The Arkansas Personal Data Protection Act was signed into law in 2023. Businesses must comply by July 1, 2025.
Arkansas Privacy & Accessibility Laws
Arkansas enacted the Arkansas Personal Data Protection Act (APDPA) in 2023, becoming one of the states with comprehensive consumer privacy legislation. The law takes effect July 1, 2025. Arkansas state agencies must also ensure their digital services are accessible to individuals with disabilities.
→
Privacy Law Status
APDPA Enacted
→
Accessibility Requirements
State Government Websites
Arkansas state agencies must ensure their websites and digital services are accessible under ADA Title II and state IT policies.
Arkansas Personal Data Protection Act (APDPA)
The APDPA establishes comprehensive privacy rights for Arkansas consumers and obligations for businesses that collect personal data.
Key Dates
- Enacted: April 11, 2023
- Effective Date: July 1, 2025
- Cure Period: 60 days (until January 1, 2027, then at AG discretion)
Who Must Comply?
The APDPA applies to entities that conduct business in Arkansas or target Arkansas residents AND:
| Threshold | Requirement |
|---|---|
| Data Volume | Control or process personal data of 25,000+ Arkansas consumers |
| Revenue + Data | Derive 50%+ of gross revenue from selling personal data AND process data of 10,000+ consumers |
Consumer Rights Under APDPA
| Right | Description |
|---|---|
| Right to Know | Confirm whether a controller is processing personal data and access that data |
| Right to Correct | Correct inaccurate personal data |
| Right to Delete | Delete personal data provided by or obtained about the consumer |
| Right to Portability | Obtain a copy of personal data in a portable format |
| Right to Opt-Out | Opt out of targeted advertising, sale of personal data, and profiling |
Sensitive Data Categories
The APDPA requires opt-in consent for processing sensitive data, including:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
- Genetic or biometric data (for identification)
- Personal data of known children
- Precise geolocation data
Accessibility Requirements
Arkansas government agencies must ensure digital accessibility for all residents:
State Government Obligations
- Arkansas state agencies must comply with ADA Title II for all public-facing digital content
- Department of Information Systems (DIS) provides accessibility guidelines
- State websites should follow WCAG 2.1 Level AA guidelines
- Educational institutions must ensure accessible digital learning materials
- State IT procurement requires vendor accessibility certification
Private Sector Considerations
- Businesses with physical locations in Arkansas are subject to ADA Title III
- Website accessibility claims can be brought under federal ADA
- Healthcare providers must ensure accessible patient portals
- Financial institutions must provide accessible online services
Enforcement
→
Privacy Enforcement
- Arkansas Attorney General - Exclusive enforcement authority for APDPA
- 60-day cure period - Until January 1, 2027
- No private right of action - Only AG can enforce
Contact:
Office of the Attorney General
323 Center Street, Suite 200
Little Rock, AR 72201
(501) 682-2007
→
Accessibility Enforcement
- U.S. Department of Justice - ADA Title II and III enforcement
- Office for Civil Rights (HHS) - Healthcare accessibility
- Private litigation - Individuals can bring ADA claims
Contact:
Disability Rights Arkansas
1100 N. University Ave., Suite 201
Little Rock, AR 72207
(501) 296-1775
APDPA Penalties
| Violation Type | Maximum Penalty |
|---|---|
| Per violation (after cure period expires) | $10,000 per violation |
| Deceptive trade practice | Subject to Arkansas Deceptive Trade Practices Act penalties |
| Injunctive relief | Court may order business practices to cease |
Business Obligations
| Obligation | Description |
|---|---|
| Privacy Notice | Provide clear privacy notice including data categories, purposes, and consumer rights |
| Data Minimization | Limit collection to what is reasonably necessary for disclosed purposes |
| Purpose Limitation | Use data only for purposes disclosed to consumers |
| Security | Implement reasonable security practices appropriate to data sensitivity |
| Consent for Sensitive Data | Obtain opt-in consent before processing sensitive personal data |
| Consumer Request Response | Respond to consumer requests within 45 days (can extend 45 more days) |
| Data Processing Agreements | Establish contracts with processors that handle personal data |
Consumer Rights
Arkansas residents have comprehensive privacy rights under the APDPA:
- Right to Access: Confirm processing and access personal data
- Right to Correct: Correct inaccurate personal data
- Right to Delete: Request deletion of personal data
- Right to Portability: Receive data in portable format
- Right to Opt-Out: Opt out of targeted advertising, sales, and profiling
- Right to Non-Discrimination: Cannot be penalized for exercising rights
- Right to Appeal: Appeal controller's decision on consumer requests
Important Exemptions
The APDPA exempts certain entities and data types including HIPAA-covered entities, financial institutions subject to GLBA, nonprofits, higher education institutions, and data regulated by FERPA, HIPAA, or GLBA.
Related Resources
- US Privacy Laws Overview
- State Privacy Law Comparison
- ADA Title II Requirements
- All State Laws
- Privacy Compliance Guide
- Report a Violation
Need Help with Arkansas Compliance?
The APDPA takes effect July 1, 2025. Businesses should begin preparing now to meet compliance requirements. Contact our experts for guidance on privacy policies, consumer request processes, and data security measures.