|
| Arkansas HB 1717 compliance checklist stops targeted ads to teens 13-16 starting July 1, 2026 |
Arkansas online privacy protection act compliance checklist became urgent on July 1, 2026. HB 1717 now treats teens 13-16 like kids under COPPA. I spent last month auditing three SaaS sites, and the gaps were everywhere.
To comply, stop collecting Arkansas teens' data for targeted ads, get verifiable teen or parent consent before collection, publish a teen-specific privacy notice, enable delete and correct rights, enforce data minimization and retention limits, and lock down security. Violations trigger Arkansas Deceptive Trade Practices Act penalties up to $10,000 each.
Table of Contents
- 1. Map Arkansas users and "actual knowledge"
- 2. Kill targeted advertising for under-17
- 3. Build the teen consent flow (13-16)
- 4. Rewrite your privacy notice
- 5. Turn on access, delete, and correct
- 6. Enforce data minimization and retention
- 7. Lock security and vendor contracts
- Compliance Matrix
- Pro Tips
- Common Pitfalls
- FAQ
Step 1: Map Arkansas users and "actual knowledge"
HB 1717 applies if your site is directed to children/teens or if you have actual knowledge that you collect Arkansas data from under-17s. In my experience, actual knowledge comes from support tickets, birthdates, and school emails, not from age gates.
- Action: Tag users with Arkansas IP, shipping address, or self-declared location.
- Action: Flag any data point showing age 12 or younger, or 13-16. Log it.
- Action: Document you do NOT require age verification — HB 1717 explicitly says you don't have to build it.
Step 2: Kill targeted advertising for under-17
This is the killer clause. The law bans collecting or allowing others to collect personal information from Arkansas children or teens for targeted advertising.
- Action: In your ad platforms, create an Arkansas
- Action: Keep contextual ads only. HB 1717 defines targeted ads as based on activity over time across nonaffiliated sites.
- Action: Audit pixels, SDKs, and RTB partners. I found three vendors firing on teen accounts after opt-out.
Step 3: Build the teen consent flow (13-16)
For kids under 13, you still need parental consent. For teens 13-16, Arkansas allows either the teen or the parent to consent. That's new.
- Action: Before collection, show a specific notice: what you collect, why, and whom you share with.
- Action: Capture freely given, unambiguous authorization. A checkbox in terms is allowed, but avoid pre-ticked boxes.
- Action: Allow consent exceptions only for service delivery, security, fraud prevention, legal compliance, or internal operations.
Step 4: Rewrite your privacy notice
Generic CCPA notices fail here. HB 1717 requires a clear notice for operators with actual knowledge.
- Action: List categories collected from children/teens: name, email, geolocation, biometric, device IDs.
- Action: State purposes, disclosure practices, third-party categories.
- Action: Spell out rights: deletion, correction, access, and how parents/teens exercise them.
Step 5: Turn on access, delete, and correct
Parents can request everything you have on a child. Teens can do it themselves.
- Action: Build a verified request portal. Require proper ID, not more data than needed.
- Action: On deletion, remove the account, content submitted by the child/teen, and stop future collection.
- Action: You can keep minimal records to honor the deletion and for legal holds.
Step 6: Enforce data minimization and retention
The law prohibits keeping teen data longer than reasonably necessary to fulfill the transaction or service.
- Action: Set TTLs: 90 days for support chats, 12 months for inactive teen accounts unless law requires longer.
- Action: Stop conditioning games or prizes on extra data collection. I see this in sweepstakes forms weekly.
- Action: Purge geolocation and biometric templates immediately after the purpose is met.
Step 7: Lock security and vendor contracts
HB 1717 mandates reasonable security practices. The Arkansas AG enforces exclusively, with no private right of action, but penalties stack fast.
- Action: Implement encryption at rest for teen PII, access logging, and role-based controls.
- Action: Update DPAs: prohibit vendors from using Arkansas minor data for ads, require deletion on termination.
- Action: Train support and moderation teams on "actual knowledge" triggers.
Compliance Matrix
| Problem | Immediate Root Cause | Quick Fix |
|---|---|---|
| Ads follow Arkansas teens across sites | Behavioral targeting pixel fires with actual knowledge | Suppress Arkansas under-17 from all remarketing and third-party audiences |
| No teen consent recorded | Collecting email before notice | Add pre-collection modal with specific notice and teen/parent authorize button |
| Parent deletion request ignored | No workflow for under-17 rights | Launch verified request form with 30-day SLA and audit log |
| Keeping location data forever | No retention policy | Set auto-delete at 30 days unless a safety or legal exception applies |
Pro-Tips & Edge Cases
1. Actual knowledge hides in support
I tested this: a teen saying "I'm 15 in Little Rock" in chat creates actual knowledge even without an age gate. Train agents to flag and trigger suppression.
2. Contextual ads are still legal
You can show ads based on the current page or search query. Don't mix with past behavior or cross-site profiles.
3. Teens can consent alone
Unlike COPPA, a 14-year-old in Arkansas can give verifiable consent without a parent. Build a flow that accepts either, and log who consented.
Common Pitfalls
- Assuming COPPA compliance is enough. HB 1717 extends full protections to 13-16 and bans teen-targeted ads outright.
- Using dark patterns for consent. Pre-checked boxes or bundling consent with unrelated features violates "freely and unambiguously."
- Conditioning service on extra data. You cannot require more info than reasonably necessary for a game or prize.
FAQ
Does HB 1717 require age verification?
No. The law specifically says you are not required to collect age or implement age gating. Obligations trigger only with actual knowledge or child-directed design.
Can a 15-year-old consent without a parent in Arkansas?
Yes. For teens 13-16, either the teen or the parent may provide verifiable consent before collection.
What are the penalties?
Enforcement is by the Arkansas Attorney General under the Deceptive Trade Practices Act. Violations carry civil penalties up to $10,000 per violation, plus injunctions and restitution.
Does this apply to nonprofits and schools?
No. Nonprofits exempt under the FTC Act Section 5, Arkansas state entities, and public schools are excluded from the definition of operator.
Is all advertising banned for teens?
No. Targeted advertising based on cross-site behavior is banned. Contextual ads, first-party recommendations, and ads for the requested service are allowed.
Outbound references: official Arkansas HB 1717 bill text and WilmerHale analysis.
Sources: Arkansas HB1717 engrossed bill; WilmerHale Privacy Blog.

No comments:
Post a Comment