Arkansas has no consumer privacy law. However, under the leadership of Attorney General Tim Griffin, the state is beginning to position itself as a staunch defender of individual privacy rights.
With a focus on cybersecurity, robocalls, and children's privacy, as well as broader consumer privacy issues, Griffin's approach follows the U.S. Federal Trade Commission's in protecting consumer privacy absent a federal consumer privacy law — the Arkansas Deceptive Trade Practices Act. He has also held summits and issued warnings and demand letters.
Griffin has been exceptionally busy in 2024 protecting Arkansans' right to privacy and that push may indicate the time is right for the Arkansas General Assembly to follow his leadership and pass a comprehensive data privacy law.
In February, Griffin filed an amicus brief on behalf of 23 other state attorneys general opposing a database created by the U.S. Security and Exchange Commission containing vast quantities of personal information.
In March, he wrote to Meta on behalf of himself and 26 state attorneys general demanding the company improve Instagram's protection of children. Later that month, he began investigating Change Healthcare after a ransomware attack and issued consumer alerts about how consumers could best protect themselves. A week later, he sued a robocaller for the second time, along with another seven attorneys general, seeking a USD122 million fine.
In May, Griffin announced his previous suit against TikTok and parent company Bytedance would continue after defeating efforts to dismiss that suit. He filed a similar suit against Meta in 2023, which the courts allowed to proceed in June. Later the same month, he sued Temu based on its use of Arkansans' personal information. In July, a court denied the defendant's motion to dismiss a separate suit Griffin filed against TikTok and Bytedance.
In September, he joined 41 other attorneys general in calling for Congress to require the surgeon general to place warnings on social media platforms. Later that month, he sued Google, YouTube, and parent company Alphabet.
In October, Griffin lead a cybersecurity summit featuring Cybersecurity and Infrastructure Agency Director Jen Easterly. On 9 Oct., he settled with Marriott International in a suit related to a data breach. Two weeks later, he announced the Anti-Robocall Multistate Litigation Task Force, of which he is a member, issued a warning to a Florida-based robocall company.
For a state as small as Arkansas to have that much privacy, cybersecurity and related litigation is remarkable. As an Arkansan, I appreciate Griffin's commitment to protect citizens' privacy.
However, for a state whose motto is "regnat populus" — "the people rule" — this focus on privacy begs the question of whether it is time to give Arkansans the ability to rule their personal information by recognizing their data privacy rights.
Common provisions within data privacy laws of other states can give some insight into whether Arkansas is ready to pass its own data privacy legislation.
Children's data
It is clear Griffin is concerned with the effect social media and other internet use has on children. Arkansas has taken legislative steps to protect children, including requiring age verification on adult sites and parental consent for social media use — though some of those laws have encountered constitutional hurdles.
However, the opt-in requirements found in every state privacy law passed thus far have not faced serious constitutional challenges. While age-appropriate design code laws have faced constitutional challenges, some legislation protecting children through parental consent and other safeguards have withstood or not faced them at all.
There are many things the Arkansas General Assembly could do to protect children, and a broad data privacy law is a good place to start. It would not be at all surprising to see Arkansas take further steps to protect children's privacy online in 2025.
Consumer rights
The recognition and enforcement of consumers' rights to their personal information is almost ubiquitously foundational to data privacy laws all over the world. In reviewing Griffin's privacy actions this year, it is clear he is concerned with how companies use and protect Arkansans' personal information.
When governments recognize and enforce a consumer's right to access, correct, delete and opt-out of the use of their personal information, they give citizens the best tools to protect themselves in cyberspace. A citizen's personal information that a company deletes at the citizen's request cannot be stolen and sold on the dark web to the highest bidder. It cannot be used for social engineering attacks that compromise financial accounts or otherwise steal a person's identity.
Requiring companies to comply with a consumer's requests protects the individual and the company, as companies no longer have to protect that data and build trust with their customers.
Giving parents the right to exercise these rights on behalf of the children is also a great way to further the state's focus on protecting children.
Arkansas' concern with how companies are using citizens' personal information seems aligned with the concerns broader consumer data privacy laws are written to address.
Data minimization requirements
Data minimization — requiring businesses to collect only the necessary data as stated in their privacy notice and keep it only as long as necessary to fulfill that purpose — is another great way to solve some of the problems Griffin seems concerned with.
For example, the lawsuits against Temu and TikTok demonstrate his concerns with cross-border data transfers to nations where privacy protections may be lacking. Assuming these concerns are warranted, forcing companies to minimize the data they collect, keep and process addresses some of them. In fact, consumer rights and provisions designed to protect children could do the same thing.
While absent from state privacy laws thus far, Griffin's willingness to wade into the foray of international data use suggests Arkansas could be comfortable testing the limits of the First Amendment and Dormant Commerce Clause of the U.S. Constitution by imposing EU General Data Protection Regulation-style limits on international data transfers.
Risk assessments
Arkansas' actions so far in 2024 also suggest the state could be well-positioned to require documentation like privacy impact assessments, data protection assessments, transfer impact assessments, and the like.
These are common across other state privacy laws and give the enforcing agency — often the state attorney general — the right to demand access to the assessments during investigations. These assessments would be beneficial in almost all Griffin's actions this year.
Additionally, assessments are a great way to prevent companies from developing intentional or unintentional blind spots in their use of personal information. Considering what Griffin could do with such risk assessments in his current cases, Arkansas seems poised to pass a law requiring them.
Purpose limitations
Most state privacy laws contain provisions regarding purpose limitations. Of all the common themes among data privacy laws, this one seems least likely to pass if only because it is least necessary. Using personal information for purposes other than those stated is an action that usually fits well under the UDTPA umbrella.
Nevertheless, this commonality among data privacy laws still seems a better fit to achieve Griffin's objectives than UDTPA laws. If nothing else, such limitations on the use of personal information would just be another tool the attorney general could use to achieve the state's objectives in protecting Arkansans' privacy.
Either way, considering the number of other states with similar provisions, it seems likely Arkansas would pass purpose limitations if it considered a broad consumer privacy law.
Conclusion
Some might say Arkansas has put the cart before the horse — enforcing privacy laws using trade practice acts that weren't written with the exponential increase in the use and risk associated with personal information in mind. However, the infrastructure for enforcing a data privacy law appears to already be in place. Arkansas seems well-positioned to hit the ground running with a state law if the General Assembly passes one.
Lawmakers have not considered broad privacy legislation before and other states have taken two or three sessions, or more, to get one passed. As Andrew Kingman and Willy Martinez recently noted in an op-ed for the IAPP, data privacy is a bipartisan issue. Arkansas has many like-minded states to which it could look for guidance to pass a law in one session.
Given the state's focus on protecting Arkansans' privacy, there seems a better chance than not that it becomes one of the next states to pass comprehensive data privacy legislation.
Joshua Bryant, AIGP, CIPP/C, CIPP/E, CIPP/US, CIPM, CIPT is the senior manager of privacy operations at DaVita Kidney Care.
