As previously reported, states such as California, Louisiana, Texas and Utah have adopted App Store Accountability (ASA) Laws. These new laws require app store operators (e.g., Apple and Google) along with app developers (i.e., the business that owns the app) to implement safeguards for age verification. While these laws are framed as child-protection measures, their impact is universal. Every app must comply, regardless of its audience. For businesses, meeting the requirements outlined in ASA Laws is mandatory for apps to remain available for download.
Louisiana, Texas and Utah’s laws are similar and take effect at various points in 2026, while California’s Digital Age Assurance Act (CA ASA Law) is unique and takes effect January 1, 2027. This is what businesses should know about the unique features of the CA ASA Law.
Who is Regulated?
Like the other ASA Laws, the California law regulates covered application stores, operating system providers and developers.
- “Covered Application Store” means a publicly available internet website, software application, online service, or platform that distributes and facilitates the download of applications from third-party developers to users of a computer, a mobile device, or any other general purpose computing device that can access a covered application store or can download an application (e.g., the App Store or Google Play Store).
- “Developer” means a person that owns, maintains, or controls an application.
- “Operating System Provider” means a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device (e.g., Google and Apple).
Who is Considered a Minor Under the CA ASA Law?
Unlike the other ASA Laws, which use the terms “minor” versus “adult,” the California law broadly defines “child” to include any natural person who is under 18 years of age. The California law uses age bracket data to restrict how regulated entities share a child’s personal information through the application. The age brackets include the following ranges:
Operating System Provider Obligations
What distinguishes the California law from the other ASA laws is the requirements it imposes on operating system providers. Entities that fall within this category must offer an accessible interface during device or account setup that allows the account holder to enter the user’s birth date, age, or both. This information is used to generate an age‑bracket “signal” that is securely transmitted to apps through an API or the operating system so developers know which age group the user falls into.
Example of How A Signal Works. Jane is 16 years old. On her 16th birthday, she receives a new smartphone and a new car. When she sets up the phone for the first time, the setup screen asks for her date of birth. Once she enters it, the operating system automatically determines that Jane falls within the 16‑17 age bracket.
Later, Jane downloads an app that connects to her new car. Because the operating system already has Jane’s date of birth, the phone’s operating system provider—not the car app developer—must send the app a secure signal indicating that Jane is a minor in the 16‑17 age group.
This signal allows the car‑related app to adjust any features, permissions, or safeguards required for users in that age bracket.
Developer Obligations
A developer’s obligations are slightly different under the California ASA Law because the signal provided to developers drives their compliance obligations. Key developer obligations include:
- Requesting Signals. A developer must request a signal from operating system providers or covered application stores when their application is downloaded and launched.
- Ensuring Child-Focused Safety Measures are in Place. Receiving a signal gives a developer “actual knowledge” of the user’s age range across all platforms. If signals show that children 16+ use an app, a developer cannot simply state the app is “not meant/intended for children.” Under this new law, and given the actual knowledge obtained from the signals, developers must ensure that all safeguards required under applicable state and federal laws are in place to protect children’s data.
- Treating Signals as the Primary Age Indicator. The California ASA Law makes clear that developers must treat the received signal as the primary and authoritative indicator of a user’s age range when determining applicable compliance obligations.
- Restricting Further Use or Sharing of Signals. Once a signal is provided, developers may not: (i) request additional information from the operating system or app store beyond what is necessary for CA ASA Law compliance; or (ii) disclose the signal to a third party unless required to comply with the ASA Law.
How Will Signals Be Provided On Phones Used before CA ASA’s Effective Date?
The CA ASA Law is explicit in that for devices set up before January 1, 2027, an operating system provider must, before July 1, 2027, provide individuals with an easy-to-use way to enter their age, birthdate or both into the device so signals can be sent.
For any apps a user has already downloaded and currently uses, it will be the developer’s responsibility, before July 1, 2027, to request signals for all existing users to determine the age bracket of that individual.
Enforcement
The California Attorney General has enforcement power under the CA ASA Law. A person who violates this law can be subject to:
- an injunction; and
- civil penalties ranging from:
  - $2,500 per affected child for each negligent violation; or
  - $7,500 per affected child for each intentional violation.
Good Faith Exception. The California law includes a good-faith exception that limits liability when errors occur, such as an incorrect age‑range signal or actions taken by a developer who relies on that signal, so long as the company has made a genuine effort to comply. A “good faith effort” means the entity has attempted to meet the law’s requirements while taking into account the technology reasonably available to it, as well as reasonable technical limitations or system outages.
What Should Businesses Do Now?
State legislatures and federal regulators are ramping up their efforts to safeguard children’s privacy. The emergence of ASA Laws underscores how seriously regulators view the protection of minors’ data and the significant steps they are willing to take to enforce it.
Companies offering applications should reassess their products and become familiar with existing ASA Laws and app‑store requirements to understand what compliance will look like. Although the California ASA Law does not take effect for nearly a year and further updates are expected, major operating system providers such as Apple and Google have already begun releasing documentation explaining how their age‑signal systems work and what developers will need to implement:
As the regulatory landscape continues to evolve, staying ahead of these changes will be critical for risk management and compliance planning.
We will continue to monitor updates involving ASA Laws.
