Back to Ohio

SB167 • 2026

Require certain application store-based parental controls

Require certain application store-based parental controls

Passed Legislature

This bill passed both chambers and reached final enrollment, even if later executive action is not shown here.

Sponsor
Michele Reynolds
Last action
Official status
As Introduced
Effective date
Not listed

Plain English Breakdown

Using official source text because the generated explanation was unavailable or could not be confirmed against the official bill text.

Require certain application store-based parental controls

To enact section 1349.07 of the Revised Code to require certain application store-based parental controls.

What This Bill Does

  • To enact section 1349.07 of the Revised Code to require certain application store-based parental controls.

Limits and Unknowns

  • This entry is temporarily using official source text because the generated explanation could not be confirmed against the official bill text during the last sync.

Bill History

  1. Ohio Legislature

    As Introduced

Official Summary Text

To enact section 1349.07 of the Revised Code to require certain application store-based parental controls.

Current Bill Text

Read the full stored bill text
As Introduced

136th
General Assembly

Regular
Session
S. B. No. 167

2025-2026

Senator Reynolds

To
enact section 1349.07 of the Revised Code
to
require certain application store-based parental controls.

BE
IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF OHIO:

Section
1.
That
section 1349.07 of the Revised Code be enacted to read as follows:

Sec.
1349.07.
(A)
As used in this section:

(1)
"Application store" means a publicly available web site,
software application, or online service that distributes a
third-party platform's software applications to a computer, mobile
device, or any other general purpose computing device.

(2)(a)
"Broadband internet access service" means a mass-market
retail service by wire or radio that provides the capability to
transmit data to and receive data from all or substantially all
internet endpoints, including any capabilities that are incidental to
and enable the operation of the communications service, but excluding
dial-up internet access service.

(b)
"Broadband internet access service" includes any service
that the federal communications commission finds to be providing a
functional equivalent of the service described in division (A)(2)(a)
of this section or that is used to evade the protections set forth in
this section.

(3)
"Child" means an individual consumer known to be under
eighteen years of age.

(4)(a)
"Covered application" means a software application, web
site, or other online service that is likely to be accessed by
children and that is intended to be run or directed by a user on a
computer, mobile device, or other general purpose computing device.

(b)
"Covered application" does not include any of the
following:

(i)
A broadband internet access service;

(ii)
A telecommunications service, as defined in 47 U.S.C. 153;

(iii)
The delivery or use of a physical product unconnected to the
internet.

(5)
"Covered entity" means a covered manufacturer or developer
of a covered application.

(6)
"Covered manufacturer" means a manufacturer of a device, an
operating system for a device, or an application store.

(7)
"Developer" means any person, entity, or organization that
creates, owns, or controls an application and is responsible for the
design, development, maintenance, and distribution of the application
to users through an application store.

(8)(a)
"Device" means a device or portion of a device that is
designed for and capable of communicating across a computer network
with other computers or devices for the purpose of transmitting,
receiving, or storing data, including a desktop computer, laptop,
cellular telephone, tablet, or other device designed for and capable
of communicating with or across a computer network and that is used
for such purpose.

(b)
"Device" does not include any of the following:

(i)
Cable, fiber, or wireless modems;

(ii)
Home routers, whether standalone or combined with cable, fiber, or a
wireless modem;

(iii)
Managed set-top boxes;

(iv)
Any physical object that only supports communications within a closed
user group or private network available to a limited set of users.

(9)
"Likely to be accessed by children" means, in the context
of an application, that either or both of the following apply:

(a)
Competent and reliable evidence regarding audience composition
demonstrates that the application is routinely accessed by children;

(b)
Internal research findings determine that the application is
routinely accessed by children.

(10)
"Parent" includes a legal guardian.

(11)
"User" means an individual consumer.

(B)
Beginning January 1, 2026, no developer shall distribute an
application to users in this state or design, develop, or maintain an
application distributed to users in this state without first
determining whether the application is likely to be accessed by
children and, if so, providing notice of that determination to each
application store that distributes the application to users in this
state.

(C)(1)
The covered manufacturer of a device sold in this state on or after
January 1, 2026, shall, upon the initial activation of the device,
take commercially reasonable and technically feasible steps to
determine or estimate the age of the primary user of the device.

(2)
The covered manufacturer of an operating system for a device sold in
this state before January 1, 2026, shall take commercially reasonable
and technically feasible steps to determine or estimate the age of
the primary user of the device following the first update to the
operating system that occurs after January 1, 2027.

(D)
On and after January 1, 2026, the covered manufacturer of an
application store with users in this state shall take commercially
reasonable and technically feasible steps to do all of the following:

(1)
Provide a mechanism for developers to provide notice that an
application is likely to be accessed by children;

(2)
Obtain parental consent before permitting a user in this state who
the covered manufacturer knows or should know is under sixteen years
of age to download a covered application from the application store;

(3)
Provide developers of covered applications in the application store
with a signal regarding whether a parent has provided consent when
required under division (D)(2) of this section;

(4)
Provide a parent who consents to a child downloading an application
under division (D)(2) of this section with the option to connect with
the developer of the application for the purpose of facilitating
parental supervision tools.

(E)
On and after January 1, 2026, a covered manufacturer shall take
commercially reasonable and technically feasible steps to provide
developers of covered applications with a digital signal via a
real-time application programming interface regarding whether the
covered manufacturer knows or estimates a user to be:

(1)
Under thirteen years of age;

(2)
At least thirteen years of age, and under sixteen years of age;

(3)
At least sixteen years of age, and under eighteen years of age;

(4)
At least eighteen years of age.

(F)
On and after January 1, 2026, a developer of a covered application
shall, to the extent applicable and technically feasible, provide
readily available features for parents to support a child's use of
the covered application. Such features shall, at minimum, do all of
the following:

(1)
Manage which accounts are affirmatively linked to the child;

(2)
Manage the delivery of age appropriate content;

(3)
Limit the amount of time that the child spends daily on the covered
application.

(G)(1)
This section shall not be construed to require a covered entity to
access, collect, retain, re-identify, or link information that the
covered entity would not otherwise access, collect, retain,
re-identify, or link in the ordinary course of business, except as
absolutely necessary to comply with divisions (C), (D), and (E) of
this section.

(2)
A covered entity is not required to implement new account controls or
safety settings if the covered entity's existing account controls and
safety settings are sufficient to comply with this section.

(H)(1)
Nothing in this section shall be construed to modify, impair, or
supersede the operation of any antitrust law, including Chapter 1331.
of the Revised Code and 15 U.S.C. 1, et seq.

(2)
An application store shall comply with this section in a
nondiscriminatory manner, including by:

(a)
Imposing at least the same restrictions and obligations on the
application store's own applications and application distribution as
the application store does on third-party applications or application
distributors;

(b)
Not using data collected from third parties, or consent mechanisms
deployed for third parties, in the course of compliance with this
section, for any of the following:

(i)
To compete against those third parties;

(ii)
To give the application store's services preference relative to those
of third parties;

(iii)
To act in a manner adverse to competition.

(I)(1)
The attorney general may bring a civil action against a covered
entity that the attorney general believes to have violated this
section. Before initiating such an enforcement action, the attorney
general shall provide written notice to the covered entity
identifying and explaining the basis for each alleged violation.

(2)
Except as otherwise provided in division (I)(4) of this section, the
attorney general shall not commence an enforcement action if the
covered entity, within forty-five days after notice of the alleged
violations is sent, does both of the following:

(a)
Cures all violations described in the notice;

(b)
Provides the attorney general with a written statement indicating
that the violations are cured and agreeing to refrain from further
violations of this section.

(3)
If the covered entity does not timely respond or continues to violate
this section after receiving the notice, the attorney general may
initiate the enforcement action and seek damages of up to two
thousand five hundred dollars for each violation. Except as otherwise
provided in division (I)(4) of this section, damages begin to accrue
on the forty-sixth day following the date the attorney general sends
notice of the violation.

(4)
Division (I)(2) of this section does not apply if the covered entity
fails to timely cure all of the violations described in the notice or
commits a subsequent violation of the same type after curing the
initial violation under that division. Notwithstanding division
(I)(3) of this section, if a covered entity commits a subsequent
violation of the same type after reporting that the initial violation
is cured, the attorney general may bring a civil action at any time
after sending notice of the violation under division (I)(1) of this
section. Damages for the subsequent violation begin to accrue on the
date the violation occurs.

(5)
It is an affirmative defense to a violation of division (F) of this
section if the covered entity acted in reasonable reliance on a
covered manufacturer's signals regarding a user's age or parental
consent.

(6)
It is an affirmative defense to a violation of this section if the
covered entity took commercially reasonable and technically feasible
steps to comply.

(7)
Nothing in this section shall be construed to provide a private right
of action. The attorney general has the exclusive authority to
enforce this section.