Little Rock, Minor Rights: Arkansas Leads with COPPA 2.0-Inspired Law

FILTER
April 17, 2025
Bailey Sanchez
Deputy Director for U.S. Legislation
About Bailey
Blogs by Bailey

With thanks to Daniel Hales and Keir Lamont for their contributions.

Shortly before the close of its 2025 session, the Arkansas legislature passed HB 1717, the Arkansas Children and Teens’ Online Privacy Protection Act, with unanimous votes. As the name suggests, Arkansas modeled this legislation after Senator Markey’s federal “COPPA 2.0” proposal, which passed the U.S. Senate as part of a broad child online safety package last year. Presuming enactment by Governor Sarah Huckabee Sanders, HB 1717 will take effect on July 1, 2026. The Arkansas law, or “Arkansas COPPA 2.0” establishes privacy protections for teens aged 13 to 16, introduces substantive data minimization requirements including prohibitions on targeted advertising, and provides new rights to access, delete, and correct personal information for teens. The legislature also considered an Arkansas version of the federal Kids Online Safety Act but this proposal ultimately failed, with the bill’s sponsor noting some uncertainties about its constitutionality.

What to know about Arkansas HB 1717: 

  • Expanded protections to teens: The original Children’s Online Privacy Protection Act of 1998 establishes national privacy protections for children under 13. It requires companies to give notice and obtain verifiable parental consent before data from children is collected. Arkansas COPPA 2.0 goes further by covering not only children but also teens 13 to 16. In doing so, Arkansas will join just New York in adopting specific privacy protections for children and teens in the absence of a comprehensive law protecting the data of all residents.
  • Similar scope to federal COPPA – mostly: The law applies to “operators” defined as entities who operate or provide a website, online service, online application, or mobile application that is either “directed at” children or teens or when the service has actual knowledge that it is collecting personal information from a child or teen. Notably, Arkansas COPPA 2.0 exempts (but does not define) “interactive gaming platforms” from coverage if they comply with the requirements of the COPPA statute, even though, as mentioned above, the federal law does not provide protections for teens.
  • Prohibiting targeted advertising: HB 1717 prohibits operators from collecting personal information from a child or teen for targeted advertising or allowing another person to collect, use, disclose, or maintain this information for targeted advertising to children or teens. The framework’s definition of “targeted advertising” includes common carveouts for activities such as contextual advertising and processing data to measure advertising performance, reach, and frequency. 
  • Right to correction: The federal COPPA does not create a right to challenge the accuracy of personal information and have inaccuracies corrected—a right commonly found in other privacy frameworks and a gap that Arkansas COPPA 2.0 fills. 
  • Age verification disclaimer: The law clarifies that there is no requirement to implement age gating or age verification. The federal COPPA already does not require age verification, but this clarification may be in response to an Arkansas social media age verification law from 2023 that was declared unconstitutional.
  • Vestigial terms? There are various drafting quirks in Arkansas COPPA 2.0. For example, the law defines the term “social media platform” but does not further use the term in any way. Like the federal COPPA, the law uses terms like “personal information” and “operator,” but in a few instances switches to “personal data” and “controller,” perhaps from borrowing language from more modern privacy laws like the Virginia Consumer Data Protection Act.    

The substantive data minimization trend continues

While the federal COPPA framework is largely focused on consent, former Commissioner Slaughter noted in 2022 that people “may be surprised to know that COPPA provides for perhaps the strongest, though under-enforced, data minimization rule in US privacy law.” Arkansas builds on these requirements and follows the recent shift towards substantive data minimization with a complex web of layered requirements that operators must satisfy to use both child and teen data:

  • Collecting child and teen data must be consistent with the “context” of a particular service or the “relationship” between an operator and child or teen user. The provision further goes on to say “including without limitation collection that is necessary to… provide a product or service” requested by the child, teen, or parent of a child or teen. It is unclear how the “consistent with the context” language modifies the rest of this requirement or whether it may be unnecessary.
  • Operators must also obtain verifiable parental consent to process child data.
  • Operators must obtain either verifiable parental consent or consent from a teen to process teen data, unless the processing is for one of seven permitted purposes, such as conducting internal business operations or preventing security incidents.  
  • Finally, Arkansas COPPA 2.0 limits retention of child or teen data to no longer than reasonably necessary to fulfill a transaction, provide a requested service, or as required for the safety or integrity of the service, or authorized by law. 

 In practice, the interaction between these distinct requirements may raise difficult questions of statutory interpretation.

Differences from federal COPPA 2.0

As originally introduced, Arkansas’s bill was nearly identical to last year’s federal COPPA 2.0 bill. Arkansas’ framework went through various, largely business-friendly amendments (and one bill number switch) during its legislative journey. Though HB 1717 maintains the same general framework of COPPA 2.0, it includes several important divergences:

  • No reliance on existing COPPA guidance and rule: An important reminder that COPPA 2.0 amends an existing statute, which has extensive Federal Trade Commission (FTC) guidance and a rule promulgated by the FTC that is periodically updated. An underlying difference between the two frameworks is that Arkansas COPPA 2.0 declines to reference these existing resources to provide further clarity on what certain terms mean or what compliance obligations might look like. A key example of this is that there is no definition of what is considered “directed at” a teen. The FTC has given guidance on factors for assessing “directed to children,” but it is unclear whether these would apply for assessing what is directed to a teen in Arkansas, particularly given that there is likely to be overlap between what is “teen directed” and what is “adult directed.”
  • Narrower knowledge standard: One of the most hotly debated aspects of youth privacy is the “knowledge standard”: under what circumstances will a business be required to apply heightened child protections for users and what obligations a service has to determine the age of its users. Arkansas COPPA 2.0 maintains a narrow “actual knowledge” standard concerning teens. In practice, this means companies will only be in scope of the law when they actually know they are collecting information from a teen. As passed, HB 1717 rejects COPPA 2.0’s broader “actual knowledge or knowledge fairly implied on the basis of objective circumstances” approach, which seeks to inch closer to a constructive knowledge standard. 
  • “Consent” vs. “Verifiable consent” (and when it’s needed): The federal COPPA framework requires “verifiable” parental consent, defined as affirmative express consent “reasonably designed in light of available technology to ensure that the person giving the consent is the child’s parent.”  Consent under Arkansas COPPA2.0 abandons this “verifiable” modifier but still appears to establish more prescriptive requirements for what constitutes valid consent than typical state privacy laws. Curiously, this section on obtaining consent appears only to apply when an operator has actual knowledge that it is collecting personal information from a teen, rather than also for services directed at teens. Rather than prescribe specific methods for obtaining consent, Arkansas borrows from the COPPA Rule and allows for “any reasonable effort, taking into consideration available technology.”
  • Narrower targeted advertising restriction: Arkansas’s “targeted advertising” definition is substantially similar to COPPA 2.0’s “individual-specific advertising.” However, Arkansas explicitly allows for targeted advertising to minors based solely on data collected in a first-party context, while the federal proposal would prohibit this type of advertising to minors. 

Could COPPA preempt the Arkansas law?

One question likely to emerge from Arkansas COPPA 2.0 is whether certain provisions, or the entire law, may be subject to federal preemption under the existing COPPA statute. COPPA includes an express preemption clause that prohibits state laws from imposing requirements that are inconsistent with COPPA. This is relevant in two ways as the Arkansas law will both (1) extend protections to teens and (2) introduce new substantive limitations on the use of children’s and teens’ data, such as limits on targeted advertising and strict data minimization requirements, that go beyond COPPA’s scope. 

The question of COPPA preemption was recently explored in Jones v. Google, with the FTC filing an amicus brief arguing that state laws that “supplement” or “require the same thing” as COPPA are not inconsistent. The FTC references the Congressional record from when COPPA was contemplated, arguing that “Congress viewed ‘the States as partners’. . . rather than as potential intruders on an exclusively federal arena,” and that “the state law protections at issue ‘complement–rather than obstruct–Congress’ ‘full purposes and objectives in enacting the statute.’” Something to additionally keep in mind is that the FTC has been in the process of finalizing an update to the COPPA Rule and which could introduce additional inconsistencies, or at least compliance confusion, between the new final Rule and Arkansas COPPA 2.0 when it comes to key terms like the definition of personal information or whether targeted advertising is allowed with consent. 

A trend to watch?

The passage of Arkansas COPPA 2.0 may signal an emerging trend towards a potentially more constitutionally resilient approach to protecting children and teens online. Unlike age-appropriate design codes or social media age verification mandates, which have faced significant First Amendment challenges, Arkansas COPPA 2.0 takes a more targeted approach focused on privacy and data governance, rather than access, online safety, or content. Questions of preemption and drafting quirks aside, this approach may be on firmer ground by focusing on data protection practices and building on a longstanding federal privacy framework. As states explore new ways to safeguard youth online without triggering constitutional pitfalls, privacy-focused legislation modeled on COPPA standards could become a popular path forward. 

Published: Last Updated: April 17, 2025
Tags: ,

Explore

Issues

authors

dates

Posts by Bailey

little,rock,,arkansas,,usa,at,the,state,capitol,and,park
Little Rock, Minor Rights: Arkansas Leads with COPPA 2.0-Inspired Law
READ MORE
new,york,flag,on,a,flagpole,waving,in,the,wind,
FPF Submits Comments to Inform New York Children’s Privacy Rulemaking Processes
READ MORE
Contextualizing the Kids Online Safety and Privacy Act: A Deep Dive into the Federal Kids Bill
READ MORE
View More