App Store Terms of Service: Developer Compliance Requirements in 2026

If you publish apps on Apple's App Store or Google Play, the legal ground shifted under you in 2025 and 2026. Four states have passed App Store Accountability Acts, a federal bill is moving through Congress, and both Apple and Google have updated their developer agreements to reflect these new requirements. If your terms of service and privacy policy have not been updated to match, you are out of compliance right now.

These laws go beyond the platform-level requirements you already follow. They impose obligations directly on you as the developer, regardless of what Apple or Google require in their store guidelines. Non-compliance can trigger enforcement actions from state attorneys general, removal from app stores, and private litigation.

This guide covers every major requirement under the state and federal App Store Accountability Acts, explains what they mean for your terms of service and privacy policy, and gives you a practical compliance checklist.

Which States Have Passed App Store Accountability Acts

As of mid-2026, four states have enacted App Store Accountability Acts: California, Louisiana, Texas, and Utah. Each law has slightly different requirements, but they share a core framework focused on age verification, parental consent, content ratings, and data handling for verification information.

California's law applies to any app available for download by California residents, which effectively means every app on major platforms. Louisiana's and Utah's laws have similarly broad scope. Texas passed its law, but it is currently subject to a preliminary injunction on First Amendment grounds that is being litigated in federal court.

At the federal level, the App Store Accountability Act was introduced in both chambers of Congress as H.R. 3149 and S. 1586. The bill has bipartisan support and would create a single national standard, but it has not yet passed as of mid-2026.

Core Requirements That Apply to App Developers

The state laws share several requirements that apply directly to app developers, not just to Apple and Google as platform operators.

First, you must publish accurate age ratings and content descriptions for your app. These ratings must reflect the actual content and features of your app, not a conservative estimate designed to avoid scrutiny. If your app includes user-generated content, social features, or in-app purchases, those features must be reflected in your ratings.

Second, you must use age and consent verification information provided by the app store platforms. Both Apple and Google are building APIs to share age-bracket data with developers. Once these APIs are available and required by law, you cannot substitute your own verification method unless it meets a higher standard.

Third, you cannot enforce your terms of service against minors without verifiable parental consent. This is a significant change for apps that have historically used a simple age-gate checkbox. If your app's terms include arbitration clauses, limitation of liability provisions, or data processing consents, those provisions are unenforceable against minors unless a parent or guardian has given verifiable consent.

What Your Terms of Service Must Now Include

Your terms of service need several new sections or modifications to comply with these laws.

You must include a clear age verification disclosure that explains how your app determines a user's age, what data you use for verification, and how long that data is retained. This disclosure must be in plain language and must appear before the user creates an account or accesses age-restricted content.

Your terms must include a separate parental consent mechanism for minor users. The laws require "verifiable" parental consent, which is more than a checkbox. Acceptable methods typically include providing a credit card, using a government-issued ID verification service, or confirming through an existing verified adult account.

You must also include a section on content ratings that explains what content your app contains, what age group it is appropriate for, and how users can report content that violates your rating. This section should be consistent with the age rating you submitted to the app store.

Finally, your terms must address your notification obligations to the app store platform. Under these laws, you are required to notify Apple and Google before making certain changes to your app, and your terms should inform users that such notifications occur.

Data Handling and Deletion Requirements

The Accountability Acts include strict rules about how you handle personal data collected during age and consent verification. These rules apply in addition to, not instead of, existing requirements under CCPA, COPPA, and other privacy laws.

Your privacy policy must specifically address verification data as a separate category. It must state what data is collected during age verification, the purpose of that collection, how long it is retained, and when it is deleted. Most state laws require deletion of verification data within a short period after the verification purpose is fulfilled, typically 30 to 90 days.

If you use a third-party service for age or identity verification, your privacy policy must name that service and explain what data is shared with it. You are responsible for your service provider's compliance with these requirements, so you also need a data processing agreement with any verification vendor.

Notification Requirements to App Store Platforms

One of the most operationally significant requirements in these laws is the obligation to notify app store platforms of significant changes before those changes go live. This creates a pre-notification workflow that many developers have not built.

Under the state laws, "significant changes" include any modification to your data collection practices, any new category of in-app purchases, any change to your age rating, and any modification to your parental consent mechanism. The notification window varies by state, but California requires at least 30 days' notice for most significant changes.

The practical impact is that you can no longer update your terms of service and push them live immediately. You need a notification workflow, a waiting period, and a process for handling any platform objections before your update goes live. Build this into your release process now, before you need it.

The Texas Injunction and What It Means for Other States

A federal court issued a preliminary injunction against the Texas App Store Accountability Act, finding that certain provisions likely violated First Amendment protections for app developers. The injunction is narrow and covers only the provisions that compel speech, not the data handling or notification requirements.

However, the Texas injunction does not affect the California, Louisiana, or Utah laws. Each state's law has different language, and the constitutional challenge is specific to Texas's wording. Until the injunction is resolved or appealed, the Texas law's compelled-speech provisions are blocked, but everything else is enforceable.

If the federal bill passes, it would preempt the state laws and create a single national standard. But until that happens, you need to comply with whichever state laws apply to your users, which for most apps means California's law at minimum.

The Federal App Store Accountability Act

H.R. 3149 and S. 1586 would establish federal requirements that mirror the state laws but with some important differences. The federal bill includes a safe harbor for developers who use app store platform APIs for age verification, which would reduce the burden on smaller developers.

The federal bill also includes stronger enforcement mechanisms, including FTC oversight and the ability for state attorneys general to bring civil actions. Penalties under the federal bill would be significantly higher than under most state laws, up to $50,000 per violation for knowing violations.

Even if you are currently compliant with the state laws, monitor the federal bill's progress. If it passes, you may need to update your terms and privacy policy again to align with the federal standard, and the safe harbor provisions may change your compliance strategy.

Practical Compliance Steps for Developers

Start by auditing your current age-rating and content-description practices. Compare your app store listing's age rating against your app's actual features and content. If your app allows user-generated content or social interactions, your rating may need to be updated to reflect that.

Implement age verification that uses the data Apple and Google provide. Both platforms are building APIs to share age-bracket data with developers. Integrate with these APIs as they become available so you are not building your own verification infrastructure that may not meet the legal standard.

Build a parental consent workflow that meets the "verifiable" standard. A simple "I am over 18" checkbox does not qualify. Work with legal counsel to design a consent flow that meets California's requirements, which are the most stringent; a flow that meets them will likely meet other states' requirements as well.

Update your terms of service and privacy policy to include the disclosures described above. This is not a small edit. You are adding new substantive sections that did not exist before these laws. A terms of service lawyer who tracks app store compliance can draft these sections efficiently and accurately.

Create an internal process for notifying app store platforms before you change your terms, privacy policy, or monetization model. Assign responsibility for this process to a specific team member and build the 30-day notification window into your release planning calendar.

Why Generic Terms of Service Templates Fall Short

The App Store Accountability Acts require terms of service provisions that did not exist in any template before 2025. Any template that was drafted before these laws were enacted does not include the required age verification disclosures, parental consent mechanisms, or platform notification obligations.

Even if a template vendor updates their product, templates cannot account for the specific way your app collects data, the specific age groups it targets, or the specific platform APIs you are using for verification. The required disclosures must be accurate for your app, not accurate for a generic app.

A technology lawyer who tracks these laws can draft terms that address your app's specific compliance needs, build in the notification workflow, and update your privacy policy to cover verification data handling. This is not optional compliance work. It is a legal requirement that is currently being enforced.

Frequently Asked Questions

Do these laws apply if my app is free and does not collect payment information?

Yes. The App Store Accountability Acts apply based on whether your app is available to users in states that have passed the law, not based on whether your app is paid or free. If your app collects any personal data, includes any social features, or allows user-generated content, the requirements apply regardless of pricing.

What counts as "verifiable parental consent" under these laws?

Verifiable parental consent requires proof that an actual adult has provided consent, not just a self-declaration. Acceptable methods under most state laws include credit card verification, knowledge-based authentication, government ID verification, or confirmation through a verified adult account. A simple age gate asking users to enter their birth date does not qualify.

If the federal bill passes, do I still need to comply with state laws?

The federal bill includes a preemption provision that would supersede the state laws once enacted. Until it passes and takes effect, however, state laws are the operative legal requirements. And even if the federal bill passes, you will need to update your terms and privacy policy to align with the new federal standard.

How quickly must I delete personal data collected during age verification?

The state laws require deletion "promptly" once the verification purpose is fulfilled, with most laws specifying a maximum retention period of 30 to 90 days. Your privacy policy must state your specific retention period, and you must have technical systems in place to enforce that deletion timeline automatically.

Does the Texas injunction mean I can ignore the Texas law entirely?

Not safely. The preliminary injunction blocks enforcement of the specific provisions that compel speech, but the data handling and notification requirements remain in effect. Additionally, the injunction is preliminary, meaning it can be lifted if the court's First Amendment analysis changes on appeal. Monitor the Texas litigation and maintain compliance with the non-enjoined provisions.

Get Your App's Terms Right Before Enforcement Begins

The App Store Accountability Acts represent a fundamental shift in how app developers must approach their terms of service and privacy policies. The requirements are detailed, specific, and already being enforced in states that have enacted the law.

Hansen Tong and the team at TOS Lawyer help app developers draft terms of service that satisfy both platform requirements and state law obligations. Contact TOS Lawyer to get your app's terms and privacy policy updated for the current legal landscape before enforcement actions begin.


