Blog

Texas App Store Accountability Act Injunction Lifted and CalPrivacy Issues Consumer Guidance

Julie Rubash, General Counsel and Chief Privacy Officer
June 9, 2026

Want to receive these privacy recaps in your inbox each week? Subscribe here.

As the Texas App Store Accountability Act takes effect following a lifted injunction, app developers face new compliance obligations around age verification and parental consent, with similar laws in Alabama, Utah, and Louisiana set to follow by mid-2027. Meanwhile, CalPrivacy has issued consumer-facing guidance outlining the privacy rights and opt-out mechanisms websites are required to honor.


Keep reading to learn more and discover my takeaways.

United states

Injunction on Texas App Store Accountability Act Lifted

The Fifth Circuit lifted an injunction barring enforcement of the Texas App Store Accountability Act pending a ruling on the merits, finding that Texas made a “strong showing” of likely success on the merits.

TAKEAWAY

This ruling puts app developers in a tight spot regarding compliance. The law, which was stayed before its original January 1, 2026, effective date, is now operative and supported by a preliminary merits assessment favorable to Texas. However, the First Amendment challenge remains active, and the Fifth Circuit has not issued a final ruling. App developers should treat the law as currently in effect while monitoring the merits decision. Significant overlap exists with laws in Alabama, Utah and Louisiana, which take effect on January 1, 2027, May 6, 2027 and July 1, 2027, respectively. App developers may therefore consider this injunction to be an acceleration of many requirements that will soon be mandated in other states anyway. The following outlines what app developers can expect under each law. 

Note: the California Digital Age Assurances Act, effective January 1, 2027, is not included in the comparison below due to its different structure. However, it does require developer obligations, including requesting an age signal from operating systems and app stores at download and launch, treating it as the primary age indicator for compliance, and not sharing it with third parties for non-required purposes. Developers should not ignore California when creating an age signal recognition program.    

What all four laws (Texas, Utah, Alabama and Louisiana) require of app developers:

Under all four laws, app developers generally must:

  • Build an active system that queries the App Store for each user’s age category and, for minor users, their parental consent status. 
  • Affirmatively notify the app store before deploying significant changes so it can re-obtain parental consent for affected minor users. 
  • Limit the use of age information received from the App Store to enforcing age-related restrictions and protections within the app, ensuring compliance with applicable laws and regulations, and implementing safety-related features and default settings.
  • refrain from invoking its terms of service or any contractual provision against a minor user when that minor entered into the agreement without the required parental consent; and Refrain from knowingly misrepresenting an age rating or the reason for that age rating. 

What Texas adds (absent from Louisiana and Alabama):

Texas requires developers to affirmatively assign age ratings to every app and every in-app purchase, and to provide those ratings, plus the specific content elements that drove each rating, to each app store. Alabama, Utah, and Louisiana all include age ratings in the parental consent disclosure only “if available”; none mandates that developers create them.

What Alabama and Utah will add:

Alabama and Utah are closely aligned and together impose three requirements not found in Texas: 

  • When implementing any age-related restriction or safety default, developers must apply whichever age signal indicates the younger user, whether that comes from the app store or from the developer’s own independently collected data. Texas doesn’t have a conflict resolution provision. In Louisiana, a developer may rely on the app store signal by default, but if the developer has actual knowledge that its internal signal is more accurate (for example, because the user provided proof of age), the developer must use the internal signal or the lower of the two signals.
  • Developers may request age category data only once per 12-month period for routine accuracy verification (outside of downloads, launches, significant changes, or new account creation). Louisiana also imposes this limitation, but Texas imposes no equivalent limit.
  • Developers may not share age category data with any person, under any circumstances not required by law. Texas restricts use; Louisiana prohibits sales.

What Alabama Uniquely Adds:

App store providers must verify the age of all existing account holders (those in existence on October 2, 2026) by October 1, 2027. Developers must be prepared to receive and act on those retroactive signals.

What Louisiana will add: 

Not much. Louisiana is the least restrictive of the four laws, so if you’re already complying with Texas, Utah and Alabama as of Louisiana’s effective date, you are essentially good to go, unless you want to take advantage of some of the flexibility Louisiana offers (e.g., a carve-out for subscription apps with payment-verified adult primary accounts, or the more flexible conflict resolution provision described above).  

CalPrivacy Issues Tips for Consumers to Spot Non-Compliant Websites.

In recognition of National Internet Safety Month, CalPrivacy published a list of “tips to identify websites that may not be honoring your online privacy” for consumers.


TAKEAWAY

Although the list is intended for consumers, it creates a useful checklist for companies detailing the fundamental requirements CalPrivacy wants consumers to look out for, including the following:

  • Give customers a way to opt-out of the sale or sharing of their personal information
  • Either through a “Do Not Sell or Share My Personal Information” link found at the bottom of a website or through a notice banner or pop-up message that gives consumers the ability to turn off tracking technologies (e.g., cookies) that sell or share personal information
  • must be user-friendly and easy to understand
  • Can’t use dark patterns, confusing or misleading opt-out processes that make it hard to exercise choice, such as poorly labeled choices, choices that don’t work properly, choices requiring an unreasonable number of steps, or choices designed to be confusing.
  • Must honor opt-out preference signals
  • Provide a privacy policy that includes the following:
  • Explains that consumers have rights over the information that the business collects about them
  • Describes how consumers can exercise those rights
  • Provides a webform for opting out of sale/sharing
  • Describes how it processes opt-out preference signals, like the global privacy control
  • Explains how to access, delete or correct a consumer’s personal information
  • Tells consumers how the business uses their information and whether it sells or shares their personal information. 

 

A LITTLE MORE PRIVACY, IF YOU PLEASE

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

New Jersey Passes Age Appropriate Design Code and Amends Data Privacy Act with New Data Broker Rules

July 7, 2026

New Jersey's latest privacy laws include a narrow AADC,...

New York’s S9269 Advances as ICO Finalizes Consumer IoT Guidance

June 16, 2026

NY's S9269 health privacy bill heads to the Governor...

Texas App Store Accountability Act Injunction Lifted and CalPrivacy Issues Consumer Guidance

June 9, 2026

Texas App Store Accountability Act injunction lifted and CalPrivacy...

Latest White Papers

Connecting Legal & Marketing Teams on Consent and Preferences

February 4, 2025

Break down data silos and unlock better collaboration. Marketing...

Navigating Sensitive Data in the U.S.

February 4, 2025

Download our comprehensive guide to learn how different states...

Enterprise Guide To Cookie management & Tracker List Curation

July 1, 2024

How to review the tracking tech on your websites...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

    First name *

    Last name *

    Email address *

    Company *

    Message *

    * indicates required fields