Key Takeaways
- The Arkansas Digital Responsibility, Safety, and Trust Act ("ADRSTA," Senate Bill 258) never became law. It failed its third reading twice in the Arkansas Senate and died on the Senate calendar at Sine Die adjournment on May 5, 2025. Several sources, including at least one AI-generated search summary pulled during this article's research, still describe it as enacted or "effective July 1, 2026." It is not.
- The law that actually governs Arkansas consumer privacy is the Arkansas Personal Data Protection Act (APDPA), signed April 11, 2023, and in effect since July 1, 2025.
- The APDPA's 60-day cure period, the window in which the Arkansas Attorney General must warn a business and let it fix a violation before penalizing it, expires January 1, 2027. After that date, the Attorney General can enforce without offering that warning first.
- Do not confuse the APDPA with ACTOPPA (Act 952, HB 1717), Arkansas's separate teen-privacy law, which takes effect July 1, 2026, and governs minors' data, not the general consumer rights covered here.
If your compliance calendar has "Arkansas ADRSTA" on it, delete it and add "APDPA cure period expires January 1, 2027" instead. That single correction changes what your team needs to build, and by when.
Here is the scenario this article exists to prevent: a privacy team reads a secondary source (or an AI Overview) that describes the "Arkansas Digital Responsibility, Safety, and Trust Act" as a real, binding law with obligations phasing in through 2026. They build a project plan around a law that does not exist, while the law that does exist, and that already has 18 months of enforcement history, sits unaddressed. The bill never left the Arkansas Senate. The real law has been live since the summer of 2025, and its safety net for first-time violators is about to disappear.
Correcting the record: ADRSTA never passed
Senate Bill 258, which would have created the Arkansas Digital Responsibility, Safety, and Trust Act, was introduced in the 2025 regular session of the Arkansas General Assembly. It would have combined a comprehensive consumer privacy framework with rules for high-risk artificial intelligence systems, an ambitious pairing that drew comparisons to Colorado's AI law.
It did not survive the legislative process. According to the Arkansas State Legislature's own bill-tracking record, SB258 was read a third time and failed on the Senate floor on April 8, 2025, then failed a second time on April 10, 2025, on a vote of 17 yeas to 11 nays, short of the majority required for passage. The bill never came up again. Arkansas's official record lists its final status as "died on Senate Calendar at Sine Die adjournment" on May 5, 2025, the day the legislature closed its 2025 regular session. LegiScan's independent tracking of the same bill confirms the identical outcome and date.
ADRSTA is not a real, currently effective law. It has no compliance deadline, because it has no statute. Any source describing SB258 as "effective July 1, 2026" or already governing Arkansas businesses is describing a bill that failed, not a law in force. That distinction matters practically: teams that build controls around a nonexistent AI-regulation regime may be spending scarce compliance budget on a law with no enforcement mechanism, while missing the deadline that actually carries legal risk.
The law that is actually in effect: the APDPA
The Arkansas Personal Data Protection Act is the state's real comprehensive consumer privacy law. Governor Sarah Huckabee Sanders signed it on April 11, 2023, and it took effect on July 1, 2025, joining the wave of state privacy laws modeled loosely on Virginia's Consumer Data Protection Act.
One more naming trap worth flagging: Arkansas also has an older, unrelated statute called the Personal Information Protection Act (Ark. Code § 4-110-101), on the books since 2005 and last amended in 2019. That law covers data security safeguards and breach notification only. It does not grant access, correction, deletion, or opt-out rights, and it is not the law this article is about. If a source you are reading discusses breach-notification timelines without mentioning consumer rights, it is likely describing that older statute, not the APDPA.
Who has to comply
The APDPA applies to a business if either of two thresholds is met during a calendar year:
- It processes the personal data of 25,000 or more Arkansas residents, or
- It derives 50% or more of its gross revenue from selling personal data and processes the data of 10,000 or more Arkansas residents.
That 25,000-consumer threshold is notably lower than several peer states. Virginia's law, for comparison, sets its baseline at 100,000 consumers, which means mid-sized companies that would clear Virginia's bar with room to spare can still fall inside Arkansas's.
The APDPA also carves out entities and data already regulated elsewhere: HIPAA-covered entities and their business associates, financial institutions and affiliates covered by the Gramm-Leach-Bliley Act, higher education institutions, state agencies, and nonprofit organizations (though nonprofits lose that exemption once annual receipts exceed $15 million in any of the preceding five years). Data already governed by FERPA, HIPAA, or the GLBA is excluded even when the entity handling it isn't otherwise exempt. Don't assume an exemption applies without checking it against your specific data flows. A hospital system's clinical data may be HIPAA-exempt while its marketing analytics data, running through a separate vendor, is not.
What consumers can demand
The APDPA gives Arkansas residents five rights over their personal data, all enforceable only through the Attorney General, not through a private lawsuit:
- Right to know (access): confirm whether a business processes your data and get a copy of it.
- Right to correct: fix inaccurate personal data a business holds about you.
- Right to delete: have your personal data removed.
- Right to data portability: receive your data in a usable, transferable format.
- Right to opt out of targeted advertising, the sale of personal data, and certain automated profiling that produces legal or similarly significant effects.
Processing sensitive data, which the law defines to include racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship or immigration status, and genetic or biometric data used for identification, requires opt-in consent, not just a disclosed opt-out.
How enforcement works, and why the cure period matters now
The Arkansas Attorney General holds exclusive enforcement authority. There is no private right of action, so consumers cannot sue directly; every case runs through the AG's office. A confirmed violation can carry a civil penalty of up to $10,000, on top of potential injunctive relief.
The detail that makes this a live compliance deadline, not background reading, is the cure period. Under the APDPA, a business that receives a formal notice of violation from the Attorney General currently has 60 days to fix the problem before the state can seek penalties. That cure period is written into the statute as available only until January 1, 2027. After that date, the Attorney General has discretion over whether to offer a cure opportunity at all, rather than an obligation to do so.
In practice, that means any compliance gap your team discovers during the second half of 2026 is racing a shrinking runway. A gap identified in late November 2026, for example, leaves barely a month before the automatic safety net disappears, and even less time if the Attorney General's office takes weeks to identify and notice the violation in the first place. Waiting until 2027 to find out whether your consent flows, opt-out mechanism, or sensitive-data handling actually comply is a materially different risk than finding out now, while a cure window still exists as a matter of right rather than discretion.
APDPA vs. ACTOPPA: two different Arkansas laws, two different dates
A second, unrelated source of confusion is Arkansas's teen-privacy law. The Arkansas Children and Teens' Online Privacy Protection Act (ACTOPPA, enacted as Act 952 via House Bill 1717) is real, was signed in 2025, and takes effect July 1, 2026, a full year after the APDPA. It is often covered in the same roundup articles as the APDPA and, less forgivably, sometimes conflated with the failed ADRSTA bill because the acronyms and timelines are easy to blur.
ACTOPPA is narrower and different in kind. It applies to for-profit operators of websites, apps, and online services that are directed at children under 13 or teens aged 13 to 16, or that have actual knowledge they are collecting personal data from users in those age groups. It requires parental consent to collect a child's personal data, allows either the teen or a parent to consent for 13-to-16-year-olds, bans targeted advertising based on a minor's data, and (like the APDPA) is enforced exclusively by the Arkansas Attorney General with no private right of action.
If your business serves general consumers, the APDPA's cure-period deadline is the one to plan around. If your product is directed at or knowingly collects data from children or teens, ACTOPPA's July 1, 2026 effective date is a separate, additional obligation, not a substitute for APDPA compliance.
The table below is the fastest way to see why these three names keep getting tangled together, and why only two of them require anything from you.
| ADRSTA (SB258) | APDPA | ACTOPPA (Act 952 / HB 1717) | |
|---|---|---|---|
| Status | Failed. Died at Sine Die adjournment May 5, 2025 | In effect | In effect starting July 1, 2026 |
| Covers | Would have covered general consumer privacy + high-risk AI | General consumer privacy | Children's and teens' data only |
| Effective date | None. Never became law | July 1, 2025 | July 1, 2026 |
| Enforcement | None | Arkansas AG only, no private right of action | Arkansas AG only, no private right of action |
| Action required from your business | None | Compliance gap analysis before January 1, 2027 | Compliance review if you serve minors, before July 1, 2026 |
The broader July 2026 patchwork
ACTOPPA's effective date is not a coincidence of timing; it lands on the same day two other states update their own privacy laws. Connecticut's SB 1295 amends the Connecticut Data Privacy Act effective July 1, 2026, lowering its applicability threshold from 100,000 to 35,000 consumers, removing the processing-volume threshold entirely for businesses that handle sensitive data or sell personal data, expanding the definition of sensitive data to include neural data and government-issued identifiers, and adding a new requirement to disclose whether personal data is used to train large language models. Utah's HB 418 takes effect the same day, adding a right to correct inaccurate data (closing a gap in Utah's original law) and new data portability and interoperability obligations for social media platforms.
None of these three July 2026 changes are the APDPA. But a compliance team that already has "July 1, 2026" flagged for Connecticut, Utah, and ACTOPPA can easily assume Arkansas's general consumer privacy obligations start the same day. They do not. The APDPA has been enforceable since July 2025, and its cure-period cliff arrives six months before the next round of state law changes takes effect.
Compliance checklist: closing the gap before the cure period ends
If your organization already complies with California's CCPA/CPRA opt-out requirements or Colorado's CPA, most of the underlying infrastructure, a data inventory, a DSAR process, an opt-out mechanism, transfers cleanly to Arkansas. This is a gap-analysis exercise, not a build-from-scratch project. Work through these before the cure period narrows further:
- Confirm applicability, including exemptions. Run the 25,000-consumer and revenue-based thresholds against actual Arkansas traffic and customer data, not an assumption carried over from a larger state's threshold, and check whether any of your data already falls under the HIPAA, GLBA, or FERPA carve-outs before assuming full scope.
- Audit your opt-out mechanism for Arkansas-specific coverage. Verify it correctly captures targeted advertising, data sales, and the specific automated-profiling category the APDPA covers, not just the categories your CCPA build already handles.
- Check sensitive-data consent flows for opt-in, not opt-out. A CCPA-style disclosed-opt-out pattern for health, biometric, or immigration-status data will not satisfy the APDPA's opt-in requirement.
- Test your access, correction, deletion, and portability workflows against Arkansas residency, confirming your DSAR intake process actually identifies and routes Arkansas requesters correctly rather than defaulting to a generic US flow.
- Separate your ACTOPPA obligations from your APDPA obligations if you knowingly serve minors; they have different consent rules, different effective dates, and are not satisfied by the same controls.
- Document your cure-period response plan now, while the 60-day window is still guaranteed. Knowing in advance who owns a violation notice, and how quickly your organization can actually remediate a gap, is worth far more before January 1, 2027, than after.
A practical way to work through this list without building a parallel spreadsheet for every state is to run it through a data map that already tracks jurisdiction-specific thresholds and legal bases. Secure Privacy's Data Map & ROPA module keeps a live record of processing activities, purposes, and applicable regulations in one place, so an Arkansas-specific threshold check does not mean starting a separate audit.
Where a privacy governance platform closes the gap faster
Correcting a factual record is only useful if it changes what you do next. Two parts of this problem are genuinely operational rather than just legal-reading exercises: knowing whether your existing DSAR and consent workflows actually satisfy a 25,000-consumer, opt-in-for-sensitive-data regime, and not missing the moment the cure period disappears.
Secure Privacy's Privacy & AI Governance Platform maps processing activities and applicable regulations, including state laws like the APDPA, inside the same Data Map & ROPA module compliance teams already use for GDPR or CCPA records, so an Arkansas-specific gap check does not require standing up separate tooling. Its DSAR Handling module manages access, correction, deletion, and portability requests through a single lifecycle with regulation-specific deadline tracking, which matters when a business already runs CCPA's 45-day response clock and needs the same discipline applied to Arkansas requests without missing either one. And because the platform's own materials cite avoiding $10,000-plus in potential fines annually as a realistic outcome of timely, accurate risk reviews and DSAR responses, tightening that workflow before January 1, 2027 is directly aimed at the exact per-violation penalty the APDPA imposes.
If your team is still deciding whether an Arkansas-specific review is worth prioritizing this year, that $10,000-per-violation number, multiplied by however many Arkansas residents' requests your business mishandles after the cure period ends, is the number to run past whoever owns the budget.
FAQ
Is the Arkansas Digital Responsibility, Safety, and Trust Act (ADRSTA) a real law?
No. ADRSTA was proposed as Senate Bill 258 in the Arkansas Senate's 2025 session, failed its third reading twice, and died on the Senate calendar at Sine Die adjournment on May 5, 2025. It never became law and has no effective date, despite some sources describing it as enacted.
What is the Arkansas Personal Data Protection Act (APDPA)?
The APDPA is Arkansas's actual comprehensive consumer privacy law. Signed April 11, 2023, and effective since July 1, 2025, it gives Arkansas residents rights to access, correct, delete, and port their personal data, plus the right to opt out of targeted advertising, data sales, and certain automated profiling.
When does the APDPA's cure period end?
The 60-day cure period, during which the Arkansas Attorney General must notify a business of a violation and give it a chance to fix it before pursuing penalties, is available only until January 1, 2027. After that date, offering a cure opportunity becomes discretionary rather than guaranteed.
What is the difference between the APDPA and ACTOPPA?
The APDPA governs general consumer data rights and has been in effect since July 1, 2025. ACTOPPA (Act 952, HB 1717) is a separate law specifically protecting children and teens' data, effective July 1, 2026, requiring parental or teen consent and banning targeted advertising to minors. They have different scopes, different consent standards, and different effective dates.
Who enforces the APDPA, and can consumers sue directly?
Only the Arkansas Attorney General can enforce the APDPA. There is no private right of action, so individual consumers cannot bring their own lawsuits for violations. Confirmed violations can carry penalties of up to $10,000 each.
Does the APDPA apply to my business if I already comply with California or Colorado privacy law?
Possibly, and the underlying work required is smaller than starting fresh. Check the APDPA's specific thresholds (25,000 Arkansas consumers, or 50% of revenue from data sales plus 10,000 consumers) against your actual Arkansas user base, since they are lower than several other states' baselines, then confirm your existing consent and rights-request workflows correctly extend opt-in sensitive-data consent and Arkansas-specific opt-out coverage.
What else changes in state privacy law around the same time as ACTOPPA?
Connecticut's SB 1295 amendments to the Connecticut Data Privacy Act and Utah's HB 418 amendments both take effect July 1, 2026, the same date as ACTOPPA. None of these affect the APDPA's separate, earlier cure-period deadline.
Ready to see whether your Arkansas coverage actually holds up? Book a demo of Secure Privacy's Privacy & AI Governance Platform and run the gap analysis before the cure period, and your safety net, runs out.




