Global Data Privacy Guide
USA, Arkansas
(United States) Firm: Rose Law Firm, a Professional Association. Updated 08 Aug 2025
| 1. What is the key legislation? | The Arkansas State Legislature passed The Arkansas Cybersecurity Act on April 8, 2025. HB1549 – To Create the Arkansas Cybersecurity Act of 2025, ARKANSAS STATE LEGISLATURE, https://arkleg.state.ar.us/Bills/Detail?id=HB1549&ddBienniumSession=2025%2F2025R (last visited Aug. 8, 2025). The Act created the State Cybersecurity Office, which is responsible for “directing and managing all functions related to state cybersecurity and information security for each state agency,” maximizing cybersecurity resources, establishing “cybersecurity governance polices, procedures, and standards to protect state information technology systems,” and reporting all findings and enforcement to the Joint Committee on Advanced Communications and Information Technology. H.B. 1549, 95th Gen. Assemb., Reg. Sess. (Ark. 2025). The governance policies, procedures, and standards may include, but are not limited to: data classification and design controls; cybersecurity and data breach notification; detection, mitigation, and monitoring of cybersecurity threats; a cyber assessment program and remediation actions; cybersecurity awareness and training; and enforcement and compliance. H.B. 1549, 95th Gen. Assemb., Reg. Sess. (Ark. 2025). |
| 2. What are the key decisions applying that legislation? | Neither of these acts has been interpreted by Arkansas courts as of August 2025. |
| 1. How are “personal data” and “sensitive data” defined? | “Personal information” is defined by the Personal Information Protection Act (PIPA), which was updated in 2019. The definition remains current: |
| 2. How is the defined data protected? | Protections of personal data are governed by ARK. CODE ANN. § 4-110-104, which was last modified in 2005: |
| 3. Who is subject to privacy obligations? | The Arkansas Personal Information Act, last updated in 2019, requires a “person” and a “business” to follow the regulations. The Act defines “[b]usiness” as “a sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the law of this state, any other state, the United States, or of any other country or the parent or the subsidiary of a financial institution” and includes both an entity that destroys records and state agencies. ARK. CODE ANN. § 4-110-103(2)(A-B) (West 2019). |
| 4. How is “data processing” defined? | The Arkansas Children and Teens’ Online Privacy Act mentions data processing but does not provide a definition. H.B. 1717, 95th Gen. Assemb., Reg. Sess. (Ark. 2025). |
| 5. What are the principles applicable to personal data processing? | See above |
| 6. How is the processing of personal data regulated? | The Arkansas Children and Teens’ Online Privacy Act requires operators that have actual knowledge that they are collecting personal information from children or teens to provide clear and conspicuous notice of their purpose for processing personal data. H.B. 1717, 95th Gen. Assemb., Reg. Sess. (Ark. 2025). |
| 7. How are storage, security and retention of personal data regulated? | ARK. CODE ANN. § 4-110-104, last modified in 2005, requires: a person or business that acquires, owns, or licenses personal information about an Arkansas resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. |
| 8. What are the data subjects' rights under the data legislation? | This is governed by PIPA with no updates since 2005. Any waiver of any provision of PIPA is “contrary to public policy, void, and unenforceable.” ARK. CODE ANN. § 4-110-107 (West 2005). |
| 9. What are the consent requirements for data subjects? | Under the Arkansas Children and Teens’ Online Privacy Protection Act, passed in 2025, operators of websites, online services, online applications, and mobile applications directed at children or teens or with actual knowledge that they are collecting personal information from children or teens must “[o]btain consent for the collection, use, or disclosure of personal information from a teen from a parent of a teen or a teen.” H.B. 1717, 95th Gen. Assemb., Reg. Sess. (Ark. 2025). However, this is not required when the data is needed for providing or maintaining the specific service, conducting internal business operations, protecting and preventing malicious or illegal activities or threats, preparing for or defending legal claims, complying with other government authorities, or protecting the teen. Id. |
| 10. How is authorization for use of data handled? | See above |
| 11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers? | No change since 2019 – regulated by general laws in PIPA. |
| 12. How are data "incidents" and "breaches" defined? | “Breach in the security of the system” is defined by ARK. CODE ANN. § 4-110-103, which was last updated in 2019. “‘Breach in the security of the system’ means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person or business.” ARK. CODE ANN. § 4-110-103(1)(A) (West 2019). |
| 13. Are there any notification requirements for incidents and/or data breaches? | This is governed by ARK. CODE ANN. § 4-110-105, which is part of the Arkansas Personal Information Protection Act. There have been no changes in the statute, except technical changes made by the Arkansas Code Revision Commission, since 2019. The statute requires that any person or business must disclose any breach to any Arkansas resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person. ARK. CODE ANN. § 4-110-105(a)(1) (West 2019). |
| 14. Who is/are the privacy regulator(s)? | The Arkansas Attorney General has oversight over violations of the Personal Information Protection Act; this has received no changes since 2005. ARK. CODE ANN. § 4-110-108 (West 2005). However, the legislature passed the Arkansas Cybersecurity Act in 2025, which created the State Cybersecurity Office, which is responsible for “directing and managing all functions related to state cybersecurity and information security for each state agency.” H.B. 1549, 95th Gen. Assemb., Reg. Sess. (Ark. 2025). |
| 15. What are the consequences of a data breach? | This is governed by the Arkansas Personal Information Protection Act; there have been no updates since 2019. After disclosing the breach to any persons affected or reasonably believed to be affected, the person or business must retain “a copy of the written determination of a breach of the security of the system and supporting documentation for five (5) years from the date of determination . . .” ARK. CODE ANN. § 4-110-105(g)(1). Further, if the Attorney General submits a written request for the determination, the person or business must send that written determination to the Attorney General within thirty days. ARK. CODE ANN. § 4-110-105(g)(2). |
| 16. How is electronic marketing regulated? | Under the Arkansas Children and Teens’ Online Privacy Act, passed in 2025, it is unlawful for operators with actual knowledge that they are collecting information from children or teens to collect personal information from children or teens for purposes of targeted advertising or to allow another person to “collect, use, disclose, or maintain this information for targeted advertising to children or teens.” H.B. 1717, 95th Gen. Assemb., Reg. Sess. (Ark. 2025). |
| 17. Are there sector-specific or industry-specific privacy requirements? | No changes since 2019 – the Arkansas Personal Information Protection Act mentions “medical information” but does not specify any special procedures for security or destruction of that data. ARK. CODE ANN. § 4-110-103(5). |
| 18. What are the requirements for appointing Data Protection Officers or similar roles? | The Arkansas Cybersecurity Protection Act of 2025 authorizes a State Information Security Officer to create a Cybersecurity Governance Team. H.B. 1549, 95th Gen. Assemb., Reg. Sess. (Ark. 2025). The Team will assist the Officer in developing and administering the Office’s “cybersecurity plan, standards, policies, and procedures.” H.B. 1549, 95th Gen. Assemb., Reg. Sess. (Ark. 2025). |
| 19. What are the record-keeping and documentation obligations? | This is governed by PIPA, last updated in 2019. A person or business that experiences a security breach must keep a copy of the written determination of the breach and keep that document and any supporting documentation for five years. ARK. CODE ANN. § 4-110-105(g)(1) (West 2019). |
| 20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)? | I was unable to find any Arkansas statutes, regulations, or case law regarding Data Protection Impact Assessments (DPIAs). |
| 21. What are the requirements for third-party vendor management and data sharing? | Under the Arkansas Children and Teens’ Online Privacy Protection Act, passed in 2025, operators of websites, online services, online applications, and mobile applications directed at children or teens or with actual knowledge that they are collecting personal information from children or teens must disclose the categories of personal data the controller shares with third parties and the types of third parties with whom the controller shares personal data. H.B. 1717, 95th Gen. Assemb., Reg. Sess. (Ark. 2025). |
| 22. What are the penalties and enforcement mechanisms for non-compliance? | This is governed by the Arkansas Personal Information Protection Act; there have been no changes since 2005. The Arkansas Attorney General enforces the Act and can punish noncompliance through actions under ARK. CODE ANN. § 4-88-101 et seq. |
| 23. What are the ongoing compliance and audit requirements? | Under the Arkansas Cybersecurity Act of 2025, the State Cybersecurity Office must establish and undertake an “audit of the compliance of each state agency with state and federal cybersecurity governance standards, polices, and procedures; and [r]eport the audit and enforcement findings of the State Cybersecurity Office . . . to the Joint Committee on Advanced Communications and Information Technology at least two (2) times per calendar year.” H.B. 1549, 95th Gen. Assemb., Reg. Sess. (Ark. 2025). |
| 24. Are there any recent developments or expected reforms? | The Arkansas Senate proposed the Arkansas Digital Responsibility, Safety, and Trust Act in 2025, but the act failed to pass in the Senate. SB258 – To Create the Arkansas Digital Responsibility, Safety, and Trust Act, ARKANSAS STATE LEGISLATURE, https://arkleg.state.ar.us/Bills/Detail?id=SB258&ddBienniumSession=2025%2F2025R&Search= (last visited Aug. 5, 2025). The bill proposed the prohibition of small businesses selling personal data without prior consent, stronger consumer personal data rights, the prohibition of waivers or limitations on consumer rights, the creation of methods for consumers to submit requests to exercise their consumer rights, and privacy notices to consumers, among other privacy and security regulations. S.B. 258, 95th Gen. Assemb., Reg. Sess. (Ark. 2025). Though this act did not pass, it could be relevant for future legislation and would have made significant changes in Arkansas data privacy laws. Further, the State Cybersecurity Office, created by the Arkansas Cybersecurity Act of 2025, will likely establish new cybersecurity governance policies, procedures, and standards for state agencies. H.B. 1549, 95th Gen. Assemb., Reg. Sess. (Ark. 2025). |
The Arkansas State Legislature passed The Arkansas Cybersecurity Act on April 8, 2025. HB1549 – To Create the Arkansas Cybersecurity Act of 2025, ARKANSAS STATE LEGISLATURE, https://arkleg.state.ar.us/Bills/Detail?id=HB1549&ddBienniumSession=2025%2F2025R (last visited Aug. 8, 2025). The Act created the State Cybersecurity Office, which is responsible for “directing and managing all functions related to state cybersecurity and information security for each state agency,” maximizing cybersecurity resources, establishing “cybersecurity governance polices, procedures, and standards to protect state information technology systems,” and reporting all findings and enforcement to the Joint Committee on Advanced Communications and Information Technology. H.B. 1549, 95th Gen. Assemb., Reg. Sess. (Ark. 2025). The governance policies, procedures, and standards may include, but are not limited to: data classification and design controls; cybersecurity and data breach notification; detection, mitigation, and monitoring of cybersecurity threats; a cyber assessment program and remediation actions; cybersecurity awareness and training; and enforcement and compliance. H.B. 1549, 95th Gen. Assemb., Reg. Sess. (Ark. 2025).
The Arkansas Children and Teens’ Online Privacy Protection Act expands personal information and privacy protections for children and teens. The Act requires operators of websites, online services, online apps, and mobile apps that are directed to children or teens or have actual knowledge that they are collecting personal information from children or teens to provide notice of the information that is being collected, the purpose for collecting the data, and their disclosure practices. H.B. 1717, 95th Gen. Assemb., Reg. Sess. (Ark. 2025). Further, these operators are required to obtain consent for the collection and distribution of the data and provide parents the opportunity to examine, change, and delete the data. Id. The act also limits the amount of personal information that can be requested to play a game, win a prize, or participate in another activity. Id.
Neither of these acts has been interpreted by Arkansas courts as of August 2025.
“Personal information” is defined by the Personal Information Protection Act (PIPA), which was updated in 2019. The definition remains current:
Personal information means an individual’s first name or first initial and his or her last name in combination with any one (1) or more of the following data elements when either the name or the data element is not encrypted or redacted:
(A) Social Security number;
(B) Driver’s license number or Arkansas identification card number;
(C) Account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
(D) Medical information; and
(E) (i) Biometric data.
ARK. CODE ANN. § 4-10-103(7) (West 2019).
The Arkansas Children and Teens’ Online Privacy Protection Act expands the definition of personal information in relation to children and teens’ information. Passed in 2025, the Act defines “personal information” as:
Individually identifiable information about an individual collected online, including without limitation:
(i) A first and last name;
(ii) A home or other physical address including street name and name of the city or town of residence;
(iii) An e-mail address;
(iv) A telephone number;
(v) A Social Security number;
(vi) Any other identifier that permits the physical or online contacting of a specific individual;
(vii) Geolocation information sufficient to identify a street name and a city or town;
(viii) Information generated from the measurement or technological processing of an individual’s biological, physical, or physiological characteristics that is used to identify an individual . . .
(ix) Information that is linked or reasonably linkable to a child or teen; or
(x) Information linked or reasonably linkable to a child or teen or the parents of that child or teen, including without limitation any unique identifier, that an operator collects online from the child or teen and combines with an identifier described in this subdivision (11)(A).
H.B. 1717, 95th Gen. Assemb., Reg. Sess. (Ark. 2025).
Protections of personal data are governed by ARK. CODE ANN. § 4-110-104, which was last modified in 2005:
A person or business should take all reasonable steps to destroy or arrange for the destruction of a customer’s records within its custody or control containing personal information that is no longer to be retained by the person or business by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.
ARK. CODE ANN. § 4-110-104 (West 2005).
Under the Arkansas Children and Teens’ Online Privacy Act, enacted in 2025, operators that have actual knowledge that they are collecting information from children and teens must “establish, implement, and maintain reasonable security practices to protect the confidentiality, integrity, and accessibility of personal information of children or teens collected by the operator, and protect the personal information against unauthorized access.” H.B. 1717, 95th Gen. Assemb., Reg. Sess. (Ark. 2025).
The Arkansas Personal Information Act, last updated in 2019, requires a “person” and a “business” to follow the regulations. The Act defines “[b]usiness” as “a sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the law of this state, any other state, the United States, or of any other country or the parent or the subsidiary of a financial institution” and includes both an entity that destroys records and state agencies. ARK. CODE ANN. § 4-110-103(2)(A-B) (West 2019).
The Arkansas Children and Teens’ Online Privacy Act expands who is subject to regulations in relation to children and teens’ data. Passed in 2025, the Act regulates privacy for operators of websites, online services, online applications, and mobile applications directed at children or teens or those with actual knowledge that they are collecting personal information from children or teens. H.B. 1717, 95th Gen. Assemb., Reg. Sess. (Ark. 2025).
The Arkansas Children and Teens’ Online Privacy Act mentions data processing but does not provide a definition. H.B. 1717, 95th Gen. Assemb., Reg. Sess. (Ark. 2025).
See above
The Arkansas Children and Teens’ Online Privacy Act requires operators that have actual knowledge that they are collecting personal information from children or teens to provide clear and conspicuous notice of their purpose for processing personal data. H.B. 1717, 95th Gen. Assemb., Reg. Sess. (Ark. 2025).
ARK. CODE ANN. § 4-110-104, last modified in 2005, requires: a person or business that acquires, owns, or licenses personal information about an Arkansas resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
As mentioned above, under the Arkansas Children and Teens’ Online Privacy Act, enacted in 2025, operators that have actual knowledge that they are collecting information from children and teens must “establish, implement, and maintain reasonable security practices to protect the confidentiality, integrity, and accessibility of personal information of children or teens collected by the operator, and protect the personal information against unauthorized access.” H.B. 1717, 95th Gen. Assemb., Reg. Sess. (Ark. 2025).
This is governed by PIPA with no updates since 2005. Any waiver of any provision of PIPA is “contrary to public policy, void, and unenforceable.” ARK. CODE ANN. § 4-110-107 (West 2005).
Moreover, the Arkansas Children and Teens’ Online Privacy Act, enacted in 2025, expands these rights for children and teens. Parents have the right to request the deletion of the account of a child or the information submitted by the child or teen, challenge the accuracy of their child or teen’s personal information, correct any inaccurate information, and obtain any of their child or teen’s personal information that has been collected. H.B. 1717, 95th Gen. Assemb., Reg. Sess. (Ark. 2025).
Under the Arkansas Children and Teens’ Online Privacy Protection Act, passed in 2025, operators of websites, online services, online applications, and mobile applications directed at children or teens or with actual knowledge that they are collecting personal information from children or teens must “[o]btain consent for the collection, use, or disclosure of personal information from a teen from a parent of a teen or a teen.” H.B. 1717, 95th Gen. Assemb., Reg. Sess. (Ark. 2025). However, this is not required when the data is needed for providing or maintaining the specific service, conducting internal business operations, protecting and preventing malicious or illegal activities or threats, preparing for or defending legal claims, complying with other government authorities, or protecting the teen. Id.
See above
No change since 2019 – regulated by general laws in PIPA.
“Breach in the security of the system” is defined by ARK. CODE ANN. § 4-110-103, which was last updated in 2019. “‘Breach in the security of the system’ means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person or business.” ARK. CODE ANN. § 4-110-103(1)(A) (West 2019).
This is governed by ARK. CODE ANN. § 4-110-105, which is part of the Arkansas Personal Information Protection Act. There have been no changes in the statute, except technical changes made by the Arkansas Code Revision Commission, since 2019. The statute requires that any person or business must disclose any breach to any Arkansas resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person. ARK. CODE ANN. § 4-110-105(a)(1) (West 2019).
The Arkansas Attorney General has oversight over violations of the Personal Information Protection Act; this has received no changes since 2005. ARK. CODE ANN. § 4-110-108 (West 2005). However, the legislature passed the Arkansas Cybersecurity Act in 2025, which created the State Cybersecurity Office, which is responsible for “directing and managing all functions related to state cybersecurity and information security for each state agency.” H.B. 1549, 95th Gen. Assemb., Reg. Sess. (Ark. 2025).
The Arkansas Attorney General also has the exclusive authority to enforce the Arkansas Children and Teens’ Online Privacy Act. H.B. 1717, 95th Gen. Assemb., Reg. Sess. (Ark. 2025).
This is governed by the Arkansas Personal Information Protection Act; there have been no updates since 2019. After disclosing the breach to any persons affected or reasonably believed to be affected, the person or business must retain “a copy of the written determination of a breach of the security of the system and supporting documentation for five (5) years from the date of determination . . .” ARK. CODE ANN. § 4-110-105(g)(1). Further, if the Attorney General submits a written request for the determination, the person or business must send that written determination to the Attorney General within thirty days. ARK. CODE ANN. § 4-110-105(g)(2).
Under the Arkansas Children and Teens’ Online Privacy Act, passed in 2025, it is unlawful for operators with actual knowledge that they are collecting information from children or teens to collect personal information from children or teens for purposes of targeted advertising or to allow another person to “collect, use, disclose, or maintain this information for targeted advertising to children or teens.” H.B. 1717, 95th Gen. Assemb., Reg. Sess. (Ark. 2025).
No changes since 2019 – the Arkansas Personal Information Protection Act mentions “medical information” but does not specify any special procedures for security or destruction of that data. ARK. CODE ANN. § 4-110-103(5).
The Arkansas Cybersecurity Protection Act of 2025 authorizes a State Information Security Officer to create a Cybersecurity Governance Team. H.B. 1549, 95th Gen. Assemb., Reg. Sess. (Ark. 2025). The Team will assist the Officer in developing and administering the Office’s “cybersecurity plan, standards, policies, and procedures.” H.B. 1549, 95th Gen. Assemb., Reg. Sess. (Ark. 2025).
This is governed by PIPA, last updated in 2019. A person or business that experiences a security breach must keep a copy of the written determination of the breach and keep that document and any supporting documentation for five years. ARK. CODE ANN. § 4-110-105(g)(1) (West 2019).
I was unable to find any Arkansas statutes, regulations, or case law regarding Data Protection Impact Assessments (DPIAs).
Under the Arkansas Children and Teens’ Online Privacy Protection Act, passed in 2025, operators of websites, online services, online applications, and mobile applications directed at children or teens or with actual knowledge that they are collecting personal information from children or teens must disclose the categories of personal data the controller shares with third parties and the types of third parties with whom the controller shares personal data. H.B. 1717, 95th Gen. Assemb., Reg. Sess. (Ark. 2025).
This is governed by the Arkansas Personal Information Protection Act; there have been no changes since 2005. The Arkansas Attorney General enforces the Act and can punish noncompliance through actions under ARK. CODE ANN. § 4-88-101 et seq.
Under the Arkansas Children and Teens’ Online Privacy Act, enacted in 2025, the Attorney General has the authority to enjoin any practice that violates the act, enforce compliance with the rule, obtain damages, restitution, or other compensation on behalf of the residents of the state, or obtain other relief the court finds appropriate. H.B. 1717, 95th Gen. Assemb., Reg. Sess. (Ark. 2025). The Attorney General has “exclusive authority” to enforce the Act. Id.
Under the Arkansas Cybersecurity Act of 2025, the State Cybersecurity Office must establish and undertake an “audit of the compliance of each state agency with state and federal cybersecurity governance standards, polices, and procedures; and [r]eport the audit and enforcement findings of the State Cybersecurity Office . . . to the Joint Committee on Advanced Communications and Information Technology at least two (2) times per calendar year.” H.B. 1549, 95th Gen. Assemb., Reg. Sess. (Ark. 2025).
The Arkansas Senate proposed the Arkansas Digital Responsibility, Safety, and Trust Act in 2025, but the act failed to pass in the Senate. SB258 – To Create the Arkansas Digital Responsibility, Safety, and Trust Act, ARKANSAS STATE LEGISLATURE, https://arkleg.state.ar.us/Bills/Detail?id=SB258&ddBienniumSession=2025%2F2025R&Search= (last visited Aug. 5, 2025). The bill proposed the prohibition of small businesses selling personal data without prior consent, stronger consumer personal data rights, the prohibition of waivers or limitations on consumer rights, the creation of methods for consumers to submit requests to exercise their consumer rights, and privacy notices to consumers, among other privacy and security regulations. S.B. 258, 95th Gen. Assemb., Reg. Sess. (Ark. 2025). Though this act did not pass, it could be relevant for future legislation and would have made significant changes in Arkansas data privacy laws.
Further, the State Cybersecurity Office, created by the Arkansas Cybersecurity Act of 2025, will likely establish new cybersecurity governance policies, procedures, and standards for state agencies. H.B. 1549, 95th Gen. Assemb., Reg. Sess. (Ark. 2025).