HB161 ENROLLED
HB161
V7D54VP-3
By Representatives Sells, Mooney
RFD: State Government
First Read: 13-Jan-26
Enrolled, An Act,
Relating to consumer protection; to require an app
store provider to take certain actions regarding age
verification, parental notification, and data protection; to
prohibit an app store provider or developer from taking
certain actions that allow minors to access apps without
parental consent; to require the Attorney General to adopt
rules; and to authorize the Attorney General to bring an
action for a violation as a deceptive trade practice.
BE IT ENACTED BY THE LEGISLATURE OF ALABAMA:
Section 1. For the purposes of this act, the following
terms have the following meanings:
(1) ACCOUNT HOLDER. The individual associated with a
mobile device.
(2) AGE CATEGORY. Whether an individual is: (i) under
13 years of age; (ii) at least 13 years of age but less than
16 years of age; (iii) at least 16 years of age but less than
18 years of age; or (iv) at least 18 years of age.
(3) AGE CATEGORY DATA. Information about a user's age
category which is collected by an app store developer and
shared with a developer.
(4) AGE RATING. A classification that assesses the
suitability of an app's content and functions for different
age groups.
(5) APP. A software application or electronic service
that a user may run or direct on a mobile device. The term
includes pre-installed apps.
(6) APP STORE. A publicly available website, software
application, or electronic service that allows account holders
to download apps from third-party developers onto a mobile
device.
(7) APP STORE PROVIDER. An entity that owns, operates,
or controls an app store that allows account holders in the
state to download apps onto a mobile device.
(8) CONTENT DESCRIPTION. A description of the specific
content elements or functions that inform an app's age rating.
(9) DEVELOPER. An entity that owns or controls an app
made available through an app store or a pre-installed app.
(10) IN-APP PURCHASE. A charge associated with any user
conduct within an app and billed by an app store, including,
but not limited to, the acquisition of virtual currency,
digital goods, digital services, or other apps.
(11) MINOR. An individual under 18 years of age, unless
the individual is married or legally emancipated.
(12) MINOR ACCOUNT. An account with an app store
provider that is established by an individual who the app
store provider has determined is a minor.
(13) MOBILE DEVICE. A phone or general-purpose tablet
that: (i) provides cellular or wireless connectivity; (ii) is
capable of connecting to the Internet; (iii) runs a mobile
operating system; and (iv) is capable of running apps through
the mobile operating system.
(14) MOBILE OPERATING SYSTEM. Software that: (i)
manages mobile device hardware resources; (ii) provides common
services for mobile device programs; (iii) controls memory
allocation; and (iv) provides interfaces for apps to access
device functionality.
(15) PARENT. With respect to a minor, any of the
following individuals:
a. A biological parent.
b. A legal guardian.
c. An individual with legal custody.
(16) PARENT ACCOUNT. An account with an app store
provider which is affiliated with one or more minor accounts
and which is verified to have been established by an
individual who the app store provider has determined is not a
minor.
(17) PARENTAL CONSENT DISCLOSURE. The following
information that an app store provider is required to provide
to a parent before obtaining parental disclosure:
a. A description of the personal data collected by the
app from a user.
b. A description of the personal data shared by the app
with any third party.
c. Any methods implemented by the developer to protect
personal data.
d. The age rating of the app or in-app purchase, if
available.
e. The content description of the app or in-app
purchase, if available.
(18) PRE-INSTALLED APP. Any app, or portion of an app,
that is present on a mobile device at the time of purchase,
initial activation, or first use by the consumer. The term
includes, but is not limited to: (i) browsers; (ii) search
engines; (iii) messaging apps; and (iv) other apps, or
portions of apps, that are installed or partially installed by
the device manufacturer, wireless services provider, retailer,
or any other party prior to the purchase, initial activation,
or first use of the device by the customer and that may be
updated thereafter. The term does not include: (i) core
operating system functions; (ii) essential device drivers; and
(iii) applications necessary for basic device operation such
as phone and settings applications.
(19) SIGNIFICANT CHANGE. A material modification to an
app's terms of service or privacy policy which does any of the
following:
a. Changes the categories of data collected, stored, or
shared.
b. Adds new monetization features, including, but not
limited to, in-app purchases or advertisements, where no such
features were previously present.
c. Alters the app's age rating or content descriptions.
(20) VERIFIABLE PARENTAL CONSENT. Authorization that
meets all of the following criteria:
a. Is provided by an individual who the app store
provider has verified is at least 18 years of age.
b. Is given after the app store provider has clearly
and conspicuously provided the parental consent disclosure to
the individual.
c. Requires the parent to make an affirmative choice to
either grant consent or decline consent.
Section 2. (a) An app store provider shall do both of
the following when an individual located in this state creates
an account with the app store provider, or before October 1,
2027, for all accounts in existence on October 2, 2026:
(1) Request age category information from the
individual.
(2) Verify the individual's age category using one of
the following:
a. Commercially available methods that are reasonably
designed to ensure accuracy.
b. An age verification system that complies with rules
adopted pursuant to this act.
(b) For the purposes of this section, a method is
commercially available if the method includes both: (i)
affirmative age attestation by an individual who is reasonably
believed to be the parent or legal guardian of the minor; and
(ii) other information collected in the ordinary course of
account creation or use.
Section 3. An app store provider shall do all of the
following when an individual is determined to be a minor
pursuant to Section 1:
(1) Require the account to be affiliated with a parent
account.
(2) Obtain verifiable parental consent from the holder
of the affiliated parent account before allowing the minor to:
(i) download an app; (ii) purchase an app; or (iii) make an
in-app purchase.
(3) Provide a mechanism for the holder of the
affiliated parent account to withdraw consent and notify
developers when the holder of a parent account withdraws
consent.
Section 4. An app store provider shall do both of the
following after receiving notice of a significant change from
a developer:
(1) Notify the user of the significant change.
(2) For a minor account, do both of the following:
a. Notify the holder of the affiliated parent account.
b. Obtain renewed verifiable parental consent before
providing access to the significantly changed version of the
app.
Section 5. An app store provider shall provide
developers with real-time access to both of the following:
(1) Age category data for each user located in this
state.
(2) The status of verifiable parental consent for each
minor located in this state.
Section 6. An app store provider shall protect personal
age verification data by doing both of the following:
(1) Limiting the collection and processing to data
necessary to: (i) verify a user's age; (ii) obtain parental
consent; or (iii) maintain compliance records.
(2) Transmitting personal age verification data using
industry-standard encryption protocols that ensure data
integrity and data confidentiality.
Section 7. An app store provider shall do both of the
following with respect to pre-installed apps:
(1) Provide available age category information in
response to a request from a developer.
(2) Take reasonable measures to facilitate verifiable
parental consent for use of a pre-installed app in response to
a request from a developer.
Section 8. An app store provider may not do any of the
following:
(1) Enforce a contract or terms of service against a
minor unless the app store provider has obtained verifiable
parental consent.
(2) Knowingly misrepresent the information in the
parental consent disclosure.
(3) Share age category data or any other associated
data except as required by law or as required by this act
between an app store provider and a developer.
Section 9. (a) A developer shall do all of the
following:
(1) Verify through the app store's data sharing
methods: (i) the age category of users located in this state;
and (ii) for a minor account, whether verifiable parental
consent has been obtained.
(2) Notify app store providers of any significant
change to an app.
(3) Limit use of age category data received from an app
store provider to: (i) enforce developer-created age-related
restrictions, protections, or defaults; (ii) ensure compliance
with applicable laws or regulations; or (iii) implement
safety-related features or defaults.
(4) Request age category data or verifiable parental
consent in all of the following scenarios:
a. Whenever an account holder does any of the
following:
1. Downloads an app.
2. Purchases an app.
3. Launches a pre-installed app for the first time.
b. When implementing a significant change to an app.
c. To comply with applicable law.
(5) When implementing any developer-created age-related
restrictions, safety-related features, or defaults, use the
lowest age category indicated by either: (i) age category data
received through the app store's data sharing methods; or (ii)
age data independently collected by the developer.
(b) A developer may request age category data in any of
the following scenarios:
(1) No more than once during each 12-month period to
verify either of the following:
a. The accuracy of age category data associated with an
account holder.
b. Continued account use within the age category.
(2) When there is reasonable suspicion of either of the
following:
a. Account transfer.
b. Misuse outside of the age category.
(3) At the time an account holder creates a new account
with the developer.
(c) A developer may not do any of the following:
(1) Enforce a contract or terms of service against a
minor unless the developer has verified through the app store
provider that verifiable parental consent has been obtained.
(2) Knowingly misrepresent any information in the
parental consent disclosure.
(3) Share age category data with any person.
Section 10. The Attorney General shall adopt rules
establishing processes and means by which an app store
provider may verify whether an account holder is a minor in
accordance with this act.
Section 11. (a) Any knowing or reckless violation of
this act is deemed a deceptive trade practice actionable under
Chapter 19 of Title 8 of the Code of Alabama 1975. Provided,
however, the Attorney General shall have the exclusive
jurisdiction to bring an action pursuant to Chapter 19 of
Title 8, Code of Alabama 1975. If the Attorney General has
reason to believe that an entity is in violation of this act,
the Attorney General may bring an action against the entity
for an unfair or deceptive trade practice. In addition to
other remedies available under Chapter 19 of Title 8 of the
Code of Alabama 1975, the Attorney General may collect a civil
penalty of up to seven thousand five hundred dollars ($7,500)
per violation, reasonable attorney fees, and court costs.
(b) If a violation described in subsection (a) is part
of a consistent pattern of knowing or reckless conduct, the
Attorney General may seek punitive damages against the entity.
(c) An action for a claim under this section must be
brought within one year from the date the Attorney General
knew or reasonably should have known of the alleged violation.
(d) This section does not preclude any other available
remedy at law or equity.
Section 12. (a) A developer is not liable for a
violation of this act if the developer demonstrates all of the
following:
(1) The developer relied in good faith on applicable
age category data received through an app store's data sharing
methods.
(2) The developer relied in good faith on notification
from an app store provider that verifiable parental consent
was obtained.
(3) The developer complied with the requirements of
this act.
(b) A developer is not liable for a violation of
Section 9(c)(2) if the developer: (i) uses widely adopted
industry standards to determine the app's age category and
content description; and (ii) applies those standards
consistently and in good faith.
(c) Notwithstanding subsection (a), the safe harbor
provision applies only to actions brought under this act and
does not limit a developer or app store provider's liability
under any other applicable law.
(d) An app store provider shall not be liable for a
violation of this act if the app store provider generates an
erroneous age category signal for a user as long as the app
store provider demonstrates that the app store provider did
all of the following:
(1) Used a commercially reasonable age verification
process.
(2) Exercised due care in conducting the age
verification process.
(3) Made reasonable efforts to reconcile any
discrepancies between a parent's attestation of the minor's
age and other age data collected in the ordinary course of
account creation or use.
Section 13. Nothing in this act shall be construed to
do any of the following:
(1) Prevent an app store provider or developer from
taking reasonable measures to do any of the following:
a. Block, detect, or prevent distribution to minors of:
(i) unlawful material; (ii) obscene material; or (iii) other
harmful material.
b. Block or filter spam.
c. Prevent criminal activity.
d. Protect app store or app security.
(2) Require an app store provider or developer to
disclose user information to a developer beyond age category
or verification of parental consent status.
(3) Allow an app store provider or developer to
implement measures required by this act in a manner that is:
(i) arbitrary; (ii) capricious; (iii) anticompetitive; or (iv)
unlawful.
(4) Require a developer to collect, retain, reidentify,
or link any information beyond what is both:
a. Necessary to verify age category data as required by
this act; and
b. Collected, retained, reidentified, or linked in the
developer's ordinary course of business.
(5) Require an app store provider or developer to block
access to an application that an account holder has downloaded
or installed onto a mobile device prior to October 1, 2026,
except to the extent that either:
a. A parent account revokes verifiable consent for an
affiliated minor account; or
b. There has been a significant change to the
application.
Section 14. Nothing in this act shall be construed to
relieve any person from compliance with any other law of this
state that requires age verification.
Section 15. This act shall become effective on January
1, 2027.
________________________________________________
Speaker of the House of Representatives
________________________________________________
President and Presiding Officer of the Senate
House of Representatives
I hereby certify that the within Act originated in and
was passed by the House 22-Jan-26, as amended.
John Treadwell
Clerk
Senate 05-Feb-26 Amended and Passed
House 10-Feb-26 Concurred in Senate
Amendment