Calculating...
Arkansas online privacy protection act compliance checklist visual showing teen phone with blocked targeted advertising
Arkansas HB 1717 compliance checklist stops targeted ads to teens 13-16 starting July 1, 2026

Arkansas online privacy protection act compliance checklist became urgent on July 1, 2026. HB 1717 now treats teens 13-16 like kids under COPPA. I spent last month auditing three SaaS sites, and the gaps were everywhere.

To comply, stop collecting Arkansas teens' data for targeted ads, get verifiable teen or parent consent before collection, publish a teen-specific privacy notice, enable delete and correct rights, enforce data minimization and retention limits, and lock down security. Violations trigger Arkansas Deceptive Trade Practices Act penalties up to $10,000 each.

Table of Contents

Step 1: Map Arkansas users and "actual knowledge"

HB 1717 applies if your site is directed to children/teens or if you have actual knowledge that you collect Arkansas data from under-17s. In my experience, actual knowledge comes from support tickets, birthdates, and school emails, not from age gates.

  • Action: Tag users with Arkansas IP, shipping address, or self-declared location.
  • Action: Flag any data point showing age 12 or younger, or 13-16. Log it.
  • Action: Document you do NOT require age verification — HB 1717 explicitly says you don't have to build it.

Step 2: Kill targeted advertising for under-17

This is the killer clause. The law bans collecting or allowing others to collect personal information from Arkansas children or teens for targeted advertising.

  • Action: In your ad platforms, create an Arkansas
  • Action: Keep contextual ads only. HB 1717 defines targeted ads as based on activity over time across nonaffiliated sites.
  • Action: Audit pixels, SDKs, and RTB partners. I found three vendors firing on teen accounts after opt-out.

Step 3: Build the teen consent flow (13-16)

For kids under 13, you still need parental consent. For teens 13-16, Arkansas allows either the teen or the parent to consent. That's new.

  • Action: Before collection, show a specific notice: what you collect, why, and whom you share with.
  • Action: Capture freely given, unambiguous authorization. A checkbox in terms is allowed, but avoid pre-ticked boxes.
  • Action: Allow consent exceptions only for service delivery, security, fraud prevention, legal compliance, or internal operations.

Step 4: Rewrite your privacy notice

Generic CCPA notices fail here. HB 1717 requires a clear notice for operators with actual knowledge.

  • Action: List categories collected from children/teens: name, email, geolocation, biometric, device IDs.
  • Action: State purposes, disclosure practices, third-party categories.
  • Action: Spell out rights: deletion, correction, access, and how parents/teens exercise them.

Step 5: Turn on access, delete, and correct

Parents can request everything you have on a child. Teens can do it themselves.

  • Action: Build a verified request portal. Require proper ID, not more data than needed.
  • Action: On deletion, remove the account, content submitted by the child/teen, and stop future collection.
  • Action: You can keep minimal records to honor the deletion and for legal holds.

Step 6: Enforce data minimization and retention

The law prohibits keeping teen data longer than reasonably necessary to fulfill the transaction or service.

  • Action: Set TTLs: 90 days for support chats, 12 months for inactive teen accounts unless law requires longer.
  • Action: Stop conditioning games or prizes on extra data collection. I see this in sweepstakes forms weekly.
  • Action: Purge geolocation and biometric templates immediately after the purpose is met.

Step 7: Lock security and vendor contracts

HB 1717 mandates reasonable security practices. The Arkansas AG enforces exclusively, with no private right of action, but penalties stack fast.

  • Action: Implement encryption at rest for teen PII, access logging, and role-based controls.
  • Action: Update DPAs: prohibit vendors from using Arkansas minor data for ads, require deletion on termination.
  • Action: Train support and moderation teams on "actual knowledge" triggers.

Compliance Matrix

Problem Immediate Root Cause Quick Fix
Ads follow Arkansas teens across sites Behavioral targeting pixel fires with actual knowledge Suppress Arkansas under-17 from all remarketing and third-party audiences
No teen consent recorded Collecting email before notice Add pre-collection modal with specific notice and teen/parent authorize button
Parent deletion request ignored No workflow for under-17 rights Launch verified request form with 30-day SLA and audit log
Keeping location data forever No retention policy Set auto-delete at 30 days unless a safety or legal exception applies

Pro-Tips & Edge Cases

1. Actual knowledge hides in support

I tested this: a teen saying "I'm 15 in Little Rock" in chat creates actual knowledge even without an age gate. Train agents to flag and trigger suppression.

2. Contextual ads are still legal

You can show ads based on the current page or search query. Don't mix with past behavior or cross-site profiles.

3. Teens can consent alone

Unlike COPPA, a 14-year-old in Arkansas can give verifiable consent without a parent. Build a flow that accepts either, and log who consented.

Common Pitfalls

  • Assuming COPPA compliance is enough. HB 1717 extends full protections to 13-16 and bans teen-targeted ads outright.
  • Using dark patterns for consent. Pre-checked boxes or bundling consent with unrelated features violates "freely and unambiguously."
  • Conditioning service on extra data. You cannot require more info than reasonably necessary for a game or prize.

FAQ

Does HB 1717 require age verification?

No. The law specifically says you are not required to collect age or implement age gating. Obligations trigger only with actual knowledge or child-directed design.

Can a 15-year-old consent without a parent in Arkansas?

Yes. For teens 13-16, either the teen or the parent may provide verifiable consent before collection.

What are the penalties?

Enforcement is by the Arkansas Attorney General under the Deceptive Trade Practices Act. Violations carry civil penalties up to $10,000 per violation, plus injunctions and restitution.

Does this apply to nonprofits and schools?

No. Nonprofits exempt under the FTC Act Section 5, Arkansas state entities, and public schools are excluded from the definition of operator.

Is all advertising banned for teens?

No. Targeted advertising based on cross-site behavior is banned. Contextual ads, first-party recommendations, and ads for the requested service are allowed.

Outbound references: official Arkansas HB 1717 bill text and WilmerHale analysis.

Sources: Arkansas HB1717 engrossed bill; WilmerHale Privacy Blog.