Privacy Rules Put Arkansas In EU’s Web

Arkansas companies that are gathering any online information on European Union residents, regardless of whether they have an EU office or EU customers, must comply with the EU’s new General Data Protection Regulation or risk massive fines.

The GDPR was approved two years ago and went into effect on May 25.

It requires companies that interact with EU residents to make specific commitments and disclosures in their privacy policies and data management contracts, according to a recent release published by PPGMR Law PLLC of Little Rock.

The agreements have to tell EU residents how to access, change, receive or delete their personal information. “Personal information” is not just names and phone numbers. It’s also IP addresses, tracking cookies, device IDs, geo-locators and more.

The GDPR also requires companies to have a data protection officer, conduct a data privacy impact assessment, establish an internal data retention policy and develop a data breach response procedure that includes notifying users of a breach within 72 hours.

A company could be fined 20 million euros (even more dollars) or 4 percent of its total annual revenue, whichever is greater, for a major violation of the GDPR, according to PPGMR attorney Amanda Denton.

Denton said major violations include not getting EU residents’ explicit consent to collect their data or not providing the “right to be forgotten” to EU residents. The “right to be forgotten” is an individual’s right to have a company delete any data it has collected on that individual.

For lesser violations, like failing to notify users of a data breach within 72 hours, a company could be fined the greater of 10 million euros or 2 percent of its total annual revenue, Denton said.

She said several Arkansas companies that are clients of the firm have asked for help with GDPR compliance, but she declined to name them.

Denton added that the GDPR applies to any companies that contract with EU-based vendors.

Denton also said many consumers may have noticed one effect of the GDPR: emails notifying them of privacy policy changes.

She said most companies are applying the GDPR to all users because it is more difficult to identify EU residents and then apply the rules to just that group.

In addition, U.S. consumers are starting to take a more active role in protecting their privacy, mostly due to the Cambridge Analytica scandal. The political consulting firm obtained data on 50 million Facebook users without their permission.

The GDPR was not a reaction to this scandal, but its timing reinforces that it pays to be ahead of the curve when it comes to privacy, Denton said.

“Arkansas businesses are scrappy and capable. They’re ready to be on the forefront of what we need to do for the next generation of the internet,” she added. “So, if they were thinking ahead that way, they would start thinking the way of marketing in the future is to promote myself as a privacy-friendly company.”
