During a recent House Energy & Commerce Subcommittee on Commerce, Manufacturing, and Trade hearing, Legislative Solutions to Protect Children and Teens Online, proponents of the App Store Accountability Act (ASAA, H.R. 3149) described it as an effective, privacy-protective solution to protect children online. The thinking behind the proposal is argued that by requiring app stores to conduct age verification, the bill would empower parents to safeguard their children and extend offline protections to the digital ecosystem. However, this framing overlooks the substantial compliance burdens the bill would create in practice. As introduced and without reasonable amendments, the ASAA would impose significant obligations on developers and expose consumers to privacy and cybersecurity risks without meaningfully advancing online safety. Accomplishing the goals of the bill need not impose complex new obligations on developers, or pose additional privacy risks that go beyond those necessary to protect kids. For guidance on a path to do this, policymakers should look to the Parents Over Platforms Act (POPA, H.R. 6333) a more pragmatic, tailored solution that would give parents and guardians more meaningful control online.
While proponents portray the ASAA as a simple requirement for app stores to verify ages, that framing obscures the significant downstream consequences for developers. The bill requires app stores to collect age information and transmit a user’s age category to developers whenever an app is downloaded. This seemingly small data handoff functions as a legal landmine for developers. Under the ASAA, receiving the age flag constitutes actual knowledge of a user’s age, which consequently pulls developers into the Children’s Online Privacy Protection Act’s (COPPA) complex compliance framework even if their products were never designed for or marketed to children. If passed as is, estimates suggest small U.S. developers could face up to $280 billion in compliance costs. For small tech developers operating with limited resources, this regulatory burden could mean missed payroll, delayed updates, and entire products shelved just to cover legal costs, effectively turning the ASAA into an innovation tax only the largest firms can afford.
Proponents argue that the ASAA is more privacy protective than alternative online safety bills. However, this claim ignores the substantial privacy and security risks created by mandatory age verification at the app store level, especially when the bill would require verification to be done for virtually all potential users of an app store. Requiring app stores to verify users’ ages will likely push them to collect government-issued identification, biometric scans, or similarly sensitive documentation. This process erodes online anonymity by forcing far more users than necessary to hand over their sensitive information to access basic digital services. Moreover, app stores, since they do not currently conduct age verification for all of their users, they would need to collect more highly sensitive data than they do now, and they may do exactly what developers currently do: contract with a digital identity verification provider. A breach of these repositories, whether collected from developers or stores, could expose identification or age information for millions of Americans at once. With cyberattacks growing more frequent and sophisticated, treating a breach as a hypothetical instead of an inevitable outcome is a policy failure that puts consumers at real and immediate risk.
Finally, claims that the ASAA merely extends familiar offline age gates into the digital world by requiring parental consent for minors who cannot consent to app store contracts fundamentally misunderstands longstanding contract law. Even if parental consent is required at the app store level, it does not preclude or modify the separate contractual relationship formed between a minor and the app developer when the user accepts an app’s terms of service. Contracts with unemancipated minors are generally voidable in every state in the union, so even if a developer tries to enforce the agreement, the minor can void it at will. Including language that prohibits the enforcement of those contracts without proof of verifiable parental consent does not advance online safety, it simply preserves the status quo. Put differently, the ASAA confuses paperwork with protection. The theory that parental consent at the app store level substitutes for a valid contract with the app itself creates only the illusion of online safety, leaving children no safer than before.
In contrast, POPA accomplishes the ASAA’s stated online safety goals without dragging every developer into costly and complex regulatory frameworks. POPA requires app stores to ask users for their ages at account creation and, with parental consent, make available an age signal to apps. Crucially, only apps that offer different experiences for adults and minors or are adults-only must assess users’ ages and can do so via the provided age signal. As a result, developers of general-audience apps are not swept into broad COPPA-level obligations simply because a minor downloads the app. This targeted scope significantly reduces regulatory burdens and compliance costs, and enables small developers to focus on innovation instead. POPA’s approach to online safety will empower parents to protect their kids online without sacrificing the vibrant app ecosystem.
POPA also avoids introducing sweeping privacy and cybersecurity risks inherent in ASAA’s age verification approach. Instead of requiring users to upload identifying information to app stores, POPA allows users to report their ages and only requires sharing to apps that differentiate experiences by age. This distributed approach reduces breach exposure, protects consumers’ sensitive information, and keeps parents, not platforms, in control of when sensitive personal information is shared. POPA helps parents, platforms, and developers build safer online experiences without creating a surveillance-grade data pipeline.
While ASAA aims to protect children online, its provisions would impose unsustainable compliance costs on small businesses, create serious privacy and security risks through mandatory age verification, and rely on flawed contract law logic that fails to achieve its stated goals. We urge ASAA’s sponsors to amend the bill to mirror or closely track POPA’s. If lawmakers can come together on these reasonable changes, the Committee can confidently report a pragmatic and privacy-protective framework that advances online safety without crushing small businesses or innovation.