September 2023

1.  Right to Privacy/ Constitutional Protection

The Constitution of Arkansas ('the Constitution') does not contain an explicit guarantee of the right to privacy. However, the Arkansas Supreme Court ('the Supreme Court') has found that 'Arkansas has a rich and compelling tradition of protecting individual privacy and that a fundamental right to privacy is implicit in the Arkansas Constitution' (Jegley v. Picado, 349 Ark. 600, 632, 80 S.W.3d 332, 350 (2002)). Arkansas requires a compelling state interest to override such a right.

The Supreme Court's analysis in Jegley noted that a right to privacy arises throughout several §§ of Article 2 of the Constitution. In particular, it provides that the rights enumerated in the Constitution must not be construed in such a way as to deny or disparage other rights retained by the people (Article 2, § 29 of the Constitution):

'This enumeration of rights shall not be construed to deny or disparage others retained by the people and to guard against any encroachments on the rights herein retained, or any transgression of any of the higher powers herein delegated, we declare that everything in this Article is excepted out of the general powers of the Government, and shall forever remain inviolate; and that all laws contrary thereto, or to the other provisions herein contained, shall be void'.

Turning to the remaining language, the Constitution guarantees certain inherent and inalienable rights, including the enjoyment of life and liberty and the pursuit of happiness (Article 2, § 2 of the Constitution):

'All men are created equally free and independent, and have certain inherent and inalienable rights, amongst which are those of enjoying and defending life and liberty; of acquiring, possessing, and protecting property and reputation, and of pursuing their own happiness. To secure these rights governments are instituted among men, deriving their just powers from the consent of the governed.'

Furthermore, it is established that no Arkansan can be deprived of life, liberty, or property without due process of law (Article 2, §§ 8 and 21 of the Constitution). Moreover, the Constitution recognizes the right of persons to be secure in the privacy of their own homes (Article 2, § 15 of the Constitution):

'The right of the people of this State to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures shall not be violated; and no warrant shall be issued except upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched and the person or thing to be seized.'

The Supreme Court has found that such a right to privacy extends to a Constitutional right of individuals to be free from unreasonable intrusions into their homes. See, e.g., Griffin v. State, 347 Ark. 788, 67 S.W.3d 582 (2002) (finding an illegal search in violation of Article 2, § 15 of the Constitution). However, while dwellings and their curtilage are largely protected from such intrusion, a later Court of Appeals decision found that it may not be reasonable to have an expectation of privacy in driveways and walkways, which are ordinarily used by visitors, where an officer's discovery of blood on the defendant's front porch without a search warrant was not held as an unreasonable search and seizure (Cox v. State, 2021 Ark. App. 426, 635 S.W.3d 529 (2021)).

The rights granted by the Constitution are guaranteed to all citizens equally, where '[t]he equality of all persons before the law is recognized and shall ever remain inviolate; nor shall any citizen ever be deprived of any right, privilege, or immunity, nor exempted from any burden or duty, on account of race, color or previous condition.' (Article 2, § 3 of the Constitution).

Moreover, '[t]he General Assembly shall not grant to any citizen or class of citizens privileges or immunities which upon the same terms shall not equally belong to all citizens' (Article 2, § 18 of the Constitution).

Finally, the concept of privacy is mentioned throughout many of the statutes enacted by the Arkansas General Assembly. The Supreme Court in Jegley has recognized that this frequent reference to the right to privacy indicates a public policy of the General Assembly supporting such right.

2. Key Privacy Laws

2.1. Civil Law Provisions

Privacy Torts

The Supreme Court recognizes the existence of four actionable forms of the tort of invasion of privacy (as per the cases of Wal-Mart Stores, Inc. v. Lee, 348 Ark. 707, 74 S.W.3d 634 (2002); Dunlap v. McCarty, 284 Ark. 5, 678 S.W.2d 361 (1984); Dodrill v. Arkansas Democrat Co., 265 Ark. 628, 590 S.W.2d 840 (1979); Olan Mills v. Dodd, 234 Ark. 459, 353 S.W.2d 22 (1962)):

• appropriation;
• intrusion (upon seclusion);
• public disclosure of private facts; and
• false light in the public eye.

Financial Liability for Deprivation of Rights, Privileges and Immunities

§105 of Chapter 123 of Title 16 of the Arkansas Code Annotated ('Ark. Code Ann.') provides for a right of recovery to every person who, under color of any statute, ordinance, regulation, custom, or usage of the State of Arkansas or any of its political subdivisions, subjects, or causes to be subjected, any person within the jurisdiction thereof to the deprivation of any rights, privileges, or immunities secured by the Constitution. The offender must be liable to the party injured in an action in the Circuit Court for legal and equitable relief or another proper redress, including at the discretion of the court, for payment of the injured party's cost of litigation and a reasonable attorney's fee in an amount to be fixed by the court.

Interception and Recording of Communications

It is unlawful to intercept a wire, landline, oral, telephonic communication, or wireless communication, and to record or possess a recording of the communication unless the person is a party to the communication or one of the parties to the communication has given prior consent to the interception and recording (§120 of Chapter 60 of Title 5 of the Ark. Code. Ann.).

A violation of § 5-60-120 is a Class A criminal misdemeanor.

Exceptions to such violation include the following (§5-60-201(c) of the Ark. Code Ann):

• a person acting under color of law;
• an officer, employee, or agent of a public telephone utility or company who is assisting a person acting under color of law; and
• an operator of a switchboard, or an officer, employee, or agent of any public telephone utility, or telecommunications provider engaged in the service being provided, or the protection of the rights or property of such provider.

Furthermore, the provisions do not apply to (§5-60-120 of the Ark. Code Ann.):

• telecommunication services offered by a telecommunications provider or public telephone utility;
• a Federal Communications Commission ('FCC') licensed amateur radio operator;
• anyone operating a police scanner for pleasure; and
• the issuance of a court order authorizing disclosure of a customer communication or record to a Governmental entity, including authorizing or approving the installation and use of a pen register or a trap-and-trace device, as part of an ongoing criminal investigation is not prohibited by Arkansas law.

Under § 5-16-101(a) of the Ark. Code Ann. (crime of video voyeurism), a person may not use a camera, videotape, photo-optical, photoelectric, or other image recording device for the purpose of secretly observing, viewing, photographing, filming, or videotaping another person in a residence, place of business, school, other structure, or a room, or particular location within that structure, if (for any of the above):

• the other person is in a private area out of the public view;
• has a reasonable expectation of privacy; and
• has not consented to the taping.

The Personal Information Protection Act

Arkansas's principle statutory mechanism requiring the protection of personal information in the hands of a third party is found in the Personal Information Protection Act ('the Act') (§s 4-110-101 et seq of the Ark. Code Ann.). Arkansas does not permit waivers of the Act's requirements (§ 4-110-107 of the Ark. Code Ann).

The Act encourages individuals, businesses, and State agencies that acquire, own, or license personal information about the citizens of the State of Arkansas to provide reasonable security for the information, and requires that all persons or businesses that acquire, own, or license personal information take reasonable steps to protect personal information from unauthorized access, destruction, use, modification, or disclosure, and take all reasonable steps to destroy or arrange for the destruction of a customer's records within its custody or control containing personal information that is no longer to be retained by the person or business, including by shredding, erasing, or otherwise modifying the personal information to make it unreadable or undecipherable through any means.

The Act defines the following terms:

• breach of the security of the system;
• business;
• medical information;
• personal information;
• biometric data;
• records; and
• state agency.

The Act provides that any person or business that acquires, owns, or licenses computerized data that includes personal information must disclose any breach of the security of the system following discovery or notification of the breach to any resident of Arkansas whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

Encrypted data is exempted from the notice procedure, provided that the password to decrypt the encrypted data was not lost with the encrypted data (§4-110-105(a)(1) of the Ark. Code Ann.). The disclosure must be in the most expedient time and manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, or any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.

Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation, and such notification must be made after the law enforcement agency determines that it will not compromise the investigation (§4-110-105(a)(2)-(c)(2) of the Ark. Code Ann.). Notification is not required if, after a reasonable investigation, the person or business determines that there is no reasonable likelihood of harm to customers (§4-110-105(d) of the Ark. Code Ann.).

Where a person or business maintains computerized data that includes personal information that the person or business does not own, that person or business must notify the owner or licensee of the information of any breach of the security of the system immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person (§4-110-105(b) of the Ark. Code Ann.).

Notice may be made by written notice or electronic mail if the notice is consistent with the provisions regarding electronic records and signatures set forth in §7001 of Title 15 of the United States Code.

Substitute notice may be made if the person or business demonstrates that the cost of providing notice would exceed $250,000, the affected class of persons to be notified exceeds 500,000 individuals, or the person or business does not have sufficient contact information. Substitute notice consists of the performance of all of the following:

• electronic mail notice when the person or business has an electronic mail address for the subject persons;
• conspicuous posting of the notice on the website of the person or business if the person or business maintains a website; and
• notification by State media.

For breaches of more than 1,000 individuals, the person or business must disclose the breach to the Attorney General of Arkansas ('AG') at the same time as notice is provided to those affected (§4-110-105(2) and (e)(1)-(3) of the Ark. Code Ann.).

A person or business must retain a copy of the written determination of a breach of the security of a system and any supporting documentation for five years from the date of determination of the breach. Such determination and documentation may be requested by the AG and must be provided within 30 days of any such request. The determination and documentation retained are confidential and not subject to public disclosure.

There are two principal exceptions to the Act (§4-110-106(a) of the Ark. Code Ann):

• the Act does not apply to a person or business regulated by a State or federal law that requires greater protection of personal information and at least as thorough as the disclosure requirements for breaches of the security of personal information as set forth under the Act and compliance with that State or federal law would be deemed as compliance with the Act; and
• where a person or business maintains its own notification procedures as part of an information security policy for the treatment of personal information that is otherwise consistent with the timing requirements of the Act, notice made under those notification procedures would be deemed to be in compliance with the Act, if the person or business notifies the affected persons in accordance with its policies in the event of a breach of the security of the system.

Any violation of the Act is punishable by the AG under its consumer protection function (§§101, et seq of Chapter 88 of Title 4 of the Ark. Code Ann.), which generally provides for penalties of up to $10,000 per violation, recovery of actual financial loss, injunction on activity, incurred expenses, and attorneys' fees (§4-110-108 of the Ark. Code Ann).

Arkansas Supreme Court Limitations on Access to Arkansas Court Records

The Arkansas Supreme Court's Administrative Order Number 19 establishes the rights to and limitations from access to Arkansas Court records. Generally, all persons have access to court records, regardless of the manner of creation, method of collection, form of storage, or the form in which the records are maintained. Court records are defined to include both case records and administrative records, but do not include information gathered, maintained, or stored by a non-court agency or other entity (even though the court may have access to the information unless it is adopted by the court as part of the court record).

The Supreme Court has defined several exceptions to the disclosure of case information and administrative record information. The following case record information is excluded from public access and is confidential, absent a court order to the contrary, unless the information is disclosed in open court and is part of a verbatim transcript of court proceedings or included in trial transcript source materials:

• information that is excluded from public access pursuant to federal law;
• information that is excluded from public access pursuant to the Ark. Code Ann.;
• information that is excluded from public access by order or rule of court;
• social security numbers;
• account numbers of specific assets, liabilities, accounts, credit cards, and personal identification numbers;
• information about cases expunged or sealed pursuant to Ark. Code Ann. §§16-90-1401 et seq.;
• notes, communications, and deliberative materials regarding decisions of judges, jurors, court staff, and judicial agencies; and
• all home and business addresses of petitioners who request anonymity when seeking a domestic order of protection.

The following administrative record information is excluded from public access and is confidential, absent a court order to the contrary:

• information that is excluded from public access pursuant to Ark. Code Ann. or other court rule;
• information protected from disclosure by order or rule of court;
• security and emergency preparedness plans including risk and vulnerability assessments, plans, and proposals for preventing and mitigating security risks;
• emergency response and recovery records;
• security plans and procedures;
• any other records containing information that if disclosed might jeopardize or compromise efforts to secure and protect individuals, the courthouse, or court facility; and
• notes, communications, and deliberative materials of judges regarding court administration matters arising under Administrative Orders Numbers 14 and 18.

Arkansas Freedom of Information Act, Exceptions from Material in the Public Record

The Freedom of Information Act of 1967 ('the Freedom of Information Act') under Ark. Code Ann. §25-19-101, et seq. provides that all records maintained in public offices or by public employees within the scope of their employment are presumed to be public records (§25-19-103(7)(A) of the Ark. Code Ann.).

This arises from the legislative intent which states that: '[i]t is vital in a democratic society that public business be performed in an open and public manner so that the electors shall be advised of the performance of public officials and of the decisions that are reached in public activity and in making public policy. Toward this end, the Arkansas Freedom of Information Act is adopted, making it possible for them or their representatives to learn and to report fully the activities of their public officials (§25-19-102 of the Ark. Code Ann.).

A negligent violation of the Freedom of Information Act is guilty of a Class C misdemeanor (§25-19-104 of the Ark. Code Ann.).

The phrase 'public records' is widely defined, and means writings, recorded sounds, films, tapes, electronic, or computer-based information, or data compilations in any medium required by law to be kept or otherwise kept and that constitute a record of the performance or lack of performance of official functions that are or should be carried out by a public official or employee, a governmental agency, or any other agency or improvement district that is wholly or partially supported by public funds or expending public funds (§25-19-103(7)(A) of the Ark. Code Ann.).

Generally, under §§ 25-19-101, et seq. of the Ark. Code Ann. of the Freedom of Information Act, all public records are open to inspection and copying by any citizen of the State of Arkansas during the regular business hours of the custodian of records (§25-19-105(a)(1)(A) of the Ark. Code Ann.). The Freedom of Information Act exempts from disclosure several categories of information. With regard to privacy, the Freedom of Information Act excepts certain types of information as listed (§ 25-19-105(b)(1)-(27) of the Ark. Code Ann.).

Limitation on the personnel records exception

Notwithstanding the exception set forth in § 25-19-105 (b)(12) of the Ark. Code Ann., all employee evaluation or job performance records, including preliminary notes and other materials, must be open to public inspection only upon final administrative resolution of any suspension or termination proceeding at which the records form a basis for the decision to suspend or terminate the employee, and if there is a compelling public interest in their disclosure (§ 25-19-105(c)(1) of the Ark. Code Ann) any personnel or evaluation records exempt from disclosure under this chapter must nonetheless be made available to the person about whom the records are maintained or to that person's designated representative (§25-19-105(c)(2) of the Ark. Code Ann).

Exceptions from Disclosure of Legislative Communications, including for Freedom of Information Act

In 2023, the Arkansas Legislature enacted revisions to § 10-2-129 of the Ark. Code Ann. to insert a new privilege regarding the confidentiality of communications between State legislators. Recognizing the common law doctrine in other states, shielding from disclosure information related to legitimate legislative actions as well as the purposes underlying those actions (citing in findings to In re Hubbard, 803 F.3d 1298, 1310 11th Cir. 2015), and the common law deliberative process privilege's protection of confidential exchanges of opinions and advice, including applicability to documents and testimony that are pre-decisional, deliberative, and reflect the subjective intent of the legislators as reflected in the law of other states (citing to Corporacion Insular de Seguros v. Garcia, 709 F.Supp. 288, 295 (D.P.R. 1989), the Arkansas Legislature sought to extend the protections provided by the Arkansas Constitution under Article 5, § 15, legislative privilege, and the deliberative process privilege.

The Arkansas Legislature established that a drafting request or information request made to a legislative employee by or on behalf of a legislator is confidential and is privileged. It also provided that a legislator has the privilege to refuse to disclose and to prevent a legislative employee from disclosing a 'confidential communication', including a confidential communication between the legislator and their representative and a legislative employee, between two or more legislative employees related to a drafting request or an information request made by the legislator, or between two or more legislators and a legislative employee. It defined a confidential communication to include:

• a drafting request;
• an information request;
• a supporting document for a drafting request or information request;
• the draft or the work product for a drafting request or an information request; and
• any other verbal or written communication regarding a drafting request or an information request.  

The privilege against disclosure extends to former legislative employees if the confidential communication was received while employed as a legislative employee and not for purposes of committing a crime or fraud. A former legislative employee is guilty of a Class B misdemeanor for revealing a confidential communication while employed as a legislative employee or uses a confidential communication while received as a legislative employee for personal gain or benefit.

Finally, the changes provide that confidential communications are expressly exempt from the Freedom of Information Act, as absolutely privileged communications.

Arkansas Student Online Personal Information Act

The Arkansas Student Online Personal Information Act ('the Student Online Personal Information Act') (§ 6-18-109 of the Ark. Code Ann.) provides additional protection for personally identifiable information that students share with public schools in Arkansas through the use of the operator's website or created by an employee or agent of an educational institution for public school purposes.

The Student Online Personal Information Act defines an 'operator' as the 'owner of an internet website, online service, online application, or mobile application with actual knowledge that the website, service, or application is:

• used primarily for public school purposes;
• designed and marketed for public school purposes; and
• operating at capacity (§6-18-109(a)(2)(A)) of the Ark. Code Ann).

The Act also defines 'covered information', which includes everything from a student's name and address to their grades and search activity (§6-18-109(a)(1) of the Ark. Code Ann.).

The Student Online Personal Information Act prevents operators from:

• targeted advertising when the targeting of the advertising is based on covered information that the operator has acquired because of the use of the operator's website, service, or application;
• gathering information to compile a profile not for public school purposes;
• sell[ing] a public-school student's covered information other than for certain limited purposes, including entity merger or acquisition; and
• disclosing covered information, except when (§6-18-109(b) of the Ark. Code Ann.):
  • done in furtherance of public-school purposes or to allow or improve operation and functionality within the student's classroom or school;
  • the disclosure is necessary to:
    • ensure legal or regulatory compliance or protect against liability;
    • respond to or participate in the judicial process; or
    • protect the safety or integrity of users or others or the security of the website, service, or application;
  • done to a service provider, if the operator contractually:
    • prohibits the service provider from using any covered information for any purpose other than providing the contracted service to or on behalf of the operator;
    • prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, unless the disclosure is expressly permitted under this § 6-18-109(b) of the Ark. Code Ann.; and
    • requires the service provider to implement and maintain reasonable security procedures and practices; or
  • done for the public school, educational, or employment purpose requested by the student or the student's parent or guardian, provided that the information is not used or further disclosed for any other purpose.

Restriction on Institution of Higher Education Access to Social Media Accounts

Institutions of higher education are barred, pursuant to §104(a) and (b) of Chapter 60 of Title 6 of the Ark. Code Ann., from requiring, requesting, suggesting, or causing a current or prospective student (or employee) to disclose their username and password to a social media account. §104(a) and (b) of Chapter 60 of Title 6 of the Ark. Code Ann. also prohibits an institution of higher education from requiring a current or prospective student, as a condition of acceptance in curricular or extracurricular activities, to add an employee or volunteer of the institution of higher education, including without limitation a coach, professor, or administrator, to the list of contacts associated with their social media account, or change the privacy settings associated with their social media account.

An institution of higher education must not take action against or threaten to discharge, discipline, prohibit from participating in curricular or extracurricular activities, or otherwise penalize a current student for exercising their rights, or fail or refuse to admit or hire a prospective employee or student for exercising their rights under that law (§ 6-60-104 of the Ark. Code Ann.).

An institution of higher education is not prohibited from viewing information about a current or prospective employee or student that is publicly available on the internet.

An 'institution of higher education' is defined as a public or private institution that provides postsecondary education or training to students that are academic, technical, trade-oriented, or in preparation for gaining employment in a recognized occupation (§ 6-60-104(a)(2) of the Ark. Code Ann.).

A 'social media account' is defined as a personal account with an electronic medium or service where users may create, share, or view user-generated content, including without limitation (§ 6-60-104(a)(3)(A) of the Ark. Code Ann.):

• videos;
• photographs;
• blogs;
• podcasts;
• messages;
• emails; or
• website profiles or locations.

A 'social media account' does not include an account (§ 6-60-104(a)(3)(B) of the Ark. Code Ann.):

• opened by an employee or student at the request of an institution of higher education;
• provided to an employee or student by an institution of higher education, such as an institutional email account or other software program owned or operated exclusively by an institution of higher education;
• set up by an employee or student on behalf of an institution of higher education; or
• set up by an employee or student to impersonate an institution of higher education, through the use of the institution's name, logos, or trademarks.

A 'social media account' includes, without limitation, an account established with Facebook, Twitter, LinkedIn, Myspace, or Instagram (§6-60-104(a)(3)(C) of the Ark. Code Ann.).

Student Data Vendor Security Act

The Arkansas Student Data Vendor Security Act (to be codified at § 6-18-2501 et seq. of the Ark. Code Ann.) requires contracts between local education agencies and vendors to include express provisions that safeguard the privacy and security of a student's personally identifiable information. Local education agency refers to a public school district or an open-enrolment public charter school. In the event of a material breach of a contract with a vendor involving the misuse or unauthorized release of a student's personally identifiable information ('student PII'), the Act imposes additional investigatory duties on local education agencies.

School service contract providers are limited in their collection, use, and sharing of student PII. Specifically, they may not sell student PII or use or share student PII for purposes of targeted advertising without the consent of the student or student's parent (§ 6-18-2506 of the Ark. Code Ann.). Additional obligations with respect to student PII include:

• providing information to local education agencies regarding:
  • the elements of student personally identifiable information that it collects and the purpose for which it is collected; and
  • how the school service contract provider uses and shares the student's personally identifiable information;
• notifying the local education agency prior to making a material change to its privacy policy that would result in a material reduction in the level of privacy and security provided for student personally identifiable information;
• facilitating access to and the correction of any factually inaccurate student PII that a local education agency receives; and
• notifying the contracting public education entity, as soon as possible, upon discovery of misuse or unauthorized release of student PII, regardless of whether the misuse or unauthorized release is a result of a material breach of the terms of a contract.

In addition, a school service provider is required to make use of appropriate administrative, technological, and physical safeguards to maintain a comprehensive information security program adequately designed to protect the security, privacy, confidentiality, and integrity of student PII (§6-18-2507 of the Ark. Code Ann.).

Other Educational Privacy Considerations

In an effort to ensure privacy and safety, Arkansas requires each public school district and open-enrolment public charter school serving students in prekindergarten through grade 12 to designate each multiple occupancy restroom or changing area for the exclusive use of either the male or female sex (§6-21-120 or the Ark. Code Ann.). The school must also provide a reasonable accommodation to an individual who is unwilling or unable to use such a room designated for that individual's sex. A multiple-occupancy restroom or changing area includes restrooms, locker rooms, changing rooms, and shower rooms.

Similarly, public school districts or open-enrollment charter school that sponsors or supervises an overnight trip for public school students must ensure that students attending the trip either share sleeping quarters with one or more student of the same sex, or be provided single-occupancy sleeping quarters (§6-10-137 of the Ark. Code Ann.).

3. Health Data

3.1. General Protection

The protection of health data is generally provided for under the Act (§§4-110-101, et seq. of the Ark. Code Ann.), discussed in the section on the Personal Information Protection Act above.

The Act protects against the disclosure of 'medical information,' which it defines as any individually identifiable information, in electronic or physical form, regarding the individual's medical history or medical treatment or diagnosis by a healthcare professional, and other personal information including biometric data (§ 4-110-103(5), (7)(E) of the Ark. Code Ann.).

Violations are enforced under the AG's consumer protection enforcement powers (§§104(a) and (b) of Chapter 60 of Title 6 of the Ark. Code Ann. 4-88-101 et seq. of the Ark. Code Ann.), which generally provides for penalties of up to $10,000 per violation, recovery of actual financial loss, injunction on activity, incurred expenses, and attorneys' fees.

3.2. Patient Access to Records

Arkansas law provides patients the right to access their own medical records in contemplation of, in preparation for, or in use in any legal proceeding, either directly or through their chosen legal representative (§16-46-106(a)(1)) of the Ark. Code Ann.).

3.3. Provider Limitations on Use of Health Data

Arkansas law prevents medical providers from using patient medical information outside of the specific, limited parameters provided for under Arkansas law. 'Any data or information pertaining to the diagnosis, treatment, or health of any enrollee or applicant obtained from the person or from any provider by any health maintenance organization shall be held in confidence and shall not be disclosed to any person except to the extent that it may be necessary to carry out the purposes of this chapter, upon the express consent of the enrollee or applicant, pursuant to a statute or a court order for the production of evidence or the discovery thereof or in the event of a claim of litigation between the person and the health maintenance organization wherein the data or information is pertinent.' (§23-76-129 of the Ark. Code Ann.).

3.4. Prescription Drug Monitoring Program Records

The confidentiality of patient health data extends to prescription drug information held by the Arkansas Department of Health ('DoH') under the Arkansas Prescription Drug Monitoring Program Act (§§104(a) and (b) of Chapter 60 of Title 6 of the Ark. Code Ann. 20-7-601, et seq. of the Ark. Code Ann.). Such prescription information is confidential and, notably, not subject to disclosure under the Arkansas Freedom of Information Act (§20-7-606) of the Ark. Code Ann).

Department of Health and Human Services ('HHS') Regulation 007.07.4-VI also requires such information to be confidential and further requires that DoH policies and procedures comply with §§104(a) and (b) of Chapter 60 of Title 6 of the Ark. Code Ann. of the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'), and the Health Information Technology for Economic and Clinical Health Act of 2009 ('HITECH').

3.5. HIPAA privacy requirements in the use of email and facsimile services by DHA staff

Rule 016.14.7-4006.0.0 ('the Rule') of the Arkansas Department of Human Services ('DHA) provides that any email message containing protected health information ('PHI') and sent to destinations within the State's email system must be sent by encrypted WebAccess email. The sending of email messages containing PHI to destinations outside the State's email system is not secure and is prohibited and requires that such messages be sent by fax only to a specific person for whom such release has been determined to be authorized. The Rule states that it should be established by a prior telephone contact that a specific person is present to receive the transmitted fax. The Rule provides that the conveyance of large electronic files requires secure media sharing (password-protected files on disk or CD) or conveyance by a secure transfer protocol.

PHI is defined by the Rule as health information which:

• identifies an individual or offers a reasonable basis for identification;
• is created or received by a covered entity or an employer;
• relates to past, present, or future physical or mental health conditions, provision of healthcare, or payment for healthcare; and
• which has been electronically transmitted or electronically maintained by a covered entity and includes such information in any other form.

To be PHI, the information must:

• relate to a person's physical or mental health, the provision of healthcare, or the payment of healthcare;
• identify, or could be used to identify, the person who is the subject of the information;
• be created or received by a covered entity; and
• be transmitted or maintained in any form or medium, electronic, written, or oral.

Relatedly, the DHA also provides that its clients (and their legal representatives) have a right to request an accounting of PHI disclosures that the DHA has made for a period of up to six years previous to the date of request (Rule 016.14.7-4011.2.1 of the Ark. Code Ann.). To satisfy this right, it is DHS's policy that all disclosures of clients' PHI will be recorded on the PHI Tracking Sheet and entered into the PHI Disclosure Tracking System. The accounting of PHI disclosures must include:

• the date of the disclosure;
• the name, and address if known, of the person or entity that received the disclosed PHI; and
• a brief description of the information disclosed, a brief statement of the purpose of the disclosure that reasonably informs the client of the basis for the disclosure, or in lieu of such statement, a copy of the client's written request for the accounting of disclosures.

3.6. Information and Documents Disclosed to the Arkansas Insurance Commissioner During Examination or Investigation

The Insurance Holding Company Regulatory Act (§§104(a) and (b) of Chapter 60 of Title 6 of the Ark. Code Ann.23-63-501 et seq. of the Ark. Code Ann.) provides that all information and documents obtained by or disclosed to the Arkansas Insurance Commissioner, or any person during an examination or investigation pursuant to § 23-63-516 of the Ark. Code Ann., and all information reported under §§104(a) and (b) of Chapter 60 of Title 6 of the Ark. Code Ann. 23-63-514 and 23-63-515 of the Ark. Code Ann., must be given confidential treatment.

Such information is not subject to subpoena or discovery or admissible in evidence even though testimony in any private civil action and may not be made public by the Commissioner under the Freedom of Information Act, or any other public records law, or by the National Association of Insurance Commissioners (§23-63-517(a)(1) of the Ark. Code Ann.).

However, the Arkansas Insurance Commissioner may use such information in furtherance of any regulatory or legal action brought as part of the Arkansas Insurance Commissioner's duties (§23-63-517(a)(1) of the Ark. Code Ann.).

4. Financial Data

4.1. General Protection

The protection of financial data is generally provided for under the Act (§4-110-101, et seq. of the Ark. Code Ann.), discussed in the section on Personal Information Protection Act above. The Act protects against the disclosure of any 'account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.' (§ 4-110-103(7)(C) of the Ark. Code Ann.).

Violations are enforced under the AG's consumer protection enforcement powers under §§104(a) and (b) of Chapter 60 of Title 6 of the Ark. Code Ann. 4-88-101 et seq. of the Ark. Code Ann., which generally provides for penalties of up to $10,000 per violation, recovery of actual financial loss, an injunction on activity, incurred expenses, and attorneys' fees.

Examination reports, examiner records, investigation materials, and personal financial statements filed or received by the Arkansas State Bank Department are confidential (§§104(a) and (b) of Chapter 60 of Title 6 of the Ark. Code Ann. 23-39-518, 23-46-101, 23-51-187, and 23-55-607 of the Ark. Code Ann.).

Certain protections are also found under the insurance regulations. Under Arkansas Insurance Department Regulation 054.00.74-11, a licensee may not directly or through any affiliate, disclose any non-public personal financial information about a consumer to a non-affiliated third party, unless that customer has been provided notice, the opportunity to opt-out and a reasonable timeframe in which to do so, and the customer has not opted out.

4.2. Prohibition on Digital Currency Tracking

Arkansas prohibits the use of a digital currency tracker in the State, to track an individual's purchases or location through an individual's use of digital currency, absent a valid warrant authorizing such tracking or the consent of the individual (to be codified at §4-56-106 of the Ark. Code Ann.). 'Digital currency' is defined as a digital form of money available to the general public, including Central Bank digital currency.

5. Employment Data

5.1. Employment History

A current or former employer may disclose the following information about a current or former employee's employment history to a prospective employer of the current or former employee, upon receipt of written consent from the current or former employee (§204(a)(1) of Chapter 3 of Title 11 of the Ark. Code Ann.):

• date and duration of employment;
• current pay rate and wage history;
• job description and duties;
• the last written performance evaluation prepared prior to the date of the request;
• attendance information;
• results of drug or alcohol tests administered within one year prior to the request;
• threats of violence, harassing acts, or threatening behavior related to the workplace or directed at another employee;
• whether the employee was voluntarily or involuntarily separated from employment and the reasons for the separation; and
• whether the employee is eligible for rehire.

The consent must be set forth on a separate form from the application form or, if included in the application form, must be in bold letters and in a larger typeface than the largest typeface in the text of the application form, and must state, at a minimum, language similar to the following: 'I, (applicant), hereby give consent to any and all prior employers of mine to provide information with regard to my employment with prior employers to (prospective employer).' The consent must be signed and dated by the applicant and be valid only for the length of time that the application is considered active by the prospective employer. If the applicant is hired and remains with the new employer for longer than six months, the consent must be valid for no longer than six months. If the applicant is hired and remains with the new employer for less than six months, the consent must be valid for six months after the termination of employment (§11-3-204(b)(1) of the Ark. Code Ann.).

A school district or an officer, an agent, a servant, or an employee of a school district may disclose the above information and any additional information that may have some bearing upon the hiring of a current or former employee by a school district, with or without the written consent of the current or former employee. The current or former employer disclosing the information is presumed to be acting in good faith and is immune from civil liability for the disclosure or any consequences of the disclosure, unless the presumption of good faith is rebutted upon a showing by a preponderance of the evidence that the information disclosed by the current or former employer was false, and the current or former employer had knowledge of its falsity or acted with malice or reckless disregard for the truth. The current or former employer disclosing the information may present the information in a format convenient to the current or former employer, including any electronic format (§11-3-204(a)(2)-(4) of the Ark. Code Ann.).

5.2. Background Checks

Upon the request of an employee or an applicant for employment, an employer that receives background check information regarding an employee or an applicant for employment must provide a copy of the background check information to the employee or applicant for employment (§11-3-206 of the Ark. Code Ann.).

5.3 Employee's Protected Privacy Interest in Personal Life

The Arkansas courts have seldom adjudicated intrusion claims in Wal-Mart Stores, for instance.

However, because Arkansas has adopted the Restatement of (Second) of Torts, the 8th Circuit has applied the Restatement approach to the tort of intrusion when applying Arkansas law. In Lee, the Arkansas Supreme Court articulated that an employee has a protected privacy interest in their own home outside of work, such that it is unlawful for an employer to search the employee's house without consent, even when the employer believed the employee was stealing.

In Pingatore v. Union Pacific Railroad Co  Ark. App. 459, 530 S.W.3d 372, 378, 2017., the Court of Appeals stated that an employee has a privacy interest in a history of substance misuse. However, the Court of Appeals distinguished Lee from Pingatore because of the nature of the privacy interest at stake: the plaintiff in Pingatore only had limited privacy interest that does 'not extend to cover the fact that he was being drug tested' or to their identity in the drug testing process.

5.4. Restrictions on Employer Access to Employee Social Media

Employers are barred from requiring, requesting, suggesting, or causing a current or prospective employee to disclose their username and password to a social media account, or change the privacy settings associated with a social media account (§124(b) of Chapter 2 of Title 11 of the Ark. Code Ann.). Employers are also prohibited from requiring an employee to add another employee, supervisor, or administrator to the list of contacts associated with that employee or prospective employee's social media accounts.

Employers may not take action against or threaten to discharge, discipline, or otherwise penalize a current employee for exercising their rights under Ark. Code Ann. §11-2-124(b), or fail or refuse to hire a prospective employee for exercising their rights under Ark. Code Ann. § 11-2-124(b). Social media is broadly defined to include an electronic medium or service where users may create, share, or view user-generated content, including without limitation:

• videos;
• photographs;
• blogs;
• podcasts;
• messages;
• emails; and
• website profiles or locations.

However, the law specifically notes that it does not affect an employer's existing rights or obligations to request an employee to disclose their username and password for the purpose of accessing a social media account if the employee's social media account activity is reasonably believed to be relevant to a formal investigation or related proceeding by the employer of allegations of an employee's violation of federal, State, or local laws or regulations or of the employer's written policies. If an employer exercises such a right, the employee's username and password must only be used for the purpose of the formal investigation or a related proceeding.

A parallel provision regards employees and students of institutions of higher education and is discussed in the section above on the restriction on institutions of higher education access to social media accounts (§ 6-60-104 of the Ark. Code Ann.).

5.5. Prohibition of Employer Use of Genetic Test or Information

Employers are prevented from seeking to obtain or use a genetic test or genetic information of the employee or the prospective employee for the purposes of distinguishing between or discriminating against or restricting any right or benefit otherwise due or available to an employee or prospective employee (§ 11-5-403 of the Ark. Code Ann.). Furthermore, an employer must not require a genetic test or genetic information from the employee or prospective employee for the purposes of distinguishing between, or discriminating against, or restricting any right or benefit otherwise due or available to an employee or prospective employee.

6. Online Privacy

The protection of personal information including gathered or stored online, is generally provided for under the Act (§§104(a) and (b) of Chapter 60 of Title 6 of the Ark. Code Ann. 4-110-101, et seq. of the Ark. Code Ann.), as discussed in § on the Personal Information Protection Act above.

The Act protects against the disclosure of any 'account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account (§ 4-110-103(7)(C) of the Ark. Code Ann.).

Violations are enforced under the AG's consumer protection enforcement powers under § 4-88-101, et seq. of the Ark. Code Ann. which generally provides for penalties of up to $10,000 per violation, recovery of actual financial loss, injunction on activity, incurred expenses, and attorneys' fees (§ 4-110-108 of the Ark. Code Ann.).

6.1. Arkansas Social Media Safety Act

The Arkansas Social Media Safety Act, which has been preliminarily enjoined from entering into effect ON September 1, 2023, by the District Court of Arkansas, Fayetteville Division, in its decision NetChoice LLC v. Tim Griffin, in his official capacity as Attorney General of Arkansas, (to be codified at § 4-88-11 of the Ark. Code Ann.) requires social media companies with Arkansas users to use a third-party vendor to perform a reasonable age verification of account holders of its social media platform to ensure that the account holder is 18 years of age or older. A 'reasonable age verification' may be performed using a digital copy of a driver's license or other Government-issued identification, or any commercially reasonable age verification method. Failure to perform an age verification may result in a penalty of $2,500 per violation, court costs, and reasonable attorney's fees, or damages resulting from a minor accessing a social media platform.

Both the social media company and the third party are prohibited from retaining the information used to verify a user's age. For a user who is a minor, a social media company must obtain express consent from a parent or legal guardian before the minor may become an account holder. 'Express consent' is not defined in the statute.

A social media company is defined as a business that provides an online forum where a user creates a public profile or account for the primary purpose of:

• interacting socially with other profiles and accounts;
• uploading or creating posts or content;
• viewing posts or content of other account holders; and
• interacting with other account holders of users.

A social media platform is defined as a public or semi-public internet-based service or application that has users who reside in Arkansas and on which a substantial function is to connect users to allow them to interact socially with each other within the service or application.

The following statutory exceptions are carved out from the duties otherwise imposed under the Social Media Safety Act:

• social media companies with less than $100 million in annual gross revenue;
• internet service providers;
• viewing posts or content of other account holders; and
• online services, websites, or applications with the predominant or exclusive function of:
  • email;
  • direct messaging consisting of messages, photos, or videos that are sent between devices by electronic means and are shared between and only visible to sender and recipient(s);
  • a streaming service;
  • news, sports, entertainment, or other content preselected by the provider and not user-generated;
  • online shopping or e-commerce;
  • business-to-business software that is not accessible to the general public;
  • cloud storage;
  • shared document collaboration;
  • providing access to or interacting with data visualization platforms, libraries, or hubs;
  • to permit comments on a digital news website if the news content is posted only by the provider of the digital news website;
  • for the purpose of providing or obtaining technical support for the social media company’s social media platform, products, or services;
  • academic or scholarly research; and
  • other research (subject to limitations).

7. Unsolicited Commercial Communication

7.1. Arkansas Consumer Telephone Privacy Act/State Do Not Call List

Finding that unrestricted telemarketing can be an intrusive invasion of privacy, the Arkansas Legislature enacted the Arkansas Consumer Telephone Privacy Act under §§104(a) and (b) of Chapter 60 of Title 6 of the Ark. Code Ann. 4-99-401 et seq. of the Ark. Code Ann., with a focus on balancing individual privacy rights, public safety interests, and commercial freedom of speech and trade, in order to protect the privacy of individuals while permitting legitimate telemarketing practices (§ 4-99-402(a)(6) of the Ark. Code Ann.).

A state-wide Do-Not-Call database is established under § 4-99-404 of the Ark. Code Ann.. It is a violation to make or transmit a telephone solicitation to a telephone listed on the database (§ 4-99-405(1) of the Ark. Code Ann.).

Moreover, the following exceptions are provided to the scope of the Arkansas Consumer Telephone Privacy Act (§ 4-99-406 of the Ark. Code Ann.):

• any person who is a licensee, who is a resident of the State of Arkansas, and whose telephone call to the consumer is for the sole purpose of selling, exchanging, purchasing, renting, listing for sale or rent, or leasing real estate in accordance with the provisions for which they were licensed and not in conjunction with any other offer;
• any motor vehicle dealer, who is a resident of the State of Arkansas, and who maintains a current motor vehicle dealer's license issued by the Arkansas Motor Vehicle Commission, whose call to the consumer is for the sole purpose of selling, offering to sell, soliciting, or advertising the sale of motor vehicles in accordance with the provisions for which they were licensed and not in conjunction with any other offer;
• any agent, who maintains a current license as an insurance agent whose call to the consumer is for the purpose of soliciting, consulting, advising, or adjusting in the business of insurance;
• any broker-dealer, agent, or investment advisor registered by the Securities Commissioner pursuant to the provisions of § 23-42-301, et seq. of the Ark. Code Ann., whose telephone call to the consumer is for the purpose of effecting or attempting to affect the purchase or sale of securities or has the purpose of providing or seeking to provide investment or financial advice;
• any person calling on behalf of a charitable organization whose call to the consumer is for the sole purpose of soliciting for the charitable organization, and who receives no compensation as a result of their solicitation activities on behalf of the charitable organization;
• any person calling on behalf of a newspaper of general circulation whose call to the consumer is for the purpose of soliciting a subscription to the newspaper from the consumer or soliciting advertising from the consumer;
• telephone calls made on behalf of any federally chartered or state-chartered bank if the call to the consumer relates to banking services other than credit card offers. In no event must the telephone calls reference any form of credit card offer; and
• telephone calls made on behalf of a funeral establishment properly licensed, if the purpose of the telephone call relates to services provided by the funeral establishment in its ordinary course of business.

Any violation must constitute an unfair or deceptive act or practice as defined under § 4-88-101, et seq., of the Ark. Code Ann., and all authority is granted to the AG and all remedies available to the AG under § 4-88-101 et seq., of the Ark. Code Ann. are available to the AG for the enforcement of the Arkansas Telephone Privacy Act (§4-99-407 of the Ark. Code Ann.).

7.2. Unsolicited Commercial and Sexually Explicit Electronic Mail Prevention Act

The Unsolicited Commercial and Sexually Explicit Electronic Mail Prevention Act (codified at § 4-88-601 et seq. of the Ark. Code Ann.), requires senders of unsolicited commercial email to:

• conspicuously state the sender's name, street address, and valid internet domain name within the email;
• provide the recipient a convenient, no-cost mechanism to notify the sender not to send any future email; and
• conspicuously provide in the text of the email a notice informing the recipient of the recipient's right to opt-out.

Unsolicited commercial email means an electronic message, a file, data, or other information that is transmitted between two or more computers, computer networks, or electronic terminals, or within or between computer networks, without the recipient's express permission. Commercial email from a sender with whom the recipient has a pre-existing business or personal relationship is not unsolicited for the purpose of this statute.

8. Privacy Policies

8.1. State Agencies Operating or Maintaining Websites

State agencies that operate or maintain a website are required to incorporate and publish a machine-readable privacy policy onto each of their websites that include the following information (§ 114(b) of Chapter 1 of Title 25 of the Ark. Code Ann.):

• a description of the data the unit of Government or agency collects on its website, and how the data will be used by the unit of Government or agency;
• the type of data and the purposes for which data are shared with other entities;
• whether the unit of Government's or agency's data collecting and sharing practices are mandatory, or allow a browser to opt in or opt out of those practices;
• an explanation that certain information collected by the Governmental unit or agency is subject to disclosure under the Freedom of Information Act under §§104(a) and (b) of Chapter 60 of Title 6 of the Ark. Code Ann.;
• a link to or instructions for locating the website's policy reference file, which must identify the uniform resource locator for the website's policy statements and must indicate those portions of the website and the website's cookies that are covered by each statement; and
• a link to the website's human-readable privacy policy.

8.2. Post Secondary Institutions

Each postsecondary institution in Arkansas is required to adopt a privacy policy governing electronic communications transmitted over the institution's computer network system that is originated or received by a faculty member, staff member, or student.

The privacy policy must be included in each institution's student handbook and must be available on each institution's website (§ 6-61-126(a)(b) of the Ark. Code Ann.). The privacy policy must also include provisions identifying (§ 6-61-126(c) of the Ark. Code Ann.):

• the types of electronic communications that are not confidential;
• methods to be used by the institution to protect the confidentiality of personally identifiable electronic communications that are originated or received by a faculty member, staff member, or a student;
• procedures for releasing any confidential personally identifiable electronic communication that is originated or received by a faculty member, staff member, or a student; and
• any other information necessary for the institution's faculty, staff, and students to understand their rights and obligations under the policy.

The phrase 'electronic communication' is defined to include any electronic mail message transmitted through the international network of interconnected government, educational, and commercial computer networks and includes messages transmitted from or to any address affiliated with an internet site (§ 6-61-126(d) of the Ark. Code Ann.).

9. Data Disposal/Cybersecurity/Data Security

The secure destruction of consumer data is generally provided for under the Act, § 4-110-101 et seq., of the Ark. Code Ann. as discussed in the section on Personal Information Protection Act above.

Under the Act, a person or business must take all reasonable steps to destroy or arrange for the destruction of a customer's records within its custody or control containing personal information that is no longer to be retained by the person or business by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means (§ 4-110-104(a) of the Ark. Code Ann.).

A person or business that acquires, owns, or licenses personal information about an Arkansas resident must implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure (§ 4-110-104(b) of the Ark. Code Ann.).

Violations are enforced under the AG's consumer protection enforcement powers under §s 4-88-101, et seq., of the Ark. Code Ann. which generally provides for penalties of up to $10,000 per violation, recovery of actual financial loss, injunction on activity, incurred expenses and attorneys' fees (§ 4-110-108 of the Ark. Code Ann.).

10. Other Specific Jurisdictional Requirements

Not applicable.