Part Two of ACT’s Two-Part Resource: The ABCs and 1-2-3s of Age Verification and Compliance

Lawmakers across the United States are introducing a wave of age-verification and parental-consent laws aimed at protecting kids online. While well-intentioned, these state-by-state approaches create a confusing and costly patchwork for startups and independent developers. And, as we have seen in other efforts to use age-verification methods, the very people these laws aim to protect often become more vulnerable to the harms the bills are meant to prevent. To help our members stay ahead, we’re breaking it down into two living guides that will be updated periodically:

    • The ABCs of Age Verification: Our part-one directory tracks where each state stands on age-verification proposals.
    • The 1-2-3s of Age Verification Compliance: Our part two compliance guide outlines how to 1) understand requirements, 2) prepare systems, and 3) better stay compliant as rules take effect.

This overview is for informational purposes only and does not constitute legal advice, but together, these resources aim to offer startups and small tech companies a clear path through the evolving landscape of age-verification laws. Let’s dive into the 1-2-3s: what they mean, why they matter, and where things stand across the states.

The 1-2-3s: Understand Requirements, Prepare Systems, and Stay Compliant

  1. Understand Requirements: Start by identifying which state laws apply to your products. Map where your apps are available, where your users are based, and how each law defines covered services and minors, so you are working from a clear, accurate picture of your obligations.
  2. Prepare Systems: Once you know what is required, translate those obligations into technical changes. Build or adapt systems that can handle and receive age and consent signals, minimize the data you collect, and align new flows with your existing privacy and security practices.
  3. Stay Compliant: After systems are in place, keep them aligned with a fast-changing legal landscape. Regularly check in on new age-verification laws, timelines, and guidance, and update your documentation and implementations to remain compliant as rules take effect and evolve.

What’s at Stake

If every state develops its own age verification law, developers could soon face 50 different sets of rules, each with its own standards, timelines, and enforcement mechanisms. For small tech, that’s not just confusing; it’s unsustainable.

For our small tech members, this fragmented patchwork means higher compliance costs, conflicting technical requirements, and increased exposure to liability. It also risks creating direct conflicts with federal law, particularly the Children’s Online Privacy Protection Act (COPPA), which already establishes clear guidelines for protecting minors’ data. Most importantly, these laws often fail to protect the very children they’re designed to help, thereby forcing developers to collect and store even more personal information, which increases rather than reduces the risk of data misuse or exposure.

State Compliance Directory (1-2-3s by State)

Since this edition was originally published on December 12, 2025, six states have enacted app-store–centric age-assurance laws that impose new obligations on app stores and the developers who distribute through them. They are Alabama, Colorado, California, Louisiana, Texas, and Utah, and each relies on age signals and parental approval to gate minors’ access to apps and certain features, but they differ in timelines, age bands, and data-use rules.

Four of the five states with enacted laws (Utah, Texas, Alabama, and Louisiana) share a similar framework: they require the major app stores to conduct age verification (the strictest level of age assurance), which requires collecting sensitive personal information, such as birth certificates, to verify the age of every potential user. Similarly, all the laws require that apps on the stores receive age-category and parental-consent signals before enabling downloads by minors. Texas’s law is currently on hold under a federal preliminary injunction, so it is not in effect at this time.

There are also differences among these laws that seem small but, in reality, create major compliance headaches. For example, Louisiana and Texas prohibit using an age signal for anything other than age verification and age-appropriate content management, but Texas requires deletion of that data after use, while Louisiana and Utah permit its retention. That’s a real trap for developers shipping across states, because proving compliance often requires keeping records. Meanwhile, California’s law differs more significantly from the other three, stopping short of requiring verification and providing more flexibility for developers.

Those differences may look small on paper, but they can create serious compliance traps for small developers trying to ship nationwide. If you distribute through major app stores, review their implementation guidance; you can find next steps from Apple here and Google here.

Alabama HB 161

  1. Understand requirements: Beginning October 1, 2027, HB 161 requires app store providers to verify users’ age categories, link minor accounts to a parent account, and obtain verifiable parental consent before minors can download apps or make in-app purchases. For developers, the key issue is that app stores must share age category and parental-consent status with them, and developers must be prepared to use those signals appropriately. The law also limits how developers may use age category data, includes significant-change notification requirements, and provides some liability protection when developers rely in good faith on app store-provided information.
  2. Prepare systems: Make sure your apps can receive and respond to Alabama’s age-category and parental-consent signals through the same internal age-and-consent layer you are building for other app store age-assurance laws, rather than creating a separate Alabama-only workflow. In practice, that means:
    • Integrating age category and consent signals from app stores into the systems that govern access, purchases, and age-appropriate experiences.
    • Treating Alabama’s parental-consent signal as separate from any COPPA-required consent process for users under 13 unless further guidance indicates otherwise.
    • Building an internal review process for identifying “significant changes” that may trigger notice or renewed consent obligations through app store partners.
    • Limiting internal use of Alabama age category data to the purposes permitted by the law.
  3. Stay compliant: Maintain records showing how your app receives and uses Alabama age and parental-consent signals, how you limit use of that data, and how your team evaluates significant product changes. Revisit those processes as the October 1, 2027, deadline approaches and as app stores release implementation guidance, so your shared compliance systems remain aligned with Alabama’s requirements.

Colorado SB 051

  1. Understand requirements: Beginning July 1, 2028, Colorado’s age attestation bill would require operating system providers to implement an accessible account setup process that prompts account holders to provide a user’s birth date or age. The operating system provider would then use that information to generate an “age signal,” which is non-personally identifiable data indicating the user’s age bracket, such as under 13, 13-15, 16-17, or 18+. For developers, the key issue is that covered applications would need to request the age signal via a real-time application programming interface (API) when the app launches or when a user creates an account. Once received, that signal may give the developer actual knowledge of the user’s age range, which raises the stakes for compliance. If the signal indicates that a user is under 13, the developer may be pulled into separate federal obligations under the Children’s Online Privacy Protection Act (COPPA), unless the developer takes reliable measures to prevent under-13 users from accessing the app. Developers also must use more accurate age information if they already have it, meaning the Colorado signal may not be the end of the analysis if the app has other reliable age-related data.
  2. Prepare systems: Colorado’s model is similar to California’s operating system-level signal approach, but developers should still account for Colorado’s specific age brackets, timing, and data-use limits. In practice, that means:
    • Making sure your app can request, receive, and process Colorado age signals through a real-time API when the app is launched or when a user creates an account.
    • Integrating Colorado’s age signal into the same internal age-and-consent layer used for other states so your app can manage age-based compliance obligations consistently across jurisdictions.
    • Building logic to treat the OS-provided signal as the default age indicator unless your team has more accurate internal information that must be used instead.
    • Limiting the collection, use, retention, and sharing of age-signal information to what is necessary for compliance, and avoiding any sharing with third parties for purposes not required by the bill.
  3. Stay compliant: Keep records showing how your app requests and uses Colorado age signals, when more accurate internal information overrides the OS-provided signal, and how your team limits sharing to the minimum necessary information. Revisit those processes before the July 1, 2028, compliance date, and as operating system providers release technical guidance, so your broader age-and-consent infrastructure remains aligned with Colorado’s requirements.

California AB 1043

  1. Understand requirements: Beginning January 1, 2027, AB 1043 requires operating system providers to generate an age bracket signal during device account setup based on the primary user’s age or birth date. For developers, the key implication is that apps must request this signal when downloaded and launched and generally treat it as the primary indicator of a user’s age for age-related compliance purposes unless the developer has clear internal evidence to the contrary. Because receipt of the signal may shape how developers apply age-based rules, content restrictions, or other compliance obligations, teams should understand how this OS-level age signal fits into their broader compliance framework. For example, AB 1043 includes a provision clarifying that the age bracket signal constitutes “actual knowledge” of a person’s age. This means that if the person is under 13, you must comply with the federal Children’s Online Privacy Protection Act (COPPA), unless you take reliable measures to prevent anyone under 13 from accessing your app.
  2. Prepare systems: California’s model differs from app-store parental-consent laws because it relies on operating system-level age signals rather than app store download gating. In practice, that means:
    • Making sure your app can request, receive, and process California age bracket signals from operating system providers.
    • Integrating those signals into the same internal age-and-consent layer used for other states so age-based experiences can be managed consistently across jurisdictions.
    • Building logic to treat the OS-provided signal as the default age indicator unless your team has documented grounds to rely on contrary internal evidence.
    • Minimizing retention and use of age-related data to what is necessary for compliance, unless other laws, such as COPPA, require you to retain such data. In case of an apparent conflict, you may need to consult a privacy attorney.
  3. Stay compliant: Keep records of how your app requests and uses California age signals, including any policies governing when internal information may override an OS-provided signal. Revisit your implementation as operating system providers release technical guidance and as other states adopt different signaling models, so your broader age-and-consent infrastructure remains interoperable and defensible.

Louisiana HB 570 and HB 977

  1. Understand requirements: In the 2026 legislative session, Louisiana lawmakers amended HB 570 to replace it with HB 977. Beginning July 1, 2027, HB 977 applies to app stores and requires age verification, including age attestation by a parent for users under 18, at the point of download, triggering parental consent for users under 18. Stores conduct the verification, then pass the age category and verifiable parental consent (VPC) signals down to apps. That VPC obligation applies to consent to download rather than consent to collect information and therefore does not satisfy COPPA’s requirement to obtain VPC to collect information about a child under 13. You must obtain both forms of VPC before providing services to a minor under 13. Importantly, the age category signal you must receive under HB 977 will put you under COPPA’s compliance regime even if you do not serve children, because it will be considered to provide you with “actual knowledge” as to the user’s under-13 status. It may be possible to prevent children under 13 from accessing your service in the first place in order to avoid this “COPPA trap,” and still be compliant with HB 977. However, you should look closely at these requirements before making any decisions on this, and you may want to consult with an attorney. Unlike Texas, Louisiana allows age signals to be retained rather than deleted, even though they still can only be used for age verification and age-appropriate content management. As a result, there does not appear to be a conflict between HB 977’s requirements and COPPA’s requirement that you retain information associating parents and kids in order to facilitate any request to revoke any VPC previously given under COPPA.
  2. Prepare systems: Make sure your apps can receive and act on Louisiana age and VPC signals through the same internal age-and-consent layer you are building for Texas and Utah, rather than standing up a separate Louisiana-only flow. In practice, that means:
    • Integrating age ranges and parental-approval status from your app stores or platforms into your internal age-and-consent layer so they drive content, features, and purchases for Louisiana minors, including when a “significant change” triggers a fresh approval step.
    • Treating Louisiana’s VPC as its own compliance flag alongside COPPA and aligning your retention policy so you keep only what you need to show you used those signals for age verification and age-appropriate experiences, without repurposing them.
    • Using any available sandbox or test tools to confirm your flows behave as expected before you ship and reviewing the major app stores’ implementation guidance for Louisiana, so you plug their tools into this common layer.
  3. Stay compliant: Keep a simple record of how you handle Louisiana age and VPC signals, how long you retain them, and how you limit their use. Revisit those choices as the July 1, 2027, compliance date approaches, and as app stores refine their tools, so your shared age-and-consent layer stays workable across states without drifting out of step with Louisiana’s specific rules.

Texas SB 2420

  1. Understand requirements: Texas’s App Store Accountability Act (ASAA) has temporarily gone into effect as of May 28, 2026. The law would have originally gone into effect on January 1, 2026, but a district court judge issued a preliminary injunction blocking enforcement of the law. The Fifth Circuit of Appeals is reviewing the preliminary injunction and has issued an administrative stay, temporarily allowing the law to go into effect until further review. As a result, apps available to new accounts in Texas must work with age assurance and parent or guardian consent for users under 18, treat certain “significant changes” as events that need fresh consent, and honor parental revocation when a parent withdraws approval.
  2. Prepare systems: Build or update a single internal age-and-consent layer you are building for Louisiana and Utah, and plug in the tools your app stores provide, rather than building separate Texas-only versions of your app. In practice, that means:
    • Making sure your age rating and app metadata are accurate and kept up to date, and deciding in advance what your team will treat as a “significant change.”
    • Integrating age ranges, consent status, and revocation signals from your app stores or platforms into your internal age-and-consent layer so they drive content, features, and purchases for Texas minors.
    • Using any available sandbox or test tools to confirm your flows behave as expected before you ship, and minimizing the data you collect and retain to what you need to show you followed the signals and rules.
    • Building a process to separately obtain VPC as required by the federal COPPA, similar to Louisiana’s requirements. Here again, thanks to SB 2420’s requirement that you receive, maintain, and respond to an age category flag, you will be considered as having “actual knowledge” of a user’s under-13 status under COPPA. You must now comply with COPPA, which obligates you to obtain VPC (and honor requests to revoke any previously provided VPC) under COPPA’s separate provisions, unless you prevent access to your app or apps by children under 13. We recommend consulting with an attorney if you want to go this route because it’s unclear if simply preventing access would satisfy the requirement to receive and manage the age signal.
  3. Stay compliant: Keep a simple record of how you defined significant changes, how your system responds to age and consent signals, and when you update those choices, and revisit that setup as the Texas law takes effect and app stores refine their tools.

BONUS: Click here to watch our webinar “Countdown to Compliance: What the Texas Age Verification Rules Mean for Startups and Small Tech.”

EXTRA BONUS: Read our amicus brief supporting a challenge to the Texas law and asking for a preliminary injunction so that it does not go into effect.

Utah SB 142

  1. Understand requirements: Utah recently enacted a delay in the effective date of its version of ASAA to May 6, 2027, and removed the state Attorney General’s ability to enforce the law, leaving only the ability for private litigants to sue. As a result, the pending lawsuit challenging the law was withdrawn and will likely be refiled. If that lawsuit is unsuccessful and the law goes into effect in 2027, apps available to new accounts in Utah must work with age assurance and parent or guardian consent for users under 18, treat certain “significant changes” as events that need fresh consent, and honor parental revocation when a parent withdraws approval.
  2. Prepare systems: Make sure your apps can receive and respond to Utah’s age-and-consent signals through the same internal age-and-consent layer you are building for Texas and Louisiana, rather than standing up a Utah-only flow. In practice, that means:
    • Integrating age ranges and parental-approval status from both device-level and app-store signals into your internal age-and-consent layer so they drive content, features, and purchases for Utah minors.
    • Configuring that layer to respect Utah’s limits on how age information can be stored and shared, and avoiding any repurposing of age data beyond age verification and age-appropriate experiences.
    • Using any available sandbox or test tools from your platforms to confirm your flows behave as expected before you ship, and aligning your retention practices so you only keep what you need to demonstrate that you followed the signals and rules.
    • Requiring developers to know when a user is under 13, just like the laws in Louisiana and Texas, which again puts developers under the federal COPPA compliance regime. Preventing access by children under 13 may be a viable method of avoiding the “COPPA trap,” but we recommend consulting an attorney on this point.
  3. Stay compliant: Keep a simple record of how you handle Utah age and consent signals, including how you apply the data-use limits, and revisit those choices as the May 6, 2027 enforcement date approaches and as app stores and device platforms roll out more detailed tools and guidance for Utah users.

Moving Forward

We will continue to advocate for consistent, privacy-protective, innovation-friendly policies that align with existing compliance obligations, promote digital literacy, and empower parents without overwhelming developers.

ACTivated by this issue? Reach out to Brad Simonich here for future activations and opportunities to get involved, and check out the ABC’s of Age Verification here!

The original version of this resource was published on November 18, 2025.