HB317 INTRODUCED

HB317
EJS5X99-1
By Representatives Sells, Mooney, Stadthagen, Bracy
RFD: Children and Senior Advocacy
First Read: 20-Feb-25

EJS5X99-1 02/20/2025 THR (L)ma 2025-868

SYNOPSIS:

This bill would require app store providers to verify the age of users.

This bill would require app store providers to affiliate minor accounts with parent accounts and obtain consent from the holder of the parent account.

This bill would require app store providers to notify users when an app makes a significant change.

This bill would require app store providers to give developers real-time access to the age category and consent status for minor accounts.

This bill would require app store providers to protect personal age verification data.

This bill would prevent app store providers and developers from enforcing contracts against minors, misrepresenting information in disclosures and sharing personal age verification data.

This bill would require developers to verify the age of users, notify users of significant changes to the app, and limit the use of age category data in compliance with laws or regulations.

This bill would require the Attorney General to adopt certain rules.

This bill would also authorize the Attorney General to bring an action for a violation as a deceptive trade practice.

A BILL TO BE ENTITLED AN ACT

Relating to consumer protection; to require an app store provider to take certain actions regarding age verification, parental notification, and data protection; to prohibit an app store provider or developer from taking certain actions that allow minors to access apps without parental consent; and to authorize the Attorney General to bring an action for a violation as a deceptive trade practice.

BE IT ENACTED BY THE LEGISLATURE OF ALABAMA:

Section 1.
For the purposes of this act, the following terms have the following meanings:

(1) AGE CATEGORY. Whether an individual is: (i) under 13 years of age; (ii) at least 13 years of age but less than 16 years of age; (iii) at least 16 years of age but less than 18 years of age; or (iv) at least 18 years of age.

(2) AGE CATEGORY DATA. Information about a user's age category that is collected by an app store developer and shared with a developer.

(3) APP. A software application or electronic service that a user may run or direct on a mobile device.

(4) APP STORE. A publicly available website, software application, or electronic service that distributes apps from third-party developers to users.

(5) APP STORE PROVIDER. An entity that owns, operates, or controls an app store that distributes apps to users in this state.

(6) DEVELOPER. An entity that owns or controls an app made available through an app store in this state.

(7) MINOR. An individual under 18 years of age.

(8) MINOR ACCOUNT. An account with an app store provider that is established by an individual who the app store provider has determined is a minor.

(9) PARENT. With respect to a minor, any of the following individuals:
a. A biological parent.
b. A legal guardian.
c. An individual with legal custody.

(10) PARENT ACCOUNT. An account with an app store provider that is affiliated with one or more minor accounts and that is verified to have been established by an individual who the app store provider has determined is at least 18 years of age.

(11) PARENTAL CONSENT DISCLOSURE. The following information that an app store provider is required to provide to a parent before obtaining parental disclosure:
a. A description of the personal data collected by the app from a user.
b. A description of the personal data shared by the app with any third party.
c. Any methods implemented by the developer to protect personal data.
d. The age rating of the app or in-app purchase, if available.
e. The content description of the app or in-app purchase, if available.

(12) SIGNIFICANT CHANGE. A modification to an app's terms of service or privacy policy that does any of the following:
a. Changes the categories of data collected, stored, or shared.
b. Adds new monetization features, including, but not limited to, in-app purchases or advertisements.
c. Materially changes the app's functionality or user experience.

(13) VERIFIABLE PARENTAL CONSENT. Authorization that meets all of the following criteria:
a. Is provided by an individual who the app store provider has verified is at least 18 years of age.
b. Is given after the app store provider has clearly and conspicuously provided the parental consent disclosure to the individual.
c. Requires the parent to make an affirmative choice to either grant consent or decline consent.

Section 2. An app store provider shall do both of the following when an individual located in this state creates an account with the app store provider:
(1) Request age information from the individual.
(2) Verify the individual's age using one of the following:
a. Commercially available methods that are reasonably designed to ensure accuracy.
b. An age verification system that complies with rules adopted pursuant to this act.

Section 3. An app store provider shall do both of the following when an individual is determined to be a minor pursuant to Section 1:
(1) Require the account to be affiliated with a parent account.
(2) Obtain verifiable parental consent from the holder of the affiliated parent account before allowing the minor to: (i) download an app; (ii) purchase an app; or (iii) make an in-app purchase.

Section 4. An app store provider shall do both of the following after receiving notice of a significant change from a developer:
(1) Notify the user of the significant change.
(2) For a minor account, do both of the following:
a. Notify the holder of the affiliated parent account.
b. Obtain renewed verifiable parental consent.

Section 5. An app store provider shall provide developers with real-time access to both of the following:
(1) Age category data for each user located in this state.
(2) The status of verifiable parental consent for each minor located in this state.

Section 6. An app store provider shall protect personal age verification data by doing both of the following:
(1) Limiting the collection and processing to data necessary to: (i) verify a user's age; (ii) obtain parental consent; or (iii) maintain compliance records.
(2) Transmitting personal age verification data using industry-standard encryption protocols that ensure data integrity and data confidentiality.

Section 7. An app store provider may not do any of the following:
(1) Enforce a contract or terms of service against a minor unless the app store provider has obtained verifiable parental consent.
(2) Knowingly misrepresent the information in the parental consent disclosure.
(3) Share personal age verification data except as required by law or as required by this act between an app store provider and a developer.

Section 8.
(a) A developer shall do all of the following:
(1) Verify through the app store's data sharing methods: (i) the age category of users located in this state; and (ii) for a minor account, whether verifiable parental consent has been obtained.
(2) Notify app store providers of any significant change to an app.
(3) Limit use of age category data received from an app store provider to: (i) enforcing age-related restrictions or protections; (ii) ensuring compliance with applicable laws or regulations; or (iii) implementing safety-related features or defaults.

(b) A developer may not do any of the following:
(1) Enforce a contract or terms of service against a minor unless the developer has verified through the app store provider that verifiable parental consent has been obtained.
(2) Knowingly misrepresent any information in the parental consent disclosure.
(3) Share age category data with any person.

Section 9. The Attorney General shall adopt rules establishing processes and means by which an app store provider may verify whether an account holder is a minor in accordance with this act.

Section 10. (a) Any knowing or reckless violation of this act is deemed a deceptive trade practice actionable under Chapter 19 of Title 8 of the Code of Alabama 1975. If the Attorney General has reason to believe that an entity is in violation of this act, the Attorney General may bring an action against the entity for an unfair or deceptive trade practice. In addition to other remedies available under Chapter 19 of Title 8 of the Code of Alabama 1975, the Attorney General may collect a civil penalty of up to fifty thousand dollars ($50,000) per violation, reasonable attorney fees, and court costs.
(b) If a violation described in subsection (a) is part of a consistent pattern of knowing or reckless conduct, the Attorney General may seek punitive damages against the entity.

(c) An action for a claim under this section must be brought within one year from the date the Attorney General knew or reasonably should have known of the alleged violation.

(d) This section does not preclude any other available remedy at law or equity.

Section 11. (a) A developer is not liable for a violation of this act if the developer demonstrates all of the following:
(1) The developer relied in good faith on personal age verification data provided by an app store provider.
(2) The developer relied in good faith on notification from an app store provider that verifiable parental consent was obtained.
(3) The developer complied with the requirements of this act.
(4) The developer relied upon a widely held industry standard when submitting information concerning parental consent disclosures.

(b) Notwithstanding subsection (a), the safe harbor provision applies only to actions brought under this act and does not limit a developer or app store provider's liability under any other applicable law.

Section 12. Nothing in this act shall be construed to do any of the following:
(1) Prevent an app store provider from taking reasonable measures to do any of the following:
a. Block, detect, or prevent distribution to minors of: (i) unlawful material; (ii) obscene material; or (iii) other harmful material.
b. Block or filter spam.
c. Prevent criminal activity.
d. Protect app store or app security.
(2) Require an app store provider to disclose user information to a developer beyond age category or verification of parental consent status.
(3) Allow an app store provider to implement measures required by this chapter in a manner that is: (i) arbitrary; (ii) capricious; (iii) anticompetitive; or (iv) unlawful.

Section 13. This act shall become effective on October 1, 2026.