• by Wendy Davis  @wendyndavis, April 21, 2025

Lawmakers in Arkansas have approved a privacy bill that would prohibit websites and apps from knowingly collecting personal data from users under 17 in order to serve them with behaviorally targeted ads.

HB 1717, passed last week, would also prohibit websites and apps from knowingly collecting personal data -- including names, biometric data, geolocation information and device identifiers -- from teens under 17 without their consent (or their parents' consent), and from children under 13 without parental consent.

Unless vetoed by Governor Sarah Huckabee Sanders, the measure will take effect on July 1, 2026.

The bill's restrictions on targeted advertising, as well as data collection, would apply when websites and apps are “directed at” children or teens under 17, or when the websites and apps have actual knowledge of a user's age. (The bill exempts interactive gaming platforms from the restrictions.)

The measure defines targeted advertising as ads based on data collected over time and across nonaffiliated sites and apps. The definition excludes contextual ads, as well as ads based on current search queries.

Other provisions of the bill require websites and apps to collect only data that's needed to provide a product or service requested by teens and children, and to shed data when it's no longer needed.

The measure's restrictions on collecting data from children under 13 appear to go further than the federal Children's Online Privacy Protection Act (COPPA), which prohibits websites and apps from knowingly collecting personal information from children 12 and under, without parental consent. Unlike the Arkansas measure, COPPA allows companies to serve targeted ads to children under 13, providing the companies obtain parental consent.

The advocacy group Electronic Privacy Information Center supports the Arkansas law.

“Unlike bills that regulate harmful design or limit access to social media or other content, HB 1717 focuses solely on privacy protections through a mixture of consent and data minimization requirements, including use and purpose limitations,” the group writes.

But Santa Clara University law professor Eric Goldman says the bill is problematic for several reasons, including that it can be difficult to determine whether a site is directed to younger teens, as opposed to older teens and adults.

He notes that COPPA, which took effect in 2000, only covers children 12 and under. That age cut-off was driven by the idea that “there's a set of prepubescent needs that are different from teenager needs,” Goldman says.

“It's a lot harder to segregate a 16-year-old from a 17-year-old,” he adds.

The bill itself doesn't set out standards for determining when sites or apps are “directed” toward teens under 17.

The think tank Future of Privacy Forum notes that there are questions about whether the Arkansas law is valid, given that COPPA overrides inconsistent state laws.

“The Arkansas law will both (1) extend protections to teens and (2) introduce new substantive limitations on the use of children’s and teens’ data, such as limits on targeted advertising and strict data minimization requirements, that go beyond COPPA’s scope,” the group writes.