric templates, this means you cannot simply abandon the data when a system is decommissioned. Active destruction is required.
Breach Notification Requirements for Biometric Data
If biometric data is compromised in a security breach, Arkansas law triggers specific notification obligations under Ark. Code Ann. 4-110-105.
When Notification Is Required
An entity must notify affected Arkansas residents when it becomes aware of a security breach involving the unauthorized acquisition of unencrypted or unredacted personal information that compromises the security, confidentiality, or integrity of the data.
There is one exception: notification is not required if, after a good-faith investigation, the entity determines there is no reasonable likelihood of harm to affected consumers.

Notification Timeline
Arkansas law requires disclosure "in the most expedient time and manner possible and without unreasonable delay." The clock starts after the entity has taken measures necessary to determine the scope of the breach and restore system integrity.
Attorney General Notification
When a breach affects more than 1,000 individuals, the entity must also notify the Arkansas Attorney General. This notice must be provided either at the same time the entity notifies affected individuals or within 45 days of determining there is a reasonable likelihood of harm, whichever comes first.
Record Retention
Entities that experience a breach must retain a written copy of their determination and all supporting documentation for five years from the date of the determination.
Enforcement and Penalties
Attorney General Enforcement
The Arkansas Attorney General enforces the Personal Information Protection Act through the Arkansas Deceptive Trade Practices Act (ADTPA), Ark. Code Ann. 4-88-101 et seq. The AG can bring enforcement actions seeking:
- Civil penalties of up to $10,000 per violation
- Injunctive relief to stop ongoing violations
- Consumer restitution
- Recovery of attorney fees and investigation costs

Criminal Penalties
Under Ark. Code Ann. 4-110-108, willful and knowing violations of the Personal Information Protection Act constitute a Class A misdemeanor. In Arkansas, a Class A misdemeanor carries penalties of up to one year in county jail and fines up to $2,500.
No Private Right of Action
Arkansas does not provide a private right of action under the Personal Information Protection Act. Individual consumers cannot sue businesses directly for mishandling their biometric data under this statute. Only the Attorney General can bring enforcement actions.
This is a significant difference from Illinois, where the Biometric Information Privacy Act (BIPA) allows individuals to sue and recover statutory damages of $1,000 to $5,000 per violation.
What Arkansas Law Does Not Cover
Understanding the gaps in Arkansas biometric privacy law is just as important as knowing what it covers.
No consent requirement. Unlike Illinois, Texas, and Washington, Arkansas does not require businesses to obtain informed consent before collecting biometric data. There is no obligation to provide written notice explaining what biometric data will be collected, why it will be collected, or how long it will be stored.
No retention or destruction schedule. While the law requires data destruction when information is no longer needed, it does not mandate a specific retention period or require businesses to publish a retention policy for biometric data.
No restrictions on sale or disclosure. Arkansas law does not prohibit the sale, lease, trade, or other disclosure of biometric data to third parties. The protections only activate when a breach occurs.
No employer-specific rules. Some states require employers to get consent before using fingerprint scanners for time clocks or facial recognition for building access. Arkansas has no such requirement.
The 2025 Legislative Attempt: SB 258
In February 2025, Senator Clint Penzo introduced Senate Bill 258, the Arkansas Digital Responsibility, Safety, and Trust Act. The original bill included comprehensive provisions for biometric data processing, including consent requirements and limits on lawful processing conditions.
However, business groups argued the biometric and AI provisions were too broad. The Senate Committee on Transportation, Technology and Legislative Affairs stripped all biometric and AI sections from the bill before passing it. Privacy consultant Josh Bryant, who helped draft the legislation, confirmed that "all of the biometric stuff is gone" from the amended version.
SB 258 ultimately died on the Senate Calendar at sine die adjournment on May 5, 2025, without becoming law. Senator Penzo indicated he may pursue separate legislation for privacy and AI in future sessions, but as of early 2026, Arkansas remains without dedicated biometric privacy protections.

The Deceptive Trade Practices Act as a Backstop
Even without a dedicated biometric statute, the ADTPA provides a general backstop. Under Ark. Code Ann. 4-88-107, it is unlawful to engage in any unconscionable, false, or deceptive act or practice in business, commerce, or trade.
If a business makes misleading representations about how it handles biometric data, or if it collects biometric information in ways that a reasonable consumer would find deceptive, the Attorney General could potentially bring an action under the ADTPA. This is not a biometric-specific protection, but it creates some accountability for the most egregious misuses of biometric data.
Practical Compliance Steps for Businesses
Even though Arkansas law does not require consent or published retention policies, organizations operating in the state should consider these best practices:
- Implement strong security controls around biometric databases, since the law requires "reasonable security procedures" without defining the term.
- Develop a breach response plan that accounts for the 45-day AG notification timeline and the five-year record retention requirement.
- Create a data destruction protocol for biometric data that is no longer needed for its original purpose.
- Monitor multi-state exposure. If you collect biometric data from residents of Illinois, Texas, Washington, or other states with dedicated biometric laws, those stricter requirements may apply regardless of where your business is located.
- Track legislative developments. The failure of SB 258 does not mean Arkansas is done considering biometric legislation. Future sessions may produce new bills.
Sources and References
- Arkansas Personal Information Protection Act, Ark. Code Ann. 4-110-101 et seq.
- Act 1030 of 2019, Arkansas State Legislature
- Arkansas Deceptive Trade Practices Act, Ark. Code Ann. 4-88-101 et seq.
- Security or Data Breach, Arkansas Attorney General
- SB 258, Arkansas State Legislature (2025 Session)
This article provides general legal information about Arkansas biometric privacy protections and is not legal advice. Laws and regulations change frequently. Consult a qualified attorney licensed in Arkansas for advice about your specific situation.