Arkansas Legislature Passes Children and Teens’ Online Privacy Protection Act

Husch Blackwell LLP

On April 15, 2025, the Arkansas legislature passed HB 1717 – the Arkansas Children and Teens’ Online Privacy Protection Act. If signed by the governor, Arkansas will be the latest state to legislate in the teens’ privacy space but with a bill unlike any other passed to date.

Below, we provide a summary of the bill and its requirements.

Scope

The bill applies to “operators” of websites, online services, online applications or mobile applications that are either (1) directed at children or teens or (2) where the operator has actual knowledge that it is collecting personal information from children or teens.

The bill defines children as Arkansas residents 12 and under and teens as Arkansas residents ages 13 to 16. The bill creates overlap with the Children’s Online Privacy Protection Act’s (COPPA) scope of regulating the collection of personal information from children under 13. Given the overlap, it is important to note that COPPA has been interpreted not to preempt state laws that supplement COPPA’s provisions, as opposed to laws that contradict or are inconsistent with them. See Jones v. Google LLC, 73 F.4th 636 (9th Cir. 2023) (“We hold that COPPA’s preemption clause does not bar state-law causes of action that are parallel to, or proscribe the same conduct forbidden by, COPPA”); see also COPPA, 15 U.S.C. § 6502(d) (“No State or local government may impose any liability for commercial activities or actions by operators in interstate or foreign commerce in connection with an activity or action described in this chapter that is inconsistent with the treatment of those activities or actions under this section”).

The bill uses the terms “directed at children” and “actual knowledge,” which aligns with COPPA’s use of the same terms. See, e.g., FTC, Complying with COPPA: Frequently Asked Questions. However, the Arkansas bill does not define those terms. In theory, those terms could be interpreted consistently with the FTC definitions, but this is left open in the bill. In addition, the bill does not provide examples or clarification on what would be considered a website directed at teens.

Operator is defined as a “person who, for commercial purpose, operates or provides a website on the internet, an online service, an online application, or a mobile application and who” either (1) collects or maintains personal information of users of the website, service, or application or (2) allows another person to collect information of users.

The bill excludes from the definition of operator certain nonprofits, gaming platforms that comply with COPPA, state agencies and institutions, and state schools. The exemption of gaming platforms that comply with COPPA is of interest given that the Arkansas bill has a broader scope insofar as it regulates the processing of personal information of teens under 16. Of note, the bill uses nearly a page of text to provide a definition for “social media platform,” but the bill does not include any requirements for “social media platforms.”

The bill does contain a definition of “personal information” which is broadly defined to include information such as name, home address, email address, telephone number, Social Security number, precise geolocation information, certain types of biometric information, and online identifiers. The definition excludes audio voice files under certain conditions.

By its terms, the bill does not require operators to collect age. Specifically, the bill states that it does not require an operator to affirmatively collect any personal information regarding the age of a child or teen or implement an age-gating or age verification functionality.

Data Minimization Requirements

The bill prohibits covered operators from collecting the personal information of children or teens except when the collection is either (1) “consistent with the context of a particular service or the relationship of the child or teen with the operator, including without limitation collection that is necessary to fulfill a transaction or provide a product or service requested by the child or teen or parent of the teen”; or (2) required or specifically authorized by law.

Further, covered operators cannot retain personal information of children/teens for longer than is “reasonably necessary to fulfill a transaction or provide a service requested by the child or teen except as required for the safety or integrity of the service or specifically authorized by law.”

Reading the two provisions together, covered operators could collect a broader set of personal information than they would be able to retain.

Additionally, covered operators cannot collect personal information from children/teens for purposes of targeted advertising or allow other entities to do so unless it is consistent with the above collection and retention requirements.

Two pages later, the bill contains another data minimization provision, which prohibits operators from requiring a child (but not a teen) to disclose more personal information “than is reasonably necessary to participate as a condition to participate in” a game, the offering of a prize or another activity. It is unclear whether this provision could be read to supplement COPPA or, given that COPPA allows for parental consent, conflicts with it.

Consent Requirements

While the data minimization requirements do not have any exceptions for consent, the bill goes on to require covered operators that have “actual knowledge” that they are collecting personal information from teens to “obtain consent for the collection, use, or disclosure of personal information from a teen from a parent of a teen or a teen [sic?], except when the processing is for” one of eight specific processing activities. For example, consent is not required to provide or maintain a product or service requested by the teen, conduct internal business operations, protect against fraud, or comply with law.

It is worth noting that this section of the bill only applies when an operator has actual knowledge that it is collecting personal information from teens. That said, the prior data minimization section also regulates the collection of such information and, as noted, requires that the collection be consistent with the context of a particular service or the relationship of the teen with the operator. It is unclear how these two provisions should be reconciled, although, in theory, it could be argued that obtaining a teen’s consent means that the collection is consistent with the context of the relationship.

This section does not specifically allow for verified parental consent (VPC) for the collection of personal information from children under 13 years of age. This could create an issue with COPPA preemption. As noted, states may supplement COPPA, but not contradict it. Because COPPA allows for collection of children’s data with VPC, it could be argued that not allowing for VPC contradicts COPPA.

Privacy Notices

Covered operators that have actual knowledge that they are collecting personal information from children or teens must provide “clear and conspicuous notice” of (1) what information the operator collects from children or teens, (2) the purpose for processing personal data, (3) the operator’s disclosure practices for such information, (4) the right and opportunities available to the parent of a child or teen, and (5) the categories of third parties, if any, with whom the controller shares personal data.

The bill does not provide for how or when an operator must provide this notice. For example, it is unclear if an operator needs to provide the notice on a website and mobile application and, if so, where. Further, this portion of the bill vacillates between using personal information, information, and personal data. The bill only defines personal information. It does not define personal data or information. Presumably, these terms all have the same meaning.

Rights

The bill creates two sets of rights. First, covered operators must provide the “opportunity” to request the deletion of a child’s account or content submitted by a child. The bill, however, does not identify who has this right (presumably, the parent). The bill goes on to state that a parent of a child may challenge the inaccuracy of personal information and “obtain any personal information collected from that child.” The bill also creates similar rights for teens.

Notably, the bill does not provide how these consumer rights must be presented to users. In addition, the bill does not state how long a covered operator has to respond to these requests or whether an operator has the right – or obligation – to verify the identity of the requestors.

Verifiable Consent

The next section of the bill does refer to verifiable consent. Specifically, it provides that “[v]erifiable consent under subdivision (b)(2)(A) of this section is not required in the case of” certain activities such as the one-time collection of personal information from a child or teen to respond to an inquiry. However, subdivision (b)(2)(A) does not require verifiable consent. Rather, that subdivision states that consent is not required if an operator is providing a product or service requested by the child or teen. In fact, the bill only uses “verifiable consent” in this section. In theory, this section of the bill could be read to establish ways that covered operators can collect and use personal information without the need to obtain consent and consistent with the data minimization provisions.

Rulemaking

The bill does not authorize rulemaking. In addition, the broader Deceptive Trade Practices chapter that the law will be added to does not allow for rulemaking.

Enforcement

The bill grants the Attorney General exclusive authority to enforce its provisions and specifically states that it does not create a private right of action.

Effective Date

If signed by the governor, the bill goes into effect July 1, 2026.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Husch Blackwell LLP
