ARTICLE
5 May 2026

Effort To Invalidate Original Utah App Store Act Voluntarily Dismissed Following Legislative Amendments

SR
McDermott Will & Schulte

Contributor

McDermott Will & Schulte logo
Explore Firm Details
Utah's App Store Accountability Act has been amended through H.B. 498, expanding its scope to include pre-installed applications and introducing new compliance requirements for both app-store providers and developers. The amendments establish a dual-layer framework with refined definitions, enhanced age-verification obligations, and a developer-specific safe harbor provision, while shifting enforcement exclusively to a private right of action with potential damages of up to $1,000 per violation.
United States Utah Media, Telecoms, IT, Entertainment
Tyler Henry,Katelyn Ringrose, and David P. Saunders
Your Author LinkedIn Connections
McDermott Will & Schulte are most popular:
  • within Media, Telecoms, IT, Entertainment, Consumer Protection and International Law topic(s)
  • in United States

On April 21, 2026, the Computer & Communications Industry Association (CCIA) agreed to a stipulated dismissal of its constitutional challenge to Utah’s App Store Accountability Act (Utah ASAA) following the amendments to the ASAA in Utah H.B. 498. Those amendments effectively delay the substantive requirements of ASAA to May 6, 2027.

Future constitutional challenges to the Utah ASAA are possible, but because enforcement now relies on a private right of action, companies may need to wait until a case is filed for the law to be challenged. In the meantime, companies should assume the amendments will take effect and prepare accordingly.

In Depth

Expanded scope

H.B. 498 expands the scope of the Utah ASAA to include pre-installed applications – applications already present on a device at the time of purchase or setup – excluding apps required for basic device operation. The original Utah law focused primarily on applications downloaded through an app store; however, the amended law ensures age verification and parental consent requirements apply regardless of how an application reaches the user.

Updated definitions: §13-76-101

The amendments to the Utah ASAA refine key terms (e.g., “significant change,” “account holder,” “minor,” “in-app purchase,” “parent”), clarifying how these terms apply in practice:

  • “Account holder” expands the statute to define an individual associated with a mobile device, replacing the broader “user” concept; this requires covered entities to apply compliance obligations at the account/device level, increasing operational complexity and coverage.
  • “In-app purchase” includes charges billed by an app store for virtual currency, digital goods, services, or other apps within an app; this brings monetization features squarely within scope and requires covered entities to extend consent and disclosure obligations to in-app transactions.
  • “Minor” narrows the definition to exclude emancipated or married individuals under 18 years of age; this reduces the population subject to protections and requires covered entities to refine age-classification processes to determine when obligations apply.
  • “Parent” expands to include individuals reasonably believed to have legal authority and others authorized to act on behalf of a minor; this provides flexibility in obtaining consent but requires app-store providers and developers to implement reasonable verification processes to support that determination.
  • “Parent account” aligns eligibility with the revised “minor” definition by requiring the account holder to be “not a minor” instead of explicitly 18 years old or older; this requires covered entities to adjust age-verification logic and account eligibility criteria.
  • “Parental consent disclosure” refocuses required disclosures on obtaining “verifiable parental consent” and removes express references to in-app purchases; this requires app-store providers and developers to design clear, disclosure-driven consent flows tied to verification requirements.
  • “Pre-installed application” expands the Utah ASAA to cover apps present on a device at purchase or activation, subject to certain exclusions; this broadens applicability and requires covered entities – including manufacturers and distributors – to evaluate compliance for preloaded software.
  • “Significant change” narrows the trigger to material updates involving data practices, age ratings, or first-time introduction of ads or in-app purchases; this allows covered entities to target compliance reviews on high-risk updates while reducing burdens for routine changes.

Adjustments to age-verification and default settings

The amendments to the Utah ASAA establish a dual-layer compliance framework: app-store providers are responsible for building and enforcing infrastructure-level controls, while developers must ensure substantive accuracy and transparency in their apps and updates.

App-store providers: § 13-76-201

The amendments impose more structured and explicit obligations on app-store providers. Most notably, the amendments tie compliance to the “account holder,” requiring providers to apply age-verification and consent mechanisms at the individual account or device level.

The Utah ASAA also reinforces the requirement to link the accounts of minors to the accounts of parents, effectively mandating a parent–child account structure for covered users. The revised “significant change” standard introduces ongoing compliance duties, requiring providers to reassess notice and consent obligations when apps introduce new data practices, advertising, or monetization features.

Developers: § 13-76-202

Importantly, the Utah ASAA extends compliance expectations to app functionality itself, requiring developers to account for in-app purchases, advertising, and data-collection practices in disclosures as well as design. Updates that constitute a “significant change” may trigger renewed disclosure and consent requirements, making compliance an ongoing consideration throughout the product lifecycle.

Changes to enforcement and introduction of safe-harbor concepts 

Private right of action: § 13-76-401

While the original ASAA had a dual enforcement mechanism – allowing private rights of action and regulatory enforcement – the amended ASAA only has a private right of action. The ASAA provides for monetary damages, including the greater of actual damages or statutory damages of up to $1,000 per violation. This per-violation framework could create substantial liability, particularly where practices affect large numbers of users. Companies should ensure that compliance measures are consistently implemented and well documented in anticipation of defending putative class claims under the ASAA.

Safe harbor (developers only): § 13-76-402

The amendments establish a safe harbor that applies specifically to developers (not app-store providers). Under this provision, a developer may be shielded from liability for certain violations if it reasonably relied on the app-store provider’s compliance systems, particularly with respect to age-category determinations and obtaining verifiable parental consent.

To qualify for the safe harbor, a developer must:

  • Rely in good faith on the app-store provider to determine the user’s age category and obtain verifiable parental consent.
  • Not have actual knowledge that the app-store provider’s processes are noncompliant or that the information provided is inaccurate.
  • Operate consistently with the information provided by the app store (e.g., honoring age-category data and not circumventing restrictions or consent requirements).

Importantly, the safe harbor does not protect developers who independently violate the Utah ASAA, such as by misrepresenting content, failing to provide accurate disclosures, or designing features that bypass or undermine app-store controls.

Practical implications for clients

The amendments introduced by H.B. 498, coupled with the dismissal of the CCIA challenge, reflect an evolving regulatory environment for digital marketplaces. Clients should consider several key action items:

  • Assess coverage: Determine whether your platform or services fall within the revised definition of covered entities.
  • Update compliance frameworks: Align internal policies and procedures with the clarified requirements under the amended Utah ASAA.
  • Enhance documentation: Maintain thorough records of compliance efforts, particularly in areas such as developer verification and user-protection measures.
  • Monitor enforcement: Stay informed about how regulators are interpreting and applying the amended law.
  • Prepare for continued evolution: Recognize that age assurance remains a dynamic area, with potential for further legislative and judicial developments.

If you have questions about the Utah ASAA or other age assurance requirements and the implications for your products and services, please contact any of the authors or your regular McDermott Will & Schulte lawyer.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Tyler Henry
Tyler Henry
Photo of Katelyn Ringrose
Katelyn Ringrose
Photo of David P. Saunders
David P. Saunders
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More