Children's Privacy

Texas App Store Law Now Enforceable Following SCOTUS Ruling: What App Developers Should Do

After months of uncertainty over whether and when Texas’s App Store Accountability Act (“Texas’s App Store Law”) would take effect, on the Supreme Court has ruled that it will not stand in the way of its enforcement while the Fifth Circuit considers constitutional challenges. The law which in part requires app stores to verify users’ ages and obtain parental consent to allow minors to download or purchase apps or to make in-app purchases and requires app developers to ingest those age signals is now in effect and enforceable.

Organizations subject to the law should be prepared to immediately comply or risk an enforcement action. Our analysis and recommendations are below.

As similar age-assurance laws in Alabama, California, Louisiana, and Utah now seem more likely to survive similar injunctive relief efforts and constitutional challenges, organizations should start preparing to comply with these laws as well. Look for our upcoming post comparing and contrasting the requirements under these other laws.

What did the SCOTUS decide and what happens next?

Texas’s App Store Accountability Act-- was set to take effect on January 1, 2026. The law was preliminarily enjoined from enforcement by a lower court on the basis that it likely violated the First Amendment under strict scrutiny. On June 1, 2026, the Fifth Circuit stayed the injunction pending its review, concluding that the law would likely survive intermediate scrutiny and that “The balance of equities and public interest are clearcut in Texas’s favor.” A trade group submitted an emergency request to the Supreme Court to vacate the stay. On Monday, July 6, 2026, the Supreme Court ruled, in a one sentence order, denying the request with the effect of making the law immediately enforceable.

While the law is still pending review by the Fifth Circuit for constitutionality challenges, those challenges seem less likely to prevail given the Fifth Circuit’s strong statements in favor of Texas in its prior ruling staying the injunction and the SCOTUS ruling supporting that stay. In the meantime, while the Texas State AG has not stated whether it will enforce the law immediately or wait for the Fifth Circuit to decide the constitutional issues, the AG may be emboldened to act more immediately given the Fifth Circuit’s supportive statements.

What are the requirements of Texas App Store Law?

The following summarizes requirements under the Texas App Store Law. While there are numerous requirements for app stores, we focus primarily on requirements for app developers.

Age and consent information ingestion and verification. The Texas app store law and similar state age-verification laws will require app stores to collect age information from account holders and for app developers to ingest age category data and status of parental consent from the app store and use it to verify age. Ingestion of age information that includes ages of children and minors triggers a complex set of obligations under other laws, including COPPA and state laws that apply if you have actual knowledge that someone is a child or a minor. The Texas Data Privacy and Security Act (TDPSA), in particular, is triggered if you gain actual knowledge of a child under 13 using your services. Under the TDPSA, data about a child is considered sensitive data and subject to requirements beyond those under COPPA, including requirements to conduct a data protection assessment.

Safe-harbor. The Texas App Store Law does not address what happens if an app developer has inconsistent information about age that it may have collected through its own age-gating process as compared to what it receives from an app store. But under the law, a software application has incentive to rely on the age of the app store as it is not liable for requirements to verify age if it has relied on the age category and consent information from the app store (and otherwise complies with the law). Relying on more robust means to determine age than the current self-declaration method used by many app stores (i.e., when a user simply states their age without confirming evidence) can create interesting issues for app developers. Further, many more app developers are relying on more robust means of age verification because UK regulators have recently advised against relying on self-declaration for age gating.

Age rating designation. App developers will need to assign age ratings to their apps, document the elements that led to that rating, and provide the rating and such elements to the app store.

Notice of significant changes. App developers will need to notify app stores about any significant changes to the terms of service or privacy policy of their application. App stores will in turn need to provide new notice and obtain new parental consent for any significant changes. A change is significant if it (1) changes the type or category of personal data collected, stored, or shared by the developer; (2) affects or changes the rating of the software application or the content or elements that led to that rating; (3) adds new monetization features to the software application, including: (A) new opportunities to make a purchase in or using the software application; or (B) new advertisements in the software application; or (4) materially changes the functionality or user experience of the software application.

Limits on use of age and consent information. App developers may only use age and consent information obtained from app stores to 1) enforce age-based restrictions in their application, 2) ensure compliance with laws and regulations, and 3) implement safety features and default settings. App developers may not share or disclose personal data of users obtained from the app stores in connection with the law.

What should app developers do?

  • Comply with Texas’s law. If you have not already, review the obligations under the app law to assess if and how it applies to your organization. Develop a strategy to quickly come into compliance.

  • Understand app store rules. Review (and have your engineers review) Apple (here and here) and Google’s (here) developer pages for information about how to ingest age information and how to provide age rating and related documentation. Both platforms have indicated they will only send signals in each state as they go into effect. Google has stated that they have begun rolling out their Play Age Signals API "for new users in Texas who created their accounts after May 28, 2026," while Apple describes its Declared Age Range API as available "in certain regions, where legally required."

  • Determine your strategy for ingesting age signals. Decide on whether you will ingest age signals for all states or just states with laws currently in effect (Google currently only makes Texas available where Apple appears to allow ingestion of age range for all states). In making this decision review and assess COPPA and Texas’ and other state laws that have obligations triggered by knowledge that a user is a child or a teen.

  • Formalize how you handle receiving age signals. Formalize processes for when you gain knowledge of users’ ages through these age signals or other means. Determine your strategy for compliance with laws triggered by knowledge of age and whether blocking, deletion, or obtaining parental or teen consent is appropriate under these laws.  

  • Consider your strategy for responding to conflicting age signals. If you currently age gate, you may receive conflicting information about age from app stores. Decide what approach you will use to resolve conflicting age signals. Evaluate the relative risks of your approach taking into consideration other state laws with clearer guidelines.

  • Get ready for additional laws set to take effect early next year. Although Texas  is the only state app store law currently in effect and enforceable, get ready for Alabama (January 1, 2027 - for new accounts after October 2, 2026; October 1, 2027, for accounts in existence on October 2, 2026) California (January 1, 2027), and Louisiana (July 1, 2027), and Utah (May 6, 2027).

Susan Hintze is the founder and co-managing partner of Hintze Law. Recognized by Chambers, Legal 500, & Best Lawyers, Susan serves on the International Association of Privacy Professionals (IAPP) Board of Directors and is an IAPP Westin Emeritus Fellow. She is also co-chair of the firm’s Regulatory Defense Group.

Emily Litka Sanford is a Senior Associate at Hintze Law. Emily focuses her practice on global privacy and emerging AI laws and regulations.


Hansy Piou is an Associate at Hintze Law. Hansy has experience with global data protection issues, including kids’ global privacy laws, AADC, privacy impact assessments, GDPR, and privacy statements.



Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law. 

Hintze Law Global Privacy Updates

The Hintze Law team monitors global privacy and data security developments to provide timely, practical insights for clients. Below is a summary of key updates from mid-April 2026 to date.

 

US Privacy Updates

Alabama Legislature Passes Comprehensive Privacy Bill

The Alabama legislature passed a bill, which if signed by the governor, would make Alabama the twenty-second state to enact a broadly applicable comprehensive privacy law.  The law would take effect May 1, 2027, and would be enforced by the attorney general (following a mandatory forty-five-day right to cure violations).  There do not appear to be any provisions that impose materially stricter obligations on companies than those that are required under other state comprehensive privacy laws.

CPPA Public Comment Period re: Employee Data

California regulators are signaling increased oversight. On April 20, 2026, the California Privacy Protection Agency (CalPrivacy) opened a public comment period on potential updates to California Consumer Privacy Act (CCPA) requirements related to employee data. The proposed changes focus on notice, disclosure, and transparency obligations, particularly in nontraditional interfaces and employment contexts. Comments are being accepted through May 20, 2026.

In parallel, the CPPA’s newly established Audits Division is expected to begin proactive compliance reviews later in 2026. Unlike the Enforcement Division, which investigates violations, the Audits Division will evaluate business practices and identify compliance gaps, with findings potentially referred for enforcement.

Illinois BIPA Ruling

In a significant ruling interpreting the Illinois Biometric Information Privacy Act (BIPA), the U.S. Court of Appeals for the Seventh Circuit held in Clay v. Union Pacific Railroad Company (April 1, 2026) that the 2024 amendment to BIPA applies retroactively. The amendment limits damages to a “per person” basis rather than “per scan,” substantially reducing potential exposure for businesses. As a result, claims pending as of, or brought after, August 2, 2024, are subject to this reduced damages framework.

 

Maryland Legislature Passes Comprehensive Privacy Law Amendment To Restrict Data Sharing

Maryland passed HB 711, amending the Maryland Online Data Privacy Act (MODPA) to impose new restrictions on sharing personal data with government entities involved in civil immigration enforcement. The amendment limits when organizations may respond to subpoenas or cooperate with law enforcement in this context, while still allowing compliance with court-issued warrants. These changes take effect July 1, 2026.

New Jersey Health Privacy Law

New Jersey’s newly enacted Privacy Protection Act, signed March 25, 2026, introduces targeted restrictions affecting government entities and healthcare providers. The provisions for health care facilities include:

  • Prohibiting the collection of information relating to a patient's "immigration status, citizenship status, place of birth, social security number, or individual taxpayer identification number," except when necessary to ensure the safe and appropriate delivery of health care services, as applicable by law, or to provide a requested public service, benefit, or program.

·         Providing that any record relating to such information used for health care services shall not be considered a government record or disclosed except under limited statutory exceptions; and

·         Clarifying that this prohibition does not apply when the patient to whom the record or information pertains has knowingly provided written consent for disclosure.

    • "The Department of Health, in consultation with the Attorney General, shall develop and make publicly available a standardized written consent form."

These provisions take effect on April 1, 2027.

Nebraska Age-Appropriate Design Code (AAADC)

Nebraska amended its Age-Appropriate Design Code (AAADC) through legislation signed on April 17, 2026. The amendments expand the scope of regulated entities and design features, lower applicability thresholds, and introduce new requirements such as tools enabling minors to delete or unpublish accounts. The law also strengthens protections against default settings or design practices that reduce minors’ privacy protections.

Idaho Passes Social Media Child Protection Law

On April 2, 2026, Idaho’s governor signed HB 542, which applies to any social media platform that, across their corporate group (parents, subsidiaries, and affiliates), has earned at least $1 billion in advertising revenue worldwide in one or more of the preceding three years.

Covered platforms will be subject to the following requirements for Idaho users:

·         Periodic age estimation triggered by users’ cumulative use of the platform

·         Collection of date of birth for new accounts

·         Verifiable parent consent (VPC) prior to creating or maintaining an account for a child user (age 16 or younger), changing terms and conditions applicable to a child account, and changing privacy settings of a child account

·         High-privacy default settings

·         No “addictive interface features” or “profile-based paid commercial advertising” in a child account’s display/feed

·         Account deletion requirements depending on whether the request comes from a child user or their parent

This law may be enforced by a private right of action (by a child or parent), including claims of harm to mental health and emotional distress. The Idaho AG may also investigate and enforce reckless or knowing violations as per se violations of state consumer protection act. There is a three-year statute of limitations for all claims. A successful action has penalties of actual damages or $10,000, whichever is greater, and there are punitive damages available in the event of “consistent pattern[s] of reckless or knowing conduct.”

All requirements except age estimation take effect July 1, 2026. Age estimation requirements functionally* take effect January 1, 2027.

Iowa AG Files Lawsuit Against Meta for Misrepresentation of Material Harmful to Minors and Addictive Design Features

On April 8, Iowa Attorney General Bird announced a state consumer protection lawsuit against Instagram alleging youth safety and “addictive” design claims. The lawsuit alleges that Meta allow adult sexual content, alcohol, tobacco, and drug use and references, and mature/suggestive themes on Instagram despite the app’s “T for Teen” rating. The lawsuit also alleges that Instagram has addictive design features, including notifications, infinite scroll, ephemeral content, quantification and display of social interaction, and algorithmic recommendation feeds.

The lawsuit seeks a permanent injunction against Meta’s alleged misrepresentations about the content available on Instagram and “civil penalties, disgorgement, and other costs and fees.”

West Virginia and Alabama Settles Children's Safety Claims with Roblox

On April 21, 2026, the Alabama AG and the West Virginia AG both announced settlements with Roblox. (Alabama's settlement can be found here.) The agreements levee $12.5M and $11M fines respectively and impose additional requirements which include:

  • Verifying the age of all users before granting chat access,

  • Restricting adults from contacting U16 users except through verified trusted friends

  • Alerting minors upon first entering a private chat

  • Defaulting all U16 and unverified users to safe content mode

  • Allocating funds and resources to internet safety compliance and enforcement.

Multiple states also recently reached settlements with Roblox regarding children’s data and online safety practices. These agreements impose new requirements, including age verification for chat access, restrictions on adult-minor interactions, default safety settings for younger users, and enhanced compliance investments. These settlements reflect a coordinated enforcement trend focused on protecting minors online. Read about in depth in our latest blog post.

 

International Updates

China PIPL Enforcement Campaigns: Increased Scrutiny Across Key Sectors

On April 2, 2026, Cyberspace Administration of China (CAC), together with the Ministry of Industry and Information Technology (MIIT) and the Ministry of Public Security (MPS), announced a set of nationwide enforcement initiatives under the Personal Information Protection Law (PIPL). The announcement lays out the most detailed and coordinated PIPL enforcement roadmap to date.

Unlike earlier enforcement efforts that were largely complaint‑driven or ad hoc, the 2026 initiatives take a structured, sector‑by‑sector approach, with regulators spelling out exactly what they plan to inspect and where.

Key highlights include:

  • Seven targeted enforcement campaigns, covering:

    • Apps and embedded SDKs

    • Internet advertising and adtech

    • Education (with a strong focus on children’s data)

    • Transportation and mobility platforms

    • Healthcare providers

    • Financial services

    • Criminal data‑trafficking and “insider” cases

  • Explicit focus on adtech and automated decision‑making, including profiling, personalized advertising, and failure to honor opt‑out choices.

  • Increased scrutiny of SDKs, signaling that third‑party code is no longer a compliance blind spot.

  • Escalation risk: the involvement of public security authorities underscores that serious or repeated violations may move beyond administrative penalties to criminal enforcement.

European Data Protection Board 2025 Report

On April 9, 2026, the European Data Protection Board (EDPB) published a report on its work in 2025. Over the year the EDPB:

  • Published guidelines on interactions between the GDPR and other EU digital laws, including the Digital Services Act, Digital Markets Act, and the EU AI Act;

  • Published guidelines and opinions on topics such as pseudonymisation

  • Focused on the right to erasure through the 2025 Coordinated Enforcement Framework, with participation from 32 supervisory authorities and responses from 764 controllers.

 

Industry / Tech Updates

Google Analytics Changes Affecting “Sales”

Changes to Google Analytics taking effect June 15, 2026, may have significant compliance implications. Businesses will no longer be able to prevent data collected through Google Analytics from being shared with Google Ads through Analytics settings alone. Instead, service configurations will determine whether Google acts as a data processor or controller, which may affect whether data sharing constitutes a “sale” or targeted advertising under applicable laws. This change increases both regulatory risk and potential exposure under statutes such as California’s privacy laws and the California Invasion of Privacy Act (CIPA).

 

 

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized boutique law firm that provides counseling exclusively on data protection, including privacy, AI, and data security. Our attorneys and consultants support clients across technology, advertising, media, fintech, healthcare, biotech, e-commerce, and mobile sectors.

Roblox Settles with Three States Over Alleged Child and Teen Online Safety Failures

By Emily Litka Sanford

In mid to late April 2026, Roblox settled with Alabama, Nevada, and West Virginia over allegations that its interactive gaming platform exposed children and teens to harmful content and predatory users. The three separate settlement orders will require Roblox to pay a total of $33 million to the three states and implement robust privacy and online safety controls. Note that, at this time, draft complaints have not been provided by Alabama, Nevada, or West Virginia, and the press releases do not describe the specific laws Roblox allegedly violated leading to the settlements.

Roblox faces similar scrutiny in Iowa, Kentucky, Nebraska, Tennessee, Texas, Florida, Louisiana, and Los Angeles County, as well as suits from private plaintiffs. Those complaints generally allege that Roblox was in violation of the states’ consumer protection laws because it misrepresented and had insufficient controls related to chat safety and content moderation.

Roblox will be required to take the following measures under the Alabama, Nevada, and West Virginia orders. While not all of these requirements are present in each states’ order, many are similar, and we describe these collectively. Note also that, at this time, the settlement order with West Virginia is not yet available — only a summary of the measures is provided in the press release issued by the West Virginia Attorney General.

  • Conducting heightened age assurance prior to accessing chat functionality: Roblox currently requires all users to self-report their age prior to accessing the platform. Roblox will be required to take heightened age assurance measures prior to enabling users to access chat functionality (Roblox began rolling out age checks via facial age estimation and ID verification late last year). Roblox also agreed to continue its practice of behavioral monitoring to assess whether a user is of a different age than they self-reported or was estimated.  

  • Implementing chat safety measures: The order provides detailed obligations for when adults can communicate with minor users, requiring parental consent for users under 13 and other approval mechanisms for users under 16 (in Nevada, the order also seeks to protect users under 16–17-years of age, obligating Roblox to “take steps” to address harms they may encounter). Roblox will also be required to surface an alert each time a user under 18 enters a private chat with another user about the dangers of communicating with strangers. To help law enforcement act on illegal interactions on the platform, Roblox agreed to not encrypt messages between minor users and other users.  

  • Providing an age-gated minor experience: To address minors’ access to inappropriate or unsafe content, Roblox will be required to create a default minor-safe experience for users under 16 and for users whose age hasn’t been verified. The orders will require parental consent to be obtained for users under 16 to access more mature experiences.

  • Assigning content maturity ratings for experiences: Roblox will be required to assign, or ensure that developers publishing experiences on its platform assign, a content maturity rating to its experiences. Roblox will need to have enforcement mechanisms in place to moderate developers that do not accurately represent their experiences and will be required to publish (among other public reporting requirements) the “statistics and measures” taken to address developer violations of Roblox policies.

  • Maintaining parental controls: Roblox is not required to ensure parents have accounts linked to their minor under the order; however, Roblox is required to take steps to increase the adoption of linked accounts. The settlement orders obligate Roblox to maintain parental controls (e.g., Alabama requires controls to set how much time a minor spends on the platform and spending limits).

  • Restricting personalized advertising and push notifications: The orders restrict Roblox from providing personalized advertising on the platform to children under 16, although it is unclear if this is a full prohibition or whether parental consent can be provided for these users to receive ads. Further, the orders also provide detailed requirements for when push notifications and other notifications can be sent to children under 16.

  • Awareness capabilities: The order with Nevada will require Roblox to conduct a multi-media public safety awareness campaign to the public about online safety, including its parental controls and age assurance practices.

 

Key Takeaways: These orders follow a current trend of increased scrutiny into child and teen online safety and experiences that are appealing to minors, especially those that permit engagement between users. As was reaffirmed in the Alabama Attorneys General press release, the settlement with Roblox “sends a clear message to every platform operating in this space” that they will continue to “aggressively enforce” child and teen online safety.

The obligations in the settlement orders are similar to many of the new obligations placed on online operators that have been established under the new age-appropriate design and minor privacy and safety laws in Colorado, Vermont, Nebraska, Arkansas, and New York, particularly around communication limitations between users, parental controls, limits on personalized adverting, and when notifications can be sent. The orders also introduce net new obligations on Roblox not specifically required under any current law like bans on encrypted messages with minors imposed by Alabama and Nevada.

With the new COPPA regulations having taken effect in April, the newly effective and soon to be effective state laws (New York, effective June 20, 2025; Colorado, effective October 1, 2025; Nebraska, effective January 1, 2026, with additional amendments coming into effect on July 17,2026; Arkansas, effective on July 1, 2026), and other recent state enforcement activity related to child and teen online safety under consumer protection laws, we expect to see continued regulatory enforcement activity in this space.

If you haven’t already, assess whether your organization’s online user experience will likely be considered appealing to, or have known users that are, children and teens. Organizations offering such experiences should devote significant resources and time to comply with this increasingly complex space, including, potentially, to develop processes and mechanisms to obtain parental consent, build or leverage third-party tools for age assurance, and conduct vendor and third-party management processes and tools to ensure that data isn’t shared or sold in manner that triggers additional consent and other obligations.


Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on data protection including AI, privacy, and data security. Hintze attorneys and data consultants support technology, advertising, media, fintech, health, biotech, ecommerce, and mobile industries.


Emily Litka Sanford is a Senior Associate at Hintze Law PLLC. She focuses her practice on global privacy and emerging AI laws and regulations. She regularly counsels on risk during product development, the development and operationalization of privacy programs, the preparation of data protection impact assessments, and the development of internal privacy policies and processes.