← All Publications
July 8, 2026

Age Data for App Developers Primed to Trigger Cascading Effects

In this Cybersecurity Law & Strategy article, Zach Lerner and Rushil Mehta examine how app store accountability laws, now enacted in states including Texas, Utah, Louisiana, California, and Alabama, are fundamentally altering the children’s privacy risk model for app developers, stripping away the longtime defense that businesses simply did not know whether minors were using their services. Please note the original newsletter is paywalled.

The piece breaks down the cascading compliance obligations that follow once a developer receives age or consent signals from an app store, touching on COPPA, state comprehensive privacy laws, teen privacy statutes, and age-appropriate design code laws. Zach and Rushil also lay out concrete steps companies should take now, from pinpointing which processing activities will be affected to designating a system of record for age category and parental-consent status.

“The children’s privacy landscape is shifting from ‘Do we target children?’ to ‘What do we know, and what should we do once we know it?'” Zach and Rushil wrote. “…Once developers receive reliable age or consent signals, their compliance posture may materially change. The company will have knowledge, and with knowledge comes obligation.”

Read the newsletter here →


The children’s privacy risk model is changing in the United States. Historically, many businesses could credibly say they did not know whether children or teens were using their apps and services. Now, that defense is becoming harder to sustain, bringing with it a wave of potential compliance obligations.

User Age Incoming

App store accountability laws passed by state legislatures over the past few years are designed to make age and consent signals from app stores available to app developers. For users in some states, app stores will be required to verify the age of app store users and that information will be available to developers through a signal that contains their age category (e.g., younger than 13; at least 13 but younger than 16; at least 16 but younger than 18; and at least 18). Once those signals are received, developers will possess new information about the ages of specific users and the composition of their user base, creating legally sufficient knowledge that may trigger obligations with respect to those specific users and potentially the platform design as a whole.

Many children’s privacy and online-safety laws begin with a question about the platform’s audience: does the company know it has minor users, is the service directed to minors, or are minors reasonably likely to access it? App store accountability laws change the sequence by applying broadly to covered app distribution channels (i.e., app stores) and then requiring those app stores to make age signals available to developers who must be prepared to operationalize them. As such, all app developers will be impacted. For example, a fitness platform with an Android app that historically treated itself as adult/general audience as well as a B2B platform with an iOS app are in scope, meaning developers cannot assume these laws are irrelevant simply because the app is intended for adults.

As a result, many app developers will — for the first time — receive information about whether a user is a minor and whether parental consent to use their service has been obtained. This can trigger obligations under the Children’s Online Privacy Protection Act (COPPA), state comprehensive privacy laws, teen privacy statutes and online safety regimes. For instance, the fitness platform may need to rethink its approaches to targeted-advertising, profiling, consent and cross-surface account controls.

TexasUtahLouisianaCalifornia and Alabama have enacted App Store Accountability Acts. Though the architectures, requirements and implementation timelines vary, two key points are consistent: 1) Age signals will be provided by app stores, and 2) Though app developers have independent compliance obligations, they are partially beholden to the information and tools provided by app stores.

To be clear, not every app store signal will automatically trigger every children’s privacy statute. However, once a developer receives user-level age category or consent information, it may have legally significant knowledge for some regimes, and, at minimum, a record of age data that regulators and plaintiffs may try to leverage in future investigations, enforcement actions and litigation. When a developer receives age-category information, the platform must be prepared to act on it and address its cascading implications. It is critical to closely follow the enactment of these app store accountability laws (including the constitutional challenges that may cause enforcement of these laws to be delayed) as well as guidelines and rules imposed by Apple, Google and other app store platforms. Developers should distinguish between user-level age-category signals, parental-consent-status indicators, aggregate audience metrics, and internally inferred age attributes, as each may carry different legal significance.

Why This Matters

At the same time state legislatures are passing app store laws that are poised to provide platforms with age information, the patchwork of state children’s privacy laws is growing. Children’s privacy is no longer a narrow COPPA issue, nor are compliance obligations focused on apps “directed to children.” Laws increasingly apply based on what a company knows, what it willfully disregards, or whether minors are reasonably likely to access the service — information that is being provided by, or arguably can be deduced from, app store signals.

That shift has practical consequences. A specific signal indicating a particular user is under 13 or 16 or 18 may raise actual knowledge issues, while broader age-related demographic evidence may implicate state-law standards, design-code obligations, and whether the company can continue treating the service as general audience. A company may need to alter its targeted advertising practices, consent flows, data retention, product defaults, and internal data uses (such as user profiling) once it has reason to know a user is a minor. Once age information enters the system, what previously passed muster as general audience processing may look more like a regulated use of data belonging to a minor. Blocking certain users from using the service may be a partial fix, but that approach brings with it business consequences and is not a one-stop solution to minor’s privacy in the U.S.

The risk is not limited to regulatory enforcement. Once a company receives age information, plaintiffs may argue that the company had notice of minor use and failed to adjust advertising, addictive design, safety or data-use practices accordingly.

Determining a compliance strategy is particularly fraught because of the rapid introduction of state laws applying to minors, paired with sporadically successful injunctions won by trade organizations seeking to stop the enforcement of such laws. Though enforcement of many laws has been paused, there are still currently effective app store accountability laws, state privacy laws, and age-appropriate design code laws (AADCs) — each with its own set of obligations.

The Federal Baseline

The Children’s Online Privacy Protection Act remains the federal floor. In effect since 2000, COPPA imposes a notice and consent framework for users under 13 online. It applies to online services directed to children under 13 and to operators with actual knowledge that they collect personal information from children under 13. The Federal Trade Commission’s 2025 COPPA Rule amendments emphasize obtaining separate verifiable parental consent before disclosing children’s personal information to third parties for purposes such as targeted advertising, making app-store under-13 signals especially consequential for ad-tech, analytics, and SDK governance, not just for sign-up flows.

For businesses that have considered themselves out of scope of COPPA, a signal that a segment of users is under 13 may challenge previously held assumptions. If the business intends to permit those under 13 users to use the services, it must meet COPPA’s extensive requirements. If the platform decides not to allow such users and is not otherwise directed to children (a multi-factor and fact-specific test), the platform can block those under 13 users. However, merely blocking them from using the app may not be enough — the business must also consider whether that same user is already a known user (e.g., through a web interface) and may need to block them from accessing the service through those mediums as well. Additionally, depending on the scale of under 13 age signals received, the underlying data may challenge the business’s position that it is not “directed to children.” Regardless of approach, some action may be required to address COPPA where previously the law was not a consideration (or an afterthought) for many platforms.

States Raise the Stakes

In recent years, states have enacted a range of privacy laws aimed at protecting children and minors under 18. They do so through different mechanisms: consent requirements, targeted-advertising restrictions, data-minimization rules, or safety duties, often imposing age knowledge as a trigger for applicability. As such, when app stores provide developers with an age signal identifying the age range of specific app users to comply with app store accountability laws, developers will accumulate knowledge that may trigger compliance with state privacy laws. Again, a platform may choose not to permit users under 16 or 18 years old (similar to banning under 13 due to COPPA), however it may not be such a clear-cut decision. Teens may constitute a sizeable portion of the userbase or otherwise be important to the platforms’ growth plans or brand recognition. Additionally, building an infrastructure to exclude minors (not only within the app but across other surfaces where that individual interacts with the service) will require resources.

Many comprehensive state privacy laws include special protections for children under 13 as well as teens, often ages 13 through 17 (though the exact age ranges vary). These provisions typically apply when a business knows, or willfully disregards, that the user is a minor. The details vary materially. Some require consent before processing known minors’ data for targeted advertising or sale (NJ), while others impose outright restrictions for certain age bands or certain covered services (MD). The issues will be particularly pronounced in California where an app store accountability law is set to take effect in 2027, which will compound obligations under the state’s existing privacy regime imposed by the California Consumer Privacy Act.

The New York Child Data Protection Act is especially relevant. It applies to platforms that know their users are minors or whose services are primarily directed to minors. Note that even if minors are blocked, if a portion of service is deemed primarily directed to minors, the platform may still have obligations. The law provides that covered operators may not process personal data of users ages 13 to 18 unless the processing is strictly necessary for a defined permissible purpose or supported by informed consent. Routine marketing or internal business uses may not fit within those permissible purposes. That creates a direct governance issue. Once a company receives age information from an app store or another source, it must know where that information flows, which systems use it, and which downstream processing activities must change.

Arkansas also has a state-specific law, H.B.1717 (2025), that applies to platforms directed at children or teens or when the operator has actual knowledge that it is collecting personal information from children or teens. The law, modeled after COPPA, requires that the collection of a teen’s information must be consistent with the particular service or relationship with the teen. Extending some COPPA obligations to teens (an approach that Congress has been considering for years), will impose a number of compliance obligations. Again, blocking known minors may bring a platform out of scope, but if it is still considered directed at teens, then the law applies.

The practical consequence is that an app store age signal may require a state-by-state control matrix rather than a single nationwide rule.

Design Laws Expand the Inquiry

AADCs are a separate category of laws that do not depend solely on actual knowledge of a specific user’s age. These laws ask whether minors are reasonably likely to access the service — though one factor here is if the platform has actual knowledge of minor users. Nebraska and Vermont AADCs provide exceptions for services with actual knowledge that fewer than 2% of users are under 18.

AADCs focus on product design, default settings, transparency, profiling, dark patterns, and foreseeable harms. These laws can require companies to assess their likely audience before launch, configure privacy-protective defaults, explain privacy practices in age-appropriate language, and restrict profiling or tracking by default.

This means children’s privacy is a multi-faceted challenge. Product, engineering, data science, advertising, trust and safety, and compliance teams all need a shared operating model. Additionally, blocking users under 18 is not a standalone solution here. These laws apply based on if the service is reasonably likely to be accessed by minors, so factors like content and advertising may tip the scale into applicability even if known minor users are blocked.

The receipt of age signals may trigger additional compliance complications in specific industries and use cases. For instance, as a result of recently enacted AI chatbot regulations, an app store age signal in the hands of a developer of a companion chatbot may trigger additional privacy control and safety escalation obligations.

Compliance Action Items

To prepare for the compliance obligations that app store age and consent signals may trigger, companies should consider the following action items:

  • Determine when and how the company will receive age category information from app stores.
  • Identify which processing activities and product design will be impacted, including targeted advertising, profiling, personalization, retention, marketing, analytics and disclosures to third parties.
  • Decide which, if any, potential users need to be subject to restrictions, including a potential total ban from the platform.
  • Consider compliance for existing users and current practices, including actions to take based on imputed knowledge about userbase makeup.
  • Designate the system of record for age category and parental-consent status and determine which teams may access the signal.

The Bottom Line

The children’s privacy landscape is shifting from “Do we target children?” to “What do we know, and what should we do once we know it?”

App store accountability laws may make that question unavoidable. Once developers receive reliable age or consent signals, their compliance posture may materially change. The company will have knowledge, and with knowledge comes obligation.

For business leaders, the priority is not just monitoring new children’s privacy laws. It is building the internal machinery to recognize minor-status signals, route them correctly, and change data practices accordingly.


Reprinted with permission from the July 2026 issue of Cybersecurity Law & Strategy. © 2026 ALM Media Properties, LLC. Further duplication without permission is prohibited.  All rights reserved.