Arkansas Joins the Growing List of US State Privacy Laws
Arkansas signed the Personal Data Protection Act (APDPA) into law on 11 April 2023, making it one of a growing number of US states with comprehensive consumer privacy legislation. The law took effect on 1 July 2025, and the privacy landscape in Arkansas shifts again in July 2026 when the Arkansas Children and Teens' Online Privacy Protection Act (ACTOPPA) takes effect alongside a maturing enforcement environment for the APDPA itself.
The APDPA follows the Virginia Consumer Data Protection Act (VCDPA) model closely. It establishes an opt-out framework for targeted advertising and data sales, requires opt-in consent for sensitive data, and gives the Attorney General exclusive enforcement authority.
For website owners and businesses operating in Arkansas, understanding both the APDPA and the incoming ACTOPPA is now a compliance priority.
Who Must Comply with the APDPA
The APDPA applies to businesses that conduct operations in Arkansas or produce products and services targeted at Arkansas residents. Two applicability thresholds determine whether the law covers your organisation.
You must comply if you control or process the personal data of 25,000 or more Arkansas consumers during a calendar year. The second threshold applies if you derive more than 50% of gross revenue from selling personal data and process the data of at least 10,000 consumers.
These thresholds are relatively modest compared to some other state laws. The Texas Data Privacy and Security Act, for instance, has no revenue or processing threshold at all.
Exemptions
The APDPA exempts several categories of entities and data. HIPAA-covered entities, financial institutions regulated under the Gramm-Leach-Bliley Act (GLBA), nonprofit organisations, and higher education institutions fall outside the law's scope. Data already regulated by FERPA, HIPAA, or GLBA is also excluded from coverage.
Consumer Rights Under the APDPA
Arkansas residents receive five core rights under the APDPA, mirroring the rights found in other VCDPA-style laws across the country.
| Consumer Right | Description | Response Deadline |
|---|---|---|
| Right to Know | Confirm whether a controller processes personal data and access that data | 45 days |
| Right to Correct | Request correction of inaccurate personal data | 45 days |
| Right to Delete | Request deletion of personal data provided by or obtained about the consumer | 45 days |
| Right to Portability | Obtain a copy of personal data in a portable, readily usable format | 45 days |
| Right to Opt Out | Decline targeted advertising, sale of personal data, or profiling | 15 days |
Controllers must respond to verified consumer requests within 45 days, with the possibility of a 45-day extension when reasonably necessary. The opt-out right operates without a requirement for the consumer to create an account or verify identity beyond what is needed to authenticate the request.
The US state privacy laws comparison provides a useful side-by-side reference for how these rights differ across jurisdictions.
Sensitive Data and Opt-In Consent
The APDPA requires controllers to obtain opt-in consent before processing sensitive data. This is a stricter standard than the opt-out model applied to general personal data.
Sensitive data under the APDPA includes racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship or immigration status, and genetic or biometric data processed for identification purposes. Personal data collected from a known child also falls into this category, which links directly to the broader protections arriving in July 2026 under the ACTOPPA.
If your website collects any of these data categories through forms, account registration, or third-party scripts, you need a consent mechanism that captures affirmative, informed agreement before processing begins. A well-designed cookie banner that distinguishes between general and sensitive data categories is one practical approach.
What Changes in July 2026
Two developments make July 2026 a significant date for Arkansas privacy compliance.
The Arkansas Children and Teens' Online Privacy Protection Act (ACTOPPA), signed by Governor Sarah Huckabee Sanders on 21 April 2025, takes effect on 1 July 2026. This law prohibits operators of online services directed at children, or those with actual knowledge of collecting data from minors, from using that data for targeted advertising. It extends protections beyond federal COPPA rules by covering teenagers aged 13 to 16, not just children under 13.
The ACTOPPA's definition of personal information is broad, encompassing biometric data such as fingerprints, voice prints, iris scans, facial templates, and DNA information.
The second consideration is the APDPA's 60-day cure period, which remains available until 1 January 2027. Businesses that receive a notice of violation from the Attorney General currently have 60 days to remedy the issue before enforcement action proceeds. That window closes at the start of 2027, meaning any compliance gaps discovered in mid-2026 leave limited time to fix problems before the cure period disappears entirely.
Preparing for the ACTOPPA
If your website or online service collects data from users who may be under 16, you should audit your tracking scripts and age-gating mechanisms before July 2026. Cookies used for targeted advertising - such as _fbp, _gcl_au, or third-party advertising pixels - must not fire for users identified as children or teenagers without verifiable parental consent.
Enforcement and Penalties
The Arkansas Attorney General holds exclusive enforcement authority over the APDPA. There is no private right of action, which means individual consumers cannot sue businesses directly for violations.
Penalties can reach up to $10,000 per violation. The Attorney General may seek injunctive relief, civil penalties, and restitution on behalf of affected Arkansas residents.
Arkansas has not yet issued any public enforcement actions under the APDPA, as the law only took effect in July 2025. The Attorney General's office has, however, been active in privacy-adjacent enforcement - pursuing litigation against TikTok, Meta, and Google over data practices, and investigating major data breaches. This suggests the office has both the appetite and the infrastructure for privacy enforcement.
Other states with exclusive AG enforcement, such as Indiana and Kentucky, have followed a similar pattern of building enforcement capacity before bringing formal actions under new laws.
How the APDPA Compares to Other State Laws
The APDPA sits firmly in the Virginia-model camp of US state privacy legislation. It shares the opt-out approach to targeted advertising and data sales, the requirement for opt-in consent for sensitive data, and exclusive AG enforcement.
| Feature | Arkansas (APDPA) | Virginia (VCDPA) | Texas (TDPSA) | Connecticut (CTDPA) |
|---|---|---|---|---|
| Effective Date | 1 Jul 2025 | 1 Jan 2023 | 1 Jul 2024 | 1 Jul 2023 |
| Consumer Threshold | 25,000 | 100,000 | None | 100,000 |
| Cure Period | 60 days (until Jan 2027) | 30 days (expired) | 30 days | None (since Jan 2025) |
| Sensitive Data | Opt-in | Opt-in | Opt-in | Opt-in |
| Universal Opt-Out Signal | Not required | Not required | Not required | Required |
| Private Right of Action | No | No | No | No |
One notable difference is the APDPA's lower consumer threshold of 25,000, which brings smaller businesses into scope compared to Virginia's 100,000 threshold. The 60-day cure period is also more generous than most other state laws, though it is temporary.
The APDPA does not require recognition of Global Privacy Control (GPC) or other universal opt-out signals, unlike Connecticut and Colorado.
Practical Compliance Steps for Website Owners
Meeting the APDPA's requirements involves several concrete actions. Start with a cookie audit to identify every cookie and tracking technology on your site, including those set by third-party scripts.
Categorise cookies into essential, functional, analytics, and advertising groups. Advertising and analytics cookies that enable targeted advertising or profiling must be subject to opt-out controls for Arkansas consumers. Sensitive data processing requires a separate opt-in mechanism.
Your privacy policy needs updating to disclose the categories of personal data processed, the purposes of processing, the categories of third parties with whom data is shared, and instructions for exercising consumer rights. The APDPA requires this information to be clear, accessible, and reasonably conspicuous.
Set up a process for handling consumer rights requests within the 45-day response window. Document your data processing activities and maintain records that demonstrate compliance - this becomes especially valuable if the cure period expires and the Attorney General begins enforcement without the 60-day remediation buffer.
Frequently Asked Questions
When does the Arkansas Personal Data Protection Act take effect?
The APDPA took effect on 1 July 2025. A separate law, the Arkansas Children and Teens' Online Privacy Protection Act (ACTOPPA), takes effect on 1 July 2026 and adds protections for minors aged 13 to 16.
Does the APDPA apply to small businesses?
The APDPA applies to businesses that process personal data of 25,000 or more Arkansas consumers, or those deriving over 50% of revenue from data sales while processing data of 10,000 or more consumers. Businesses below these thresholds are not covered.
Does Arkansas require opt-in consent for sensitive data?
Yes. The APDPA requires opt-in consent before processing sensitive data, which includes health diagnoses, racial or ethnic origin, sexual orientation, religious beliefs, and biometric or genetic data used for identification.
Can individuals sue businesses under the Arkansas privacy law?
No. The APDPA does not create a private right of action. Only the Arkansas Attorney General can bring enforcement actions, with penalties of up to $10,000 per violation.
Does Arkansas recognise Global Privacy Control signals?
The APDPA does not require businesses to recognise GPC or other universal opt-out signals. Consumers must opt out through the mechanisms provided by the business directly.
How long do businesses have to cure a violation?
The APDPA provides a 60-day cure period after receiving notice from the Attorney General. This cure period is available until 1 January 2027, after which it expires.
What is the penalty for violating the APDPA?
The Arkansas Attorney General can impose penalties of up to $10,000 per violation, along with injunctive relief and restitution for affected consumers.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets or whether your consent mechanism meets Arkansas requirements, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
