This bill creates a regulatory framework that forces app store providers and app developers to identify account-holders’ age categories, obtain verifiable parental consent for minors, and coordinate on age-related data and notifications. It applies to both downloadable and pre‑installed apps and includes limits on how age data may be used and shared.
The law builds compliance duties around repeated parental consent triggers, developer use of age data to set safety defaults, and requirements for app stores to protect and transmit age-category data securely. It also authorizes state enforcement, monetary penalties, and a private cause of action for harmed minors or parents.
At a Glance
What It Does
The bill requires app store providers to request and verify an account holder’s age category at account creation and, for existing accounts, within 12 months of the law taking effect. If verification indicates a minor, the app store must affiliate the minor’s account with a parent account and obtain verifiable parental consent before allowing purchases, downloads, or in-app purchases. The statute also mandates app-store-to-developer data sharing about age categories and parental-consent status, notifications for “significant changes” to apps, encryption of age verification data, and mechanisms for parents to revoke consent.
Who It Affects
App store providers that make mobile apps available to Wisconsin account-holders; app developers whose apps are distributed or pre‑installed on mobile devices sold or used by Wisconsin residents; device manufacturers and parties that pre‑install software; and parents and minors in Wisconsin who use mobile apps. State enforcement agencies and private plaintiffs gain new enforcement pathways.
Why It Matters
The bill moves compliance responsibility upstream to app stores for age gating and creates mandatory data flows that developers must use to apply safety defaults. By coupling technical requirements (encryption, data minimization) with civil penalties and a private right of action, it changes operational, legal, and product-design expectations across the mobile app ecosystem in Wisconsin.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The statute defines four age bands (child, younger teenager, older teenager, adult) and treats anyone under 18 (except married or emancipated minors) as a minor for consent purposes. At account creation an app store must ask the user their age category and run a commercially available verification method “reasonably designed” to ensure accuracy.
For accounts already active when the law takes effect, the app store has a 12‑month transition window to collect and verify age data.
When verification yields a minor classification, the app store must tie the minor’s account to a verified parent account and require the parent’s verifiable consent each time the minor attempts to purchase, download, or make an in‑app purchase. The parental-consent process must be preceded by a clear parental consent disclosure listing the app’s age rating and content description (if available), what personal data the app collects and shares, and how the developer protects that data.App stores must notify users who have downloaded an app whenever the developer reports a “significant change” — defined to include material changes to data categories collected or the introduction of in‑app purchases or ads — and must secure renewed parental consent for minors before delivering the changed app.
App stores must limit age-category data collection to what is necessary, protect verification data (including encrypting transmissions), provide developers with age-category and consent status on request, and give parents a way to revoke consent and notify developers when consent is revoked.Developers must verify age and consent status through the app store’s data-sharing mechanism before enforcing age‑based terms against a user, use age data to apply the lowest applicable age category when configuring safety defaults, notify app stores of significant changes, and limit requests for verification checks (generally no more than once in 12 months for routine rechecks). The statute includes a safe-harbor for developers who reasonably rely on app-store data and industry standards when setting age ratings and content descriptions.Enforcement is available to state agencies (forfeitures up to $7,500 per violation, injunctive relief, and recovery of costs) and to minors or their parents (actual damages or $1,000 per violation, possible punitive damages, and fees).
The bill takes effect December 1, 2026, with a 12‑month phase for existing accounts to be age-verified.
The Five Things You Need to Know
The bill prescribes four discrete age categories: child (<13), younger teenager (13–15), older teenager (16–17), and adult (18+).
App store providers must verify age at account creation and, for accounts existing on the effective date, within 12 months, using a commercially available method “reasonably designed” to ensure accuracy.
Before a minor may purchase, download, or make an in‑app purchase the app store must obtain verifiable parental consent—after a parental‑consent disclosure that lists the app’s age rating, content description, data collected/shared, and data‑protection methods.
Developers must use the lowest age category indicated by app-store data or their own age collection when implementing age‑related restrictions, and they may not enforce contracts against minors absent verified parental consent.
Enforcement includes state civil actions (forfeitures up to $7,500 per violation, injunctive relief, and recovery of costs) and a private right allowing a minor or parent to recover the greater of actual damages or $1,000 per violation, plus fees and possible punitive damages.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Definitions and scope
This subsection defines core terms: account holder, app, app store, app store provider, developer, minor, parent account, pre‑installed app, significant change, verifiable parental consent, and age category. Practically, the definitions set jurisdictional reach (accounts “located in this state”) and carve a narrow meaning of “pre‑installed app” that excludes core OS functions but includes browsers, messaging, and other apps present at sale or activation.
App‑store obligations
This provision makes app stores the operational center for age verification and parental-consent workflows: they must collect age-category data, verify it with a commercial method, affiliate minor accounts with verified parent accounts, require parental consent before purchases/downloads/in‑app purchases, transmit age-category data to developers on request, notify parents of significant app changes, enable consent revocation, and protect verification data using industry‑standard encryption and data‑minimization. These mechanics impose systems, UI, and data‑security requirements on app‑store operators.
Developer duties
Developers must rely on app‑store data sharing to check age categories and consent status before enforcing age‑restricted terms and must notify app stores of significant changes to trigger re‑consent. They are instructed to apply the lowest applicable age category when configuring safety defaults and limited in how often they may request re‑verification (generally no more than once per 12 months for routine checks). The provision forbids developers from enforcing contracts against minors absent verified consent and prohibits developers from sharing age‑category data further.
Enforcement and remedies
Violations are treated as unfair and deceptive trade practices. The Department of Agriculture, Trade and Consumer Protection or the Attorney General may seek forfeitures (up to $7,500 per violation), injunctive relief, and recovery of investigation and attorney costs. Separately, a minor or the minor’s parent may sue and recover actual damages or statutory damages ($1,000 per violation), punitive damages for egregious conduct, and fees. This dual enforcement structure raises both public‑interest enforcement and private‑litigation risk.
Safe harbor for developers
The statute shields developers from liability if they show they acted in good faith relying on app‑store age data and consent notifications, and if they use widely adopted industry standards to set age ratings and content descriptions. The safe harbor applies only to claims under this statute and does not limit other legal exposure.
Transition, applicability, and effective date
A transition subsection requires app stores to verify existing accounts within 12 months after the law’s effective date and to apply account‑creation verification immediately to accounts created after the effective date. The bill’s effective date is December 1, 2026, which starts the compliance and transition clocks described elsewhere in the statute.
This bill is one of many.
Codify tracks hundreds of bills on Technology across all five countries.
Explore Technology in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Parents of minors — gain affirmative, repeatable control over purchases, downloads, and in‑app purchases through a verifiable consent mechanism and the ability to revoke consent.
- Minors — receive more parental mediation and developer‑enforced safety defaults tied to age categories that can limit exposure to inappropriate content or monetization features.
- Child‑safety and privacy advocates — the statute establishes transparency (consent disclosures) and data minimization/encryption requirements that support safer app experiences for children.
- Compliant developers — obtain a statutory safe harbor when they reasonably rely on app‑store age and consent data, reducing legal risk if they follow the coordination rules.
Who Bears the Cost
- App store providers — must implement age‑verification systems, parent‑account affiliation flows, consent UI, notification pipelines, data encryption and retention controls, and mechanisms to notify developers and process revocations.
- App developers — must integrate with app‑store data sharing, adapt product defaults to the lowest age category, alter monetization and features where minors are present, and track significant changes that trigger re‑consent.
- Device manufacturers and parties that pre‑install apps — face new coordination duties to provide age data when available and to facilitate parental consent for pre‑installed apps.
- State enforcement agencies and the Department of Justice — while given enforcement powers, they may face investigation, litigation and oversight workloads without explicit appropriation language to fund enforcement.
- Advertisers, analytics vendors and other third‑party data recipients — may lose access to age‑category data and face limits on downstream data sharing, potentially reducing targeted ad revenues for apps used by minors.
Key Issues
The Core Tension
The bill pits two legitimate priorities against each other: protecting children online by requiring reliable age verification and parental consent, versus preserving user privacy and minimizing operational burden on app stores, developers, and device vendors; achieving both goals requires collecting more identity‑related data to stop harm, but that very collection creates privacy and security risks and substantial compliance costs.
The bill forces hard tradeoffs between reducing minors’ exposure to risky app features and the privacy risks created by collecting and verifying age. Age verification that is ‘‘reasonably designed’’ will often require identity evidence or device signals; collecting that information increases the sensitive footprint of app stores and could create new targets for misuse or breaches despite the encryption and minimization mandates.
Operationally, the statute assumes clean technical integration between app stores, developers, device manufacturers, and parent accounts — an assumption that will be costly to implement and brittle in cross‑platform or cross‑border contexts. The law ties certain duties to account location (“located in this state”), but it’s silent on how to treat users who change locations or who use VPNs and cloud‑based account services.
The private right of action and per‑violation statutory damages create litigation risk that can drive defensive design choices, over‑blocking of content to avoid liability, or increased costs for small developers who cannot absorb legal exposure.
Finally, the statute interacts with federal rules like COPPA and with other state privacy laws; it does not resolve preemption questions or harmonize standards for what counts as adequate verification or acceptable age ratings. Enforcement discretion, the contours of ‘‘commercially available’’ verification methods, and the definition of ‘‘significant change’’ will shape practical compliance more than the statute’s general text.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.