Alston & Bird Privacy, Cyber & Data Strategy Blog

Arkansas Enacts Children and Teens’ Online Privacy Protection Act

By and

On April 21, 2025, Arkansas Governor Sarah Huckabee Sanders signed into law the Arkansas Children and Teens’ Online Privacy Protection Act (Act), which will become effective on July 1, 2026. It draws inspiration from the federal Children and Teens’ Online Privacy Protection Act (COPPA 2.0) and provides stronger privacy protections for Arkansas residents under thirteen (children) and those aged thirteen to sixteen (teens). This Act continues the trend of state-level efforts to extend online privacy protections, which have been traditionally offered to children under thirteen by the federal Children’s Online Privacy Protection Act (COPPA), to older teens.

Scope of the Act

The Act applies to businesses that operate websites, online services, online applications, or mobile applications (collectively, online services) that are directed at children or teens or that have actual knowledge of collecting personal information from children or teens (collectively, operators). The Act broadly defines “personal information” as any individually identifiable information collected online. This includes any information linked or reasonably linkable to a child, teen, or the parent of a child or teen.

While the Act does not define “directed at children or teens,” the term appears to track a comparable term in COPPA, “directed to children,” which means targeted to children. Therefore, operators of online services that target children or teens are likely subject to the Act. The Act also does not define “actual knowledge” but clarifies that operators do not have an affirmative duty to investigate consumers’ age, such as through an age gating or age verification functionality. This approach is similar to the Federal Trade Commission’s interpretation of “actual knowledge” under COPPA.

Data Minimization Requirements

The Act sets data minimization requirements by restricting any operator from collecting personal information of a child or teen unless the collection is (1) consistent with the context of a particular service the operator provides to the child or teen; (2) consistent with the context of the child’s or teen’s relationship with the operator; or (3) required or specifically authorized by law. The scope of personal information operators may retain is narrower. An operator may retain personal information of a child or teen only if the retention is (1) necessary to fulfill a transaction or provide a service the child or teen requested; (2) necessary for the safety or integrity of such service; or (3) specifically authorized by law.

The Act also bans operators from collecting personal information from a child or teen, or allowing another person to collect, use, disclose, or maintain such personal information, for targeted advertising. Notably, this prohibition does not apply to personal information collected and retained in accordance with the data minimization requirements described above. The Act is silent on whether operators may rely on consent from a child’s parent or teen to process the child’s or teen’s personal information for targeted advertising or any purpose other than the permitted purposes for collection and retention specified in the data minimization requirements.

Additional Requirements for Operators with Actual Knowledge

The Act places additional responsibilities on operators who actually know they are collecting personal information from children or teens (operators with actual knowledge).

Privacy Notice

An operator with actual knowledge must provide a clear and conspicuous privacy notice. This notice must describe:

  • The information collected from children or teens.


    

  • The purposes for processing personal data.
    • 





    

  • The disclosure practices for the collected information.
    • 





    

  • The types of personal data shared with third parties.
    • 





    

  • The types of third parties with whom personal data is shared.
    • 





    

  • The privacy rights available under the Act.
    • 





Notably, the Act requires operators to describe their processing of “information” and “personal data,” which the Act does not define, rather than “personal information.”


Privacy Rights


An operator with actual knowledge must respect the following rights:


    

  • The right to delete a child’s (but not a teen’s) account with the operator’s online service or any content or information submitted by a child or teen (right to delete).
    • 





    

  • The right to refuse the operator’s further use, storage in a retrievable form, or future online collection of personal information from a child or teen (right to object).
    • 





    

  • The right to challenge the accuracy of personal information collected from a child or teen (right to challenge).
    • 





    

  • The right to correct inaccurate personal information collected from a child or teen (right to correct).
    • 





    

  • The right to obtain personal information collected from a child or teen (right to access).
    • 





The rights to correct and access are exercisable by a child’s parent (for the child’s personal information) or by a teen (for the teen’s personal information). But the Act does not specify who can exercise the rights to delete, object, and challenge, nor does it expressly bind operators with a fixed timeline for responding to privacy rights requests.


Consent


An operator with actual knowledge must obtain consent for the collection, use, or disclosure of personal information of teens. Interestingly, the Act is silent on consent for children’s personal information. This consent is required from a teen or his or her parent unless the collection, use, or disclosure is for the following purposes:


    

  • Providing or maintaining the specific product or service the teen requested.
    • 





    

  • Conducting the operator’s internal business operations.
    • 





    

  • Protecting against malicious, fraudulent, or illegal activity, or detecting, responding to, or preventing security incidents or threats.
    • 





    

  • Investigating, establishing, exercising, preparing for, or defending legal claims.
    • 





    

  • Complying with applicable laws, rules, or regulations.
    • 





    

  • Complying with a civil, criminal, or regulatory inquiry, investigation, or subpoena, or a summons by governmental authorities.
    • 





    

  • Protecting a natural person’s vital interest.
    • 





For consent to be valid, the operator must use reasonable effort to ensure that the teen or his or her parent receives notice of the operator’s privacy notice before providing consent. Importantly, the operator may obtain consent through the teen’s or his or her parent’s free and unambiguous authorization of the operator’s terms of service or acknowledgment of the operator’s privacy notice. The Act also references “verifiable consent” but does not expressly require that the consent operators obtain be verifiable.


Security Practices


An operator with actual knowledge must establish, implement, and maintain reasonable security practices to protect the confidentiality, integrity, and accessibility of personal information of children or teens and protect such personal information from unauthorized access.


Rulemaking


The Act does not create a rulemaking procedure, but the Arkansas Attorney General (Arkansas AG) has authority under Arkansas administrative law to provide formal opinions interpreting Arkansas law when asked by certain state officials, such as the governor, head of executive agencies, and members of the Arkansas general assembly. Therefore, the Arkansas AG’s office may publish its interpretations of the Act to inform operators of the Act’s requirements and help their compliance efforts, for example by setting a standard for “actual knowledge,” clarifying the consent requirement and its effect, or specifying whether “information,” “personal information,” and “personal data” are meant to be interchangeable or have unique meanings.


Enforcement


The Arkansas AG has the exclusive authority to enforce the Act, and the Act expressly prohibits a private right of action. Violators may be subject to (1) injunctive reliefs; (2) damages, restitution, or other compensation; (3) civil penalties of up on $10,000 per violation; or (4) other reliefs courts find appropriate. There is no cure period under the Act.


Takeaways


The Act may signal a change in state-level lawmakers’ approach to the online protection of minors. The Act models its framework after COPPA 2.0, focusing on obtaining consent for the online processing of minors’ personal information, rather than online safety legislations such as age-appropriate design codes that have faced constitutional challenges. Operators providing services to minors should closely monitor the development of federal COPPA 2.0 as well as potential introduction of comparable bills in other jurisdictions that seek to impose COPPA 2.0-like consent requirement for processing minors’ personal information.


Alston & Bird’s Privacy, Cyber & Data Strategy Team will continue to monitor federal- and state-level legal and regulatory developments surrounding minors’ online privacy and safety. Please contact us if you have any questions.


LinkedIn


Avatar photo
About Maki DePalo
Maki DePalo is a partner with Alston & Bird’s Privacy, Cyber & Data Strategy Team. She devotes her practice to clients' initiatives in technology and corporate transactions encompassing intellectual property licensing, strategic outsourcing, Internet-based marketing and advertising, data privacy and security, governance and compliance.


[Read Bio]
Avatar photo
About Hyun Jai Oh
Hyun Jai Oh is an associate in Alston & Bird’s Technology & Privacy Group in the Atlanta office. Before joining the firm, Hyun Jai worked as an intern researching a multitude of industries involving artificial intelligence solutions, environmental justice, and COVID-related state health regulations. Hyun Jai previously served as a sergeant in the Republic of Korea Army, working in the logistics department of the 21st Infantry Division Reconnaissance Unit.


[Read Bio]
			
			












Share to...
BufferCopyFlipboardHacker NewsLineLinkedInMessengerMixPinterestPocketPrintRedditSMSTelegramTumblrVKWhatsAppXingYummly