Read the full stored bill text
30
13-76-101
13-76-201
13-76-202
13-76-301
13-76-401
13-76-402
13-76-404
37
37
Utah App Store Accountability Act Amendments
2026 GENERAL SESSION
STATE OF UTAH
Chief Sponsor: James A. Dunnigan
Senate Sponsor: Todd Weiler
LONG TITLE
General Description:
This bill amends the App Store Accountability Act.
Highlighted Provisions:
This bill:
defines terms;
adds requirements for pre-installed applications;
modifies app store provider and developer requirements;
modifies provisions relating to age-related restrictions and defaults;
modifies enforcement and safe harbor provisions; and
makes technical and conforming changes.
Money Appropriated in this Bill:
None
Other Special Clauses:
This bill provides a special effective date.
Utah Code Sections Affected:
AMENDS:
13-76-101
Effective
upon governor's approval
, as enacted by Laws of Utah 2025,
Chapter 446
13-76-201
Effective
upon governor's approval
, as enacted by Laws of Utah 2025,
Chapter 446
13-76-202
Effective
upon governor's approval
, as enacted by Laws of Utah 2025,
Chapter 446
13-76-401
Effective
upon governor's approval
, as enacted by Laws of Utah 2025,
Chapter 446
13-76-402
Effective
upon governor's approval
, as enacted by Laws of Utah 2025,
Chapter 446
13-76-404
Effective
upon governor's approval
, as enacted by Laws of Utah 2025,
Chapter 446
REPEALS:
13-76-301
Effective
upon governor's approval
, as enacted by Laws of Utah 2025,
Chapter 446
Be it enacted by the Legislature of the state of Utah:
Section 1. Section
13-76-101
is amended to read:
13-76-101
Effective
upon governor's approval
. Definitions.
As used in this chapter:
(1)
"Account holder" means an individual who is associated with a mobile device.
(2)
"Age category" means one of the following categories of individuals based on age:
(a)
"child" which means an individual who is under 13 years old;
(b)
"younger teenager" which means an individual who is at least 13 years old and under
16 years old;
(c)
"older teenager" which means an individual who is at least 16 years old and under 18
years old; or
(d)
"adult" which means an individual who is at least 18 years old.
(2)
(3)
"Age category data" means information about a user's age category that is:
(a)
collected by an app store provider; and
(b)
shared with a developer.
(3)
(4)
"Age rating" means a classification that provides an assessment of the suitability of
an app's content for different age groups.
(4)
(5)
"App" means a software application or electronic service that a user may run or
direct on a mobile device.
(5)
(6)
"App store" means a publicly available website, software application, or electronic
service that allows users to download apps from third-party developers onto a mobile
device.
(6)
(7)
"App store provider" means a person that owns, operates, or controls an app store
that allows users in the state to download apps onto a mobile device.
(7)
(8)
"Content description" means a description of the specific content elements that
informed an app's age rating.
(8)
(9)
"Developer" means a person that owns or controls an app made available through
an app store in the state.
(9)
"Division" means the Division of Consumer Protection, established in Section
13-2-1
.
(10)
"In-app purchase" means a charge associated with any user conduct within an app and
billed by an app store for the acquisition of virtual currency, digital goods, digital
services, or other apps.
(10)
(11)
"Knowingly" means to act with actual knowledge or to act with knowledge fairly
inferred based on objective circumstances.
(11)
(12)
"Minor" means an individual under 18 years old.
"Minor" means an individual
under 18 years old that:
(a)
has not been emancipated as that term is defined in Section
80-7-102
; or
(b)
has not been married.
(12)
(13)
"Minor account" means an account with an app store provider that:
(a)
is established by an individual who the app store provider has determined is under 18
years old through the app store provider's age verification methods; and
(b)
requires affiliation with a parent account.
(13)
(14)
"Mobile device" means a phone or general purpose tablet that:
(a)
provides cellular or wireless connectivity;
(b)
is capable of connecting to the
Internet
internet
;
(c)
runs a mobile operating system; and
(d)
is capable of running apps through the mobile operating system.
(14)
(15)
"Mobile operating system" means software that:
(a)
manages mobile device hardware resources;
(b)
provides common services for mobile device programs;
(c)
controls memory allocation; and
(d)
provides interfaces for applications to access device functionality.
(15)
(16)
"Parent" means, with respect to a minor,
any of the following individuals who
have legal authority to make decisions on behalf of the minor
an individual who is
reasonably believed to be
:
(a)
an individual with a parent-child relationship under Section
78B-15-201
81-5-201
;
(b)
a legal guardian;
or
(c)
an individual with legal custody
.
; or
(d)
any other individual who has legal authority to make decisions on behalf of a minor.
(16)
(17)
"Parent account" means an account with an app store provider that:
(a)
is verified to be established by an individual who the app store provider has
determined is
at least 18 years old
not a minor
through the app store provider's age
verification methods; and
(b)
may be affiliated with one or more minor accounts.
(17)
(18)
"Parental consent disclosure" means the following information that an app store
provider is required to provide to a parent before obtaining
verifiable
parental consent:
(a)
if the app store provider has an age rating for the app
or in-app purchase
, the app's
or in-app purchase's
age rating;
(b)
if the app store provider has a content description for the app
or in-app purchase
,
the app's
or in-app purchase's
content description;
(c)
a description of:
(i)
the personal data collected by the app from a user; and
(ii)
the personal data shared by the app with a third party; and
(d)
if personal data is collected by the app, the methods implemented by the developer to
protect the personal data.
(19)
(a)
"Pre-installed application" means an app, or portion of an app, that is present on
a mobile device at the time of:
(i)
purchase;
(ii)
initial activation; or
(iii)
first use by a consumer.
(b)
"Pre-installed application" includes:
(i)
an app, or portion of an app, installed or partially installed by:
(A)
the device manufacturer;
(B)
a wireless service provider;
(C)
a retailer; or
(D)
any other party before purchase, initial activation, or first use by the
consumer; and
(ii)
browsers, search engines, and messaging applications.
(c)
"Pre-installed application" does not include:
(i)
core operating system functions;
(ii)
essential device drivers;
(iii)
applications necessary for basic device operation, including:
(A)
phone applications;
(B)
settings applications; or
(C)
emergency services applications; or
(iv)
security or system maintenance applications essential to device functionality.
(18)
(20)
"Significant change" means a material modification to an app's terms of service
or privacy policy that:
(a)
changes the categories of data collected, stored, or shared;
(b)
alters the app's age rating or content descriptions;
(c)
introduces in-app purchases where no in-app purchases were previously present in
the app; or
(d)
introduces advertisements where no advertisements were previously present in the
app.
(c)
adds new monetization features, including:
(i)
in-app purchases; or
(ii)
advertisements; or
(d)
materially changes the app's:
(i)
functionality; or
(ii)
user experience.
(19)
(21)
"Verifiable parental consent" means authorization that:
(a)
is provided by an individual who the app store provider has verified is an adult;
(b)
is given after the app store provider has clearly and conspicuously provided the
parental consent disclosure to the individual; and
(c)
requires the parent to make an affirmative choice to:
(i)
grant consent; or
(ii)
decline consent.
Section 2. Section
13-76-201
is amended to read:
13-76-201
Effective
upon governor's approval
. App store provider
requirements.
(1)
An
Beginning May 6, 2027, an
app store provider shall:
(a)
at the time an individual who is located in the state creates an account with the app
store provider
, or for an existing account, within 12 months after the day on which
the obligations described in this section take effect
:
(i)
request age
category
information from the individual; and
(ii)
verify the individual's age category using commercially available methods that
are reasonably designed to ensure accuracy, which for a minor shall include
affirmative age attestation by a parent together with other age information
collected as part of the creation or use of an account;
(ii)
verify the individual's age category using:
(A)
commercially available methods that are reasonably designed to ensure
accuracy; or
(B)
an age verification method or process that complies with rules made by the
division under Section
13-76-301
;
(b)
if the age verification method or process described in Subsection
(1)(a)
determines
the individual is a minor:
(i)
require the account to be affiliated with a parent account; and
(ii)
obtain verifiable parental consent from the holder of the affiliated parent account
before allowing the minor to:
(A)
download an app;
(B)
purchase an app; or
(C)
make an in-app purchase;
(c)
after receiving notice of a significant change from a developer:
(i)
notify the
user
account holder
of the significant change; and
(ii)
for a minor account:
(A)
notify the holder of the affiliated parent account; and
(B)
obtain renewed verifiable parental consent;
(d)
provide to a developer, in response to a request authorized under Section
13-76-202
:
(i)
age category data for a user located in the state; and
(ii)
the status of verified parental consent for a minor located in the state;
(e)
notify a developer when a parent revokes parental consent;
and
(f)
protect
personal age verification data
age category data and any associated
verification data
by:
(i)
limiting collection and processing to data necessary for:
(A)
verifying
a user's
an account holder's
age;
(B)
obtaining
verifiable
parental consent; or
(C)
maintaining compliance records; and
(ii)
transmitting
personal age verification
age category
data using industry-standard
encryption protocols that ensure:
(A)
data integrity; and
(B)
data confidentiality
.
;
(g)
for a pre-installed application:
(i)
provide available age category information in response to a request from a
developer; and
(ii)
take reasonable measures to facilitate verifiable parental consent for use of the
app in response to a request from a developer; and
(h)
comply with a developer's request made in accordance with Subsection
13-76-202(6)
to prevent minor accounts from downloading or purchasing the developer's app.
(2)
An
Beginning May 6, 2027, an
app store provider may not:
(a)
enforce a contract or terms of service against a minor unless the app store provider
has obtained verifiable parental consent;
(b)
knowingly misrepresent the information in the parental consent disclosure; or
(c)
share
personal age verification
age category data or any associated verification
data
except:
(i)
between an app store provider and a developer as required by this chapter; or
(ii)
as required by law.
Section 3. Section
13-76-202
is amended to read:
13-76-202
Effective
upon governor's approval
. Developer requirements.
(1)
A
Beginning May 6, 2027, a
developer shall:
(a)
verify through the app store's data sharing methods:
(i)
the age category
data
of
users
account holders
located in the state; and
(ii)
for a minor account, whether verifiable parental consent has been obtained;
(b)
notify app store providers of a significant change to the app;
and
(c)
use age category data received from an app store provider to:
(i)
enforce any developer-created age-related restrictions;
(ii)
ensure compliance with applicable laws and regulations; and
(iii)
implement any developer-created safety-related features or defaults;
(d)
(c)
request
personal
age
verification
category
data or parental consent:
(i)
at the time
a user
an account holder
:
(A)
downloads an app;
or
(B)
purchases an app;
or
(C)
launches a pre-installed application for the first time;
(ii)
when implementing a significant change to the app; or
(iii)
to comply with applicable laws or regulations.
(2)
A
Beginning May 6, 2027, a
developer may request
personal age verification
age
category
data
or parental consent
:
(a)
no more than once during each 12-month period to verify:
(i)
accuracy of
user age verification data
age category data associated with an
account holder
; or
(ii)
continued account use within the verified age category;
(b)
when there is reasonable suspicion of:
(i)
account transfer; or
(ii)
misuse outside the verified age category; or
(c)
at the time
a user
an account holder
creates a new account with the developer.
(3)
(a)
When
Beginning May 6, 2027, when
initially
implementing any
developer-created safety-related features or defaults, a developer shall use the lowest
age category indicated by:
(a)
(i)
age verification data provided by an app store provider; or
(b)
(ii)
age data independently collected by the developer.
(b)
Subsection
(3)(a)
does not prohibit a developer from allowing a parent to customize
age-related restrictions, safety-related features, or content settings for individual users
within a minor account after the initial defaults described in Subsection
(3)(a)
are set.
(4)
A
Beginning May 6, 2027, a
developer may not:
(a)
enforce a contract or terms of service against a minor unless the developer has
verified through
the app store provider
the app store's data sharing methods
that
verifiable parental consent has been obtained;
(b)
knowingly misrepresent any information in the parental consent disclosure; or
(c)
share age category data with any person.
(5)
Beginning May 6, 2027, a developer may only use age category data received through
the app store's data sharing methods to:
(a)
enforce any developer-created age-related restrictions;
(b)
ensure compliance with applicable laws and regulations; or
(c)
implement any developer-created safety-related features or defaults.
(6)
Beginning May 6, 2027, a developer may request that an app store provider prevent
minor accounts from downloading or purchasing the developer's app.
Section 4. Section
13-76-401
is amended to read:
13-76-401
Effective
12/31/26
Effective
upon governor's approval
.
Enforcement.
(1)
A violation of Subsection
13-75-201(2)(b)
or Subsection
13-75-202(4)(b)
constitutes a
deceptive trade practice under Section
13-11a-3
.
(2)
(1)
(a)
Only
Beginning May 6, 2027, only
a minor, or the parent of that minor, who
has been harmed by a violation of Subsection
13-75-201(2)
13-76-201(2)
may bring
a civil action against an app store provider.
(b)
Only
Beginning May 6, 2027, only
a minor, or the parent of that minor, who has
been harmed by a violation of Subsection
13-75-202(4)
13-76-202(4)
may bring a
civil action against a developer.
(3)
(2)
In an action described in Subsection
(2)
(1)
, the court shall award a prevailing
parent:
(a)
the greater of:
(i)
actual damages; or
(ii)
$1,000 for each violation;
(b)
reasonable attorney fees; and
(c)
litigation costs.
Section 5. Section
13-76-402
is amended to read:
13-76-402
Effective
upon governor's approval
. Safe harbor.
(1)
A developer is not liable for a violation of this chapter if the developer demonstrates
that the developer:
(a)
relied in good faith on:
(i)
personal age verification
age category
data
provided by an app store provider
received through an app store's data sharing methods
; and
(ii)
notification from an app store provider that verifiable parental consent was
obtained if the
personal age verification data
age category data
indicates that the
user
account holder
is a minor; and
(b)
complied with the requirements described in Section
13-76-202
.
(2)
For purposes of setting the age category of an app and providing content description
disclosures to an app store provider, a developer complies with Subsection
13-75-202(4)(b)
if the developer:
(a)
uses widely adopted industry standards to determine:
(i)
the app's age category; and
(ii)
the content description disclosures; and
(b)
applies those standards consistently and in good faith.
(3)
(2)
The safe harbor described in this section:
(a)
applies only to actions brought under this chapter; and
(b)
does not limit a developer or app store provider's liability under any other applicable
law.
(4)
Nothing in this chapter shall displace any other available remedies or rights authorized
under the laws of this state or the United States.
Section 6. Section
13-76-404
is amended to read:
13-76-404
Effective
upon governor's approval
. Application and limitations.
Nothing in this chapter shall be construed to:
(1)
prevent an app store provider or developer from taking reasonable measures to:
(a)
block, detect, or prevent distribution to minors of:
(i)
unlawful material;
(ii)
obscene material; or
(iii)
other harmful material;
(b)
block or filter spam;
(c)
prevent criminal activity; or
(d)
protect app store or app security;
(2)
require an app store provider to disclose user information to a developer beyond:
(a)
age category
data
; or
(b)
verification of parental consent status;
(3)
allow an app store provider or developer to implement measures required by this
chapter in a manner that is:
(a)
arbitrary;
(b)
capricious;
(c)
anticompetitive; or
(d)
unlawful;
(4)
require an app store provider or developer to obtain parental consent for an app that:
(a)
provides direct access to emergency services, including:
(i)
911;
(ii)
crisis hotlines; or
(iii)
emergency assistance services legally available to minors;
(b)
limits data collection to information necessary to provide emergency services in
compliance with 15 U.S.C. Sec. 6501 et seq., Children's Online Privacy Protection
Act;
(c)
provides access without requiring:
(i)
account creation; or
(ii)
collection of unnecessary personal information; and
(d)
is operated by or in partnership with:
(i)
a government entity;
(ii)
a nonprofit organization; or
(iii)
an authorized emergency service provider; or
(5)
(4)
require a developer to collect, retain, reidentify, or link any information beyond
what is:
(a)
necessary to verify age categories and parental consent status as required by this
chapter; and
(b)
collected, retained, reidentified, or linked in the developer's ordinary course of
business
.
;
(5)
require an app store provider or developer to block access to an application that an
account holder has downloaded or installed onto a mobile device before the day on
which the obligations described in Sections
13-76-201
and
13-76-202
take effect, except
to the extent that:
(a)
a parent account revokes verifiable parental consent for an affiliated minor account;
or
(b)
a significant change to the application has occurred;
(6)
require a developer or app store provider to create, adopt, or implement an app age
rating system or content classification framework; or
(7)
displace any other available remedies or rights authorized under the laws of this state or
the United States.
Section 7.
Repealer.
Division rulemaking.
Section 8.
Effective Date.
This bill takes effect:
(1)
except as provided in Subsection (2),
May 6, 2026
; or
(2)
if approved by two-thirds of all members elected to each house:
(a)
upon approval by the governor;
(b)
without the governor's signature, the day following the constitutional time limit of
Utah Constitution, Article VII, Section 8; or
(c)
in the case of a veto, the date of veto override.
3-12-26 12:42 PM