What are the app store accountability acts?

Texas, Utah, and Louisiana have each enacted an app store accountability act (ASAA). These laws impose requirements on app stores and app developers related to the use of mobile apps by minors (anyone under the age of 18). The ASAA definitions of “app store” vary by law, but they generally refer to a publicly available website, software application, or electronic service that allows users to download applications from third-party developers onto a mobile device. “Developer” is typically defined as a person that owns or controls an app made available through an app store in the state.

California’s Digital Age Assurance Act (DAAA) similarly imposes age verification requirements on app stores and developers, but it materially differs from the ASAAs. The law additionally regulates “operating system providers,” defined as a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device.

What do the ASAAs require of app stores?

While the exact requirements vary from law to law, generally, app stores must:

• At the time an individual creates an account with the app store:
  • Request age information from the individual; and
  • Verify the individual’s age category using:
    • Commercially available methods that are reasonably designed to ensure accuracy; or
    • An age verification method or process approved by the state regulator.
• For minors (under 18):
  • Require that the minor’s account be affiliated with a parent account; and
  • Obtain verifiable parental consent from the holder of the affiliated parent account before allowing the minor to download or purchase an app or make an in-app purchase.
  • Pass the age range information (e.g., under 13, 13 – 15, 16 – 17, or 18+) to the developer.
• After receiving notice of a significant change to an app from a developer:
  • Notify users of the app of the significant change; and
  • For a minor account:
    • Notify the holder of the affiliated parent account; and
    • Obtain renewed verifiable parental consent.
  • In response to a developer’s request, provide the developer with the age category data for a user and the status of verifiable parental consent for a minor user.
• Notify a developer when a parent revokes consent.
• Protect age verification data by:
  • Limiting collection and processing to what is necessary to verify a user’s age, obtain parental consent, and maintain compliance records; and
  • Transmitting age verification data using industry-standard encryption protocols that ensure data integrity and confidentiality.

What do the ASAAs require of app developers?

While the exact requirements vary from law to law, generally, app developers must:

• Assign an age rating to each app and each purchase that can be made through the app.
• Provide the app store with each assigned age rating and a description of what elements in the app led to each rating.
• Provide notice to the app store of significant changes to the terms of service or privacy policy applicable to the app.
• Use information received from the app store to verify each app user’s age category and, if the user is a minor, whether the user’s parent or guardian has consented to the relevant download or purchase.
• Request personal age verification data or parental consent:
  • At the time a user downloads or purchases an app;
  • When implementing a significant change to an app; or
  • To comply with applicable laws or regulations.
• Use information received from app store only to:
  • Enforce app age restrictions and protections;
  • Ensure compliance with applicable laws and regulations; and
  • Implement safety-related features and default settings.

The requirements of each law differ slightly by state. Texas, for example, requires developers to delete the information provided by the app store after completing the age and consent verification. Louisiana, meanwhile, provides that developers – in addition to app stores – must require a minor’s account to be affiliated with a parent account and obtain verifiable parental consent before allowing the minor to download or purchase an app or make an in-app purchase.

What does the DAAA require of developers, operating system providers, and app stores?

Developers must request an age signal with respect to a particular user from an operating system provider or app store when the app is downloaded and launched.

Operating system providers must:

• Provide an accessible interface at account setup that requires an account holder to indicate the birth date, age, or both, of the user of that device for the purpose of providing a signal regarding the user’s age category to apps.
• Provide a developer who has requested a signal with respect to a user with a digital signal via a reasonably consistent real-time application programming interface (API) that identifies the user’s age category.
• Send only the minimum amount of information necessary to comply with the DAAA.
• Comply with the DAAA in a nondiscriminatory manner, including imposing at least the same restrictions and obligations on its own apps and app distribution as it does on those from third-party apps or app distributors.

App stores also must comply with the DAAA in a nondiscriminatory manner, including imposing at least the same restrictions and obligations on their own apps and app distribution as they do on those from third-party apps or app distributors. As noted above, the DAAA requires that developers request an age signal from an operating system provider or app store. However, the DAAA does not explicitly require that an app store provide a developer any information in response to the signal.

What are the age categories?

The ASAAs’ and DAAA’s age categories include “child” (under 13), “younger teenager” (13 – 15), “older teenager” (16 – 17), and “adult” (18+).

• App stores and developers would be required to comply with the Children’s Online Privacy Protection Act (COPPA) with respect to any users in the “child” category. COPPA applies to (1) any operator of a website or online service directed to children under 13 or (2) any operator that has actual knowledge that it is collecting or maintaining personal information from a child under 13. When an app store or developer learns that a user is in the “child” category, the app store or developer would be considered to have “actual knowledge” that it is collecting or maintaining personal information from a child under 13.
• “Child,” “younger teenager,” and “older teenager” users may only download or purchase apps or make in-app purchases with parental consent. For these users, developers must implement any restrictions or safety features the developer has designed for the age of the user.
• The ASAAs do not impose any restrictions on “adult” users. However, companies will need to consider how to transition “older teenager” accounts to “adult” accounts once a user turns 18.

What conduct do the ASAAs prohibit?

Once again, the laws vary, but uniformly they prohibit:

• An app store or developer from enforcing a contract or terms of service against a minor unless the app store or developer has obtained verifiable parental consent;
• An app store or developer from knowingly misrepresenting the information in the parental consent disclosure;
• An app store from sharing personal age verification data except between an app store and a developer as required by the ASAA or as required by law; and
• A developer sharing age category data with any person.

What conduct does the DAAA prohibit?

Operating system providers are prohibited from:

• Sharing the digital signal information with a third party for a purpose not required by the DAAA; and
• Using data collected from a third party in the course of compliance with the DAAA to compete against that third party, give the app store’s services preference relative to those of a third party, or to otherwise use this data or consent mechanism in an anticompetitive manner.

Developers are prohibited from:

• Requesting more information from an operating system provider or an app store than the minimum amount of information necessary to comply with the DAAA; and
• Sharing the signal with a third party for a purpose not required by the DAAA.

When do the ASAAs and DAAA take effect?

Texas’s ASAA is scheduled to take effect on January 1, 2026, but the law is currently subject to a constitutional challenge, which could delay its effective date. The court hearing the litigation will likely rule on a preliminary injunction in December 2025.

Utah’s law has rolling effective dates. The law formally took effect on May 7, 2025, but the requirements for app stores and developers take effect on May 6, 2026, and the enforcement provisions take effect on December 31, 2026. Louisiana’s law takes effect on July 1, 2026. California’s DAAA takes effect on January 1, 2027.

What do companies need to do now?

Companies that develop or own apps available in an app store should take the following steps by January 1, 2026:

• Evaluate the applicability of the ASAAs and DAAA.
• Review app store guidance for using new age signal APIs.
• Update their privacy policies and operational workflows to address the collection and processing of age verification and parental consent data.
• Evaluate existing app age gates and ratings.
• Update or implement parental controls.
• Develop and implement new procedures for handling age signals from app stores.
• Assess how newly collected age category data affects the applicability of COPPA and other privacy laws.