Two state laws that have been on the books for more than a year crossed into active enforcement on Tuesday with no grace period, no remediation window, and no soft-launch buffer - making July 1 a hard legal deadline for every technology company with users in Arkansas or Utah. One law categorically bans behavioral advertising against teenagers aged 13 to 16 using their personal data; the other requires social media platforms to open their data holdings to users who want to leave. Together, they represent the most consequential simultaneous state privacy law activation in U.S. history, arriving alongside Connecticut's own expansion of its data privacy statute on the same date and bringing the national total of states with comprehensive consumer privacy laws to 20.
Arkansas Closes the 26-Year Gap Federal Law Left Open
When Congress passed the Children's Online Privacy Protection Act in 1998, it drew the line of protection at age 13. Every American teenager who crossed that threshold entered a legal landscape that treated them, for data collection purposes, as indistinguishable from adults. Arkansas has now moved that line for the first time in any U.S. state.
The Arkansas Children and Teens' Online Privacy Protection Act - ACTOPPA - extends COPPA-style protections to users aged 13 through 16. Signed by Governor Sarah Huckabee Sanders in April 2025, it applies to any for-profit website, application, or online service that is directed at children or teens, or that has actual knowledge it is collecting personal data from users under 17. For children under 13, parental consent is required before any data collection. For the 13-16 bracket, the operator must obtain consent from either the teen or a parent.
The law's most structurally significant provision is an absolute ban on using minors' personal data for targeted behavioral advertising. That prohibition contains no consent exception. A parent cannot opt in on behalf of a 15-year-old to permit behavioral ad targeting. A teenager cannot consent to it themselves. The ban is categorical and unqualified - a deliberate departure from the opt-in frameworks that appear in other state privacy statutes and one that directly confronts the revenue model most large social media platforms have built around younger users.
The definition of personal information under ACTOPPA is broad, encompassing not only the expected identifiers - names, addresses, email, phone numbers, precise geolocation, and online identifiers - but also biometric data: fingerprints, voice prints, iris scans, and facial recognition templates. Platforms must maintain clear privacy notices, honor access and deletion requests from both teens and their parents, and implement reasonable data security measures. The Arkansas Attorney General holds exclusive enforcement authority starting Tuesday. There is no private right of action, and there is no cure period.
The compliance architecture ACTOPPA creates contains a notable tension. The law does not require platforms to verify users' ages or to build age-gating systems - a deliberate choice that distances it from Arkansas's earlier Social Media Safety Act, which a federal district court permanently enjoined in March 2025 after finding its mandatory third-party age verification requirement unconstitutional. ACTOPPA's trigger is "actual knowledge," the same standard used in federal COPPA. But legal analysts, including attorneys at Davis Wright Tremaine and WilmerHale, have flagged a practical consequence: platforms that use age-signaling tools - such as age-bracketed consent flows or Apple's Declared Age Range API, which returns an age bracket without transmitting a user's actual birthdate - may be deemed to have actual knowledge of teen users the moment those signals arrive. A platform that receives a signal placing a user in the 13-15 bracket has, by most reasonable interpretation, acquired actual knowledge. ACTOPPA's full obligations attach immediately.
The result is a compliance calculation that runs in opposite directions depending on a platform's current architecture. Operators who want to remain outside ACTOPPA's scope must avoid systems that generate reliable age signals. Operators who want to comply must ensure that, once any age signal arrives, consent mechanisms and data minimization practices are already in place. The Arkansas Attorney General's office had issued no interpretive guidance as of Tuesday's effective date.
Utah Mandates the Open Door That Network Effects Have Kept Shut
The Utah Digital Choice Act, enacted as part of HB 418 and signed by Governor Spencer Cox in March 2025, addresses a different kind of coercion - one that operates not through surveillance but through inertia. Social media platforms retain users not only because of the quality of their product but because leaving means abandoning years of posts, photographs, interaction history, and connection lists that cannot easily be moved elsewhere. The data silo is, functionally, a retention mechanism.
Starting Tuesday, that mechanism faces a legal check in Utah. Social media operators serving Utah users must, upon request, provide a complete personal data archive - posts, connections, interaction history, likes, metadata - within five business days. They must also support real-time, continuous data sharing through open, publicly accessible interoperability interfaces that allow users to transfer their data to competing services.
The law does not mandate a specific technical protocol, but the Utah Division of Consumer Protection has rulemaking authority to designate qualifying open standards, and platforms that adopt a designated protocol receive a presumption of compliance. Two protocols already in active use fit the law's requirements. ActivityPub, standardized by the World Wide Web Consortium in January 2018 and adopted by Mastodon and Meta's Threads, defines a server-to-server delivery protocol using HTTP as its transport layer and JSON-LD Activity Streams objects as its data format, enabling platforms to exchange posts and social connections without a central intermediary. Bluesky's AT Protocol takes a structurally different approach, embedding portable user identity into the protocol architecture itself: rather than tying a user's identity to a specific server, the AT Protocol stores each user's posts and social graph in a personal data repository that travels with the user's identifier, making migration technically more straightforward than ActivityPub's current implementation allows.
The Utah law includes important carve-outs. Platforms are not required to expose proprietary algorithms, internal ranking systems, or internally derived data about users. Third-party content - comments posted by other users - can only travel in a transfer if the commenting user has separately consented. Platforms may set reasonable thresholds on request frequency and volume before charging fees. A companion correction right, broader in scope, allows any Utah consumer to request that a business fix inaccurate personal data within 45 days, applying across all operators subject to the Utah Consumer Privacy Act, not only social media companies.
A Regulatory Posture Built on Assumed Readiness
Taken together, ACTOPPA and the Digital Choice Act reflect a maturing posture in state privacy legislation - one that no longer treats large technology companies as parties that need time to discover their obligations. Cure periods, once standard features of early state privacy laws, are absent from both statutes. Both laws were signed more than a year before their effective dates, and both carry immediate enforcement risk from the moment they took effect.
The two laws also represent distinct fronts of the same broader campaign. Arkansas is acting on the youth protection front, filling a gap in federal law that has persisted for more than a quarter century since COPPA took effect. Utah is acting on the structural competition front, using portability and interoperability mandates to reduce the network-effect advantage that allows dominant platforms to retain users independent of product quality or user preference.
Neither approach waits for federal action. The U.S. Congress has considered comprehensive federal privacy legislation repeatedly without passing it; the patchwork of state laws now in effect across 20 states is the direct consequence. For technology companies operating at national scale, the practical effect is a compliance map that keeps expanding - and that, as of Tuesday, includes two states that have made clear they intend to enforce from day one.
