This video by David Dunmoyer regarding Texas HB 4901 contains statements that are demonstrably false and significantly mislead the public about the legislation’s impact on app developers, particularly small businesses.
Betsy Furler, from Houston, Texas, and head of App Association member company For All Abilities (a person with decades of experience as a speech pathologist supporting students with disabilities and a tireless champion of the power of technology to change lives), had it right in her testimony: HB 4901 imposes significant mandates with the potential to crush small firms attempting to comply.
Dunmoyer stated that “there is nothing in this bill that requires app developers to redevelop their apps.” At best, this shows his naivete, and at worst, Dunmoyer is intentionally trying to mislead people. Let’s take a look at the text of the bill itself:
In Section 121.054, subsection (a), HB 4901 clearly mandates that the developer of a software application
“shall create and implement a system to verify:
(1) for each user of the software application, the age category assigned to that user under Section 121.021(b); and
(2) for each minor user of the software application, whether consent has been obtained under Section 121.022.”
Furthermore, subsection (b) specifies that developers
“shall use information provided by the owner of an app store under Section 121.024 to perform the verification required by this section.”
How does Dunmoyer think app developers will comply with these requirements? There isn’t a magic coding wand that just makes this happen. This language necessitates that every app developer serving users in Texas must undertake significant development work to build or modify their applications to interact with the age verification data provided by app stores.
That might sound simple enough, but in the real world, app developers know this requirement to “create and implement a system to verify” imposes exorbitant new costs and intractable compliance issues on all apps, including those that have nothing to do with children or adult content. As ACT | The App Association outlined in our opposition to HB 4901, this mandate affects a vast range of Texas small businesses that would be forced to write new code and justify how that constitutes a “system to verify” ages of users and determine whether parental consent to download was given to an app store in order to comply with the law.
For example:
- Developing and integrating a secure login or user identification system that can receive and process age verification data from app stores. Basic user authentication added to a brand-new app can cost a few thousand dollars, while more secure systems can reach $10,000 or more. Ensuring that the authentication system integrates with a third-party system (app stores) as mandated by HB 4901 would likely fall into the higher end of this range due to complexity and security considerations. What’s worse, as every developer knows, messing with existing code can quickly raise the time commitments 10-fold as you dig through bad documentation, elements the first developer added but didn’t actually turn on, and just general cruft.
- What if I don’t collect information or serve kids? The bill puts developers into a legal quandary. What if I don’t collect any data from my users, and I have no interest in doing so? Sorry, you are still required to accept the flag and then deal with the information provided, regardless of the app itself. What will that mean? Additional backend development will be needed to 1) handle the logic of verifying user ages against the data provided by an app store and 2) enforce age-based restrictions within the app. This involves writing new software (which Dunmoyer falsely claimed is not required). The cost of mobile app development varies widely, from $10,000 to more than $300,000, depending on complexity. Even basic utility apps can cost between $10,000 and $50,000, and integrating a new verification system adds to this cost.
- What about data minimization? Let’s say you add all that, but you still want to do data minimization. Not so fast! The bill may create the need for data retention and security features. While Section 121.055(b) mandates the deletion of personal data provided by an app store upon verification, developers may still need to maintain compliance records. Furthermore, securely handling any personal data, even temporarily, necessitates implementing appropriate security audits, encryption features, and ongoing vulnerability assessments, which can cost between $5,000 and $25,000 annually. Failing to prioritize security can lead to costly legal issues and damage user trust.
- What about maintenance costs? These new features also mean more ongoing costs. The maintenance and updates needed to keep the verification system compatible with app store changes and compliant with HB 4901 regulations will change every time a new state introduces one of these bills. Even if you don’t serve customers in that particular state, app stores are going to implement global changes just to keep out of legal trouble. These ongoing costs can exceed the initial implementation investment.
And before you buy into Dunmoyer’s assertions, re-read Section 121.053. This language imposes requirements directly on developers to notify app stores before making various changes to their apps, including changes to the terms of service or privacy policy that affect the type of personal data collected, stored, or shared, or that materially change the functionality or user experience.
At first blush, this sounds pretty reasonable and is something responsible developers do today. The difference is how you show compliance. While this section doesn’t explicitly mandate data retention within the developer’s app, it implies the need for developers to track and manage changes to their data handling practices to fulfill these notification obligations. This adds another layer of complexity and potential development overhead, requiring systems to monitor and report such changes to app stores.
His suggestion that developers simply need to “clearly enumerate why they came up with 4+, 12+, 17+” for age ratings completely misunderstands the distinct and separate obligation outlined in Section 121.054. Developers already assign age ratings (Section 121.052); HB 4901 adds the significant new requirement to “create and implement a system to verify” the age category and parental consent information provided by the app stores (Section 121.054). These are not the same, and the latter imposes a substantial software development burden.
The mandate in Section 121.054 for developers to “create and implement a system to verify” age and parental consent is a significant new obligation that will necessitate code changes, incur considerable costs, and create ongoing compliance challenges for a wide range of Texas app developers, far beyond those focused on children’s content.
Dunmoyer’s lack of understanding of the legislation and the businesses and people it would affect is a disservice to the Texas small business community.