The App Store Accountability Act would require covered app stores to verify a user’s age category at account creation and, if the user is a minor, affiliate the account with a verifiable parental account and obtain verifiable parental consent before downloads or in-app purchases. The act also requires app developers to verify age category data and obtain parental consent at key moments, while prohibiting certain data-sharing practices.
Enforcement would involve the Federal Trade Commission and state attorneys general, with a certification mechanism for compliant stores, a safe harbor for good-faith efforts, and a clear effective date.
At a Glance
What It Does
At account creation, covered app store providers must verify a user’s age category using a commercially available method designed for accuracy; minors must be affiliated with a parental account and obtain verifiable parental consent before downloads or purchases. Stores must share age-category and consent-status with app developers and notify changes.
Who It Affects
Large app stores serving the U.S. market (over 5 million users), app developers distributing apps through those stores, and parents and minors who use the services.
Why It Matters
The measure creates a uniform standard for age data and consent, aiming to reduce inappropriate data collection from minors while clarifying responsibilities across platforms and developers.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
Definitions lay out who is a minor and what counts as age category data, and establish the basic terminology used throughout the bill. The core obligations sit with covered app store providers, who must verify age at account creation, affiliate minor accounts to a verifiable parental account, and obtain parental consent before a minor can download or pay for apps or in-app purchases.
If a significant change occurs in an app, stores must notify the user and, for minor users, the affiliated parent, and obtain fresh consent when required. Stores must provide age-category data and parental-consent status to app developers and guard the privacy of verification-related data with strong safeguards.
App developers, in turn, must verify the age category of their users, report significant changes, and may request age data only under specified limits, while respecting restrictions on sharing such data with unaffiliated third parties. Guidance from the FTC will assist compliance, and a certification process will credential compliant stores for a period of one year.
The act also creates enforcement by the FTC and states, provides a safe harbor for good-faith compliance, and explains that the law preempts conflicting state rules while preserving contract and tort law. The effective date is one year after enactment.
The Five Things You Need to Know
Covered app stores with US-based users exceeding 5,000,000 must verify a new user’s age category at account creation.
Minor accounts must be affiliated with a verifiable parental account and require verifiable parental consent before app downloads or purchases.
App stores must share the user’s age category status and parental-consent status with app developers and notify changes.
App developers must verify age category data, report significant app changes, and may request age data only at limited, defined times without sharing it with unaffiliated third parties.
A Commission-based certification mechanism, FTC/state enforcement, a safe harbor for good-faith compliance, and a one-year post-certification validity period govern compliance and enforcement.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Definitions
This section defines key terms: age category (Adult, Teenager, Child, Young Child); age category data; app, app store, and covered app store provider; the Commission (FTC); minor and parent; parental account; and parental consent disclosure. It also introduces terms like personal data and age-verification signals, establishing the language that frames later obligations and rights.
App Store Obligations
Stores must verify age at account creation using a commercially available method and affiliate minor accounts with parental accounts when necessary. They must notify users and, for minors, notify the affiliated parental account upon significant changes to apps or terms, and provide real-time signals of a user’s age category to developers. Age-rating and content descriptions must be clear and accessible.
App Developer Obligations
Developers must verify the age category of users and whether verifiable parental consent exists, and they must notify the store of significant changes. They may request age-category data only at specific points (e.g., at download/purchase, during changes, or to comply with laws). They may not share age data with unaffiliated third parties and must use the data to enforce age-related restrictions or features.
Compliance
The FTC will issue guidance to aid compliance but guidance cannot create enforceable rights beyond those in the Act. There is a formal mechanism for stores to certify compliance, which visits their policies and fixes circumvention risks. Periodic certification lasts one year, after which recertification is required.
Enforcement by the Federal Trade Commission
Violations are treated as unfair or deceptive practices under the FTC Act. The FTC has powers and duties parallel to those in the FTC Act, survives existing authorities, and can pursue enforcement with penalties under applicable law.
Enforcement by States
States may bring civil actions to enjoin unlawful practices, seek damages, and obtain relief for residents. Before filing, state AGs must notify the FTC and provide a copy of the complaint. The FTC can intervene in such actions to participate in proceedings and appeals.
Safe Harbor
App developers may be deemed not liable if they relied on age verification data, complied with section 4, and followed widely accepted industry standards for age ratings and disclosures. The safe harbor applies only to actions under this Act and does not limit other liabilities.
Preemption
States may not maintain laws that directly regulate the same provisions as this Act, ensuring a uniform federal framework, while contract and tort law remain unaffected by this preemption.
Severability
If any provision is held invalid, the remainder of the Act remains in effect and applies to other persons or circumstances.
Effective Date
The Act takes effect one year after enactment, providing time for implementation of verification, consent, and compliance mechanisms.
This bill is one of many.
Codify tracks hundreds of bills on Privacy across all five countries.
Explore Privacy in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Parents gain clearer information about what data apps collect and when consent is required, enabling more informed decisions and safer use by their children.
- Minors receive stronger privacy protections through age-appropriate data practices and clearer parental controls.
- Covered app store providers gain a defined compliance framework and a mechanism to certify adherence, reducing uncertainty and enforcement risk.
- App developers who align with the framework benefit from clear rules for data use and consent, facilitating compliant product features and across-platform consistency.
- Consumer protection offices and state attorneys general gain a structured pathway to enforce protections and seek redress for residents.
Who Bears the Cost
- App stores face upfront and ongoing costs to implement age-verification systems, affiliate minor accounts, secure consent workflows, and maintain compliance records.
- App developers incur costs to verify user age, monitor consent, and adjust products to meet age-restriction requirements, including data-handling safeguards.
- Parents may experience friction in the form of consent flows and verification steps, which could slow down account access or purchases.
- States may incur enforcement costs to investigate, litigate, and remedy violations, as well as administrative overhead for coordination with the FTC.
- The general consumer population bears potential privacy and data-security risks during verification and data-sharing processes if protections falter.
Key Issues
The Core Tension
The central dilemma is balancing strong child-protection objectives through aggressive age-verification and consent requirements with the privacy, usability, and competitive dynamics of a diverse app ecosystem.
The bill creates a tight enforcement framework that relies heavily on age-verification data and parental consent. While it aims to protect children, it raises questions about the privacy implications of collecting and sharing age data across stores and developers, and about how verification processes will scale for smaller platforms that don’t meet the 5 million-user threshold.
There is a potential tension between robust protections and friction in user experience, as well as the risk of over-collection or misuse of sensitive age-related information if safeguards are not consistently applied. The interplay between federal preemption and state-level remedies also invites scrutiny over the balance of uniformity and local accountability.
The effectiveness of the safe harbor depends on robust, industry-wide standards that remain current as technology evolves, and the certification mechanism must be timely and credible to avoid giving an unfair compliance advantage to some providers.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.