Last month, Texas Governor Greg Abbott signed into law a bill that would require app stores to verify the age of their users and require parental consent for users under 18 to download apps. Among the bill’s top supporters, if the fact that it bankrolled a wildly expensive lobbying campaign is anything to go by, is Facebook and Instagram operator Meta. At first glance, it may seem odd that Meta would be so supportive of bills that will lead to costly compliance requirements. But a closer look at how the Texas bill and others like it will work in the real world (hint: not in the best interests of kids, parents, or app developers) reveals Meta’s true motivation. Policymakers around the world would do well to take note as Meta takes its Texas rodeo global.
By attempting to put the onus on app stores to handle age verification, it is likely that the intention of Texas lawmakers was to spare small app developers from the expense of having to build their own compliance systems. It is ironic, then, that the Texas bill when implemented would require exactly that. While the advocacy around the bill focuses on requirements on app stores, the plain text imposes direct mandates on every company offering apps to people in Texas, regardless of audience, under a strict, costly compliance regime that comes into conflict with the federal Children’s Online Privacy Protection Act (COPPA). Many would also be immediately and unknowingly out of compliance with federal law.
Enacted in 1998, COPPA[1] seeks to protect children’s privacy by creating a series of strict requirements for commercial websites and online services (including mobile apps) that are either 1) directed to children under 13, or 2) for general audiences, but have actual knowledge that they are collecting, using, or disclosing personal information from children under 13. Once covered by COPPA, operators must comply with a number of requirements, including providing a mechanism for verifiable parental consent (VPC) for collection and processing of their child’s data, creating a means for parents to access their child’s data or have it deleted, restricting its sharing to third parties, and complying with additional data retention and data security requirements.
Since COPPA’s enactment, the large majority of general audience websites and services (i.e., point-of-sale systems, machinists’ CNC calculators, farming apps, tax preparation apps) do not intend to serve children and have not had actual knowledge of minor users, and so have not built COPPA compliance procedures or systems. The Texas age verification bill upends this system. It requires app stores to develop a system to get parental consent for the download of the application and to send a notification or “flag” to each app upon that approval. If the user is under 13, this flag would constitute actual knowledge under COPPA for any app that receives it. If the operator proceeds to initiate the download, the app would necessarily begin collecting data on the minor, such as IP address and device ID, which is considered personally identifiable information under COPPA. If the app did not have COPPA compliance procedures already in place, including their own means of securing VPC, they would immediately be in violation of federal law. Some have estimated that this would lead to imposing $70 billion in compliance costs on app developers at large.
So with such a high price tag and new liability exposure, why is Meta fighting so hard to put app store age verification laws in place? Because unlike for regular app developers, the alternative for Meta is potentially much worse. It all comes down to that actual knowledge concept in COPPA. The vast majority of apps don’t collect much data on their users, so they have nowhere close to actual knowledge that any given user is under 13. Meta, however, has a massive trove of data on the users of its platforms Facebook and Instagram, including names, birthdays, and photos. If federal investigators ever take a close look at how Meta uses all this data and determines that it has actual knowledge about millions of kids on its platforms after all, the company could face a one-time fine under COPPA of tens of billions of dollars. Given those stakes, it’s clear why Meta would want to shift responsibility for determining age to the app stores and happily start afresh with a much simpler actual knowledge regime of acting on flags, with no regard for the damage it would do to the rest of the app ecosystem.
After its success in Texas, Meta is already ramping up efforts to make app store age verification the law of the land in the United States. In May 2025, Senator Mike Lee (R-UT) and Representative John James (R-MI) introduced the App Store Accountability Act (ASAA), a bill that would require app stores to verify users’ ages and obtain parental consent for users under 18. And it won’t stop there, because the United States is by no means the only jurisdiction with laws around kids’ data of which Meta risks running afoul.
In Japan, for example, the Personal Information Protection Commission has begun a process to update the Act on the Protection of Personal Information, the country’s privacy law. Updates under consideration include significant new specific protections for children’s data and strengthening enforcement, including a new administrative fine system.[2] Meta therefore has the same incentive to run the Texas playbook in Japan as it does at the U.S. federal level: shift liability to the app stores, throw up its hands, and say “we’re just acting on the age verification flags like anyone else.
Perhaps the most surprising part of this story is that, so far, many lawmakers have seen Meta swearing up and down that these bills are the solution for kids’ privacy and safety and have taken the company’s word for it. After all, Meta has a long track record of prioritizing engagement and growth over child safety, including promoting AI-powered chatbots that engage in explicit conversations with minors, exploiting youth psychology to drive use, and recruiting kids and tweens to its platforms.
When Meta takes its Texas age verification rodeo global, we urge policymakers in Japan and elsewhere not to be distracted by the rope tricks. Meta’s claims that app store age verification will defeat all the threats children face online are all hat, no cattle.
[1] Federal Trade Commission, Complying with COPPA: Frequently Asked Questions, www.ftc.gov, https://www.ftc.gov/business-guidance/resources/complying-coppa-frequently-asked-questions.
[2] https://iapp.org/news/a/japan-s-dpa-publishes-interim-summary-of-amendments-to-data-protection-regulations.