/>iOn April 22, 2025, Arkansas enacted the Arkansas Children and Teens’ Online Privacy Protection Act (HB 1717, Act 952), making it the first state to expand core federal children’s privacy protections to teens. The law, effective July 1, 2026, applies to for-profit websites, online services, apps, and mobile applications that are directed to children (under 13) or teens (ages 13-16), or that have actual knowledge they are collecting personal information from these groups.
The Act establishes a two-tiered framework: parental consent is required to collect personal information from children, while either the teen or their parent may consent in the case of users aged 13 to 16. Operators must also provide clear notice of their data practices, respect deletion and correction requests, and implement reasonable security measures. The statute broadly defines personal information to include not only contact details and identifiers, but also biometric data, geolocation, and any information linked or reasonably linkable to a child, teen, or parent.
The law prohibits targeted advertising to minors using their personal information and limits data collection to what is necessary for the specific service or transaction. Operators are not required to implement age verification, but are expected to comply where they have actual knowledge of a user’s age. Importantly, enforcement authority is vested exclusively in the Arkansas Attorney General; the law does not create a private right of action.
HB 1717 reflects growing state-level momentum to address youth privacy concerns amid the absence of federal privacy reform. Businesses that operate online platforms accessible to Arkansas users, particularly those relying on personalized advertising or handling sensitive data, should evaluate their compliance posture now to prepare for the law’s 2026 effective date.
