When Alabama Governor Kay Ivey signed HB 161 on February 17, 2026, the state became the fourth in the nation to enact an App Store Accountability Act. The bill passed both chambers unanimously — 103-0 in the House — signaling bipartisan consensus that the mobile app ecosystem needs age-based guardrails, even as federal courts continue to strike down nearly identical laws in other states.
Alabama now joins Texas, Utah, and Louisiana in a legislative movement that is reshaping how app stores operate and how developers distribute software. But the legal landscape is anything but settled. Two of the four laws have been blocked by federal judges on First Amendment grounds, a third faces an active lawsuit, and only one — Louisiana’s app store law — currently stands unchallenged.
This guide breaks down every active state app store accountability law, their compliance requirements, the legal battles surrounding them, and what app developers and store operators need to do now.
The Four State Laws at a Glance
| Alabama (HB 161) | Texas (SB 2420) | Utah (SB 142) | Louisiana (HB 570) | |
|---|---|---|---|---|
| Signed | Feb 17, 2026 | May 2025 | March 2025 | June 30, 2025 |
| Effective Date | Jan 1, 2027 | Jan 1, 2026 | May 7, 2025 (compliance by May 6, 2026) | July 1, 2026 |
| Current Status | Active, no legal challenge yet | Blocked — preliminary injunction Dec 23, 2025 | Active, CCIA lawsuit filed Feb 2026 | Active, no legal challenge to app store law |
| Age Categories | Under 13, 13-15, 16-17, 18+ | Under 13, 13-15, 16-17, 18+ | Under 13, 13-15, 16-17, 18+ | Under 13, 13-15, 16-17, 18+ |
| Enforcement | AG only | AG + private action | AG + private right of action ($1,000 min/violation) | AG only |
| Max Civil Penalty | $7,500/violation | $10,000/violation | $1,000+/violation (private suits) | Varies under consumer protection law |
| Developer Safe Harbor | Yes (good faith reliance) | Limited | Limited | None |
| Private Right of Action | No | Yes | Yes | No |
All four laws share the same core architecture: app stores must verify user ages, categorize users into four brackets, require parental account linkage for minors, and obtain verifiable parental consent (VPC) before minors can download apps or make purchases. Developers must check VPC status and notify app stores of significant changes.
The differences are in enforcement teeth and safe harbors — and those differences matter enormously.
Alabama’s App Store Accountability Act: What’s New
Alabama’s HB 161 is modeled closely on the Texas and Utah frameworks but incorporates refinements that reflect lessons learned from the legal challenges those states are facing.
Requirements for App Store Providers
Under HB 161, app store operators — primarily Apple and Google — must implement the following by January 1, 2027:
- Age verification at account creation. Use “commercially reasonable methods” or methods adopted by the Alabama Attorney General to verify each user’s age category.
- Parental account linkage. Any user identified as under 18 must have their account linked to a verified parent or legal guardian account.
- Transaction-level parental consent. Obtain verifiable parental consent before a minor can download an app, make a purchase, or complete an in-app transaction. Blanket or one-time consents are not sufficient.
- Encrypted data sharing. Provide developers with access to user age category and VPC status using industry-standard encryption, collecting only the minimum data necessary for compliance.
Existing accounts created before October 2, 2026 must be categorized and verified by October 1, 2027, giving platforms a transition window for their current user base.
Requirements for App Developers
Developers offering apps to Alabama users face their own set of obligations:
- VPC verification. Before allowing a minor to access the app or make purchases, developers must use the app store’s data-sharing methods to confirm VPC has been obtained.
- Significant change notifications. Developers must notify the app store when an app undergoes changes to its age rating, privacy policy, terms of service, data collection practices, or monetization features. The app store then alerts parents, who must provide renewed consent.
- Lowest age category rule. When implementing safety features, restrictions, or default privacy settings, developers must apply protections appropriate for the youngest applicable user.
- Contract enforceability. Terms of service cannot be legally enforced against a minor unless VPC was obtained first.
- Data request limits. Developers cannot request age category data more than once per 12-month period, absent suspected misuse or new account creation.
Enforcement and Penalties
Alabama’s enforcement model is AG-exclusive — there is no private right of action. Knowing or reckless violations are treated as deceptive trade practices under the Alabama Deceptive Trade Practices Act, carrying civil penalties of up to $7,500 per violation, plus attorney fees and court costs. Punitive damages are available for patterns of misconduct. The statute of limitations is one year from discovery.
The AG-only enforcement model is significant. Unlike Utah’s private right of action (which exposes developers to individual lawsuits with minimum $1,000 damages per violation) or Texas’s deceptive trade practice classification (which opens the door to private litigation), Alabama’s approach gives the state more control over enforcement priorities and may reduce the risk of frivolous litigation.
Safe Harbors
Alabama provides two notable safe harbors:
- Developer safe harbor: Developers are not liable if they relied in good faith on age category data and VPC notices provided by the app store.
- App store safe harbor: App stores are protected from liability for erroneous age signals if they used commercially reasonable verification processes with due care.
This dual safe harbor structure is more protective than Louisiana’s framework, which provides no safe harbor for developers who rely on app store data — making Louisiana the strictest of the four states for developer liability.
Texas: Blocked but Appealing
Texas SB 2420 was the most ambitious of the four laws — and the first to face a constitutional reckoning.
On December 23, 2025, U.S. District Judge Robert Pitman issued a preliminary injunction blocking the law just days before its January 1, 2026 effective date. The ruling applied strict scrutiny and found the law “more likely than not unconstitutional.”
Judge Pitman’s comparison was memorable: “The Act is akin to a law that would require every bookstore to verify the age of every customer at the door and, for minors, require parental consent before the child or teen could enter and again when they try to purchase a book.”
The court found the law both overbroad — restricting minors’ access to news apps, fitness trackers, educational resources, and mental health tools alongside genuinely harmful content — and unconstitutionally vague in key provisions around age ratings and “significant changes.”
Texas Attorney General Ken Paxton filed an appeal the same day to the Fifth Circuit, where briefing is ongoing in early 2026. The injunction remains in effect, and the law is not being enforced.
For a complete breakdown of Texas’s compliance requirements, see our Texas SB2420 compliance guide.
Utah: The Pioneer Under Siege
Utah blazed the trail with SB 142, signed in March 2025. The law technically went into effect on May 7, 2025, but the operational compliance deadline is May 6, 2026 — the date by which app stores must have functional age verification and parental consent systems in place.
Utah’s law stands out for its aggressive private right of action. Individual plaintiffs can sue developers for non-compliance with minimum damages of $1,000 per violation, plus attorney fees. This creates potentially catastrophic liability exposure for developers who serve Utah users without proper VPC systems.
However, the law’s future is uncertain. On February 5, 2026, the Computer & Communications Industry Association (CCIA) filed suit in U.S. District Court for the District of Utah, arguing the law violates the First Amendment. CCIA’s legal brief cites its successful challenge against Texas’s law as precedent.
As of mid-March 2026, no preliminary injunction has been issued, and the May compliance deadline continues to approach. Compliance teams cannot assume the lawsuit will produce relief before the deadline.
Louisiana: Two Laws, Two Fates
Louisiana’s legislative landscape requires careful distinction between two separate laws:
Act 456 — Social Media Age Verification (STRUCK DOWN): This law, which required social media platforms to verify users’ ages and obtain parental consent for minors, was permanently enjoined on December 15, 2025 in NetChoice v. Murrill. Judge John W. deGravelles found it simultaneously “wildly underinclusive” and “vastly overinclusive.”
HB 570 / Act 481 — App Store Accountability Act (ACTIVE): This is a separate law, signed June 30, 2025, with an effective date of July 1, 2026. It has not been challenged in court and remains on track for enforcement.
Louisiana’s app store law is notable for one critical distinction: it provides no safe harbor for developers. Unlike Texas, Utah, and Alabama, where developers receive some protection for relying in good faith on app store data, Louisiana holds developers independently liable regardless of what information the app store provided. This makes Louisiana the most punishing state for developer compliance.
The Legal Battlefield: Constitutional Challenges
The pattern across federal courts has been remarkably consistent. Eight federal district courts have now granted injunctive relief against state age verification laws, with only one declining to do so.
The core constitutional arguments are:
- Content-based speech restrictions trigger strict scrutiny. Because these laws regulate access to speech based on content (age ratings), courts apply the highest level of constitutional review.
- Overbreadth. The laws sweep in vast categories of protected, harmless speech — weather apps, news readers, educational tools — alongside content that might genuinely harm minors.
- Vagueness. Terms like “commercially reasonable methods,” “significant changes,” and “knowingly misrepresenting” age ratings provide inadequate guidance for compliance.
- Less restrictive alternatives exist. Courts note that parents already have device-level controls, platform parental settings, and family sharing features.
However, the appellate landscape is shifting. The Eleventh Circuit — hearing appeals of Florida and Georgia social media laws — signaled in March 2026 oral arguments that it may be less receptive to the broad facial challenges that have succeeded at the district court level. If an appellate court upholds one of these laws, even in part, the compliance calculus changes overnight.
The Expanding Map: States to Watch
Alabama is unlikely to be the last state to act in 2026. Several parallel efforts are advancing:
Colorado SB 26-051 takes a fundamentally different approach. Rather than regulating app stores, the bill requires operating systems to collect user age at device setup and expose age bracket signals to apps via API. It passed the Colorado Senate 28-7 on March 3, 2026, with an effective date of January 1, 2028. This OS-level model, inspired by California’s AB 1043 (effective January 1, 2027), represents the next evolution of age verification policy.
Federal legislation is also advancing. The federal App Store Accountability Act (H.R. 3149 / S. 1586), sponsored by Rep. John James and Sen. Mike Lee, passed a House subcommittee by unanimous voice vote in December 2025. A federal law would preempt the patchwork — but could also codify requirements that courts have found unconstitutional at the state level.
Active bills in Alaska, Arizona, Florida, Hawaii, Mississippi, Ohio, South Carolina, South Dakota, Virginia, and West Virginia follow the same app store accountability template, with hearings also held in Kansas and New Hampshire.
Compliance Checklist: App Store Operators
If you operate an app marketplace, the following actions should be underway regardless of legal uncertainty:
- Implement age verification infrastructure. Build or integrate commercially reasonable age verification at account creation. Google’s Play Signals API beta is one model; explore third-party verification services and biometric options.
- Create four-tier age categorization. Systems must categorize users as under 13, 13-15, 16-17, or 18+. These brackets are uniform across all four states.
- Build parental account linkage. Develop workflows for linking minor accounts to verified parent/guardian accounts, including parent identity verification.
- Implement per-transaction consent flows. Each download, purchase, and in-app transaction by a minor requires fresh parental approval. Blanket consents are prohibited.
- Develop encrypted data-sharing APIs. Provide developers with secure, encrypted access to age category and VPC status. Minimize data collection to compliance purposes only.
- Create consent revocation mechanisms. Parents must be able to revoke consent on a per-app basis, with real-time notification to developers.
- Establish notification infrastructure. Build systems to alert parents when developers report significant app changes, triggering renewed consent requirements.
- Track compliance deadlines by state. Louisiana (July 1, 2026), Utah (May 6, 2026), Alabama (January 1, 2027), and Texas (pending appeal).
Compliance Checklist: App Developers
Developers face obligations under all four laws regardless of app category or audience:
- Integrate with app store VPC APIs. Implement systems to query the app store’s age category and parental consent data before granting access to minors. Google’s Play Signals API and Apple’s forthcoming equivalent are the primary integration points.
- Assign and maintain accurate age ratings. Provide honest, defensible age ratings for your app and all in-app content. Document the rationale.
- Build significant change notification workflows. Create processes to notify app stores when your app changes its privacy policy, data collection practices, age rating, terms of service, or monetization model.
- Apply the lowest-age-category rule. Default privacy settings, safety features, and content restrictions must be calibrated to the youngest user in any applicable age bracket.
- Do not enforce contracts against unverified minors. Terms of service are unenforceable against minors unless VPC has been obtained.
- Understand state-specific liability exposure. Utah allows private lawsuits with $1,000 minimum per violation. Louisiana provides no safe harbor. Alabama and Texas (if reinstated) offer limited good-faith reliance protections.
- Minimize data retention. Delete age verification and consent data after it has served its compliance purpose. Do not repurpose it for advertising, analytics, or profiling.
- Document everything. Maintain records of compliance efforts, VPC verifications, and notification timestamps. In an enforcement action, documentation of good-faith efforts is your strongest defense.
The Privacy Paradox
Every one of these laws creates a fundamental tension: legislation designed to protect children requires collecting sensitive identity data from every user, including adults.
As Google’s Play Signals API rollout demonstrated, the verification process requires users to submit government-issued IDs, facial scans, credit card information, or third-party identity checks. This data — even when processed through intermediaries — creates new attack surfaces, new breach risks, and new surveillance capabilities.
Federal courts have consistently flagged this problem. Judge Pitman noted that Texas’s law would require collection of “sensitive, personally identifiable information that isn’t currently gathered” for even basic app downloads. Judge deGravelles found Louisiana’s social media law would “all but kill anonymous speech online.”
Meanwhile, Meta has been actively lobbying for app store-level age verification — a move critics describe as shifting liability from platforms to Apple and Google while building the infrastructure for comprehensive identity surveillance across the mobile ecosystem.
The privacy implications extend beyond individual breaches. Once identity verification becomes mandatory for app store access, Apple and Google become identity gatekeepers for the entire mobile internet. Every app download, every transaction, every interaction flows through systems that know exactly who you are and how old you are.
What Happens Next
The next 12 months will determine whether app store age verification becomes the norm or collapses under constitutional weight.
Key dates to watch:
- May 6, 2026: Utah compliance deadline (absent injunctive relief)
- July 1, 2026: Louisiana app store law takes effect
- Mid-2026: Fifth Circuit ruling expected on Texas appeal
- Late 2026: Eleventh Circuit rulings on Florida/Georgia social media laws could set broader precedent
- January 1, 2027: Alabama and California laws take effect
- January 1, 2028: Colorado OS-level age attestation takes effect (if enacted)
For compliance teams, the strategic question is whether to build for the world these laws envision or wait for judicial clarity. The pragmatic answer: build the infrastructure now, but design it to be modular. The core requirements — age categorization, parental consent, encrypted data sharing — are consistent across all four states. Even if individual laws are struck down, the direction of travel is clear. More states are coming. Federal legislation is advancing. And the app stores themselves are already building the technical plumbing to support these requirements.
The era of anonymous app downloads is ending. The only question is how fast — and at what cost to privacy.
For ongoing coverage of age verification legislation and compliance requirements, follow our COPPA compliance guide, KOSA analysis, and state privacy law tracker.
