Insights: AlertsArkansas Becomes First State to Enact a COPPA 2.0 Inspired Privacy LawApril 30, 2025 On April 7, 2025, Arkansas passed the Arkansas Children and Teens' Online Privacy Protection Act (HB 1717) - a state law modeled closely after the federal Children and Teens' Online Privacy Protection Act (widely referred to as COPPA 2.0), which is currently pending in Congress. This new Arkansas law expands online privacy protections to teens aged 13–16, imposes stronger consent and transparency requirements on online operators, and includes prohibitions against targeted advertising to minors. On April 22, 2025, the Arkansas governor signed HB 1717, which is scheduled to take effect on July 1, 2026. Key Provisions of Arkansas HB 1717HB 1717 substantially expands upon the federal Children's Online Privacy Protection Act of 1998 (COPPA), which protects children under the age of 13. It's worth noting that COPPA does not override state laws that add protections—as long as those laws don't conflict with or contradict COPPA's requirements. See Jones v. Google LLC, 73 F.4th 636 (9th Cir. 2023). Like the federal COPPA 2.0 proposal, HB 1717 adopts a two-tiered framework that applies to both children and teens. Key provisions include: Covered Age Groups:
Scope of Covered Entities: HB 1717 applies to any for-profit operator of a website, online service, or app that:
Nonprofits, government entities, educational institutions, and compliant gaming platforms are excluded.3 Scope of Personal Information: Under Arkansas HB 1717, personal information includes: “Individually identifiable information about an individual collected online,” including but not limited to:
Audio files containing a child's or teen's voice are not considered personal information under HB 1717 if they are not used to collect identifying data, are deleted promptly, and are only used to enhance the service experience.5 Consent Requirements: Operators must obtain consent before collecting, using, or disclosing personal information.
Consent is not required, however, in several key circumstances—such as, without limitation, when the information is processed to provide or maintain a specific product or service requested by the teen, or to support the operator's internal operations.6 We expect operators to adopt as broad a view as feasible of those exceptions to consent. The statute defines “consent” as any reasonable effort, taking into consideration available technology and including without limitation a request for authorization for future collection, use, and disclosure described in the notice, to ensure that in the case of a teen, the parent of a teen or the teen:
Data Minimization and Collection Limits: law adopts a relatively moderate data minimization standard, as collection is only allowed if:
Targeted Advertising Ban: The law's ban on targeted advertising is somewhat illusory. Operators may not use children's or teens' personal information for targeted advertising or allow others to do so.9 However, that ban does not apply to information collected consistently with the law's data minimization standards (see above). Data Subject Rights: Both parents and teens have the right to:
Security Requirements: Operators must implement reasonable security measures to safeguard personal information of children and teens.11 Enforcement:
Key Takeaways Arkansas clarifies that companies don't need to verify user age, possibly distancing the law from age-gating laws that have been struck down by federal courts on First Amendment grounds. Next steps for companies operating in Arkansas or reaching Arkansas youth are to:
FootnotesRelated People![]() John M. Brigagliano
jbrigagliano@ktslaw.com ![]() Tatum Andres
tandres@ktslaw.com |


