A recent “Myth vs. Fact” sheet defending the App Store Accountability Act (ASAA) claims the legislation offers a workable solution for protecting young people online. In reality, the bill would impose sweeping age verification mandates on app stores to check every user’s age and share that data with millions of app developers.
The Myth vs. Fact sheet attempts to wave away constitutional challenges, dismiss privacy concerns, and insist that Congress has found a narrow, workable path forward. The small businesses in your district probably have an app, from the barbershop to the hog farm, and everyone in between. Unfortunately for these small businesses who will be caught in the ASAA crossfire, none of the Myth vs. Fact sheet’s claims hold up to scrutiny—or to recent federal court rulings.
Here’s what the Myth vs. Fact sheet gets wrong, point by point:
Privacy and Data Security: A Massive, Mandated Exposure
The Myth vs. Fact sheet insists that age verification can be done in a “privacy-protective way” without risking consumer data. But age verification cannot be done without collecting “direct evidence” of a person’s age and identity. Even if a flag can be sent without those details, they must be collected to create the flag. And because ASAA would impose a mandate, the app stores would be compelled to show compliance—and that means maintaining records of all of it. Moreover, ASAA doesn’t just ask app stores to verify age and parental consent status—it mandates that they share flags signifying that information with
every single app developer, whether the app in question is TikTok or a weather widget built by a solo developer in Ohio. This isn’t targeted regulation; it’s a forced data-sharing pipeline that turns millions of general-audience apps into new repositories of key information about kids. Backed by verification, the flags also show a child’s under-13 status, compelling all developers to create new federal Children’s Online Privacy Protection Act (COPPA) compliance programs even if their apps have nothing to do with serving kids or content with age-related risks.
It also replaces the existing parental consent mechanism with a new version with additional failure points. Currently (without ASAA), if a parent declines a download by their child, the download is stopped at the operating system level. But ASAA would require a flag indicating parental consent status to be sent to the developer, which may or may not be received or properly adhered to, depending on whether the developer has updated their app. This leaves developers holding the bag and robs parents of a consent mechanism that actually works.
An open letter signed by 371 security experts from 29 countries recently warned that rolling out large-scale age verification is “dangerous and socially unacceptable,” citing severe risks to both security and privacy. For small developers, this means navigating a compliance minefield: you’re now legally obligated to receive, store, and manage sensitive age data you never asked for, creating new liability exposures and new honeypots for hackers. The Myth vs. Fact sheet ignores this cascading risk entirely.
Chilling Adult Speech: More Than an “Incidental Burden”
The Myth vs. Fact sheet waves away First Amendment concerns by pointing to the Supreme Court’s decision upholding Texas’s age verification law for pornography sites, calling any burden on adult speech merely “incidental.” But ASAA would impose the age verification barrier between users and any mobile software app—news apps, fitness trackers, small business tools—making it far more burdensome than a law that imposes the same burden only on porn websites.
On December 23, 2025, a federal judge blocked Texas’s version of the ASAA (SB 2420), holding that forcing users to verify their age to download harmless apps is “akin to a law that would require every bookstore to verify the age of every customer at the door.” Judge Robert Pitman ruled that this broad restriction cuts teenagers o from the “democratic forum of the Internet” and acts as an unconstitutional prior restraint on protected speech.
The majority’s claim that this is just a minor inconvenience doesn’t survive contact with actual litigation.
Constitutionality: The “Narrowly Tailored” Test ASAA Can’t Pass
The Myth vs. Fact sheet insists that the Supreme Court has given a “constitutional green light” for federal action and that ASAA is “content-neutral” and constitutionally sound. Yet the federal court in CCIA v. Paxton just ruled that the Texas law ASAA is modeled after triggers strict scrutiny and fails it definitively. Similarly, the court also noted that ASAA would fail intermediate scrutiny because it would try to impose barriers to accessing every
single app that would be available on one of the stores.
Judge Pitman found the Texas app store mandate “exceedingly overbroad” because it puts an age verification barrier between individuals and all apps, not just those posing demonstrated age-related risks. Instead of narrowly targeting apps with “specific addictive qualities” or incentivizing voluntary content filters, the law sweeps up everything—calculator apps, news readers, transit schedules—forcing app stores and developers to treat every download as a potential legal landmine. The court ruled this fails the “least restrictive means” requirement of the First Amendment. ASAA seeks to replicate this constitutional flaw at the federal level. For small developers, that means building businesses on a regulatory foundation a federal court has already condemned.
The Government ID Trap: Liability Forces Invasive Collection
The Myth vs. Fact sheet claims ASAA doesn’t require government IDs and points to alternatives like Apple Pay. It is unclear why there is a claim here about Apple Pay, which does not serve as an identifier, nor does it indicate age. Either way, the bill’s strict liability standards make invasive ID collection a practical inevitability. ASAA demands that app stores verify users into four highly granular age categories—”young child” (under 13), “child” (13-15), “teenager” (16-17), and “adult” (18+)—using methods “reasonably designed to ensure accuracy.” Platforms face FTC enforcement and crushing financial penalties if they misclassify a 12-year-old as a 13-year-old or a 17-year-old as an 18-year-old.
Distinguishing between adjacent age groups is technically impossible using privacy preserving age assurance methods. As Graham Dufault, General Counsel at ACT | The App Association, noted in a recent FTC workshop on age verification, the accuracy demands of the ASAA proposals push platforms toward “direct evidence” of age and identity—government IDs, birth certificates—to avoid liability. Even the majority’s example of Apple Pay requires users to verify their identity with hard credentials before Apple Pay can be used for downstream verification. And roughly 20 percent of Americans don’t have a credit card; for them, compliance means submitting a government ID or being locked out of the app economy entirely. For small developers, it means being force-fed age information that places them under the federal COPPA regime. In turn, COPPA requires operators to enable parents to revoke previously provided consent to collect data about their children, which further requires operators to retain information about the kids and parents they serve and associate them with each other.
Bipartisan Support vs. What Parents Actually Want
The Myth vs. Fact sheet touts “bipartisan support” as proof that ASAA reflects what families want. But polling tells a different story. 70 percent of parents say protections should continuously keep minors safe while they use apps, not just rely on a one-time age check at the app store gate. Another 70 percent worry that requiring parental approval for every single app download will restrict access to important information, and only 34 percent believe app store age verification alone will keep kids safe.
Parents want continuous accountability from platforms, not a bureaucratic chokepoint that creates “consent fatigue” and cuts teens o from resources they need. For small developers, this means complying with a law that misreads its own constituency—building systems that parents don’t trust and that saddle developers with compliance burdens parents never asked for. Currently, app stores enable parental controls based on how parents set up their child’s device. The app stores can improve the methods and mechanisms used to effectuate notices and execute parental preferences. Under current conditions, consumer experience and feedback expressed through the market mechanism drives the design. ASAA would make this feedback loop much worse and more convoluted
by interjecting a layer of compliance between parents and their devices. Under such a regime, instead of designing for parental control and experience, app stores and developers would be designing for compliance.
Accuracy and Reliability: The Honeypot Problem
The Myth vs. Fact sheet insists that innovations in AI and biometrics have made age verification “accurate and reliable.” Yet the same 371 security experts who warned about privacy risks also noted that current age verification technologies are “not effective and carry significant risks.” Implementing robust age verification across the internet would require “checking government-issued IDs with strong cryptographic protection for every single interaction,” centralizing sensitive data in the hands of a few companies and creating massive honeypots for cybercriminals.
For small developers, this creates an impossible dynamic: you’re forced to rely on centralized verification systems controlled by platform giants, or you’re expected to build your own infrastructure to handle government IDs—both of which introduce unnecessary risks for developers that have no reason to verify age. The majority’s confidence in technological solutions ignores the consensus of the experts who actually build these systems and the additional risks that materialize when all of it is under a compliance mandate.
Age Estimation vs. Verification: The FTC’s Own Guidance
The Myth vs. Fact sheet dismisses age estimation as just a “guess” and insists that strict verification is the “only way” to protect families. But the Federal Trade Commission recently issued an enforcement policy statement specifically to promote the adoption of age assurance technology—explicitly defined to include age estimation and inference tools.
Experts know that age assurance is on a spectrum, with the most accurate (age verification) also posing the highest risks because it requires “direct evidence” of age and identity (government-issued IDs). Because verification is the highest-risk form of assurance, it is used only sparingly—in order to block access to goods or services that themselves pose especially severe age-related risks—and IDs that are checked in real life are usually not collected and stored. Creation of a credential, however—especially if doing so is required by law—necessitates the retention of ID information. ASAA demands more than just a quick check of an ID at the door. By requiring absolute “verification” instead of encouraging innovation in privacy-preserving age assurance sensitive to the risks it presents (and the risks it must address), ASAA fails the risk-based approach test age assurance requires.
What Small Business Innovators Should Watch
The Energy and Commerce majority’s fact sheet can’t wish away the constitutional, privacy, and technical problems that federal courts have already identified. For small business developers, the stakes are clear: ASAA would force you to handle sensitive data you’re not equipped to protect, expose you to liability for verification systems you don’t control, and require you to comply with a law a federal judge has already called unconstitutionally overbroad. If Congress is serious about protecting kids online, it should listen to the courts, the cybersecurity experts, and the parents who actually want continuous accountability—not a one-size-fits-all mandate that buries innovation in liability.