Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.

ARKANSAS DATA PRIVACY REGULATIONS

Did You Know?

 
  • Limited methods of notification delivery
  • Data owners are responsible for breach reporting and notifications
  • Vendors must report to AR data owners and cooperate
  • Violations may incur up to $10,000 in penalties plus damages
  • Other state laws, federal laws, industry regulations, and/or out-of-country laws may apply 

Who Me?

 

Arkansas breach and notification laws may apply if you:

  • Acquires, owns, or licenses computerized data that includes PII
  • Maintains computerized data that includes PII that you do not own

 There are exemptions.

What is PII?

 

PII relevant to a breach in Arkansas include a person's name plus one or more of the following:

  • Social Security Number
  • Driver license or ID card number
  • Account number or credit  or debit card number in combination any security code, access code or password, etc. permitting access to the person's account
  • Medical Records

LAWS

APPLICABLE LAWS

A few applicable statutes include, but are not limited to:

Title 4 Business and Commercial Law / Subtitle 7 Consumer Protection /

  • Chapter 110 Personal Information Protection Act / A.C.A. § 4-110-101 – 103, 105-108
  • Chapter 88 Deceptive Trade Practices / Subchapter 1 General Provisions / A.C.A. § 4-88-101 -113

RELATED LAWS

A few applicable statutes include, but are not limited to:

Title 4 Business and Commercial Law / Subtitle 7 Consumer Protection /

  • Chapter 110 Personal Information Protection Act / A.C.A. § 4-110-101 - 104
  • Chapter 88 Deceptive Trade Practices / Subchapter 1 General Provisions / A.C.A. § 4-88-101 -113

PENALTIES

COMPLIANCE PENALTIES

Violations are punishable by action of the attorney general under the provisions of § 4-88-101 et seq., which indicates that the attorney general may investigate, penalties up to $10,000, suspension of authorization to do business in Arkansas, liability for any monetary judgements, and right of action by the customers to recover actual damages, and more.

BREACH REPORTING

MULTIPLE FACTORS TO CONSIDER

When considering reporting requirements, it would include, but not limited to:

  • The combination of personal information breached
  • If the data was computerized
  • If the data was encrypted or redacted
  • If it was acquired by an unauthorized person
  • If there is a risk of harm to the customers

TIME LIMITS

Depending on impact and type of breach there may be specific entities to report to and specific time limits to report a breach. The notifications must be made in the most expedient time and manner possible and without unreasonable delay, unless law enforcement advises the person it will interfere with an investigation.

CONSUMER NOTIFICATION

Requires detailed information and potential provision of services

Disclosure may be made by written notice or electronically (with stipulations).

A substitute notice, with specific requirements, may be sent if the person demonstrates that the cost of providing the notice would exceed $250,000, or the persons to be notified exceeds 500,000, or they do not have sufficient contact information.

Contact the Privacy Experts at CSR