Texas App Store Accountability Act Ushers in Sweeping Age-Verification Mandates

On May 27, 2025, Texas Governor Greg Abbott signed the Texas App Store Accountability Act (the “Act”), catapulting the Lone Star State to the forefront of state-level efforts to regulate children’s online safety. Taking effect on January 1, 2026, the Act reshapes the compliance landscape for companies that operate app stores and those that make their applications available on app stores to mobile device users in Texas. By tacking on age verification and parental consent obligations to app stores and requiring coordination with developers, Texas has adopted one of the most extensive approaches to minors’ online safety in the country—bringing with it a novel regulatory landscape filled with unique privacy and operational challenges.

Key Obligations for App Stores

The Act applies to any publicly available website, software application, or other electronic service that “distributes software applications” to Texas consumers for download or purchase on a mobile device. Although directed at the dominant app stores, the Act’s downstream data-sharing obligations effectively rope in every mobile application developer that receives age-category information from the app stores.

Mirroring legislation recently adopted in Utah that will take effect in May 2026, the Act aims to protect minors from online harms by shifting primary responsibility for age-screening from individual applications to the gatekeeping platforms through which those apps are obtained. This law applies to all applications regardless of whether they target or are directed to minors, which makes it broader in application than the federal children’s privacy law, the Children’s Online Privacy Protection Act.

First, every app store that offers applications to Texas mobile device users must verify the age of every prospective user (not merely minors) seeking to download or purchase an application using a commercially reasonable method. Upon doing so, the store must assign one of four age brackets: child (under 13), young teen (13–15), older teen (16–17), or adult. That age-category information must then be securely transmitted to the developer of any application that the user downloads.

Second, if the user is under 18, the app store must obtain affirmative, verifiable parental or guardian consent before permitting any download or in-app purchase. The minor’s account must be affiliated with their parent’s or guardian’s account, and the app store must use commercially reasonable methods to verify that the adult has legal authority to make decisions on the minor’s behalf. Parental consent is not a one-time box-check: the Act requires a fresh authorization for “each individual download or purchase sought by the minor.”

Third, app stores have an ongoing duty to keep developers and consumers informed. For example, app store owners must notify the developer of a downloaded software application whether consent has been obtained for each minor and if the parent or guardian revokes that consent. Additionally, when a developer provides notice regarding a change in the terms of service or privacy policy as required by the Act, the app store must notify every parent or guardian who previously consented and obtain renewed consent before the minor can continue using the application.

Fourth, app stores that already display age-ratings must explain their rating system to users and prominently post a rating for each application. If a store does not maintain its own rating methodology, it must display the rating supplied by the developer.

Finally, the Act sharply restricts what personal data an app store may collect and how that data may be used. Unless it is deidentified or publicly available, information gathered for age-verification or parental consent may be processed only for compliance purposes, must be encrypted in transit, and must be deleted once its narrow statutory purpose has been fulfilled.

Duties for Developers

Developers are not passive recipients of these new requirements. Under the Act, developers must assign an age rating to each of their applications based on the four age categories (child, young teen, older teen, adult) and provide both the rating and a description of the specific content or elements that led to the rating to every app store where their application is available. Unlike other state privacy laws, which apply only if a business meets certain thresholds for revenue, number of customers, or amount of data shared, the Act has no such minimum requirements. It applies to any developer that offers its application to Texas residents, regardless of the developer’s size or business volume.

Developers are also required to implement systems to use the age category information received from app stores and to determine whether minors have received the necessary parental consent. Before making any significant change to their terms of service or privacy policy, developers must notify each app store where their software is available. The Act limits developers’ use of personal data received from app stores to enforcing age restrictions, ensuring legal compliance, and implementing safety features and default settings. Once the age and parental consent verification process is complete, developers must delete any personal data received from the app store.

Looking Ahead: Compliance and Enforcement

The Texas App Store Accountability Act imposes one of the nation’s most rigorous age-verification regimes and signals a profound shift in the regulatory landscape governing platform obligations for child safety. Its passage coincides with federal deliberations on parallel measures—most notably the Kids Online Safety Act—underscoring a broader legislative trend toward heightened protections for minors online. Opponents contend that the Texas Act could prompt unnecessary data collection, thereby amplifying the risk of breaches; they note, for example, that even low-risk applications such as weather and sports-score services would be swept into the verification requirements, and potentially compel the transfer of personal information to developers whose data-security practices may be insufficient.

Covered entities now face an accelerated timetable: the Act takes effect on January 1, leaving fewer than twelve months to recalibrate internal controls and update compliance protocols. A violation constitutes a deceptive trade practice under Texas law, empowering the Attorney General to seek injunctive relief, civil penalties, restitution, and reimbursement of the State’s investigative and litigation costs.

O’Melveny & Myers will continue to track interpretive guidance, enforcement trends, and any legal challenges as they develop. Please reach out to any member of our team if you have any questions about the Texas App Store Accountability Act or related regulations.

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Sid Mody, an O’Melveny partner licensed to practice law in Texas; Randall W. Edwards, an O’Melveny partner licensed to practice law in California; Scott W. Pink, an O’Melveny special counsel licensed to practice law in California and Illinois; and Juan Antonio Solis, an O’Melveny associate licensed to practice law in Texas, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2025 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, 1301 Avenue of the Americas, Suite 1700, New York, NY, 10019, T: +1 212 326 2000.