Enrolled Copy S.B. 142
1
App Store Accountability Act
2025 GENERAL SESSION
STATE OF UTAH
Chief Sponsor: Todd Weiler
House Sponsor: James A. Dunnigan
2
3
LONG TITLE
4
General Description:
5
This bill enacts provisions governing app store operations and creates requirements for age
6
verification and parental consent.
7
Highlighted Provisions:
8
This bill:
9
▸ defines terms;
10
▸ requires app store providers to:
11
● verify a user's age category;
12
● obtain parental consent for minor accounts;
13
● notify users and parents of significant changes;
14
● share age category and consent data with developers; and
15
● protect age verification data;
16
▸ prohibits app store providers from:
17
● enforcing contracts against minors without parental consent; and
18
● misrepresenting parental content disclosures;
19
▸ requires developers to:
20
● verify age category and consent status through app stores; and
21
● notify app stores of significant changes;
22
▸ prohibits developers from:
23
● enforcing contracts against minors without verified parental consent; and
24
● misrepresenting parental content disclosures;
25
▸ designates violations of certain provisions as deceptive trade practices;
26
▸ requires the Division of Consumer Protection to establish standards for age verification
27
methods; S.B. 142 Enrolled Copy
28
▸ creates a private right of action for parents of harmed minors;
29
▸ provides a safe harbor for compliant developers; and
30
▸ includes a severability clause.
31
Money Appropriated in this Bill:
32
None
33
Other Special Clauses:
34
This bill provides a special effective date.
35
Utah Code Sections Affected:
36
ENACTS:
37
13-75-101 (Effective 05/07/25), Utah Code Annotated 1953
38
13-75-201 (Effective 05/06/26), Utah Code Annotated 1953
39
13-75-202 (Effective 05/06/26), Utah Code Annotated 1953
40
13-75-301 (Effective 05/07/25), Utah Code Annotated 1953
41
13-75-401 (Effective 12/31/26), Utah Code Annotated 1953
42
13-75-402 (Effective 05/07/25), Utah Code Annotated 1953
43
13-75-403 (Effective 05/07/25), Utah Code Annotated 1953
44
13-75-404 (Effective 05/07/25), Utah Code Annotated 1953
45
46
Be it enacted by the Legislature of the state of Utah:
47
Section 1. Section 13-75-101 is enacted to read:
48
CHAPTER 75. APP STORE ACCOUNTABILITY ACT
49
Part 1. General Provisions
50
13-75-101 (Effective 05/07/25). Definitions.
51
As used in this chapter:
52
(1) "Age category" means one of the following categories of individuals based on age:
53
(a) "child" which means an individual who is under 13 years old;
54
(b) "younger teenager" which means an individual who is at least 13 years old and under
55
16 years old;
56
(c) "older teenager" which means an individual who is at least 16 years old and under 18
57
years old; or
58
(d) "adult" which means an individual who is at least 18 years old.
59
(2) "Age category data" means information about a user's age category that is:
60
(a) collected by an app store provider; and
- 2 - Enrolled Copy S.B. 142
61
(b) shared with a developer.
62
(3) "Age rating" means a classification that provides an assessment of the suitability of an
63
app's content for different age groups.
64
(4) "App" means a software application or electronic service that a user may run or direct
65
on a mobile device.
66
(5) "App store" means a publicly available website, software application, or electronic
67
service that allows users to download apps from third-party developers onto a mobile
68
device.
69
(6) "App store provider" means a person that owns, operates, or controls an app store that
70
allows users in the state to download apps onto a mobile device.
71
(7) "Content description" means a description of the specific content elements that informed
72
an app's age rating.
73
(8) "Developer" means a person that owns or controls an app made available through an
74
app store in the state.
75
(9) "Division" means the Division of Consumer Protection, established in Section 13-2-1.
76
(10) "Knowingly" means to act with actual knowledge or to act with knowledge fairly
77
inferred based on objective circumstances.
78
(11) "Minor" means an individual under 18 years old.
79
(12) "Minor account" means an account with an app store provider that:
80
(a) is established by an individual who the app store provider has determined is under 18
81
years old through the app store provider's age verification methods; and
82
(b) requires affiliation with a parent account.
83
(13) "Mobile device" means a phone or general purpose tablet that:
84
(a) provides cellular or wireless connectivity;
85
(b) is capable of connecting to the Internet;
86
(c) runs a mobile operating system; and
87
(d) is capable of running apps through the mobile operating system.
88
(14) "Mobile operating system" means software that:
89
(a) manages mobile device hardware resources;
90
(b) provides common services for mobile device programs;
91
(c) controls memory allocation; and
92
(d) provides interfaces for applications to access device functionality.
93
(15) "Parent" means, with respect to a minor, any of the following individuals who have
94
legal authority to make decisions on behalf of the minor:
- 3 - S.B. 142 Enrolled Copy
95
(a) an individual with a parent-child relationship under Section 78B-15-201;
96
(b) a legal guardian; or
97
(c) an individual with legal custody.
98
(16) "Parent account" means an account with an app store provider that:
99
(a) is verified to be established by an individual who the app store provider has
100
determined is at least 18 years old through the app store provider's age verification
101
methods; and
102
(b) may be affiliated with one or more minor accounts.
103
(17) "Parental consent disclosure" means the following information that an app store
104
provider is required to provide to a parent before obtaining parental consent:
105
(a) if the app store provider has an age rating for the app or in-app purchase, the app's or
106
in-app purchase's age rating;
107
(b) if the app store provider has a content description for the app or in-app purchase, the
108
app's or in-app purchase's content description;
109
(c) a description of:
110
(i) the personal data collected by the app from a user; and
111
(ii) the personal data shared by the app with a third party; and
112
(d) if personal data is collected by the app, the methods implemented by the developer to
113
protect the personal data.
114
(18) "Significant change" means a material modification to an app's terms of service or
115
privacy policy that:
116
(a) changes the categories of data collected, stored, or shared;
117
(b) alters the app's age rating or content descriptions;
118
(c) adds new monetization features, including:
119
(i) in-app purchases; or
120
(ii) advertisements; or
121
(d) materially changes the app's:
122
(i) functionality; or
123
(ii) user experience.
124
(19) "Verifiable parental consent" means authorization that:
125
(a) is provided by an individual who the app store provider has verified is an adult;
126
(b) is given after the app store provider has clearly and conspicuously provided the
127
parental consent disclosure to the individual; and
128
(c) requires the parent to make an affirmative choice to:
- 4 - Enrolled Copy S.B. 142
129
(i) grant consent; or
130
(ii) decline consent.
131
Section 2. Section 13-75-201 is enacted to read:
132
Part 2. App Store Provider and Developer Requirements
133
13-75-201 (Effective 05/06/26). App store provider requirements.
134
(1) An app store provider shall:
135
(a) at the time an individual who is located in the state creates an account with the app
136
store provider:
137
(i) request age information from the individual; and
138
(ii) verify the individual's age category using:
139
(A) commercially available methods that are reasonably designed to ensure
140
accuracy; or
141
(B) an age verification method or process that complies with rules made by the
142
division under Section 13-75-301;
143
(b) if the age verification method or process described in Subsection (1)(a) determines
144
the individual is a minor:
145
(i) require the account to be affiliated with a parent account; and
146
(ii) obtain verifiable parental consent from the holder of the affiliated parent account
147
before allowing the minor to:
148
(A) download an app;
149
(B) purchase an app; or
150
(C) make an in-app purchase;
151
(c) after receiving notice of a significant change from a developer:
152
(i) notify the user of the significant change; and
153
(ii) for a minor account:
154
(A) notify the holder of the affiliated parent account; and
155
(B) obtain renewed verifiable parental consent;
156
(d) provide to a developer, in response to a request authorized under Section 13-75-202:
157
(i) age category data for a user located in the state; and
158
(ii) the status of verified parental consent for a minor located in the state;
159
(e) notify a developer when a parent revokes parental consent; and
160
(f) protect personal age verification data by:
161
(i) limiting collection and processing to data necessary for:
162
(A) verifying a user's age;
- 5 - S.B. 142 Enrolled Copy
163
(B) obtaining parental consent; or
164
(C) maintaining compliance records; and
165
(ii) transmitting personal age verification data using industry-standard encryption
166
protocols that ensure:
167
(A) data integrity; and
168
(B) data confidentiality.
169
(2) An app store provider may not:
170
(a) enforce a contract or terms of service against a minor unless the app store provider
171
has obtained verifiable parental consent;
172
(b) knowingly misrepresent the information in the parental consent disclosure; or
173
(c) share personal age verification data except:
174
(i) between an app store provider and a developer as required by this chapter; or
175
(ii) as required by law.
176
Section 3. Section 13-75-202 is enacted to read:
177
13-75-202 (Effective 05/06/26). Developer requirements.
178
(1) A developer shall:
179
(a) verify through the app store's data sharing methods:
180
(i) the age category of users located in the state; and
181
(ii) for a minor account, whether verifiable parental consent has been obtained;
182
(b) notify app store providers of a significant change to the app;
183
(c) use age category data received from an app store provider to:
184
(i) enforce any developer-created age-related restrictions;
185
(ii) ensure compliance with applicable laws and regulations; and
186
(iii) implement any developer-created safety-related features or defaults;
187
(d) request personal age verification data or parental consent:
188
(i) at the time a user:
189
(A) downloads an app; or
190
(B) purchases an app;
191
(ii) when implementing a significant change to the app; or
192
(iii) to comply with applicable laws or regulations.
193
(2) A developer may request personal age verification data or parental consent:
194
(a) no more than once during each 12-month period to verify:
195
(i) accuracy of user age verification data; or
196
(ii) continued account use within the verified age category;
- 6 - Enrolled Copy S.B. 142
197
(b) when there is reasonable suspicion of:
198
(i) account transfer; or
199
(ii) misuse outside the verified age category; or
200
(c) at the time a user creates a new account with the developer.
201
(3) When implementing any developer-created safety-related features or defaults, a
202
developer shall use the lowest age category indicated by:
203
(a) age verification data provided by an app store provider; or
204
(b) age data independently collected by the developer.
205
(4) A developer may not:
206
(a) enforce a contract or terms of service against a minor unless the developer has
207
verified through the app store provider that verifiable parental consent has been
208
obtained;
209
(b) knowingly misrepresent any information in the parental consent disclosure; or
210
(c) share age category data with any person.
211
Section 4. Section 13-75-301 is enacted to read:
212
Part 3. Division Rulemaking
213
13-75-301 (Effective 05/07/25). Division rulemaking.
214
In accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, the
215
division shall make rules establishing processes and means by which an app store provider
216
may verify whether an account holder is a minor in accordance with Subsection
217
13-75-201(1)(a)(ii).
218
Section 5. Section 13-75-401 is enacted to read:
219
Part 4. Enforcement and Safe Harbor
220
13-75-401 (Effective 12/31/26). Enforcement.
221
(1) A violation of Subsection 13-75-201(2)(b) or Subsection 13-75-202(4)(b) constitutes a
222
deceptive trade practice under Section 13-11a-3.
223
(2)(a) Only a minor, or the parent of that minor, who has been harmed by a violation of
224
Subsection 13-75-201(2) may bring a civil action against an app store provider.
225
(b) Only a minor, or the parent of that minor, who has been harmed by a violation of
226
Subsection 13-75-202(4) may bring a civil action against a developer.
227
(3) In an action described in Subsection (2), the court shall award a prevailing parent:
228
(a) the greater of:
229
(i) actual damages; or
- 7 - S.B. 142 Enrolled Copy
230
(ii) $1,000 for each violation;
231
(b) reasonable attorney fees; and
232
(c) litigation costs.
233
Section 6. Section 13-75-402 is enacted to read:
234
13-75-402 (Effective 05/07/25). Safe harbor.
235
(1) A developer is not liable for a violation of this chapter if the developer demonstrates
236
that the developer:
237
(a) relied in good faith on:
238
(i) personal age verification data provided by an app store provider; and
239
(ii) notification from an app store provider that verifiable parental consent was
240
obtained if the personal age verification data indicates that the user is a minor; and
241
(b) complied with the requirements described in Section 13-75-202.
242
(2) For purposes of setting the age category of an app and providing content description
243
disclosures to an app store provider, a developer complies with Subsection
244
13-75-202(4)(b) if the developer:
245
(a) uses widely adopted industry standards to determine:
246
(i) the app's age category; and
247
(ii) the content description disclosures; and
248
(b) applies those standards consistently and in good faith.
249
(3) The safe harbor described in this section:
250
(a) applies only to actions brought under this chapter; and
251
(b) does not limit a developer or app store provider's liability under any other applicable
252
law.
253
(4) Nothing in this chapter shall displace any other available remedies or rights authorized
254
under the laws of this state or the United States.
255
Section 7. Section 13-75-403 is enacted to read:
256
13-75-403 (Effective 05/07/25). Severability.
257
(1) If any provision of this chapter or the application of any provision to any person or
258
circumstance is held invalid by a final decision of a court of competent jurisdiction, the
259
remainder of this chapter shall be given effect without the invalid provision or
260
application.
261
(2) The provisions of this chapter are severable.
262
Section 8. Section 13-75-404 is enacted to read:
263
13-75-404 (Effective 05/07/25). Application and limitations.
- 8 - Enrolled Copy S.B. 142
264
Nothing in this chapter shall be construed to:
265
(1) prevent an app store provider or developer from taking reasonable measures to:
266
(a) block, detect, or prevent distribution to minors of:
267
(i) unlawful material;
268
(ii) obscene material; or
269
(iii) other harmful material;
270
(b) block or filter spam;
271
(c) prevent criminal activity; or
272
(d) protect app store or app security;
273
(2) require an app store provider to disclose user information to a developer beyond:
274
(a) age category; or
275
(b) verification of parental consent status;
276
(3) allow an app store provider or developer to implement measures required by this
277
chapter in a manner that is:
278
(a) arbitrary;
279
(b) capricious;
280
(c) anticompetitive; or
281
(d) unlawful;
282
(4) require an app store provider or developer to obtain parental consent for an app that:
283
(a) provides direct access to emergency services, including:
284
(i) 911;
285
(ii) crisis hotlines; or
286
(iii) emergency assistance services legally available to minors;
287
(b) limits data collection to information necessary to provide emergency services in
288
compliance with 15 U.S.C. Sec. 6501 et seq., Children's Online Privacy Protection
289
Act;
290
(c) provides access without requiring:
291
(i) account creation; or
292
(ii) collection of unnecessary personal information; and
293
(d) is operated by or in partnership with:
294
(i) a government entity;
295
(ii) a nonprofit organization; or
296
(iii) an authorized emergency service provider; or
297
(5) require a developer to collect, retain, reidentify, or link any information beyond what is:
- 9 - S.B. 142 Enrolled Copy
298
(a) necessary to verify age categories and parental consent status as required by this
299
chapter; and
300
(b) collected, retained, reidentified, or linked in the developer's ordinary course of
301
business.
302
Section 9. Effective Date.
303
(1) Except as provided in Subsections (2) and (3), this bill takes effect May 7, 2025.
304
(2) The actions affecting the following sections take effect on May 6, 2026:
305
(a) Section 13-75-201 (Effective 05/06/26); and
306
(b) Section 13-75-202 (Effective 05/06/26).
307
(3) The actions affecting Section 13-75-401 (Effective 12/31/26) take effect on December
308
31, 2026.
- 10 -