On April 21, 2025, Arkansas Gov. Huckabee Sanders signed the Arkansas Children and Teens' Online Privacy Protection Act (the Act) into law. Among other things, the Act prohibits operators of websites, online services, or apps (collectively, "online services") that are "directed at" children or teens, or that have "actual knowledge" they are collecting personal information from children or teens, from collecting such personal information without the proper notice and consent and from collecting or allowing access to such personal information for purposes of targeted advertising. The Act mirrors the Children's Online Privacy Protection Act (COPPA) in many ways, is similar to a pending federal bill that would amend COPPA (also known as "COPPA 2.0"), and extends COPPA's protections to teens between ages 13 and 16.

Arkansas' Act becomes effective on July 1, 2026.

Summary of the Act

We provide a detailed discussion of the Act below:

  • Determining Applicability of the Act to Operators of Online Services. Like COPPA, the Act does not define the terms "directed at" children or teens or "actual knowledge." The state attorney general will likely apply criteria similar to those that the FTC uses in its COPPA Rule to interpret these terms when determining the law's applicability to online services. The Act makes clear, however, that an operator is not required to affirmatively collect any personal information regarding the age of a child or teen that an operator is not already collecting in the normal course of business, or to implement an age-gating or age verification functionality.
  • Key Definitions:

    • "Child" means an individual twelve years of age or younger in the state of Arkansas and "teen" means an individual located in Arkansas who is at least 13 years of age but younger than 17 years old. The Act is less clear than other state privacy laws that establish applicability based on where an individual resides, not where an individual is "located," although enforcement by the Arkansas Attorney General is limited to protecting the interests of state "residents."
    • "Consent" is defined in relation to teens and parents of teens but not children. It means any reasonable effort, taking into consideration available technology and including, without limitation, a request for authorization for future collection, use, and disclosure described in the notice, to ensure that in the case of a teen, either the parent of a teen or the teen:

      • Receives notice of the personal information collection, use, and disclosure practices of the operator; and
      • Before the personal information of the teen is collected, freely and unambiguously authorizes, including without limitation, the giving of consent through an operator's terms of service or acknowledgement of the operator's privacy policy:

        • The collection, use, and disclosure, as applicable, of the teen's personal information; and
        • Any subsequent use of the teen's personal information.
    • "Disclosure" means making personal information collected from a child or teen publicly available in an identifiable form to a third party that is not affiliated with the operator, when the personal information is collected by online services targeted toward children or teens or that is collected with actual knowledge the personal information is from a child or teen. Like COPPA, the Act exempts information provided to persons other than an operator who provide support for the internal operations of the operator's online services (including processors) where internal operations are defined to include "without limitation identifying and repairing technical errors that impair existing or intended functionality."
    • "Operator" means a person who for commercial purposes operates or provides an online service and who:

      • Collects or maintains, either directly or through a processor, personal information from or about the users of that website, service, or application; or
      • Allows another person to collect personal information directly from users of that website, service, or application, in which case, the operator is deemed to have collected the information.

      The definition excludes nonprofits; interactive gaming platforms that comply with COPPA; Arkansas governmental entities; and any public educational entity of Arkansas (e.g., school districts and institutions of higher learning).

    • "Personal information" mostly aligns with COPPA's definition of personal information, except that it includes biometric or genetic information such as fingerprints, voice prints, iris or retina imagery scans, facial templates, deoxyribonucleic acid (DNA) information, or gait. In its recent update to COPPA, the FTC opted not to include "data derived from voice data, gait data, or facial data" in the definition of biometric identifiers but indicated that it still intends for the definition to include templates—e.g., facial and fingerprint templates—that are derived from such data and that can be used for the automated or semi-automated recognition of an individual. The definition also excludes an audio file that contains a child or teen's voice so long as the operator: (i) does not request information via voice that would otherwise be considered personal information under this definition; (ii) provides clear notice of its collection and use of the audio file and its deletion policy in its privacy policy; (iii) uses the voice within the audio file as a replacement for written words, to perform a task, or engage with a website, online service, online application, or mobile application; and (iv) only maintains the audio file long enough to complete the stated purpose and improve or enhance the users' experience of the service and then deletes the audio file when it is no longer reasonably needed and does not make any other use of the audio file before deletion. Permitting the retention of voice information to improve or enhance the service could theoretically allow retention of such information for a considerably longer timeframe (if notice and lack of deletion are clearly disclosed) than otherwise would be permitted under the Act or COPPA.
    • "Targeted advertising" means displaying advertisements to a user where the advertisement is selected based on personal data obtained from that user's activities over time and across nonaffiliated websites or online applications to predict that consumer's preferences or interests. The definition excludes advertising based on activities within an operator's own online services; contextual ads; ads directed to a user in response to the user's request for information or feedback; or processing conducted solely to measure or report ad performance, reach, or frequency.
  • Operators' Obligations and Prohibitions.

    • Provide Notice. An operator of an online service that has actual knowledge that it is collecting personal information from children or teens is required to provide a clear and conspicuous notice that includes the following:

      • Information collected from children or teens by the operator
      • Purpose(s) for processing personal information
      • Operator's disclosure practices for such information
      • Rights and opportunities available to the parent of the child or teen to access, correct, or delete the information, or delete the account
      • Categories of personal information that the operator shares with third parties, if any
      • Categories of third parties, if any, with whom the operator shares personal information
    • Obtain Consent for Processing Personal Information of Teens. Operators must obtain consent either from a parent of a teen or from the teen before processing personal information collected from a teen unless the processing is for one (or more) of the following purposes:

      • Providing or maintaining the specific product or service requested by the teen;
      • Conducting the operator's internal business operations (e.g., identifying and repairing technical errors that impair existing or intended functionality);
      • Protecting against malicious, fraudulent, or illegal activity or detecting, responding to, or preventing security incidents or threats;
      • Engaging in legal activities such as investigating, establishing, exercising, preparing for, or defending legal claims; ensuring compliance with federal, state, or local laws, regulations; and responding to governmental process or investigations; or
      • Protecting the vital interests of a natural person.

      Uncertainty Regarding Child Consent Requirements. While the Act requires consent to collect personal information from teens, it does not specifically address the need for parental consent before collecting personal information from children except to provide exceptions that are analogous to some (but not all) of the COPPA Rule's exceptions for consent at 16 C.F.R. § 312.5(c). The Act's silence on this matter could be construed to defer to the COPPA Rule regarding verifiable parental consent for collection and processing of personal information of children, but it could also be construed to prohibit the collection of personal information of children whether or not verifiable parental consent is obtained when read in conjunction with the prohibited actions described above. If Arkansas attempts to impose liability on an operator under this latter possible construction of the law, it could be preempted by COPPA's preemption clause (15 U.S.C.A. § 6502(d)), which states that "[n]o State or local government may impose any liability for commercial activities or actions by operators in interstate or foreign commerce in connection with an activity or action described in this chapter that is inconsistent with the treatment of those activities or actions under this section."
    • Provide Rights To Access, Correct, and Delete Personal Information. The Act requires operators to provide parents with the following rights with respect to the personal information of children:

      • To delete the account, personal information collected from the child, or content or information submitted by the child to an online service;
      • To refuse at any time to allow the operator's further use or maintenance in retrievable form or future online collection of personal information from that child;
      • To challenge the accuracy of the personal information and, if the parent establishes the inaccuracy of the personal information, to have the inaccurate personal information corrected; and
      • A means that is reasonable under the circumstances for the parent to obtain any personal information collected from the child if the information is available to the operator at the time the parent makes the request.

      The Act provides teens the same rights with respect to personal information that the operator collects from them, except that teens are not given the right to refuse to allow further use or maintenance or online collection of personal information from them.

      Like comprehensive state privacy laws, the Act provides several exceptions to the right to delete, including when the deletion of personal information would interfere with the operator's ability to protect the integrity or security of its systems or protect against fraud and other illegal activity. In addition, neither operators nor third parties are required to delete personal information that they are required by law to maintain or that was submitted by a person other than the user requesting to delete the information, including information that was submitted by the user but was republished or resubmitted by another person.

    • Not Terminate Processing Unless Unable To Provide the Service. An operator may terminate a service provided to a teen or to a child whose parent has refused to permit an operator's further use or maintenance of personal information, but an operator may not terminate service based on a request by the parent of a child or a teen to delete personal information collected from the child or teen if the operator can offer the service without the personal information.
    • Not Retain or Collect More Personal Information Than Necessary. Operators may not retain the personal information of a child or teen for longer than is reasonably necessary to fulfill a transaction or provide a service requested by the child or teen except as required for the safety or integrity of the service or specifically authorized by law. Operators are further prohibited from requiring a child to disclose more personal information than is reasonably necessary as a condition to participate in a game, the offering of a prize, or other activity. Operators may collect personal information of a child or teen when the collection of the personal information is required or specifically authorized by law or when it is consistent with the context of a particular service or the relationship of the child or teen with the operator, including collection that is necessary to fulfill a transaction or provide a product or service requested by the child or teen or parent of the child or teen.

      • Operators may run into preemption issues if attempting to retain personal information of children for the purpose of ensuring the safety or integrity of the service, as COPPA does not permit retention for this purpose. COPPA requires an operator to delete personal information collected online from a child when it is no longer reasonably necessary to fulfill the purpose for which the information was collected, regardless of whether the parent has expressly requested that the information be deleted.
    • Implement Reasonable Security Practices. Operators must establish, implement, and maintain reasonable security practices to protect the confidentiality, integrity, and accessibility of personal information of children or teens that the operator collects and to protect the personal information against unauthorized access.
  • Enforcement. Except in certain circumstances, violations of the Act will be treated as unfair or deceptive acts or practices under the Arkansas consumer protection law. The state attorney general has exclusive authority to enforce the Act and may seek an injunction, require compliance, or obtain damages, restitution, or other compensation or relief deemed appropriate. The Act expressly forecloses a private right of action.

What's Next

Operators who provide services in Arkansas should review their compliance programs to ensure practices related to collection, use, disclosure, maintenance, retention, access, correction, and deletion of personal information of children and teens are in line with the new requirements. Given the many ambiguities and errors (e.g., incorrect internal section references) that exist in the current version of the Act, we will monitor this law for updates before it goes into effect on July 1, 2026. Policymakers in other states are considering ways to protect the privacy of children and teens, and we expect that more states will follow Arkansas in doing so.

+++

For assistance with compliance, please contact one of the authors of this alert or the Davis Wright Tremaine attorney with whom you work.