ARTICLE
17 June 2025

State Data Privacy Update: Oregon Bans Sale Of Geolocation And Children's Data; Arkansas Extends COPPA-Like Protections To Teens

RJ
Roth Jackson

Contributor

Roth Jackson logo
Roth Jackson and Marashlian & Donahue’s strategic alliance delivers premier regulatory, litigation,and transactional counsel in telecommunications, privacy, and AI—guiding global technology innovators with forward-thinking strategies that anticipate risk, support growth, and navigate complex government investigations and litigation challenges.
Explore Firm Details
On June 2, 2025, Oregon Governor Tina Kotek signed House Bill 2008 (HB 2008), amending the Oregon Consumer Privacy Act (the OCPA) to significantly expand protections for children's...
United States Arkansas Oregon Privacy
Diana James and Susan Duarte
Your Author LinkedIn Connections
  1. Oregon Bans Sale of Geolocation and Children's Data

On June 2, 2025, Oregon Governor Tina Kotek signed House Bill 2008 (HB 2008), amending the Oregon Consumer Privacy Act (the OCPA) to significantly expand protections for children's personal data and all Oregonians' precise geolocation data. The amendments take effect January 1, 2026, and introduce obligations that will require immediate attention and operational changes for many businesses.

Key Amendments and Business Implications

Protections for Minors (Under 16)

  • Prohibited Activities: Controllers will now be prohibited from selling the personal data of consumers under 16 years of age, if the controller has actual knowledge of their age or willfully disregards it.
  • No Consent Exception: Unlike under the current law, obtaining consent from the minor or their guardian will not permit these activities. The prohibition will apply regardless of consent.
  • COPPA Compliance: Processing sensitive data of children will need to comply with the Children's Online Privacy Protection Act (COPPA).

Precise Geolocation Data

  • Sale Ban: The OCPA now prohibits the sale of precise geolocation data – defined as data identifying a consumer's (or their device's) present or past location within a 1,750-foot radius, regardless of consumer consent.
  • Scope: The restriction applies to any exchange of such data for monetary or other valuable consideration, potentially impacting all location-based advertising and data-sharing arrangements.
  • Exceptions: Some limited types of data are exempt from the scope of covered geolocation data, such as the contents of communications and certain utilities-related data.

General Data Controller Obligations

  • Purpose Limitation: Controllers must specify the purposes for collecting personal data in their privacy notices and limit collection to what is adequate, relevant, and reasonably necessary for those purposes.
  • Consumer Rights: Controllers must provide mechanisms for consumers to revoke consent and must cease processing it within 15 days of an opt-out.
  • Opt-Out Mechanisms: User-friendly and unambiguous opt-out mechanisms are required for the sale of personal data, targeted advertising, and profiling with significant legal or similar effects.
  • Privacy Notices: Notices must clearly disclose categories of data collected, purposes of processing, methods to exercise consumer rights, categories of third parties with whom data is shared, and contact details.
  • Non-Discrimination: The law prohibits discriminatory treatment of consumers exercising their rights but allows differentiated terms for voluntary participation in loyalty or rewards programs to incentivize consent to data collection and processing.

Recommended Next Steps for Businesses

  • Data Inventory: Identify and map all personal data collected from consumers under 16 and all precise geolocation data processed or sold.
  • Policy Review: Update privacy policies and notices to prepare for the new requirements, including explicit disclosures about data collection, use, and sharing practices.
  • Operational Controls: Implement technical and organizational measures to prevent the sale of covered data in violation of the new prohibitions. Establish age controls to ensure your business does not "willfully disregard" the consumer's age.
  • Consent and Opt-Out Mechanisms: Ensure mechanisms for revoking consent and opting out are in place and operational within the required timelines.
  • Training: Educate staff, especially those involved in marketing, data analytics, and IT, on the new legal requirements and internal procedures.
  • Vendor Management: Review contracts and data-sharing agreements with third parties to ensure compliance with the new restrictions, particularly regarding location-based advertising and sales of data.

Conclusion

Oregon's amendments to its Consumer Privacy Act set a new standard for the protection of minors' data and precise geolocation information, going beyond many existing state privacy laws by prohibiting certain activities regardless of consumer consent. Businesses doing business in Oregon should act promptly to assess their data practices and implement necessary changes before the January 1, 2026, effective date.

2. Arkansas Passes First-of-Its-Kind COPPA-Like Privacy Law for Children and Teens

On April 21, 2025, Arkansas Governor Huckabee Sanders signed the Arkansas Children and Teens' Online Privacy Protection Act (ACTOPPA) into law. This legislation, effective July 1, 2026, imposes significant new requirements on operators of websites, apps, and online services that collect personal information from children and teens in Arkansas. ACTOPPA closely mirrors the federal COPPA but expands protections to include teens aged 13 to 16 and introduces several unique provisions. Below is a summary of ACTOPPA's key requirements and implications for online service providers.

Scope and Applicability

  • ACTOPPA applies to operators of online services "directed at" children (12 and under) or teens (13 to 16), or those with "actual knowledge" they are collecting personal information from these groups.
  • ACTOPPA does not define "directed at" or "actual knowledge," but enforcement is expected to follow criteria similar to those used by the FTC under COPPA.
  • ACTOPPA explicitly states that operators are not required to collect age information they do not already collect in the normal course of business, nor are they required to implement age-gating or age verification functionality.

Operator Obligations

  • Notice: Operators with actual knowledge of collecting personal information from children or teens must provide clear and conspicuous notice detailing:
  • What information is collected
  • Purposes for processing
  • Disclosure practices
  • Rights to access, correct, or delete information
  • Categories of information shared and with whom
  • Consent for Teens: Operators must obtain consent from either the teen or their parent before processing personal information, except for certain operational, legal, or safety-related purposes.
  • Consent for Children: ACTOPPA is ambiguous regarding parental consent for children under 13. While it provides certain exceptions similar to COPPA, it does not clearly require verifiable parental consent, potentially deferring to federal COPPA requirements.
  • Access, Correction, and Deletion Rights:
  • Parents can access, correct, or delete their child's information and refuse further collection or use.
  • Teens have similar rights, except they cannot refuse further collection or use.
  • Operators are not required to delete information necessary in certain enumerated cases, such as when it is necessary to provide services to the data subject, for legal compliance, or to protect the integrity or security of operators' systems.
  • Data Minimization: Operators must not collect or retain more personal information than necessary to provide the requested service or as required by law.
  • Security: Reasonable security practices must be implemented to protect collected personal information from unauthorized access.

Enforcement and Liability

  • The Arkansas Attorney General has exclusive enforcement authority. Violations are treated as unfair or deceptive acts under Arkansas consumer protection law.
  • Remedies may include injunctions, damages, restitution, or other appropriate relief.
  • There is no private right of action; individuals cannot sue operators directly under ACTOPPA.

Practical Steps for Compliance

  • Review and update privacy policies to ensure clear notice regarding collection and use of children's and teens' data.
  • Assess current data collection practices and implement mechanisms for obtaining and documenting consent from teens or their parents.
  • Prepare to respond to requests for access, correction, and deletion of personal information.
  • Ensure data minimization and reasonable security measures are in place.
  • Monitor developments and potential amendments to ACTOPPA prior to its effective date, as ambiguities and any drafting errors may be clarified by future guidance or legislative updates.

Looking Ahead

Arkansas is among the first states to extend online privacy protections to teens, and similar legislation is being considered in other jurisdictions. Operators serving Arkansas residents should prioritize compliance efforts and monitor further regulatory developments in this evolving area.

Conclusion

These legislative actions underscore a growing trend among states to fill gaps left by federal privacy laws. For further guidance on compliance strategies or to discuss how these changes may affect your organization, please contact our Privacy Law Group.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Diana James
Diana James
Photo of Susan Duarte
Susan Duarte
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More