Arkansas Legislative Update: New Technology, Privacy and Cybersecurity Laws
April 23, 2025
By: Lizzi Esparza
Category: Information Privacy, Security and Data Rights, Legislative Updates
The Regular Session of the 95th General Assembly is set to adjourn sine die on Monday, May 5, 2025. During this session, the Arkansas legislature passed several bills relating to technology, privacy and cybersecurity which will impact many different industries. Regulating the use of artificial intelligence and protecting children’s privacy appeared to be a particular legislative priority. The following list contains a high-level overview of the relevant acts passed during this session and recently signed by Governor Sarah Huckabee Sanders.
- Act 263 (HB1184) amends the Fair Mortgage Lending Act and prohibits using a mortgage trigger lead in a misleading or deceptive manner, including in a way violative of consumer privacy or the federal Fair Credit Reporting Act. Act 263 lists specific violative conduct. Full text here.
- Act 452 (HB1509) creates the Second Amendment Financial Privacy Act and prohibits a covered entity (including banks) from assigning a firearms retailer a merchant category code that distinguishes a firearms retailer from other retailers. Act 452 also prohibits keeping a list, record or registry of a privately owned firearm or owners of the same. Full text here.
- Act 827 (HB1529) creates the criminal offense of creating or distributing “deepfake visual material” that depicts an identifiable person in a state of nudity or engaging in sexual conduct. Full text here.
- Act 489 (HB1549), titled the Arkansas Cybersecurity Act of 2025, establishes the State Cybersecurity Office and tasks it with directing and managing cybersecurity and information security functions for state agencies, “maximiz[ing] state cybersecurity resources”, establishing governance policies to protect state IT systems, and reporting certain audit findings. Full text here.
- Act 952 (HB1717) creates the Arkansas Children and Teens’ Online Privacy Protection Act. Modeled after the related federal Children’s Online Privacy Protection Act (COPPA), Act 952 makes it unlawful for an operator of a website, online service, online or mobile application “directed at children or teens” to collect personal information from a child or teen without providing a clear and conspicuous privacy notice and obtaining consent for the collection, use, or disclosure of that information from the parent of the child or teen. This law will enter into force on July 1, 2026. Full text here.
- Act 908 (HB1866) creates “Eli’s Law,” and will require each public school to install an audio recording device in each locker room and dressing room on a public school campus. Full text here.
- Act 927 (HB1876) codifies ownership rights of content generated by artificial intelligence (“AI”), establishing that the person providing the input to the AI tool is the owner of the content, so long as the content does not infringe on existing copyrights or other intellectual property rights. Full text here.
- Act 848 (HB1958) amends Ark. Code Ann. § 25-1-128 and requires all public entities to create an “artificial intelligence and automated decision tool policy” that defines the authorized use of AI for the entity and requires a human employee to make final decisions regardless of the AI recommendation. Full text here.
- Act 900 (SB611) amends the Social Media Safety Act to, among other things, expand the scope of covered “social media platforms,” prohibit engaging in practices to evoke addiction or compulsive behaviors in an Arkansas user under the age of 16, prohibit sending notifications to an Arkansas user under the age of 16 during certain times, and develop an online dashboard allowing a parent to view and understand his or her child’s habits on the covered social media platform. Full text here.
- Act 901 (SB612) prohibits a social media platform from using a design, algorithm, or feature that the platform knows (or should have known through the exercise of reasonable care) causes a user to purchase a controlled substance, develop an eating disorder, commit or attempt to commit suicide, or develop or sustain an addiction to the social media platform. Violations are enforceable by the Attorney General and punishable by civil penalty up to $10,000 per violation plus attorneys’ fees and costs. Full text here.
One noteworthy bill that did not make it out of the Arkansas Senate was SB258, the bill to create the Arkansas Digital Responsibility, Safety, and Trust Act. SB258 would have been Arkansas’s own comprehensive consumer privacy law. The bill generally tracked a similar Texas law, but incorporated certain principles from the European Union’s stricter General Data Protection Regulation. If passed, SB258 would have imposed on businesses certain obligations with respect to processing Arkansans’ personal information. However, despite a committee recommendation to pass as amended, the Senate ultimately voted against SB258. Full text here.
Lizzi Esparza focuses her practice on information privacy, security and data rights law. She is a Certified Information Privacy Professional/United States (CIPP/US) and a Certified Information Privacy Professional/Europe (CIPP/E). For more information about the new technology, privacy and cybersecurity laws, contact our Information Privacy, Security and Data Rights team.
The Between the Lines blog is made available by Mitchell, Williams, Selig, Gates & Woodyard, P.L.L.C. and the law firm publisher. The blog site is for educational purposes only, as well as to give general information and a general understanding of the law. This blog is not intended to provide specific legal advice. Use of this blog site does not create an attorney client relationship between you and Mitchell Williams or the blog site publisher. The Between the Lines blog site should not be used as a substitute for legal advice from a licensed professional attorney in your state.