Digital & Privacy Law

Arkansas children’s privacy Act 952 and teen data standards

The “Social Media Safety Act” is dead, but Arkansas’s new “COPPA 2.0” law takes effect July 1, 2026, extending strict data protections to teens up to age 16.

For the past few years, Arkansas has been the epicenter of a national legal battle over children’s online safety. Business leaders and developers have watched a chaotic ping-pong match: first, the state passed the aggressive “Social Media Safety Act” (Act 689), which attempted to force age verification on platforms. That law was struck down as unconstitutional in federal court in 2025. Many companies breathed a sigh of relief and stopped paying attention. That is a dangerous mistake.

While the headlines focused on the failed age-verification law, Arkansas quietly pivoted to a more robust, privacy-centric framework: Act 952 (HB 1717), known as the “Arkansas Children and Teens’ Online Privacy Protection Act.” Signed in April 2025 and effective July 1, 2026, this statute makes Arkansas the first state to successfully codify “COPPA 2.0” standards. It doesn’t just protect children under 13; it creates a new protected class of “teens” (ages 13–16), bans targeted advertising to minors, and imposes strict data minimization rules that go far beyond federal law.

This article defines the actual privacy baseline for minors in Arkansas today. We will strip away the confusion of the overturned laws and focus on what is enforceable: the existing Student Online Personal Information Protection Act (SOPIPA), the biometric mandates of APIPA, and the upcoming compliance requirements for Act 952. If you process data of Arkansas youth, your deadline to re-engineer your consent flows is rapidly approaching.

The New Arkansas Youth Privacy Hierarchy (2026):

  • Children (Under 13): Federal COPPA rules apply (Verifiable Parental Consent required). Act 952 layers on a ban on targeted ads.
  • Teens (13–16): The new protected class. Requires direct consent from the teen (or parent) to process data. Targeted ads are prohibited.
  • Student Data (K-12): Strictly regulated by SOPIPA (Ark. Code § 6-18-109). No selling, no profiling, no targeting.
  • Biometrics: Protected under APIPA. Collection of a minor’s fingerprint or face geometry requires specific security and retention protocols.

Last updated: February 4, 2026.

Quick definition: A patchwork of state statutes that regulates how businesses collect, share, and retain the data of Arkansas residents under age 18, focusing on consent, advertising prohibitions, and school data.

Who it applies to: Any online service, app, or website (commercial) that is “directed to” children/teens OR has “actual knowledge” that it is collecting their data.

Time, cost, and documents:

  • Act 952 Effective Date: July 1, 2026 (Compliance prep should be active now).
  • SOPIPA Status: Active and enforceable immediately.
  • Key Documents: Privacy Policy (updated for teens), Parental Consent Forms, Vendor Data Processing Addendums (DPA).

Key takeaways that usually decide disputes:

  • The definition of “Targeted Advertising” vs. “Contextual Advertising.”
  • Proof of “Actual Knowledge” regarding user age.
  • Vendor contracts for EdTech services.

Quick guide to Arkansas Minors’ Privacy

  • Targeted Ads are the Enemy: The core of the new Arkansas framework is a prohibition on behavioral advertising to minors. If you track a 15-year-old’s browsing history to sell them sneakers, you are in violation. Contextual ads (based on the current page content only) remain generally safe.
  • The “Actual Knowledge” Standard: Unlike the failed Act 689, the new Act 952 does not mandate ID checks for every user. It applies if your site is “directed to” minors or if you know (via profile data, support tickets, etc.) the user is a minor.
  • EdTech is a Walled Garden: If you sell software to Arkansas schools, you fall under SOPIPA. You cannot use student data for any non-educational purpose. You cannot build a profile on a student to use later.
  • Teen Consent (13-16): This is the new gap. Federal law stops at 12. Arkansas fills the 13-16 gap. You must obtain consent (from the teen or parent) to collect their PI, and they have the right to revoke it.
  • Biometrics are “Radioactive”: Under the general breach law (APIPA), biometric data triggers immediate notification risks. Collecting face scans of minors for “fun filters” without robust security is a high-liability activity.

Understanding the Arkansas Baseline in Practice

To navigate compliance in Arkansas, you must distinguish between the “Ghost of Laws Past” and the “Law of the Future.” The Social Media Safety Act (Act 689), which tried to force third-party age verification (uploading driver’s licenses), was permanently blocked by federal courts in 2025 for violating the First Amendment. It is dead. Do not build your compliance roadmap around it.

The Arkansas Children and Teens’ Online Privacy Protection Act (Act 952) is the new reality. Modeled after the proposed federal “COPPA 2.0,” it shifts the focus from “verifying age” to “minimizing data.” The philosophy is simple: you don’t necessarily have to card every user at the door, but if you let a minor in, or if your venue is built for minors, you cannot exploit their data for profit. This law introduces the concept of Data Minimization as a statutory requirement: you can only collect what is “reasonably necessary” to provide the specific service the minor requested.

Decision Matrix: Which law applies to your data?

  • Is the data from a K-12 Student for school purposes? -> SOPIPA (Ark. Code § 6-18-109). Strict prohibition on commercial use.
  • Is the user under 13? -> Federal COPPA + Act 952. Parental consent mandatory. Targeted ads banned.
  • Is the user 13–16? -> Act 952 (New). Teen consent required. Targeted ads banned. Right to delete.
  • Is it biometric data (Face/Fingerprint)? -> APIPA. High security and breach notification standards.

Legal and practical angles that change the outcome

The “Targeted Advertising” Prohibition is the most litigated concept in modern privacy law. Arkansas defines this broadly. It includes ads selected based on personal data obtained from the minor’s activities over time and across non-affiliated websites. Practically, this means if you use a Meta Pixel or Google AdSense on a page directed at Arkansas teens, you must ensure those tools are configured not to use the data for retargeting. “Contextual advertising” (showing a bike ad because the user is reading an article about bikes) is the safe harbor.

Another critical angle is Enforcement Authority. Unlike laws in California or Illinois that allow private class-action lawsuits (which attract predatory litigation), the Arkansas Act 952 is enforced exclusively by the Attorney General. While this reduces the risk of “troll” lawsuits, the Arkansas AG has a history of aggressive consumer protection enforcement. A specific “cure period” (a window to fix mistakes before being fined) was not included in the final text of Act 952, meaning the AG can fine up to $2,500 per violation immediately upon discovery.

Workable paths for mixed-audience platforms

Platforms that serve both adults and minors (e.g., news sites, gaming forums) face a dilemma. The “Actual Knowledge” standard is their shield. If you do not ask for age, and your site is not “directed to” kids (like a cartoon site would be), you generally do not fall under the strict mandates. However, the moment a user submits a support ticket saying, “I’m 14 and lost my password,” you have Actual Knowledge. The workable path is to tag that user account in your backend as “Minor” and immediately suppress targeted ad scripts for that specific User ID.

Practical application: Building a Compliant Flow

Preparing for the July 2026 deadline requires a retroactive audit of your data practices. Here is the operational workflow.

  1. Audit Your “Pixels”: Identify every third-party tracker (analytics, ads, social sharing buttons) on your site. Determine if they collect data for cross-site profiling.
  2. Define Your Audience: Be honest. Is your app “directed to” teens? Look at your marketing visuals, the age of models in your ads, and your content. If you lean “teen,” assume Act 952 applies to all users unless you age-gate.
  3. The “Teen Consent” UI: For users 13-16, build a specific onboarding flow. Instead of burying data rights in a Terms of Service link, present a clear screen: “We collect X data to provide Y service. Do you agree?”
  4. The “Do Not Sell/Target” Switch: Configure your backend so that any user identified as U17 (Under 17) automatically has “Targeted Ads” set to OFF. This must be the default state, not an opt-out.
  5. Vendor Contracts (EdTech): If you work with schools, review your Data Processing Addendum. Ensure it explicitly prohibits using student data for your own product R&D or marketing.
  6. Data Purge Policy: Implement an auto-delete rule for minor data. If a teen deletes their account, Arkansas law grants a “Right to Delete” that must remove data from your backups and third-party vendors within a reasonable time.
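The default-off rule from steps 2 to 4, together with the "actual knowledge" tagging described earlier for mixed-audience platforms, can be expressed as a single policy function. This is an added example, not code from the article or text from the statute. The `Account` fields, the `evaluate` function and the rule that conflicting age signals resolve to the youngest age are assumptions, and the age bands are the article's own (under 13, 13-16, 17+), applied to accounts already scoped to Arkansas users.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Age bands as the article lays them out: under 13, 13-16, and 17+.
CHILD, TEEN, ADULT, UNKNOWN = "under_13", "13_16", "17_plus", "unknown"

@dataclass
class Account:                           # hypothetical record for an Arkansas user
    user_id: str
    birthdate: Optional[date] = None     # from a birthdate picker, if one exists
    stated_age: Optional[int] = None     # e.g. support ticket: "I'm 14 and ..."
    stated_on: Optional[date] = None     # when that statement was recorded
    parental_consent: bool = False
    teen_consent: bool = False

@dataclass(frozen=True)
class Policy:
    band: str
    targeted_ads: bool                   # may behavioural/retargeting scripts load?
    consent_needed: Optional[str]
    may_collect_pi: bool

def years_between(start: date, end: date) -> int:
    """Whole years elapsed from start to end."""
    return end.year - start.year - ((end.month, end.day) < (start.month, start.day))

def effective_age(acct: Account, today: date) -> Optional[int]:
    """Youngest age supported by any signal, so mixed signals resolve to the minor."""
    ages = []
    if acct.birthdate:
        ages.append(years_between(acct.birthdate, today))
    if acct.stated_age is not None and acct.stated_on:
        # A stated age only advances by the full years elapsed since it was recorded.
        ages.append(acct.stated_age + years_between(acct.stated_on, today))
    return min(ages) if ages else None

def evaluate(acct: Account, today: date, directed_to_minors: bool = False) -> Policy:
    age = effective_age(acct, today)
    if age is None:
        # No age signal: only a service "directed to" minors is treated as teen.
        band = TEEN if directed_to_minors else UNKNOWN
    elif age < 13:
        band = CHILD
    elif age <= 16:
        band = TEEN
    else:
        band = ADULT
    if band == CHILD:
        # Targeted ads are off by default and cannot be switched on.
        return Policy(band, False, "parental", acct.parental_consent)
    if band == TEEN:
        consented = acct.teen_consent or acct.parental_consent
        return Policy(band, False, "teen_or_parent", consented)
    # 17+ or unknown age on a general-audience service: not restricted here.
    return Policy(band, True, None, True)
```

Call `evaluate` server-side before the page decides which ad scripts to emit, so a tagged minor never receives the tracker in the first place.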

Technical details and relevant updates

The definition of “Personal Information” under Act 952 is expansive. It goes beyond names and emails to include “biometric data,” “geolocation information” (sufficient to identify a street name and city), and “inferences” drawn from data to create a profile. This means an AI algorithm that predicts a teen’s interests based on their clicks is creating regulated “Personal Information.”

Regarding Age Estimation: While the mandatory age verification law (Act 689) was struck down, Act 952 encourages operators to treat users as minors if they have mixed signals. Technically, you are not required to implement facial age estimation or government ID uploads. However, if you do collect age data (e.g., a birthdate picker), you cannot treat that field as “just another data point.” It becomes the trigger for your compliance logic.

  • Safe Harbor for Contextual Ads: You can still monetize teen traffic. You just have to serve ads based on the *current* session content, not the user’s history.
  • No “Dark Patterns”: The law prohibits using manipulative design to trick teens into consenting. The “Yes” and “No” buttons for consent must be of equal size and prominence.

Statistics and scenario reads

The shift from federal-only to state-level enforcement changes the risk calculus. Arkansas is part of a “red state” trend adopting strict privacy laws to protect children, signaling high political will for enforcement.

Scenario analysis suggests that the primary targets for AG enforcement will be social media platforms, gaming apps with “loot boxes” or aggressive monetization, and EdTech vendors who “leak” data to advertisers.

  • Social Media & Gaming (Act 952 focus): 60%. Primary enforcement targets due to high teen usage and data profiling.
  • EdTech / Schools (SOPIPA focus): 30%. Strict liability for vendors mishandling student records.
  • General Retail / E-commerce: 10%. Lower risk unless specifically targeting teens with behavioral ads.

Monitorable points for compliance (2026 readiness):

  • Ad Revenue Mix: Monitor % of revenue from behavioral vs. contextual ads on teen-heavy pages.
  • Consent Rates: Track drop-off rates when the new “Teen Consent” modal is deployed.
  • Data Retention: Audit database for “orphan” teen accounts older than 2 years (delete them).

Practical examples of Privacy Compliance

Scenario A: The “Free” Educational App

A math tutor app is used in Arkansas schools. The app is free but shows ads. Under SOPIPA, the app cannot use the student’s progress data to serve targeted ads (e.g., “You failed algebra, buy this book”).

Correct Approach: The app disables all third-party ad trackers. It shows only “house ads” for its own premium version (contextual) or charges a license fee to the district instead of monetizing student eyeballs.

Scenario B: The Teen Fashion Store

An online clothing store notices 20% of its traffic comes from Arkansas users aged 14-16. It uses a Meta Pixel to retarget cart abandoners on Instagram.

Compliance Gap (Post-July 2026): This retargeting is “Targeted Advertising.” The store must either (A) remove the Pixel for all Arkansas users, or (B) ask users to self-identify age and disable the Pixel for anyone U17. Continuing to retarget teens without specific consent violates Act 952.

Common mistakes in Arkansas Youth Privacy

Relying on the “13+” Checkbox: Thinking you are safe because your TOS says “Users must be 13+.” Act 952 regulates teens 13–16, so banning U13s is no longer a total shield.

Confusing Act 689 with Act 952: Assuming “the courts blocked the law, so I don’t have to do anything.” They blocked the ID verification law. The data protection law (Act 952) is valid and incoming.

Ignoring “Inferences”: Collecting only a User ID but using AI to infer “this user is likely a teenage girl interested in diet pills” and targeting ads based on that inference is a violation.

Forgetting Biometrics: Using a “virtual try-on” feature for glasses or makeup that scans a teen’s face without explicit, written consent and a retention policy. This violates both Act 952 and potentially APIPA.

FAQ about Arkansas Children’s Privacy

Do I have to verify the age of every user in Arkansas?

No. Act 952 does not mandate identity verification (uploading an ID) for all users. That was the requirement of the now-defunct Act 689.

However, you must not willfully ignore the age of your users. If your platform is “directed to” children, or you obtain “actual knowledge” of a user’s age, you must apply the protections.

Can I still show ads to teenagers in Arkansas?

Yes, but with strict limits. You can show Contextual Advertising (ads based on the content of the page they are currently viewing). You generally cannot show Targeted Advertising (ads based on their behavior across other sites or a historical profile).

This effectively kills “retargeting” (following them around the web) for the 13-16 demographic.

What is the penalty for violating Act 952?

Enforcement is handled by the Arkansas Attorney General under the Deceptive Trade Practices Act. Penalties can reach up to $2,500 per violation (per user, per incident).

There is no “private right of action,” meaning parents cannot sue you directly under this specific statute, but the AG can seek significant civil penalties and injunctions.

Does this apply to non-profits or schools?

Act 952 generally applies to commercial entities. However, schools and their vendors are regulated by SOPIPA. If a non-profit operates a commercial website (selling merch, for example) directed at teens, they may still fall under scope.

Always review the specific “Operator” definition in the statute if you are a non-commercial entity.

How do I get “Verifiable Parental Consent”?

For children under 13 (federal COPPA standard), you must use approved methods: credit card verification (with a nominal charge), a signed consent form sent via email/fax, or calling a toll-free number.

For teens 13-16 under Arkansas Act 952, the standard is slightly different; you need consent to process data, but the mechanism for “teen consent” is often a clear, affirmative opt-in (checkbox) rather than a credit card check.

What if I am a small business outside Arkansas?

Jurisdiction is based on the residency of the child. If you collect data from a teen you know is in Arkansas, you must comply, regardless of where your server or office is located.

If you have no physical presence and do not target Arkansas users specifically, the risk is lower, but “doing business” via the internet typically establishes jurisdiction.

Can teens delete their own data?

Yes. Act 952 grants a “Right to Delete” and a “Right to Access.” If a teen (or their parent) requests deletion of their personal information, you must comply.

This is broader than federal COPPA, which primarily vests these rights in the parent.

Are internal analytics allowed?

Generally, yes. Using data for “internal operations” (fixing bugs, maintaining the site, checking server load) is a standard exception.

However, you cannot use “analytics” as a cover for building user profiles to sell or use for marketing later.

What about data brokers?

Act 952 specifically prohibits data brokers from selling the personal information of minors if they have actual knowledge of the age.

If you buy lists of “Arkansas high school students” for marketing, you are likely walking into a legal minefield.

When should I start preparing?

Now. The effective date is July 1, 2026. Engineering changes to separate “Contextual” vs. “Targeted” ad stacks and building “Teen Consent” flows take months of development and testing.

Waiting until June 2026 creates a high risk of broken deployments and non-compliance.

References and next steps

  • Review Act 952 (HB 1717): Read the full text of the “Arkansas Children and Teens’ Online Privacy Protection Act” to understand specific definitions of “Targeted Advertising.”
  • Audit Ad Tech: Contact your ad networks (Google, Meta, etc.) to understand their “Restricted Data Processing” settings for Arkansas users.
  • Update Privacy Policy: Create a dedicated section for “Arkansas Minors” explaining their specific rights to deletion and freedom from targeted ads.

Related reading:

  • Arkansas Code § 6-18-109 (SOPIPA – Student Data Privacy)
  • NetChoice v. Griffin (The case that struck down Act 689)
  • FTC COPPA Compliance Guide (Federal baseline)
  • Arkansas Attorney General Consumer Protection Division

Legal basis

The current legal baseline for children’s privacy in Arkansas is formed by three primary statutes. First, the Arkansas Student Online Personal Information Protection Act (SOPIPA) (Ark. Code § 6-18-109) governs data collected in educational settings. Second, the Arkansas Personal Information Protection Act (APIPA) (Ark. Code § 4-110-101) governs general data security and breach notification, including specific biometric protections.

Most importantly, the new Arkansas Children and Teens’ Online Privacy Protection Act (Act 952 of 2025), codified at Ark. Code Title 4, Chapter 88, Subchapter 15, establishes the “COPPA 2.0” standards for teens aged 13-16, effective July 1, 2026. This law fills the void left when the Social Media Safety Act (Act 689) was permanently enjoined by the U.S. District Court in NetChoice, LLC v. Griffin.

Final considerations

The privacy landscape for minors in Arkansas has stabilized after years of volatility. The state has moved away from the constitutionally fraught “ID check at the door” approach and embraced a “data minimization” model that aligns with emerging national trends. This is good news for businesses because it offers a clearer technical path: you don’t need to verify identity, but you must respect the data.

Your goal for the next 12 months should be segregation. Can your systems distinguish a 15-year-old Arkansas user from a 25-year-old Texas user? If the answer is “no,” you cannot comply with the targeted advertising bans. Build that capacity now. By treating the data of Arkansas teens with the same “radioactive” caution you apply to federal COPPA data, you will future-proof your business against the AG’s inevitable enforcement wave in 2026.

Key point 1: The Age Verification law (Act 689) is dead; the Teen Data Privacy law (Act 952) is the new standard.

Key point 2: Targeted advertising to users under 17 will be illegal in Arkansas starting July 2026.

Key point 3: EdTech vendors have strict “no sale/no profile” liability under SOPIPA.

  • Default your ad settings to “Contextual Only” for users U17.
  • Create a clear “Delete My Data” flow for teens.
  • Train marketing teams that “Teens” (13-16) are now a protected class in Arkansas.

This content is for informational purposes only and does not replace individualized legal analysis by a licensed attorney or qualified professional.
