New App Store Accountability Laws In 2026: If Your Business Has An App, Read On

Effective Dates of ASA Laws

• California ASA Law – Pending, effective January 1, 2027.*
• Louisiana ASA Law – Pending, effective July 1, 2026.
• Texas ASA Law – Pending, effective January 1, 2026.
• Utah ASA Law – In Effect as of May 07, 2025, with delayed compliance dates for certain sections, in effect as of May 6, 2026.

*Please note California's ASA Law is unique and the core requirements under the CA ASA Law will be addressed in a separate blog.

Who is Regulated?

The ASA Laws regulate covered application stores, application store providers and app developers.

• "App Store" or "Covered Application Store" generally means a publicly available website, software application, or electronic service that allows users to download applications from third-party developers onto a mobile device, like the App Store or Google Play Store.

• "App Store Provider" or "Covered Application Store provider" means a person who owns, operates, or controls a covered application store that allows users to download applications (e.g., Google and Apple).

• "Developer" means a person who owns or controls an application made available through a covered application store.

Who is Considered a Minor Under these Laws?

"Minor" under the ASA laws will be anyone under the age of 18, while an "adult" is anyone over the age of 18. Notably, the Louisiana law makes a carve out for individuals under 18 who are emancipated or married.

Within the ASA Laws, is divided into subcategories "younger teenager," "older teenager" and "child."

• Child: under 13.
• Younger teenager: 13-15.
• Older teenager: 16-17.

App Store Obligations

• Age Verification. App store providers must implement commercially reasonable methods to verify the age of each user (i) at the time the user creates an account, (ii) upon implementing a significant change to the app (described below), (iii) to comply with applicable law, or (iv) when making a purchase under certain ASA Laws. App stores must also provide developers processes to (i) verify a user's age and (ii) confirm parental consent if needed. Commercially reasonable methods include affirmative age attestation by a parent or guardian, along with information collected during account setup.

• Parental Consent. If age verification reveals an app user is a minor, the app store provider must obtain verifiable parental consent before allowing any minor to (i) download the app, (ii) purchase the app or (iii) make an in-app purchase (e.g., purchasing more game tokens).
  
  • Revocation. The app store provider must notify a developer when a parent revokes consent.
  • Material Change. Additionally, if a developer notifies the store about a significant change to the app, the store must notify users of the change and for minor accounts, notify the holder of the affiliated parent account and obtain renewed verifiable parent consent.

• Age Rating. App stores must categorize apps based on the following age ratings: (i) adult, (ii) older teenager; (iii) younger teenager; or (iv) child. This requirement also trickles down to developers to properly rate each app published on the app store and provide an explanation justifying the rating.

• Data Minimization. The ASA Laws reinforce data minimization principles by limiting the collection and processing of personal data by app store providers to the minimum amount that is necessary for (i) age verification; (ii) obtaining parental consent; and (iii) maintaining compliance records.

• Respond to Developer Requests. App store providers must answer requests from developers and provide the (i) age category for a user located in an ASA Law state; and (ii) the status of verified parent consent for a minor in an ASA Law state. When providing age verification information, the app store provider must use industry-standard encryption protocols to ensure the confidentiality and integrity of the data.

Developer Obligations

Businesses with mobile apps must understand how their app functions and its target audience. Most will qualify as "developers" under ASA Laws and be responsible for meeting the requirements below.

• Age Verification, Enforcement and Deletion. Developers must verify through the app store's data sharing methods, the (i) age category of users located in an ASA Law state; and (ii) for a minor account, whether verifiable parental consent has been obtained. Once the age of a user is verified, developers must promptly delete personal data received from the app store and ensure all age-related restrictions on the app are enforced.

• App Rating. As noted above, developers must ensure their apps are properly rated, based on the adult, older teenager; younger teenager; or child definitions, and provide a description of the app's content and features to justify such rating.

• Notice of Significant Change. A developer must provide app stores notice before making any significant changes to an application. A "significant change" includes:
  
  
  • changes in the category of personal data collected, store or shared by developer;
  • changes that affect the rating assigned to an app or the content or elements that led to that rating;
  • new monetization features added to an application, such as new opportunities to make a purchase in app or new advertisements in the application; or
  • material changes to the functionality or user experience of the app.

• Safety Features. Developers must implement safety features or defaults and use the lowest age category indicated by verified data when applying the safety features.

Enforcement

Enforcement varies under the ASA laws as follows:

• Louisiana. The state's attorney general has enforcement power. An app store provider or developer that violates the ASA Law is also subject to a civil fine of up to $10,000 per violation set by the attorney general. Notably, Louisiana offers a cure period that prevents the attorney general from initiating an action under the Louisiana law if a business cures the violation within 45 days of receiving notice of said violation.
• Texas. Violations are treated as deceptive trade practices under Texas law.
• Utah. Violations are treated as deceptive trade practices under Utah law. Additionally, there is a private right of action for minors, or the parent of that minor, who has been harmed by a violation of the ASA Law by either the app store provider or developer. The damages are capped:
  
  • at the greater of (i) actual damages; or (ii) $1,000 for each violation;reasonable attorney fees; and
  • litigation costs.

Business Considerations

• Assign Age Ratings. Businesses should assess their apps and begin to assign age ratings, in conjunction with the company's existing application Privacy Policies and Terms of Use. Businesses should also see how similar apps apply age ratings. Many of the ASA Laws provide a safe harbor on liability for age ratings if they follow widely adopted industry standards applied consistently and in good faith.
  
• Review App Store Age Verification Tools. Businesses should check app store guidance to understand compliance expectations. Additionally, ASA Laws offer liability safe harbors when developers rely in good faith on app store data for age verification. Apple and Google provide resources and APIs:
  
  • New requirements for apps available in Texas – Latest News – Apple Developer
  • Changes to Google Play for upcoming app store bills for users in applicable US states – Play Console Help
• Implement Internal Systems for Age Verification. Create systems to verify user age categories and confirm parental consent using app store-provided data.
• Develop a Significant Changes Process. Update existing audit processes to flag significant changes (as defined in the ASA laws) to mobile applications.

Looking Ahead

State laws and federal regulators, including the Federal Trade Commission (FTC), are increasing efforts to protect children's privacy. ASA Laws signal the importance of safeguarding minors and their data and the lengths regulators will go to protect that data.

We will continue to monitor updates involving consumer health data. For more information on data privacy and security regulations and other data privacy questions, please visit Taft's Privacy & Data Security Insights blog.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.