Last Updated: September 24th, 2024
1. Please Read Carefully
This Privacy Policy governs your access to and use of the websites, mobile applications, and all other services (collectively, the “Services”) provided by Watermark Chiropractic PLLC (referred to as “Company”). It describes the information that Company collects about you through our website(s), mobile application, and any other services we provide, how we use and share that information, who will have access to the information we collect, and the security measures Company offers to protect your information. This policy applies to information we collect when you access or use our website(s) (“Site”) and mobile application (“App”) (the Site and App may hereinafter collectively be referred to as the “Platform”), when you use our Services or when you otherwise interact with us.
When you create, register or log into an account through our platforms, you are automatically accepting and agreeing to the most-recent version of this Privacy Policy, as well as the Site’s and the App’s Terms and Conditions.
Similarly, by visiting, accessing or using the Platform, you are automatically accepting and agreeing to the most-recent version of this Privacy Policy, as well as the Site’s and the App’s Terms and Conditions, and your continuing visit, access or use of the Site or the App reaffirms your acceptance and agreement in each instance.
2. Changes to this Privacy Policy
We may change this Privacy Policy from time to time. If we make changes, we will notify you by posting the updated policy on our Platform and revising the “Last Updated” date above. We encourage you to review the Privacy Policy whenever you use our Services to stay informed about our information practices and about ways you can help protect your privacy.
3. Confidentiality of Health Information
Health information that Company receives and/or creates about you, personally, relating to your past, present, or future health, treatment, or payment for healthcare services, may be “protected health information” under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”). Your health information may also be protected by state privacy laws and regulations.
Company understands that health information about you and your health is personal. We support your privacy and ensure that the transmittal and use of your information complies with all laws, except to the extent that you have authorized Company to transmit information to you by other means. In this regard, where applicable, we comply with HIPAA, HITECH, and other relevant state laws and regulations by entering into Business Associate Agreements with the treatment providers for which we provide services to ensure that your protected health information is appropriately safeguarded.
You will find more specific information below in the Notice of Privacy Practices about how we collect your protected health information, how we use or disclose it, and what your rights are regarding your protected health information.
4. Use of Services
Your access to and use of our Services are subject to certain terms and conditions, which are set forth in our Terms of Use.
5. Collection of Information
- 5.1. Information You Provide
We collect information you provide, such as when you email us, sign up through our Platform, or submit information through our Platform. We may collect, but are not limited to collecting, the following information: your name, gender, email address, mailing address, phone number, date of birth, payment and bank information provided through the use of our website.
- 5.2. Children
Company provides content on its Platform intended for use only by persons eighteen (18) years of age and older. Neither the Site nor the App is designed or intended to attract, or is directed to, children under 18 years of age, let alone children under thirteen (13) years of age. Company does not knowingly collect or maintain personally identifiable information from persons under 18 years of age without verifiable parental consent. If you are under 18 years of age, then please do not use the Services without parental consent.
If Company learns that personally identifiable information of persons less than 18 years of age has been collected without verifiable parental consent, then Company will take the appropriate steps to delete this information. If you are a parent and know that your child of less than 18 years of age is using our Platform, you can make a request to delete their information (“Request for Removal of Minor Information”) from our Platform by contacting us at watermarkchiro@outlook.com.
Please submit any such Request for Removal of Minor Information to any one of the following:
- 1. By e-mail:
watermarkchiro@outlook.com, with a subject line of “Removal of Minor Information.”
- 2. By U.S. mail:
If you send a Request for Removal of Minor Information by mail, then please do so by U.S. Certified Mail, Return Receipt Requested to allow for confirmation of mailing, delivery and tracking. Company will not accept any Request for Removal of Minor Information via telephone or facsimile. Company is not responsible for failing to comply with any Request for Removal of Minor Information that is incomplete, incorrectly labeled or incorrectly sent.
Address:
Watermark Chiropractic – Privacy Compliance
501 West Emma Ave, Springdale, AR 72764
For each Request for Removal of Minor Information, please state “Removal of Minor Information” in the e-mail or letter subject line, and clearly state the following in the body:
- a. the nature of your request;
- b. the identity of the content or information to be removed;
- c. whether such content or information is found on the Site or the App;
- d. the location of the content or information on the Site or the App (e.g., providing the URL for the specific web page the content or information is found on);
- e. that the request is related to the “Removal of Minor Information;”
- f. your name, street address, city, state, zip code and e-mail address; and
- g. whether you prefer to receive a response to your request by mail or e-mail.
Please note that the aforementioned removal does not ensure complete or comprehensive removal of such content or information posted on the Site or the App.
Also, please note that Company is not required to erase or otherwise eliminate, or to enable erasure or elimination of, such content or information in certain circumstances, such as, for example, when an international, federal, state, or local law, rule or regulation requires Company to maintain the content or information; when the content or information is stored on or posted to the Site by a third party other than you (including any content or information posted by you that was stored, republished or reposted by the third party); when Company anonymizes the content or information so that you cannot be individually identified; when you do not follow the aforementioned instructions for requesting the removal of the content or information; and when you have received compensation or other consideration for providing the content or information.
The foregoing is a description of Company’s voluntary practices concerning the collection of personal information through the Site from certain minors, and is not intended to be an admission that Company is subject to the Children’s Online Privacy Protection Act, the Federal Trade Commission’s Children’s Online Privacy Protection Rule(s), or any similar international, federal, state, or local laws, rules, or regulations.
- 5.3. Information We Collect from Your Use of the Services
We collect information about you when you use our Platform, including, but not limited to the following:
- Account Information. When you register with us using the Platform to create an account and become a registered user, you will need to provide us with certain personally identifiable information to complete the registration, including information that can be used to contact or identify you and payment or other billing information in some cases.
- Device Information. We may automatically collect certain information about the computer or devices (including mobile devices) you use to access the Services. For example, we may collect and analyze information such as (a) IP addresses, geolocation information (as described in the next section below), unique device identifiers and other information about your mobile phone or other mobile device(s), browser types, browser language, operating system, the state or country from which you accessed the Services; and (b) information related to the ways in which you interact with the Services, such as: referring and exit pages and URLs, platform type, the number of clicks, domain names, landing pages, pages and content viewed and the order of those pages, the amount of time spent on particular pages, the date and time you used the Services, the frequency of your use of the Services, error logs, and other similar information. As described further below, we may use third-party analytics providers or service providers and technologies, including cookies and similar tools, to assist in collecting this information.
- Location Information. We may collect different types of information about your location, including general information (e.g., IP address, zip code) and more specific information (e.g., GPS-based functionality on mobile devices used to access the Services), and may use that information to customize the Services with location-based information, advertising, and features. For example, if your IP address indicates an origin in Springdale, Arkansas, the Services may be customized with Springdale-specific information and advertisements. In order to do this, your location information may be shared with our agents, third party vendors or third party advertisers. If you access the Services through a mobile device and you do not want your device to provide us with location-tracking information, you can disable the GPS or other location-tracking functions on your device, provided your device allows you to do this. See your device manufacturer’s instructions for further details.
- Cookies and Other Electronic Technologies. We may use the tools outlined below in order to better understand users. As we adopt additional technologies, we may also gather additional information through other methods.
- Cookies: “Cookies” are small computer files transferred to your computing device that contain information such as user ID, user preferences, lists of pages visited and activities conducted while using the Services. We use Cookies to help us improve or tailor the Services by tracking your navigation habits, storing your authentication status so you do not have to re-enter your credentials each time you use the Services, customizing your experience with the Services, and for analytics and fraud prevention.
We may use a type of advertising commonly known as interest-based or online behavioral advertising, discussed in more detail below in the Section titled “Online Behavioral Advertising”. This means that some of our third-party business partners use Cookies to display Company ads on other websites and services based on information about your use of the Services and on your interests (as inferred from your online activity). Other Cookies used by our business partners may collect information when you use the Services, such as the IP address, mobile device ID, operating system, browser, web page interactions, the geographic location of your internet service provider, and demographic information such as sex and age range. These Cookies help Company learn more about our users’ demographics and internet behaviors.
For more information on cookies, visit http://www.allaboutcookies.org.
- Web Beacons: “Web Beacons” (a.k.a. clear GIFs or pixel tags) are tiny graphic image files embedded in a web page or email that may be used to collect anonymous information about your use of our Services, the websites of selected advertisers, and the emails, special promotions or newsletters that we send you. The information collected by Web Beacons allows us to analyze how many people are using the Services, using the selected advertisers’ websites or opening our emails, and for what purpose, and also allows us to enhance our interest-based advertising.
- Platform Analytics: We may use third-party analytics services in connection with the Platform, including, for example, to register mouse clicks, mouse movements, scrolling activity and text that you type into the Platform. These analytics services generally do not collect personal information unless you voluntarily provide it and generally do not track your browsing habits across sites which do not use their services. We use the information collected from these services to help make the Platform easier to use.
- Mobile Device Identifiers: Mobile device identifiers are data stored on your mobile device that may track the mobile device and the data and activities occurring on and through it, as well as the applications installed on it. Mobile device identifiers enable collection of personal information (such as media access control address and location) and traffic data. Mobile device identifiers help Company learn more about our users’ demographics and internet behaviors.
- 5.4. Information from Third Parties
We may obtain additional information about you from third parties such as marketers, partners, researchers, and others. We may combine information that we collect from you with information about you that we obtain from such third parties and information derived from any other subscription, product, or service we provide.
- 5.5. Aggregate or De-identified Data
We may aggregate and/or de-identify information collected by the Services or via other means so that the information is not intended to identify you. Our use and disclosure of aggregated and/or de-identified information is not subject to any restrictions under this Privacy Policy, and we may disclose it to others without limitation for any purpose, in accordance with applicable laws and regulations.
6. Use of Information
We use the information that we collect for the following purposes:
- For the purposes for which you provided the information.
- To contact you when necessary or requested.
- To personalize your experience with the Services by informing you of products, programs, events, services, and promotions of Company, our affiliates, our partners and/or third parties that we believe may be of interest to you (see the “Opt-In Policy” below).
- To fulfill your purchase from us, including, to process your payments, communicate with you regarding your purchase or provide you with related customer service.
- To send mobile notifications (you may opt-out of this service).
- To provide, maintain, administer, improve, or expand the Services, perform business analyses, or for other internal purposes to support, improve or enhance our business, the Services, and other products and services we offer.
- To customize and tailor your experience of the Services.
- To send emails and other communications that display content that we think will interest you and according to your preferences.
- To send you news and information about our Services.
- To track and analyze trends and usage in connection with our Services.
- To better understand who uses the Services and how we can deliver a better user experience.
- To combine information received from third parties with the information that we have from or about you and use the combined information for any of the purposes described in this Privacy Policy.
- To conduct research and measurement activities for purposes of product and service research and development, advertising claim substantiation, market research, and other activities related to Company, the Site, the App and/or their respective products and/or services.
- To place and track orders for prescription drugs and other products on your behalf.
- To use statistical information that we collect in any way permitted by law, including from third parties in connection with their commercial and marketing efforts.
- To prevent, detect, and investigate security breaches, fraud, and other potentially illegal or prohibited activities.
- To enforce the legal terms that govern your use of the Services.
- To protect our rights or property.
- To administer and troubleshoot the Services.
- For any other purpose disclosed to you in connection with our Services.
We may use third-party service providers to process and store personal information in the United States and other countries.
7. Sharing of Information
We may share personal information about you as follows:
- With third parties to provide, maintain, and improve our Services, including service providers who access information about you to perform services on our behalf.
- With our affiliates and partners, vendors and those respective contractors who may provide you healthcare services or other vendors, or other healthcare-related product orders, so that they may use such information for the purposes described in this Privacy Policy.
- With our affiliates, partners or other third parties to allow them to contact you regarding products, programs, services, and promotions that we and/or they believe may be of interest to you (See the “Opt-In Policy” below).
- In connection with, or during the negotiation of, any merger, sale of Company stock or assets, financing, acquisition, divestiture or dissolution of all or a portion of our business (but only under non-disclosure and confidentiality agreements and protections).
- If we believe that disclosure is reasonably necessary to comply with any applicable law, regulation, legal process or governmental request; to enforce applicable user agreements or policies; to protect the security or integrity of our Services; and to protect us, our users or the public from harm or illegal activities.
- With your consent.
We may also share aggregated, non-personally identifiable information with third parties for any purpose because we have taken reasonable steps to carefully remove any identifiers that may personally identify you.
8. Opt-In Policy
When you supply us with personally identifiable information in connection with your use of the Services, you may be asked to indicate whether you are interested in receiving information from us about our product and service offerings and if you would like us to share personally identifiable information about you with our affiliates, partners or other third parties for their marketing purposes. If you do choose to opt-in, you will receive such communications and/or we will share your information in accordance with your “opt-in” consent.
You may, of course, choose not to receive additional marketing information from us or choose not to allow our sharing of your personally identifiable information as follows: at any time, you can follow a link provided in our marketing-related email messages (but excluding e-commerce confirmations and other administrative emails) to opt out from receiving such communications; or at any time, you can contact us in accordance with the “Contact Us” section below to opt out from receiving such communications.
If you decide to contact us to change your contact preferences to opt out of receiving communications from us, please specify clearly which of the following choices you are opting out of: (a) receiving marketing communications from us; (b) allowing us to share personally identifiable information about you with our affiliates and partners for their marketing purposes; and/or (c) allowing us to share personally identifiable information about you with other third parties for their marketing purposes.
We will endeavor to implement your requested change as soon as reasonably practicable after receiving your request. Please be aware that your requested change will not be effective until we implement such change. Please note that if you choose not to allow our sharing of your personally identifiable information, we are not responsible for removing your personally identifiable information from the databases of third parties with which we have already shared your personally identifiable information as of the date that we implement your request. If you wish to cease receiving marketing-related e-mails from these third parties, please contact them directly or utilize any opt-out mechanisms in their privacy policies or marketing-related e-mails.
Please note that if you do opt-out of receiving marketing-related messages from us, we may still send you important administrative messages. You cannot opt-out from receiving these administrative messages. We reserve the right, from time to time, to contact former customers or users of the Services for administrative purposes or in order to comply with applicable laws, rules or regulations.
9. Social Media and Third Party Platforms
Certain sections or functionalities on our Platform’s Services you engage with may permit you to share information on websites that are owned or operated by other companies, including third party social media sites or platforms such as Facebook, Instagram, LinkedIn, Twitter, or other similar sites (collectively, “Third-Party Websites”). When you use a link online to visit a Third-Party Website, you will be subject to that website’s privacy and security practices, which may differ from ours. You should familiarize yourself with the privacy policy, terms of use and security practices of the linked Third-Party Website before providing any information on that website. Company does not own or control such Third-Party Websites, and posting your information on Third-Party Websites is subject to the third party’s Privacy Policy and other legal terms, which may not provide privacy protections with which you agree. Company is not responsible for any act or omission of any Third-Party Website, nor are we responsible for the consequences of your choice to share your information on Third-Party Websites.
10. Security
We take reasonable measures, including administrative, technical, and physical safeguards, to help protect personal information from loss, theft, misuse, unauthorized access, disclosure, alteration, and destruction. Unfortunately, no data transmission over the Internet can be guaranteed to be 100% secure. As a result, while we strive to protect your personal information, Company cannot ensure or warrant the security of any information you transmit to us or from our online products or services, and you do so at your own risk. Please note that information you send to us electronically may not be secure when it is transmitted to us. We recommend that you do not use unsecure channels to communicate sensitive or confidential information (such as your Social Security number) to us. To help maintain the security of your personal information, we ask that you please notify us immediately of any unauthorized visit, access or use of the Site and/or the App, or the loss or unauthorized use of your user access information for the Site and/or the App (e.g., username or password).
11. Your Privacy Choices
- 11.1. How You Can Access and Update Your Information
You may update or correct information about yourself at any time by emailing us at watermarkchiro@outlook.com.
- 11.2. Cookies
Most web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove or reject cookies; however, our Services may not function properly if you do so.
- 11.3. Options for Opting out of Cookies and Mobile Device Identifiers
If you are interested in more information about online behavioral advertising/interest-based advertising and how you can generally control cookies from being put on your computer to deliver tailored advertising, you may visit the Network Advertising Initiative’s Consumer Opt-Out link, the Digital Advertising Alliance’s Consumer Opt-Out link or TRUSTe’s Advertising Choices Page to opt-out of receiving tailored advertising from companies that participate in those programs.
Please note that even after opting out of interest-based advertising, you may still see Company’s advertisements that are not interest-based (i.e., not targeted toward you). Also, opting out does not mean that Company is no longer using its tracking tools—Company still may collect information about your use of the Services even after you have opted out of interest-based advertisements and may still serve advertisements to you via the Services based on information it collects via the Services.
- 11.4. How Company Responds to Browser “Do Not Track” Signals
We are committed to providing you with meaningful choices about the information collected on our Platform for third-party purposes, which is why we provide above the Network Advertising Initiative’s “Consumer Opt-out” link, Digital Advertising Alliance’s Consumer Opt-Out Link, and TRUSTe’s Advertising Choices page. However, we do not recognize or respond to browser-initiated Do Not Track signals, as the Internet industry is currently still working on Do Not Track standards, implementations and solutions. For more information about DNT signals, visit http://allaboutdnt.com.
- 11.5. Links to Other Websites
Our Services may contain links to other Third-Party Websites, and those websites may not follow the same privacy practices as Company. We are not responsible for the privacy practices of Third-Party Websites. We encourage you to read the privacy policies of such third parties to learn more about their privacy practices.
- 11.6. No Rights of Third Parties
This Privacy Policy does not create rights enforceable by third parties.
- 11.7. How to Contact Us
Please contact us with any questions or concerns regarding this Privacy Policy. You may send mail or courier to Watermark Chiropractic at 501 West Emma Ave STE A, Springdale, AR 72764, or send an email to: watermarkchiro@outlook.com.
12. Notice of Privacy Practices
Company is dedicated to maintaining the privacy of your protected health information (“PHI”). PHI is information about you that may be used to identify you (such as your name, social security number or address), and that relates to (a) your past, present or future physical or mental health or condition, (b) the provision of healthcare to you, or (c) your past, present, or future payment for the provision of healthcare. In conducting its business, Company may receive and create records containing your PHI. Company is required by law to maintain the privacy of your PHI and to provide you with notice of its legal duties and privacy practices with respect to your PHI.
Company must abide by the terms of this Notice while it is in effect. This Notice is in effect from the date noted above until Company replaces it. Company reserves the right to change the terms of this Notice at any time, as long as the changes are in compliance with applicable law. If Company changes the terms of this Notice, the new terms will apply to all PHI that it maintains, including PHI that was created or received before such changes were made. If Company changes this Notice, it will post the new Notice on its Platform and will make the new Notice available upon request.
- 12.1 Use and disclose your PHI
Company may use and disclose your PHI in the following ways:
1) Treatment, Payment and Healthcare Operations.
Company is permitted to use and disclose your PHI for purposes of (a) treatment, (b) payment and (c) healthcare operations. For example:
- Treatment. Company may disclose your PHI to a physician in connection with the provision of treatment to you.
- Payment. Company may use and disclose your PHI to your health insurer or health plan in connection with the processing and payment of claims and other charges.
- Healthcare Operations. Company may use and disclose your PHI in connection with its healthcare operations, such as providing customer services and conducting quality review assessments. Company may engage third parties to provide various services for Company. If any such third party must have access to your PHI in order to perform its services, Company will require that third party to enter an agreement that binds the third party to the use and disclosure restrictions outlined in this Notice.
2) Authorization.
Company is permitted to use and disclose your PHI upon your written authorization, to the extent such use or disclosure is consistent with your authorization. You may revoke any such authorization at any time.
3) As Required by Law.
Company may use and disclose your PHI to the extent required by law.
4) Special Circumstances.
The following categories describe unique circumstances in which Company may use or disclose your PHI:
- Public Health Activities. Company may disclose your PHI to public health authorities or other governmental authorities for purposes including preventing and controlling disease, reporting child abuse or neglect, reporting domestic violence and reporting to the Food and Drug Administration regarding the quality, safety and effectiveness of a regulated product or activity. Company may, in certain circumstances, disclose PHI to persons who have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition.
- Workers’ Compensation. Company may disclose your PHI as authorized by, and to the extent necessary to comply with, workers’ compensation programs and other similar programs relating to work-related illnesses or injuries.
- Health Oversight Activities. Company may disclose your PHI to a health oversight agency for authorized activities such as audits, investigations, inspections, licensing and disciplinary actions relating to the healthcare system or government benefit programs.
- Judicial and Administrative Proceedings. Company may disclose your PHI, in certain circumstances, as permitted by applicable law, in response to an order from a court or administrative agency, or in response to a subpoena or discovery request.
- Law Enforcement. Company may, under certain circumstances, disclose your PHI to a law enforcement official, such as for purposes of identifying or locating a suspect, fugitive, material witness or missing person.
- Decedents. Company may, under certain circumstances, disclose PHI to coroners, medical examiners and funeral directors for purposes such as identification, determining the cause of death and fulfilling duties relating to decedents.
- Organ Procurement. Company may, under certain circumstances, use or disclose PHI for the purposes of organ donation and transplantation.
- Research. Company may, under certain circumstances, use or disclose PHI that is necessary for research purposes.
- Threat to Health or Safety. Company may, under certain circumstances, use or disclose PHI if necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
- Specialized Government Functions. Company may, in certain situations, use and disclose PHI of persons who are, or were, in the Armed Forces for purposes such as ensuring proper execution of a military mission or determining entitlement to benefits. Company may also disclose PHI to federal officials for intelligence and national security purposes.
- 12.2 Your Rights Regarding Your PHI
You have the following rights regarding the PHI maintained by Company:
1) Confidential Communication.
You have the right to receive confidential communications of your PHI. You may request that Company communicate with you through alternate means or at an alternate location, and Company will accommodate your reasonable requests. You must submit your request in writing to Company.
2) Restrictions.
You have the right to request restrictions on certain uses and disclosures of PHI for treatment, payment or healthcare operations. You also have the right to request that Company limit its disclosures of PHI to only certain individuals involved in your care or the payment of your care. You must submit your request in writing to Company. Company is not required to comply with your request. However, if Company agrees to comply with your request, it will be bound by such agreement, except when otherwise required by law or in the event of an emergency.
3) Inspection and Copies.
You have the right to inspect and copy your PHI. You must submit your request in writing to Company. Company may impose a fee for the costs of copying, mailing, labor and supplies associated with your request. Company may deny your request to inspect and/or copy your PHI in certain limited circumstances. If that occurs, Company will inform you of the reason for the denial, and you may request a review of the denial.
4) Amendment.
You have a right to request that Company amend your PHI if you believe it is incorrect or incomplete, and you may request an amendment for as long as the information is maintained by Company. You must submit your request in writing to Company and provide a reason to support the requested amendment. Company may, under certain circumstances, deny your request by sending you a written notice of denial. If Company denies your request, you will be permitted to submit a statement of disagreement for inclusion in your records.
5) Accounting of Disclosures.
You have a right to receive an accounting of all disclosures Company has made of your PHI. However, that right does not include disclosures made for treatment, payment or healthcare operations, disclosures made to you about your treatment, disclosures made pursuant to an authorization, and certain other disclosures. You must submit your request in writing to Company and you must specify the time period involved (which must be for a period of time less than six years from the date of the disclosure). Your first accounting will be free of charge. However, Company may charge you for the costs involved in fulfilling any additional request made within a period of 12 months. Company will inform you of such costs in advance, so that you may withdraw or modify your request to save costs.
6) Breach Notification.
You have the right to be notified in the event that Company (or a Company Business Associate) discovers a breach of unsecured PHI.
7) Paper Copy.
You have the right to obtain a paper copy of this Notice from Company at any time upon request. To obtain a paper copy of this notice, please contact Company by calling (415) 209-5810.
8) Complaint.
You may complain to Company and to the Secretary of the Department of Health and Human Services if you believe that your privacy rights have been violated. To file a complaint with Company, you must submit a statement in writing to Company at watermarkchiro@outlook.com. Company will not retaliate against you for filing a complaint.
9) Further Information.
If you would like more information about your privacy rights, please contact Company by calling (480) 245-5960 and ask to speak to the Privacy and Security Officer. To the extent you are required to send a written request to Company to exercise any right described in this Notice, you must submit your request to watermarkchiro@outlook.com.
13. Arkansas Privacy Notice
The Arkansas Personal Information Protection Act requires persons and businesses to take reasonable steps to destroy or arrange for the destruction of customer records within their (the persons or businesses’) custody or control. Persons and businesses must destroy customer records if those records contain personal information that the person or business is to no longer retain.
The Arkansas Personal Information Protection Act also requires that a person or business that acquires, owns, or licenses personal information about an Arkansas resident:
- Implement and maintain reasonable security procedures and practices that are appropriate to the nature of the information, to protect personal information from unauthorized access, destruction, use, modification, or disclosure.
With respect to breach notification, the Arkansas Personal Information Protection Act requires that any person or business that acquires, owns, or licenses computerized data that includes personal information must disclose certain breaches of the security of the system. Breaches of the security system must be disclosed to any resident of Arkansas whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
In addition, persons or businesses maintaining computerized data containing personal information that the person or business does not own must notify the owner or licensee of the information of a breach, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
Amended Arkansas Personal Information Protection Act Data Security Requirements
Before the amendments to the Arkansas Personal Information Protection Act, personal information was defined as:
- An individual’s first name or first initial and his or her last name in combination with any one (1) or more of the following data elements when either the name or the data element is not encrypted or redacted:
- Social Security number;
- Driver’s license number or Arkansas identification;
- Account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account; and
- Medical information.
The Arkansas Personal Information Protection Act has been amended by adding biometric data to the definition of personal information.
Under the amended Arkansas Personal Information Protection Act, biometric data is defined as data generated by automatic measurements of an individual’s biological characteristics, including (but not limited to):
- Fingerprints;
- Faceprint;
- A retinal or iris scan;
- Hand geometry;
- Voiceprint analysis;
- DNA; or
- Any other unique biological characteristics of an individual if the characteristics are used by an owner or licensee (someone who has a license) of personal information to uniquely authenticate the individual’s identity when the individual accesses a system or account.
Amended Arkansas Personal Information Protection Act Breach Notification Requirements
The amended Arkansas Personal Information Protection Act adds a breach notification requirement to those listed above.
The new requirement is as follows:
- If a breach of the security of a system affects the personal information of more than 1,000 individuals, the person or business required to make a disclosure of the breach must also:
- At the same time, or within 45 days after the person or business determines that there has been a reasonable likelihood of harm to customers, whichever occurs first, disclose the security breach to the Arkansas Attorney General.
The amended Arkansas Personal Information Protection Act does not apply to a person or business that is regulated by a state or federal law that provides greater protection to personal information, and at least as thorough disclosure requirements for breaches of the security of personal information, than that provided by the Arkansas Personal Information Protection Act. Arkansas law deems compliance with the state or federal law to be compliance with the amended Arkansas Personal Information Protection Act.