Lawmakers across the United States are introducing a wave of age-verification and parental-consent laws aimed at protecting kids online. While well-intentioned, these state-by-state approaches create a confusing and costly patchwork for startups and independent developers. And, as we have seen in other efforts to use age verification methods, the very people these laws aim to protect often become more vulnerable to the harms they were meant to prevent. To help our members stay ahead, we’re breaking it down into two living guides that will be updated periodically:
- The ABCs of Age Verification: Our part one directory tracks where each state stands on age verification proposals.
- The 1-2-3s of Age Verification Compliance: Our part two compliance guide outlines how to 1) understand requirements, 2) prepare systems, and 3) better stay compliant as rules take effect.
This overview is for informational purposes only and does not constitute legal advice, but together these resources aim to offer startups and small tech companies a clear path through the evolving landscape of age verification laws. Let’s dive into the 1-2-3s: what they mean, why they matter, and where things stand across the states.
The 1-2-3s: Understand Requirements, Prepare Systems, and Stay Compliant
- Understand Requirements: Start by identifying which state laws apply to your products. Map where your apps are available, where your users are based, and how each law defines covered services and minors, so you are working from a clear, accurate picture of your obligations.
- Prepare Systems: Once you know what is required, translate those obligations into technical and internal guideline changes. Build or adapt systems that can receive and handle age and consent signals, minimize the data you collect, and align new flows with your existing privacy and security practices.
- Stay Compliant: After systems are in place, keep them aligned with a fast-changing legal landscape. Regularly check in on new age verification laws, timelines, and guidance, and update your documentation and implementations so you remain compliant as rules take effect and evolve.
What’s at Stake
If every state develops its own age verification law, developers could soon face 50 different sets of rules, each with its own standards, timelines, and enforcement mechanisms. For small tech, that’s not just confusing; it’s unsustainable.
For our small tech members, this fragmented patchwork means higher compliance costs, conflicting technical requirements, and increased exposure to liability. It also risks creating direct conflicts with federal law, particularly the Children’s Online Privacy Protection Act (COPPA), which already establishes clear guidelines for protecting minors’ data. Most importantly, these laws often fail to protect the very children they’re designed to help, forcing developers to collect and store even more personal information, which increases, rather than reduces, the risk of data misuse or exposure.
State Compliance Directory (1-2-3s by State)
Upon publication of this edition, four states have enacted app-store–centric age-assurance laws that create new obligations for app stores and the developers who distribute through them. All four rely on age signals and parental approval to gate minors’ access to apps and certain features, but they differ in timelines, age bands, and data-use rules. Those differences may look small on paper, but they can create serious compliance traps for small developers trying to ship nationwide. If you distribute through major app stores, review their implementation guidance; you can find next steps from Apple here and Google here.
California AB 1043
Compliance tips coming soon!
Louisiana HB 570
- Understand requirements: Beginning July 1, 2026, HB 570 applies to app stores and requires age verification at the point of download, triggering parental consent for users under 18. Stores conduct the verification, then pass the age category and verifiable parental consent (VPC) signals down to apps. That VPC obligation applies to consent to download rather than consent to collect information and therefore does not satisfy COPPA’s requirement to obtain VPC to collect information about a child under 13.
You must obtain both forms of VPC before providing services to a minor under 13. The age category signal you must receive under HB 570 will subject you to COPPA’s compliance regime, even if you do not serve children, because it will be deemed to provide you with “actual knowledge” of the users’ under-13 status. It may be possible to prevent children under 13 from accessing your service in the first place to avoid the “COPPA trap” and remain compliant with HB 570.
However, you should review these requirements carefully before making any decisions, and you may want to consult an attorney. Unlike Texas, Louisiana allows age signals to be retained rather than deleted, even though they can still be used only for age verification and age-appropriate content management. There does not appear to be a conflict between HB 570’s requirements and COPPA’s requirement that you retain information associating parents and kids in order to facilitate any request to revoke any VPC previously given under COPPA.
- Prepare systems: Make sure your apps can receive and act on Louisiana age and VPC signals through the same internal age-and-consent layer you are building for Texas and Utah (both of which take effect earlier), rather than standing up a separate Louisiana-only flow. In practice, that means:
  - Integrating age ranges and parental-approval status from your app stores or platforms into your internal age-and-consent layer so they drive content, features, and purchases for Louisiana minors, including when a “significant change” triggers a fresh approval step.
  - Treating Louisiana’s VPC as its own compliance flag alongside COPPA and aligning your retention policy so you keep only what you need to show you used those signals for age verification and age-appropriate experiences, without repurposing them.
  - Using any available sandbox or test tools to confirm your flows behave as expected before you ship and reviewing the major app stores’ implementation guidance for Louisiana, so you plug their tools into this common layer.
- Stay compliant: Keep a simple record of how you handle Louisiana age and VPC signals, how long you retain them, and how you limit their use. Revisit those choices as the July 1, 2026, compliance date approaches, and as app stores refine their tools, so your shared age-and-consent layer stays workable across states without drifting out of step with Louisiana’s specific rules.
Texas SB 2420
- Understand requirements: As of January 1, 2026, apps available to new accounts in Texas must work with age assurance and parent or guardian consent for users under 18, treat certain “significant changes” as events that need fresh consent, and honor parental revocation when a parent withdraws approval.
- Prepare systems: Build or update the same internal age-and-consent layer you are building for Louisiana and Utah, and plug in the tools your app stores provide, rather than building separate Texas-only versions of your app. In practice, that means:
  - Making sure your age rating and app metadata are accurate and kept up to date, and deciding in advance what your team will treat as a “significant change.”
  - Integrating age ranges, consent status, and revocation signals from your app stores or platforms into your internal age-and-consent layer so they drive content, features, and purchases for Texas minors.
  - Using any available sandbox or test tools to confirm your flows behave as expected before you ship and minimizing the data you collect and retain to what you need to show you followed the signals and rules.
  - Similar to Louisiana’s requirements, building a process to separately obtain VPC as required by the federal COPPA. Again, thanks to SB 2420’s requirement that you receive, maintain, and respond to an age category flag, you will be considered as having “actual knowledge” of a user’s under-13 status under COPPA. You must now comply with COPPA, which obligates you to obtain VPC (and honor requests to revoke any previously provided VPC) under COPPA’s separate provisions, unless you prevent access to your app or apps by children under 13. We recommend consulting an attorney if you intend to take this route, as it’s unclear whether simply preventing access would satisfy the requirement to receive and manage the age signal.
- Stay compliant: Keep a simple record of how you defined significant changes, how your system responds to age and consent signals, and when you update those choices, and revisit that setup as the Texas law takes effect and app stores refine their tools.
BONUS: Click here to watch our webinar “Countdown to Compliance: What the Texas Age Verification Rules Mean for Startups and Small Tech.”
EXTRA BONUS: Read our amicus brief supporting a challenge to the Texas law and asking for a preliminary injunction so that it does not go into effect.
Utah SB 142
- Understand requirements: As of January 1, 2026, apps available to new accounts in Utah must work with age assurance and parent or guardian consent for users under 18, treat certain “significant changes” as events that need fresh consent, and honor parental revocation when a parent withdraws approval.
- Prepare systems: Make sure your apps can receive and respond to Utah’s age and consent signals through the same internal age-and-consent layer you are building for Texas and Louisiana, rather than standing up a Utah-only flow. In practice, that means:
  - Integrating age ranges and parental-approval status from both device-level and app-store signals into your internal age-and-consent layer so they drive content, features, and purchases for Utah minors.
  - Configuring that layer to respect Utah’s limits on how age information can be stored and shared and avoiding any repurposing of age data beyond age verification and age-appropriate experiences.
  - Using any available sandbox or test tools from your platforms to confirm your flows behave as expected before you ship and aligning your retention practices so you only keep what you need to demonstrate that you followed the signals and rules.
  - Accounting for the fact that Utah’s law, just like the laws in Louisiana and Texas, requires developers to know when a user is under 13, which again puts developers under the federal COPPA compliance regime. Preventing access by children under 13 may be a viable method of avoiding the “COPPA trap,” but we recommend consulting an attorney on this point.
- Stay compliant: Keep a simple record of how you handle Utah age and consent signals, including how you apply the data-use limits, and revisit those choices as the May 7, 2026, compliance date approaches and as app stores and device platforms roll out more detailed tools and guidance for Utah users.
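One way to structure the shared age-and-consent layer described in the Texas, Louisiana, and Utah “Prepare systems” items is shown below. It is an added example, not code from this guide or from any app store. The signal fields, age categories, reason codes, and the Utah retention setting are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical signal shape; field names and age categories are assumptions,
# not any app store's real API.
@dataclass(frozen=True)
class StoreSignal:
    state: str                        # e.g. "TX", "LA", "UT"
    age_category: str                 # "under13", "minor" (13-17) or "adult"
    approved_version: Optional[int]   # significant-change version the parent approved
    revoked: bool = False             # parent withdrew approval

# Per the guide, Louisiana lets age signals be retained and Texas does not.
# Utah's entry is an assumption; unknown states default to not retaining.
RETAIN_AGE_SIGNAL = {"LA": True, "TX": False, "UT": False}

def decide(sig: StoreSignal, change_version: int, coppa_vpc: bool = False):
    """Return (allow, reason, audit_record) for one access request."""
    if sig.age_category not in ("under13", "minor", "adult"):
        allow, reason = False, "unknown_age_category"      # fail closed
    elif sig.age_category == "adult":
        allow, reason = True, "adult"
    elif sig.revoked:
        allow, reason = False, "parental_consent_revoked"
    elif sig.approved_version is None:
        allow, reason = False, "parental_consent_missing"
    elif sig.approved_version < change_version:
        allow, reason = False, "fresh_consent_required"    # significant change
    elif sig.age_category == "under13" and not coppa_vpc:
        allow, reason = False, "coppa_vpc_missing"         # store approval is not COPPA VPC
    else:
        allow, reason = True, "parental_consent_current"
    # Minimal record: the outcome and the rule that produced it.
    audit = {"state": sig.state, "allow": allow, "reason": reason,
             "change_version": change_version}
    if RETAIN_AGE_SIGNAL.get(sig.state, False):
        audit["age_category"] = sig.age_category           # raw signal kept only where allowed
    return allow, reason, audit

# Constructed sample signals (not real store output).
SAMPLES = [
    StoreSignal("TX", "minor", approved_version=2),
    StoreSignal("TX", "minor", approved_version=1),
    StoreSignal("LA", "under13", approved_version=2),
    StoreSignal("UT", "minor", approved_version=2, revoked=True),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(decide(s, change_version=2))
```

The reason codes themselves can imply that a user is a minor, so the audit records fall under the same retention and use limits as the age signals.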
Moving Forward
We will continue to advocate for consistent, privacy-protective, innovation-friendly policies that align with existing compliance obligations, promote digital literacy, and empower parents without overwhelming developers.
ACTivated by this issue? Reach out to Brad Simonich here for future activations and opportunities to get involved!