02-19 07:55 6th Sub. (Cherry) S.B. 142
Todd Weiler proposes the following substitute bill:
1
App Store Accountability Act
2025 GENERAL SESSION
STATE OF UTAH
Chief Sponsor: Todd Weiler
House Sponsor: James A. Dunnigan
2
3
LONG TITLE
4
General Description:
5
This bill enacts provisions governing app store operations and creates requirements for age
6
verification and parental consent.
7
Highlighted Provisions:
8
This bill:
9
▸ defines terms;
10
▸ requires app store providers to:
11
● verify a user's age category;
12
● obtain parental consent for minor accounts;
13
● notify users and parents of significant changes;
14
● share age category and consent data with developers; and
15
● protect age verification data;
16
▸ prohibits app store providers from:
17
● enforcing contracts against minors without parental consent; and
18
● misrepresenting parental content disclosures;
19
▸ requires developers to:
20
● verify age category and consent status through app stores; and
21
● notify app stores of significant changes;
22
▸ prohibits developers from:
23
● enforcing contracts against minors without verified parental consent; and
24
● misrepresenting parental content disclosures;
25
▸ designates violations of certain provisions as deceptive trade practices;
26
▸ requires the Division of Consumer Protection to establish standards for age verification
27
methods;
28
▸ creates a private right of action for parents of harmed minors;
6th Sub. S.B. 142 6th Sub. (Cherry) S.B. 142 02-19 07:55
29
▸ provides a safe harbor for compliant developers; and
30
▸ includes a severability clause.
31
Money Appropriated in this Bill:
32
None
33
Other Special Clauses:
34
This bill provides a special effective date.
35
Utah Code Sections Affected:
36
ENACTS:
37
13-75-101 (Effective 05/07/25), Utah Code Annotated 1953
38
13-75-201 (Effective 05/06/26), Utah Code Annotated 1953
39
13-75-202 (Effective 05/06/26), Utah Code Annotated 1953
40
13-75-301 (Effective 05/07/25), Utah Code Annotated 1953
41
13-75-401 (Effective 12/31/26), Utah Code Annotated 1953
42
13-75-402 (Effective 05/07/25), Utah Code Annotated 1953
43
13-75-403 (Effective 05/07/25), Utah Code Annotated 1953
44
13-75-404 (Effective 05/07/25), Utah Code Annotated 1953
45
46
Be it enacted by the Legislature of the state of Utah:
47
Section 1. Section 13-75-101 is enacted to read:
48
CHAPTER 75. APP STORE ACCOUNTABILITY ACT
49
Part 1. General Provisions
50
13-75-101 (Effective 05/07/25). Definitions.
51
As used in this chapter:
52
(1) "Age category" means one of the following categories of individuals based on age:
53
(a) "child" which means an individual who is under 13 years old;
54
(b) "younger teenager" which means an individual who is at least 13 years old and under
55
16 years old;
56
(c) "older teenager" which means an individual who is at least 16 years old and under 18
57
years old; or
58
(d) "adult" which means an individual who is at least 18 years old.
59
(2) "Age category data" means information about a user's age category that is:
60
(a) collected by an app store provider; and
61
(b) shared with a developer.
- 2 - 02-19 07:55 6th Sub. (Cherry) S.B. 142
62
(3) "Age rating" means a classification that provides an assessment of the suitability of an
63
app's content for different age groups.
64
(4) "App" means a software application or electronic service that a user may run or direct
65
on a mobile device.
66
(5) "App store" means a publicly available website, software application, or electronic
67
service that allows users to download apps from third-party developers.
68
(6) "App store provider" means a person that owns, operates, or controls an app store that
69
allows users in the state to download apps.
70
(7) "Content description" means a description of the specific content elements that informed
71
an app's age rating.
72
(8) "Developer" means a person that owns or controls an app made available through an
73
app store in the state.
74
(9) "Division" means the Division of Consumer Protection, established in Section 13-2-1.
75
(10) "Knowingly" means to act with actual knowledge or to act with knowledge fairly
76
inferred based on objective circumstances.
77
(11) "Minor" means an individual under 18 years old.
78
(12) "Minor account" means an account with an app store provider that:
79
(a) is established by an individual who the app store provider has determined is under 18
80
years old through the app store provider's age verification methods; and
81
(b) requires affiliation with a parent account.
82
(13) "Mobile device" means a portable computing device that:
83
(a) provides cellular or wireless connectivity;
84
(b) is capable of connecting to the Internet;
85
(c) runs a mobile operating system; and
86
(d) is capable of running apps through the mobile operating system.
87
(14) "Mobile operating system" means software that:
88
(a) manages mobile device hardware resources;
89
(b) provides common services for mobile device programs;
90
(c) controls memory allocation; and
91
(d) provides interfaces for applications to access device functionality.
92
(15) "Parent" means, with respect to a minor, any of the following individuals who have
93
legal authority to make decisions on behalf of the minor:
94
(a) an individual with a parent-child relationship under Section 78B-15-201;
95
(b) a legal guardian; or
- 3 - 6th Sub. (Cherry) S.B. 142 02-19 07:55
96
(c) an individual with legal custody.
97
(16) "Parent account" means an account with an app store provider that:
98
(a) is verified to be established by an individual who the app store provider has
99
determined is at least 18 years old through the app store provider's age verification
100
methods; and
101
(b) may be affiliated with one or more minor accounts.
102
(17) "Parental consent disclosure" means the following information that an app store
103
provider is required to provide to a parent before obtaining parental consent:
104
(a) if the app store provider has an age rating for the app or in-app purchase, the app's or
105
in-app purchase's age rating;
106
(b) if the app store provider has a content description for the app or in-app purchase, the
107
app's or in-app purchase's content description;
108
(c) a description of:
109
(i) the personal data collected by the app from a user; and
110
(ii) the personal data shared by the app with a third party; and
111
(d) if personal data is collected by the app, the methods implemented by the developer to
112
protect the personal data.
113
(18) "Significant change" means a material modification to an app's terms of service or
114
privacy policy that:
115
(a) changes the categories of data collected, stored, or shared;
116
(b) alters the app's age rating or content descriptions;
117
(c) adds new monetization features, including:
118
(i) in-app purchases; or
119
(ii) advertisements; or
120
(d) materially changes the app's:
121
(i) functionality; or
122
(ii) user experience.
123
(19) "Verifiable parental consent" means authorization that:
124
(a) is provided by an individual who the app store provider has verified is an adult;
125
(b) is given after the app store provider has clearly and conspicuously provided the
126
parental consent disclosure to the individual; and
127
(c) requires the parent to make an affirmative choice to:
128
(i) grant consent; or
129
(ii) decline consent.
- 4 - 02-19 07:55 6th Sub. (Cherry) S.B. 142
130
Section 2. Section 13-75-201 is enacted to read:
131
Part 2. App Store Provider and Developer Requirements
132
13-75-201 (Effective 05/06/26). App store provider requirements.
133
(1) An app store provider shall:
134
(a) at the time an individual who is located in the state creates an account with the app
135
store provider:
136
(i) request age information from the individual; and
137
(ii) verify the individual's age category using:
138
(A) commercially available methods that are reasonably designed to ensure
139
accuracy; or
140
(B) an age verification method or process that complies with rules made by the
141
division under Section 13-75-301;
142
(b) if the age verification method or process described in Subsection (1)(a) determines
143
the individual is a minor:
144
(i) require the account to be affiliated with a parent account; and
145
(ii) obtain verifiable parental consent from the holder of the affiliated parent account
146
before allowing the minor to:
147
(A) download an app;
148
(B) purchase an app; or
149
(C) make an in-app purchase;
150
(c) after receiving notice of a significant change from a developer:
151
(i) notify the user of the significant change; and
152
(ii) for a minor account:
153
(A) notify the holder of the affiliated parent account; and
154
(B) obtain renewed verifiable parental consent;
155
(d) provide to a developer, in response to a request authorized under Section 13-75-202:
156
(i) age category data for a user located in the state; and
157
(ii) the status of verified parental consent for a minor located in the state;
158
(e) notify a developer when a parent revokes parental consent; and
159
(f) protect personal age verification data by:
160
(i) limiting collection and processing to data necessary for:
161
(A) verifying a user's age;
162
(B) obtaining parental consent; or
163
(C) maintaining compliance records; and
- 5 - 6th Sub. (Cherry) S.B. 142 02-19 07:55
164
(ii) transmitting personal age verification data using industry-standard encryption
165
protocols that ensure:
166
(A) data integrity; and
167
(B) data confidentiality.
168
(2) An app store provider may not:
169
(a) enforce a contract or terms of service against a minor unless the app store provider
170
has obtained verifiable parental consent;
171
(b) knowingly misrepresent the information in the parental consent disclosure; or
172
(c) share personal age verification data except:
173
(i) between an app store provider and a developer as required by this chapter; or
174
(ii) as required by law.
175
Section 3. Section 13-75-202 is enacted to read:
176
13-75-202 (Effective 05/06/26). Developer requirements.
177
(1) A developer shall:
178
(a) verify through the app store's data sharing methods:
179
(i) the age category of users located in the state; and
180
(ii) for a minor account, whether verifiable parental consent has been obtained;
181
(b) notify app store providers of a significant change to the app;
182
(c) use age category data received from an app store provider to:
183
(i) enforce any developer-created age-related restrictions;
184
(ii) ensure compliance with applicable laws and regulations; and
185
(iii) implement any developer-created safety-related features or defaults.
186
(d) request personal age verification data or parental consent:
187
(i) at the time a user:
188
(A) downloads an app; or
189
(B) purchases an app;
190
(ii) when implementing a significant change to the app; or
191
(iii) to comply with applicable laws or regulations.
192
(2) A developer may request personal age verification data or parental consent:
193
(a) no more than once during each 12-month period to verify:
194
(i) accuracy of user age verification data; or
195
(ii) continued account use within the verified age category;
196
(b) when there is reasonable suspicion of:
197
(i) account transfer; or
- 6 - 02-19 07:55 6th Sub. (Cherry) S.B. 142
198
(ii) misuse outside the verified age category; or
199
(c) at the time a user creates a new account with the developer.
200
(3) When implementing any developer-created safety-related features or defaults, a
201
developer shall use the lowest age category indicated by:
202
(a) age verification data provided by an app store provider; or
203
(b) age data independently collected by the developer.
204
(4) A developer may not:
205
(a) enforce a contract or terms of service against a minor unless the developer has
206
verified through the app store provider that verifiable parental consent has been
207
obtained;
208
(b) knowingly misrepresent any information in the parental consent disclosure; or
209
(c) share age category data with any person.
210
Section 4. Section 13-75-301 is enacted to read:
211
Part 3. Division Rulemaking
212
13-75-301 (Effective 05/07/25). Division rulemaking.
213
In accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, the
214
division shall make rules establishing processes and means by which an app store provider
215
may verify whether an account holder is a minor in accordance with Subsection
216
13-75-201(1)(a)(ii).
217
Section 5. Section 13-75-401 is enacted to read:
218
Part 4. Enforcement and Safe Harbor
219
13-75-401 (Effective 12/31/26). Enforcement.
220
(1) A violation of Subsection 13-75-201(2)(b) or Subsection 13-75-202(4)(b) constitutes a
221
deceptive trade practice under Section 13-11a-3.
222
(2)(a) Only a minor, or the parent of that minor, who has been harmed by a violation of
223
Subsection 13-75-201(2) may bring a civil action against an app store provider.
224
(b) Only a minor, or the parent of that minor, who has been harmed by a violation of
225
Subsection 13-75-202(4) may bring a civil action against a developer.
226
(3) In an action described in Subsection (2), the court shall award a prevailing parent:
227
(a) the greater of:
228
(i) actual damages; or
229
(ii) $1,000 for each violation;
230
(b) reasonable attorney fees; and
- 7 - 6th Sub. (Cherry) S.B. 142 02-19 07:55
231
(c) litigation costs.
232
Section 6. Section 13-75-402 is enacted to read:
233
13-75-402 (Effective 05/07/25). Safe harbor.
234
(1) A developer is not liable for a violation of this chapter if the developer demonstrates
235
that the developer:
236
(a) relied in good faith on:
237
(i) personal age verification data provided by an app store provider; and
238
(ii) notification from an app store provider that verifiable parental consent was
239
obtained if the personal age verification data indicates that the user is a minor; and
240
(b) complied with the requirements described in Section 13-75-202.
241
(2) For purposes of setting the age category of an app and providing content description
242
disclosures to an app store provider, a developer complies with Subsection
243
13-75-202(4)(b) if the developer:
244
(a) uses widely adopted industry standards to determine:
245
(i) the app's age category; and
246
(ii) the content description disclosures; and
247
(b) applies those standards consistently and in good faith.
248
(3) The safe harbor described in this section:
249
(a) applies only to actions brought under this chapter; and
250
(b) does not limit a developer or app store provider's liability under any other applicable
251
law.
252
(4) Nothing in this chapter shall displace any other available remedies or rights authorized
253
under the laws of this state or the United States.
254
Section 7. Section 13-75-403 is enacted to read:
255
13-75-403 (Effective 05/07/25). Severability.
256
(1) If any provision of this chapter or the application of any provision to any person or
257
circumstance is held invalid by a final decision of a court of competent jurisdiction, the
258
remainder of this chapter shall be given effect without the invalid provision or
259
application.
260
(2) The provisions of this chapter are severable.
261
Section 8. Section 13-75-404 is enacted to read:
262
13-75-404 (Effective 05/07/25). Application and limitations.
263
Nothing in this chapter shall be construed to:
264
(1) prevent an app store provider or developer from taking reasonable measures to:
- 8 - 02-19 07:55 6th Sub. (Cherry) S.B. 142
265
(a) block, detect, or prevent distribution to minors of:
266
(i) unlawful material;
267
(ii) obscene material; or
268
(iii) other harmful material;
269
(b) block or filter spam;
270
(c) prevent criminal activity; or
271
(d) protect app store or app security;
272
(2) require an app store provider to disclose user information to a developer beyond:
273
(a) age category; or
274
(b) verification of parental consent status;
275
(3) allow an app store provider or developer to implement measures required by this
276
chapter in a manner that is:
277
(a) arbitrary;
278
(b) capricious;
279
(c) anticompetitive; or
280
(d) unlawful;
281
(4) require an app store provider or developer to obtain parental consent for an app that:
282
(a) provides direct access to emergency services, including:
283
(i) 911;
284
(ii) crisis hotlines; or
285
(iii) emergency assistance services legally available to minors;
286
(b) limits data collection to information necessary to provide emergency services in
287
compliance with 15 U.S.C. Sec. 6501 et seq., Children's Online Privacy Protection
288
Act;
289
(c) provides access without requiring:
290
(i) account creation; or
291
(ii) collection of unnecessary personal information; and
292
(d) is operated by or in partnership with:
293
(i) a government entity;
294
(ii) a nonprofit organization; or
295
(iii) an authorized emergency service provider; or
296
(5) require a developer to collect, retain, reidentify, or link any information beyond what is:
297
(a) necessary to verify age categories and parental consent status as required by this
298
chapter; and
- 9 - 6th Sub. (Cherry) S.B. 142 02-19 07:55
299
(b) collected, retained, reidentified, or linked in the developer's ordinary course of
300
business.
301
Section 9. Effective Date.
302
(1) Except as provided in Subsections (2) and (3), this bill takes effect May 7, 2025.
303
(2) The actions affecting the following sections take effect on May 6, 2026:
304
(a) Section 13-75-201 (Effective 05/06/26); and
305
(b) Section 13-75-202 (Effective 05/06/26).
306
(3) The actions affecting Section 13-75-401 (Effective 12/31/26) take effect on December
307
31, 2026.
- 10 -