Data Privacy

Texas App Store Law Now Enforceable Following SCOTUS Ruling: What App Developers Should Do

After months of uncertainty over whether and when Texas’s App Store Accountability Act (“Texas’s App Store Law”) would take effect, on the Supreme Court has ruled that it will not stand in the way of its enforcement while the Fifth Circuit considers constitutional challenges. The law which in part requires app stores to verify users’ ages and obtain parental consent to allow minors to download or purchase apps or to make in-app purchases and requires app developers to ingest those age signals is now in effect and enforceable.

Organizations subject to the law should be prepared to immediately comply or risk an enforcement action. Our analysis and recommendations are below.

As similar age-assurance laws in Alabama, California, Louisiana, and Utah now seem more likely to survive similar injunctive relief efforts and constitutional challenges, organizations should start preparing to comply with these laws as well. Look for our upcoming post comparing and contrasting the requirements under these other laws.

What did the SCOTUS decide and what happens next?

Texas’s App Store Accountability Act-- was set to take effect on January 1, 2026. The law was preliminarily enjoined from enforcement by a lower court on the basis that it likely violated the First Amendment under strict scrutiny. On June 1, 2026, the Fifth Circuit stayed the injunction pending its review, concluding that the law would likely survive intermediate scrutiny and that “The balance of equities and public interest are clearcut in Texas’s favor.” A trade group submitted an emergency request to the Supreme Court to vacate the stay. On Monday, July 6, 2026, the Supreme Court ruled, in a one sentence order, denying the request with the effect of making the law immediately enforceable.

While the law is still pending review by the Fifth Circuit for constitutionality challenges, those challenges seem less likely to prevail given the Fifth Circuit’s strong statements in favor of Texas in its prior ruling staying the injunction and the SCOTUS ruling supporting that stay. In the meantime, while the Texas State AG has not stated whether it will enforce the law immediately or wait for the Fifth Circuit to decide the constitutional issues, the AG may be emboldened to act more immediately given the Fifth Circuit’s supportive statements.

What are the requirements of Texas App Store Law?

The following summarizes requirements under the Texas App Store Law. While there are numerous requirements for app stores, we focus primarily on requirements for app developers.

Age and consent information ingestion and verification. The Texas app store law and similar state age-verification laws will require app stores to collect age information from account holders and for app developers to ingest age category data and status of parental consent from the app store and use it to verify age. Ingestion of age information that includes ages of children and minors triggers a complex set of obligations under other laws, including COPPA and state laws that apply if you have actual knowledge that someone is a child or a minor. The Texas Data Privacy and Security Act (TDPSA), in particular, is triggered if you gain actual knowledge of a child under 13 using your services. Under the TDPSA, data about a child is considered sensitive data and subject to requirements beyond those under COPPA, including requirements to conduct a data protection assessment.

Safe-harbor. The Texas App Store Law does not address what happens if an app developer has inconsistent information about age that it may have collected through its own age-gating process as compared to what it receives from an app store. But under the law, a software application has incentive to rely on the age of the app store as it is not liable for requirements to verify age if it has relied on the age category and consent information from the app store (and otherwise complies with the law). Relying on more robust means to determine age than the current self-declaration method used by many app stores (i.e., when a user simply states their age without confirming evidence) can create interesting issues for app developers. Further, many more app developers are relying on more robust means of age verification because UK regulators have recently advised against relying on self-declaration for age gating.

Age rating designation. App developers will need to assign age ratings to their apps, document the elements that led to that rating, and provide the rating and such elements to the app store.

Notice of significant changes. App developers will need to notify app stores about any significant changes to the terms of service or privacy policy of their application. App stores will in turn need to provide new notice and obtain new parental consent for any significant changes. A change is significant if it (1) changes the type or category of personal data collected, stored, or shared by the developer; (2) affects or changes the rating of the software application or the content or elements that led to that rating; (3) adds new monetization features to the software application, including: (A) new opportunities to make a purchase in or using the software application; or (B) new advertisements in the software application; or (4) materially changes the functionality or user experience of the software application.

Limits on use of age and consent information. App developers may only use age and consent information obtained from app stores to 1) enforce age-based restrictions in their application, 2) ensure compliance with laws and regulations, and 3) implement safety features and default settings. App developers may not share or disclose personal data of users obtained from the app stores in connection with the law.

What should app developers do?

  • Comply with Texas’s law. If you have not already, review the obligations under the app law to assess if and how it applies to your organization. Develop a strategy to quickly come into compliance.

  • Understand app store rules. Review (and have your engineers review) Apple (here and here) and Google’s (here) developer pages for information about how to ingest age information and how to provide age rating and related documentation. Both platforms have indicated they will only send signals in each state as they go into effect. Google has stated that they have begun rolling out their Play Age Signals API "for new users in Texas who created their accounts after May 28, 2026," while Apple describes its Declared Age Range API as available "in certain regions, where legally required."

  • Determine your strategy for ingesting age signals. Decide on whether you will ingest age signals for all states or just states with laws currently in effect (Google currently only makes Texas available where Apple appears to allow ingestion of age range for all states). In making this decision review and assess COPPA and Texas’ and other state laws that have obligations triggered by knowledge that a user is a child or a teen.

  • Formalize how you handle receiving age signals. Formalize processes for when you gain knowledge of users’ ages through these age signals or other means. Determine your strategy for compliance with laws triggered by knowledge of age and whether blocking, deletion, or obtaining parental or teen consent is appropriate under these laws.  

  • Consider your strategy for responding to conflicting age signals. If you currently age gate, you may receive conflicting information about age from app stores. Decide what approach you will use to resolve conflicting age signals. Evaluate the relative risks of your approach taking into consideration other state laws with clearer guidelines.

  • Get ready for additional laws set to take effect early next year. Although Texas  is the only state app store law currently in effect and enforceable, get ready for Alabama (January 1, 2027 - for new accounts after October 2, 2026; October 1, 2027, for accounts in existence on October 2, 2026) California (January 1, 2027), and Louisiana (July 1, 2027), and Utah (May 6, 2027).

Susan Hintze is the founder and co-managing partner of Hintze Law. Recognized by Chambers, Legal 500, & Best Lawyers, Susan serves on the International Association of Privacy Professionals (IAPP) Board of Directors and is an IAPP Westin Emeritus Fellow. She is also co-chair of the firm’s Regulatory Defense Group.

Emily Litka Sanford is a Senior Associate at Hintze Law. Emily focuses her practice on global privacy and emerging AI laws and regulations.


Hansy Piou is an Associate at Hintze Law. Hansy has experience with global data protection issues, including kids’ global privacy laws, AADC, privacy impact assessments, GDPR, and privacy statements.



Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law. 

Hintze & Partners Recognized by Chambers in 2026 Global Rankings

Hintze & Partners Recognized by Chambers in 2026 Global Rankings

Hintze Law and its lawyers have once again been recognized in Chambers & Partners for expertise in Privacy and Data Security in the 2026 Chambers Global Guide. These recognitions include Hintze Law’s fifth year being ranked as an Elite Law Firm for Privacy and Data Security as well as the firm’s third year receiving recognition for Privacy and Data Security: Healthcare.

Read More

New York’s Algorithmic Pricing Disclosure Act Takes Effect

New York’s Algorithmic Pricing Disclosure Act Takes Effect

By Felicity Slater,Sam Castic, Clara De Abreu E Souza

New York's Algorithmic Pricing Disclosure Act, signed into law by Governor Kathy Hochul on May 9th, 2025, officially took effect this week. The act regulates algorithmic pricing and requires covered entities to clearly and conspicuously disclose to consumers when such pricing methods are used.

Read More

Washington Marijuana Retailer Sued Under My Health My Data Act for Website Pixel Use

Washington Marijuana Retailer Sued Under My Health My Data Act for Website Pixel Use

by Sam Castic and Felicity Slater

A class action suit was recently filed against the companies that operate Uncle Ike's, a Seattle-area marijuana retailer. The suit filed in Washington federal court alleges common law tort claims, ECPA claims, and a claim under the My Health My Data Act (‘MHMDA’ or ‘the Act’). 

Read More

Federal District Court Dismisses VPPA Case, Ruling Apartments.com "Not a Videotape Business"

Federal District Court Dismisses VPPA Case, Ruling Apartments.com "Not a Videotape Business"

By Cameron Cantrell

On Monday, October 20, 2025, the Eastern District of Missouri dismissed a proposed class action based on the federal Video Privacy Protection Act ("VPPA") against CoStar, the company behind apartments.com. It isn't clear at this point whether the plaintiff will appeal.

Read More
Don’t Sleep on Maryland: The Maryland Online Data Privacy Act Will Keep Health and Wellness Companies Up at Night — Hintze

California Amends Artificial Intelligence Transparency Act and Passes AI Defenses Act

California Amends Artificial Intelligence Transparency Act and Passes AI Defenses Act

By Leslie Veloz

On October 13th, 2025, Governor Gavin Newsom signed into law AB 853, which amends the California Artificial Intelligence Transparency Act (AI Transparency Act (SB 942)), a law placing obligations on makers of generative AI systems aimed at increasing transparency to allow individuals to more easily assess whether digital content is generated or modified using AI.

Read More

California Passes Law on AI Companion Chatbot Safety

California Passes Law on AI Companion Chatbot Safety

By Clara De Abreu E Souza

On Oct. 13, 2025, California Governor Gavin Newsom signed into law Senate Bill 243 – Companion Chatbots. SB 243, authored by Senator Steve Padilla, requires operators of companion chatbot platforms to notify users that the chatbot is AI, provide specific disclosures to minors, and restrict harmful content. The law also includes a private right of action.

Read More

California Passes Digital Age-Assurance Act Into Law

California Passes Digital Age-Assurance Act Into Law

By Hansenard Piou

On October 13th, 2025, Governor Newsom signed the Digital Age Assurance Act (AB 1043) into law. Introduced by co-authors Assembly Member Buffy Wicks and Senator Tom Umberg, the law establishes age-assurance requirements for computer and mobile operating system providers and app stores as well as app developers with an aim to protect children’s online safety. The Digital Age Assurance Act enters into effect on January 1, 2027.

Read More

California’s Social Media Account Cancellation Act Signed into Law

California’s Social Media Account Cancellation Act Signed into Law

By Clara De Abreu E Souza

On October 8, 2025, California Governor Gavin Newsom signed into law Assembly Bill 656 — Account Cancellation. AB 656, authored by Assembly member Pilar Schiavo, focuses on social media platforms and requires them to provide users with a clear and accessible way to delete their accounts. This action must also trigger the complete deletion of the user’s personal data.

Read More

California Opt Me Out Act Signed into Law

California Opt Me Out Act Signed into Law

By Cameron Cantrell

On October 8, 2025, California’s Governor Newsom signed AB 566—the California Opt Me Out Act—into law. The California Opt Me Out Act, using the same definitions as the CCPA, requires any business that develops or maintains an internet browser to build in an opt-out preference signal (“OOPS”) functionality. The law takes effect on January 1, 2027.

Read More

California Further Amends its Data Broker Registration Law

California Further Amends its Data Broker Registration Law

By Hansenard Piou

On October 8, 2025, Governor Gavin Newsom signed SB 361 into law. Introduced by Senator Josh Becker, the bill amends California’s Data Broker Registration Law (and amendments to the law under the Delete Act) with additional disclosure requirements for data brokers.

Read More

What is “Bulk U.S. Sensitive Personal Data”?

What is “Bulk U.S. Sensitive Personal Data”?

By Emily Litka

This is the second in a series of blog posts about the DOJ Rule regarding Access To U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons (the “DOJ Rule”). It provides an overview of one of the categories of data that is in scope under the DOJ Rule: bulk U.S. sensitive personal data.

Read More

IAPP Publishes EU Digital Laws Report 2025

IAPP Publishes EU Digital Laws Report 2025

By Hansenard Piou

On September 30th, the IAPP (formerly the International Association of Privacy Professionals) released its EU Digital Laws Report 2025, a comprehensive analysis explaining and synthesizing the requirements of core EU digital laws. The report aims to provide a resource to help the broadest possible class of organizations, platforms, and developers comply with the Data Governance Act, the Data Act, the Digital Markets Act, the Digital Services Act, the EU AI Act, and the NIS2 Directive.

Read More

Does the DOJ Rule Apply?

Does the DOJ Rule Apply?

By Hansenard Piou and Sam Castic

This is the first in a series of blog posts about the DOJ Rule regarding Access To U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons (the “DOJ Rule”).  It provides a high-level overview of the kinds of cross-border data transfers that are regulated by the DOJ Rule. Future blog posts will more closely examine the DOJ Rule, its requirements, potential impacts, and strategies to address compliance.

Read More

California Adopts Privacy, Cybersecurity, ADMT Regulations and Amendments

California Adopts Privacy, Cybersecurity, ADMT Regulations and Amendments

By Sam Castic

The California Privacy Protection Agency (CPPA) has adopted final regulations on privacy risk assessments, cybersecurity audits, and automated decisionmaking technology (ADMT), as well as amendments to existing CCPA regulations.  Final publication of the regulations is pending review by the Office of Administrative Law, and depending on when that occurs, the regulations will likely take effect 10/1/2025 or 1/1/2026.  Some key concepts from these regulations, and actions to consider, are below.

Read More

California’s Healthline.com Enforcement Action Shows CCPA’s Teeth – and Sensitive Data Reach

California’s Healthline.com Enforcement Action Shows CCPA’s Teeth – and Sensitive Data Reach

By Mason Fitch and Kate Black

The California Attorney General’s Office (“OAG”) announced an enforcement action against Healthline.com on July 1 that marks a significant development in California Consumer Privacy Act (CCPA) enforcement. This action, accompanied by the largest fine under CCPA yet at $1.55 million, highlights critical areas of consideration for any company engaging in the advertising ecosystem as well as any company that processes sensitive personal information.

Read More

Texas District Court Vacates Majority of HIPAA Reproductive Privacy Rule

Texas District Court Vacates Majority of HIPAA Reproductive Privacy Rule

by Cameron Cantrell and Felicity Slater 

On June 19, 2025, the U.S. District Court in the Northern District of Texas vacated the vast majority of the HIPAA Privacy Rule to Support Reproductive Health Care Privacy (the “HIPAA Reproductive Privacy Rule” or “Rule”). The Department of Health and Human Services (“HHS”) published the Rule in the Federal Register in April 2024 with a compliance date of December 23, 2024. The District Court’s decision to vacate the reproductive privacy aspects of the Rule has an immediate and nationwide effect.

Read More

State Privacy Regulators Announce Formation of Collaboratory Consortium

State Privacy Regulators Announce Formation of Collaboratory Consortium

by Felicity Slater and Susan Hintze

On April 16, 2025, the California Privacy Protection Agency (CPPA) and state Attorneys General from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon announced the formation of the bipartisan "Consortium of Privacy Regulators." The focus of the Consortium will be to foster multi-state coordination, including sharing of expertise and resources, in investigation of potential violations of and enforcement of their state's respective comprehensive privacy laws.

Read More

Takeaways From the New DOJ Guidance on Its Cross-Border Data Rule

Takeaways From the New DOJ Guidance on Its Cross-Border Data Rule

By Sam Castic

On Friday April 11, 2025, the DOJ released a Compliance Guide and more than 100 FAQs on the Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons Rule (the “DOJ Rule”).  It also released an Implementation and Enforcement Policy, which indicates it will not prioritize enforcement against companies making good faith efforts to comply until July 8, 2025. 

Read More

GenAI in the Workplace: Hong Kong PCPD Releases Checklist for Employer Policies

GenAI in the Workplace: Hong Kong PCPD Releases Checklist for Employer Policies

By Leslie Veloz and Jennifer Ruehr

The Hong Kong Office of the Privacy Commissioner for Personal Data (“PCPD”) recently published its Checklist on Guidelines for the Use of Generative AI by Employees (“Checklist”). The goal of the Checklist is to help organizations draft internal policies and procedures governing employee use of generative AI (“GenAI”) tools, especially where GenAI is used to process personal data.

Read More