Media Center

November 19, 2025
Publications

Reprinted with permission from the Nov. 18, 2025, edition of The Legal Intelligencer © 2025 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.

State lawmakers across the country prioritized children’s online safety and privacy in 2025. Utah, Texas and Louisiana have taken an aggressive approach through new app store accountability acts. California followed suit, passing its own age assurance law that places obligations on device operating system providers. App developers offering applications through app stores should note these new technical requirements and their upcoming effective dates.

California’s Digital Age Assurance Act

In October, California passed the Digital Age Assurance Act, imposing an alternative method of age estimation measures on device operating system providers that make their software available on mobile devices, computers and other electronic computing devices.

Operating system providers. Providers must send a “signal” to applications made available on “covered application stores.” These covered app store providers are broadly defined as “publicly available internet website, software application, online service, or platform that distributes and facilitates the download of applications” to mobile devices, tablets, computers, and other electronic computing devices.

A “signal” is a device user’s “age bracket data” that is sent to an app developer in real time through a secure application programming interface or operating system. To obtain a user’s age bracket data, the operating system developer must establish an interface for an “account holder” to input the age, birth date, or both of the device’s intended user. However, the law does not provide any further technical requirements regarding how this should be achieved.

An account holder is “an individual who is 18 years or older, or the legal parent or guardian of a device user.” This provision shifts some responsibility to parents or guardians to ensure that the age information of device users is disclosed adequately.

Age bracket data. California’s law defines age bracket data as “nonpersonally identifiable data derived from a user’s birth date or age,” to determine where a user falls into the following age ranges:

• Under 13 years old
• Between 13 and 16 years old
• Between 16 and 18 years old
• Over 18 years old

App developers. Owners, operators, and developers of applications also have new obligations under the Digital Age Assurance Act. They must request a signal from an operating system or app store provider when a user downloads and launches their app.

Once received, developers are deemed to have “actual knowledge” of users’ age ranges. The app developer’s actual knowledge is applied “across all platforms of the application and points of access of the application, even if the developer willfully disregards the signal.” This may have a ripple effect on other state and federal laws that are triggered by this knowledge standard, such as the California Age-Appropriate Design Code Act or the federal Children’s Online Privacy Protection Act.

Developers must use the signal as the primary indicator of the user’s age, except where they have clear and convincing evidence to the contrary. This may pose a potential obstacle for app developers who have already implemented their own age estimation measures, as these could result in conflicting age determinations.

Prohibitions. The law imposes data minimization restrictions on operating system providers by limiting the amount of age bracket data sent by a signal to only what is necessary. App developers are similarly restricted to requesting only the information necessary to comply with the law. Both are prohibited from sharing age bracket data with any third party.

Enforcement. The state’s attorney general will enforce this law. Violations can result in injunctions and fines up to $2,500 for negligent violations and $7,500 for willful violations. The law is scheduled to take effect on Jan. 1, 2027.

Potential challenges. Notably, major companies in the tech industry supported the newly enacted law. Nonetheless, streaming services and the film industry have criticized the law, stating that it conflicts with the age measures that have already been implemented and standardized in their industry.

App Store Accountability Acts from Utah, Louisiana and Texas

Utah became the first state to enact an App Store Accountability Act on March 26, 2025. Texas followed on May 27, 2025, and Louisiana on June 30, 2025.

These laws cover both app store providers and app developers, imposing new age verification and new safeguards when individuals under the age of 18 download, launch and make purchases within an app. All three laws define a minor as an individual under the age of 18.

Age categories. Each law establishes “age categories” for users who create an account with an app store provider. These categories are broken up into the following:

• A child, defined as an individual under 13 years old.
• A young teenager, defined as an individual who is 13 to 16 years old.
• An older teenager, defined as an individual who is 16 to 18 years old.
• An adult, defined as an individual who is 18 years old or older.

App store providers. App store providers must collect a user’s age during account setup and use commercially reasonable methods to verify accuracy. While the laws do not define any commercially reasonable methods, Utah’s law grants its attorney general the authority to establish these methods through rulemaking.

If a user is a minor, the provider must link the account to a verified parent or guardian account and obtain verifiable parental consent before allowing downloads or purchases. Providers also must:

• Send the age category data and parental consent to the app developers upon request.
• Disclose developer-prepared age ratings to parents or guardians before obtaining consent, where applicable.
• Notify users of any significant changes to the app (upon being informed by the app developer).
• Notify developers when parents revoke their consent.
• Protect the age verification data obtained from users.

App developers. Businesses that own, develop, or operate apps in these states must adopt or update age verification systems and:

• Request the age verification data from the app store provider when a user downloads or purchases an app or makes an in-app purchase.
• Verify users’ age category and status of parental consent from the app store provider.
• Utilize the age categories data to enforce and implement developer-created safety features.
• Use age categories data to ensure compliance with state and federal laws.
• Limit the use of the age verification data to what is necessary to enforce its safety features and restrictions.
• Notify app store providers when a significant change is made to the app.

The laws define a “significant change” as:

• The collection, storage, or transfer of new categories of data beyond what was previously required.
• Any modifications to the app or features’ age rating.
• The addition of new monetization features, such as new methods for making in-app purchases or new advertisements within the application.
• Any new functionalities or user experiences available on the app.

Disclosure requirements. Texas adds an additional requirement: app developers must assign an age rating to each app and in-app purchases and describe the content that informed the rating.

Prohibitions. Both app store providers and app developers are prohibited from enforcing contracts with known minors, misrepresenting parental consent and sharing age category data with any third party.

Enforcement. Notably, Utah’s law allows minors and parents to sue app store providers or developers for specific violations under the act and collect actual damages or up to $1,000 per violation, plus attorney fees. Developers who knowingly misrepresent information in parental consent disclosures can also face penalties under Utah’s Unfair and Deceptive and Abusive Acts and Practices Act.

The Louisiana law lacks a private right of action. Instead, the Louisiana attorney general has exclusive power to bring a civil action and may levy fines up to $10,000 per violation after a 45-day cure.

Texas treats violations as deceptive practices under the Texas Deceptive Trade Practices Act. The attorney general’s Consumer Protection Division may seek penalties up to $10,000 per violation, plus injunctive relief. Additionally, Texas’ DTPA allows individuals to bring actions for economic damages, as well as injunctive relief and attorney fees.

Safe harbors. Utah provides a safe harbor for app developers that can demonstrate reasonable reliance on the age verification data received from app providers. Additionally, app developers who can demonstrate they used common industry standards to determine age categories and consistently applied these standards across users are compliant.

Texas offers similar protection for those using recognized standards in good faith, though it lacks a cure period for inadvertent mistakes or failures in implementing obligations under the law.

In Louisiana, both app store providers and app developers must receive notice from the state attorney general’s office explaining their noncompliance with the law and be given 45 days to cure their deficiencies before initiating civil proceedings.

Challenges. On Oct. 16, the Computer and Communications Industry Association (CCIA) challenged Texas’ App Store Accountability Act in the U.S. District Court for the Western District of Texas. The CCIA alleges that the law unlawfully compels the speech of app developers, while preventing app stores from making lawful content available to all users.

A student advocacy group, Students Engaged in Advancing Texas (SEAT), also filed a First Amendment challenge against the Texas law with the same court on Oct. 16. The lawsuit argues the law imposes content-based restraints on lawful speech while replacing parents’ ability to monitor what their children see online. It also raises concerns about the amount of personal information that will be collected to verify users’ ages.

It is unclear whether the federal district court will issue a temporary injunction to prevent the law from taking effect at the beginning of 2026.

Effective dates. The Texas law is scheduled to take effect on Jan. 1, 2026. Utah’s obligations for developers and providers are effective on May 6, 2026. Louisiana’s law goes into effect on July 1, 2026. Utah’s private right of action becomes enforceable on Dec. 31, 2026.

Considerations for Covered Entities

App developers, app store owners, and operating system owners will need to implement age verification measures within the next year to remain compliant. However, current state laws remain vague about what commercially reasonable methods companies can take to ensure they adequately verify the ages of users. This is likely to create operational challenges, especially for companies that have already established their own internal age estimation measures.

App developers should carefully consider the best course of action to comply with the new technical requirements under these laws, or access to their applications may be restricted by device operating system providers and app store providers.

This article is a general analysis of legal and economic issues and should not be construed as advocacy for or against any policy position.