The App Store Accountability Act directs app stores with more than 5,000,000 U.S. users to verify account holders’ ages at registration, create verified parental accounts for minors, and withhold downloads, purchases, or in‑app purchases for minors until a verifiable parental consent is obtained. It requires stores to share an age‑category “signal” and parental consent status with app developers in real time, limits how age‑verification data may be collected and stored, and requires clear, plain‑language age ratings and content descriptions.
This bill shifts primary operational responsibility to covered app store providers while imposing specific duties on app developers to use the store signal, limit sharing of age category data, and seek renewed consent on significant app changes. The Federal Trade Commission enforces the statute as an unfair or deceptive practice, will run a voluntary one‑year certification process for compliant stores, and states can bring parens patriae suits subject to federal preemption of state laws on the same topic.
The Act takes effect one year after enactment.
At a Glance
What It Does
Requires covered app stores (those with >5,000,000 U.S. users) to collect and verify age information at account creation, affiliate minor accounts with verified parental accounts, and provide a secure, real‑time age category 'signal' and parental consent status to app developers. App developers must rely on that signal to determine age categories, request it only under limited circumstances, and may not share age category data with unaffiliated third parties.
Who It Affects
Covered app store providers, app developers with apps available in the United States, commercial age‑verification vendors, and parents of minors who use mobile apps. The FTC and state attorneys general get enforcement roles; small developers face new integration and compliance steps.
Why It Matters
It creates a store‑mediated infrastructure for age gating and parental consent, changing how age and consent evidence flow across the app ecosystem. That centralized approach reallocates compliance burdens, sets a federal floor that displaces state laws on this subject, and may drive demand for age‑verification services and operational changes in app distribution.
What This Bill Actually Does
The Act defines four discrete age categories—young child (under 13), child (13–15), teenager (16–17), and adult (18+)—and designates any app store with over 5,000,000 U.S. users as a “covered app store provider.” Covered stores must ask for age information when users create accounts and verify the age category with a commercially available method reasonably designed for accuracy. If verification indicates a minor, the store must require that account be linked to a verified parental account and must not permit downloads, purchases, or in‑app purchases until the parent gives verifiable parental consent via a clear parental consent disclosure.
The bill creates a technical pattern: covered stores supply app developers, in real time, with a secure “signal” that conveys the user’s age category and, if the user is a minor, whether verifiable parental consent exists. Receipt of that signal counts as the developer’s actual knowledge of age category.
Developers must use the signal to gate age‑restricted features, notify the store of significant app changes, and limit requests for age data to specified triggers (e.g., once per 12 months for re‑verification, reasonable suspicion of account transfer, or account creation).
Data‑handling rules limit how much age‑verification information stores may collect and require reasonable safeguards, including industry‑standard encryption, while forbidding developers from sharing age category data with unaffiliated third parties (other than processors). The Act also requires plain‑language age ratings and content descriptions, mandates FTC guidance and a voluntary certification process for stores (30‑day review after request, certification valid one year), and treats violations as unfair or deceptive practices enforceable by the FTC.
States may bring parens patriae suits but the statute expressly preempts state laws on the same subject.
Practically, the Act creates a compliance triangle: covered stores must build or buy age‑verification and signaling infrastructure and protect verification data; developers must accept and act on store signals and alter app flows (consent screens, gating, content changes); and the FTC must operationalize guidance, a certification pathway, and complaint review within statutory constraints. A safe‑harbor shields developers who act in good faith and follow the store signal and recognized standards.
The statute becomes effective one year after enactment, giving stakeholders a limited window to implement technical and policy changes.
The Five Things You Need to Know
A ‘covered app store provider’ is any app store available in the U.S. with more than 5,000,000 users; that threshold triggers the Act’s full obligations.
Covered stores must verify age at account creation using a commercially available method, affiliate minor accounts to verified parental accounts, and block downloads/purchases for minors until verifiable parental consent is obtained.
The Act requires a real‑time secure ‘signal’ (API or OS mechanism) from the store to app developers that communicates the user’s age category and parental consent status; reception of that signal constitutes actual knowledge.
App developers may request age category data from the store only in narrow circumstances (once per 12 months for re‑verification, reasonable suspicion of misuse, or on new account creation) and may not share that age data with unaffiliated third parties.
The FTC enforces the law as an unfair or deceptive practice, will publish guidance and run a one‑year certification process for stores (30‑day review window), and states may sue as parens patriae, though the Act preempts state laws on this subject.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Definitions and the age‑category framework
This section sets the operational vocabulary that drives the rest of the bill: four age categories, what counts as an app, app store, parental account, 'signal', 'verifiable parental consent', and 'significant change.' Those definitions matter because they determine when obligations trigger (for example, the 5,000,000 user threshold and when a change requires re‑consent). The inclusion of both a defined 'signal' and a 'know' standard (actual knowledge or willful disregard) shapes later liability and evidentiary rules.
Obligations imposed on covered app store providers
This core operational section requires stores to collect and verify age at account creation, affiliate minors to parental accounts, obtain verifiable parental consent before allowing downloads/purchases for minors, provide a real‑time age category and consent signal to developers, notify developers when parents revoke consent, and limit collection and retention of age‑verification data. It also mandates plain‑language age ratings and content descriptions and allows stores to take security and content‑filtering steps so long as they are not arbitrary or anti‑competitive.
App developer duties and limits
Developers must use the store’s verification method or signal to determine a user’s age category, notify stores of significant app changes, and only request age data under narrow circumstances. The section prohibits developers from enforcing contracts against a minor unless parental consent is verified, forbids knowingly misleading parental disclosures, and stops developers from sharing age category data with unaffiliated third parties (except processors). The bill also makes receipt of the store signal 'actual knowledge'—a legal pivot that tightens developer liability if they ignore the signal.
FTC guidance, certification mechanism, and complaint review
The FTC must issue non‑binding guidance within one year and create a mechanism for covered stores to request a compliance review; the agency must respond within 30 days and, if compliant, publish a one‑year certification. The FTC will also field complaints, periodically reassess certifications, and require certified stores to notify the agency of significant policy changes. The statutory text restricts the FTC from turning guidance into automatic enforcement grounds; enforcement still requires alleging a specific statutory violation.
Federal enforcement through the FTC
Violations of the Act are treated as unfair or deceptive acts under the FTC Act, giving the FTC its standard investigatory and remedial toolkit (orders, civil penalties where authorized, injunctions). The bill explicitly leaves intact other FTC authorities and privileges, so enforcement can leverage existing procedures but must tie claims back to specific statutory duties in sections 3 or 4.
State enforcement and parens patriae suits
State attorneys general can sue as parens patriae for harms to residents, seek injunctive relief, restitution, and other remedies, and must give the FTC notice before filing (with some exceptions). The FTC may intervene in state suits. At the same time, Section 9 preempts state laws on the same subject, so states can enforce the federal statute but cannot maintain divergent state regulatory regimes on the same topic.
Safe harbor for developers and federal preemption
Section 8 creates a narrow safe harbor: developers who rely in good faith on store‑provided age data/signals, comply with developer obligations, and follow accepted industry practices are deemed not liable under the Act (though other laws still apply). Section 9 preempts state or local laws that would regulate the same subject, but preserves contract and tort law, which means private litigation still operates in parallel even if states cannot enact different statutory rules.
Effective date
Unless otherwise specified, the Act takes effect one year after enactment, giving covered stores, developers, and vendors a single year to implement verification, signaling, consent flows, and security safeguards. That timeline is the single explicit implementation clock in the statute.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Parents of minors — obtain explicit, standardized parental consent disclosures, clearer age ratings and content descriptions, and the ability to control downloads and in‑app purchases for linked minor accounts.
- Minors (privacy/consumer protection) — see reduced risk of unauthorized purchases and increased gates on apps and monetization features targeted at under‑18 users, plus limits on third‑party sharing of age category data.
- App developers that adopt the store signal and follow the rules — gain a defined compliance pathway and a statutory safe harbor if they rely in good faith on store‑provided age signals and common standards.
- Commercial age‑verification and identity vendors — increased market demand for commercially available, accuracy‑focused age verification services and integrations with covered stores’ signals.
Who Bears the Cost
- Covered app store providers (more than 5,000,000 U.S. users) — must operationalize age verification, parental account linking, secure real‑time signaling, data minimization and encryption, and a notice/consent lifecycle; these are nontrivial engineering, privacy, and product costs.
- App developers, especially small developers — must integrate with store signals, change onboarding/consent flows, handle revoked consents and significant‑change workflows, and face potential loss of revenue from gated access to minors.
- FTC and enforcement infrastructure — the agency must write guidance, administer certification reviews on a 30‑day clock, handle complaints and re‑evaluations, and litigate enforcement actions, creating resource and prioritization questions.
- Third‑party service providers and advertisers reliant on age data — face restrictions on receiving age category data from developers and may need to redesign targeting or measurement practices to comply.
Key Issues
The Core Tension
The central dilemma is between protecting children (and parents’ ability to consent) through a centralized, store‑mediated verification and consent infrastructure, and the privacy, security, and competition risks that centralization creates: stronger gates reduce some harms but create sensitive centralized data, operational burdens on stores and developers, and potential market effects that may limit functionality for teens or disadvantage smaller developers.
The Act centralizes age verification at large app stores and treats the store’s signal as dispositive 'actual knowledge.' That reduces decentralized verification but creates single points of operational and legal failure: if a store’s verification is wrong or the signal is compromised, many downstream developers will be deemed to have knowledge. The statute tries to limit privacy risk (data minimization, encryption) but still requires stores to collect age evidence that could itself become a sensitive target for attackers or for cross‑service linking.
The law’s reliance on commercially available verification methods and industry standards leaves ambiguity about acceptable accuracy thresholds and acceptable tradeoffs between false positives (misclassifying minors) and false negatives (misclassifying adults).
The enforcement model raises implementation questions. The FTC must review compliance requests within 30 days and issue one‑year certifications, a tight timeline for technically complex audits.
The bill’s safe harbor protects developers only under the Act, not against other statutory or tort claims, and the 'know' definition includes willful disregard—raising litigation risk where developers choose to override signals or create parallel verification. Preemption simplifies the regulatory landscape for national operators but also forecloses state experimentation and could create gaps where states previously imposed distinct protections.
Finally, the practical effect on user experience—account friction, re‑verification cycles, and parental account ecosystems—may push some families to seek workarounds (shared accounts, false ages) that defeat the law’s protective intent.