In May 2025, the state of Texas passed Senate Bill 2420 (SB 2420), also known as the “App Store Accountability Act”. The law will take effect on January 1, 2026.

Texas’s Child-Safety Bill introduces significant new obligations related to age verification, parental consent, and personal data processing. It requires app stores to obtain parental consent before minors can download apps.

Texas follows Utah, which adopted a similar law earlier this year.

Read about the key provisions of the App Store Accountability Act, what SB 2420 means for your business, and how to stay compliant with Texas’s New Child-Safety law.

How Texas’s SB 2420 Expands Online Child Protection and Data Privacy Rules

In May 2025, Texas Governor Greg Abbott signed an online child safety bill that requires Apple and Google to verify the age of users in Texas.

SB 2420 mandates that app stores link parent and minor accounts to obtain parental consent, prevent downloads without parental approval, and share user age and consent data with developers.

Under the law, children are considered individuals under 13.

Effective date: January 1, 2026.

The main requirements of SB 2420

Here are the requirements for compliance:

• Age verification
  App stores must verify the age of all users in Texas. Under SB 2420, app-store operators and the developers distributing through them must use a “commercially reasonable method of verification” of the user’s age at account creation. Age categories are defined as: child (<13), younger teenager (13-15), older teenager (16-17), and adult (18+).
• Age rating of apps
  Apps must assign and disclose age ratings for apps and in-app purchases.
• Account affiliation
  Businesses must affiliate minor accounts with verified parent/guardian accounts.
• Parental consent for minors
  For users under 18, parents must provide explicit parental consent for each app download, purchase, and in-app purchase.
• Age and consent information sharing
  SB 2420 requires app stores to share age and consent information with developers.
• App developer requirements
  The law mandates disclosing the age rating for each software application and purchase. Developers must assign age ratings to their apps, underlying content elements used for the rating, and notify app stores of any software updates.
• Data minimization and retention
  App stores must limit personal data collection from minors and process personal data only to the extent necessary to verify age, obtain consent, and maintain compliance records. When the data is no longer needed, it must be deleted.
• Data safeguards
  App stores must protect user data by storing and transmitting data using industry-standard encryption and secure data-handling practices.

Who does SB 2420 apply to?

New Texas’s Child-Safety Bill applies to:

• Businesses, platforms, and vendors, that distribute mobile or software applications to Texas residents.
• App developers whose apps are available through those stores.
• Businesses using third-party SDKs, analytics tools, or advertising platforms that collect data from Texas minors.

Note that Texas’s Child-Safety Bill might not be limited to traditional mobile app stores. It could also extend to platforms distributing software or apps on mobile devices beyond mobile phones such as handheld gaming devices, wearables or other hardware devices that have the capability to access such platforms to download software applications remotely.

Enforcement of Texas’s Child-Safety Bill

The law is enforced by the Texas Attorney General. Individuals (consumers or guardians) also have the right to private lawsuits.

The Act classifies all violations as deceptive trade practices under the Texas Deceptive Trade Practices-Consumer Protection Act (DTPA).

Because DTPA violations can result in significant consequences, non-compliance with the SB 2420 may raise regulatory and financial risks, including fines, injunctive relief, and attorneys’ fees.

Businesses that need to comply with SB 2420 must check user age, obtain explicit consent from parents or legal guardians, share consent with app developers, and keep parental consent for proof of compliance.

Businesses should use Consent Management Platforms (CMPs) and cookie-tracking tools to obtain age verification and store consent.

With CookieScript Cookie Scanner, you can automatically scan your website for cookies and add them to your site’s list of cookies:

Texas’s Child-Safety Bill and Data Privacy: What SB 2420 Means for Your Business

SB 2420 intersects significantly with data-privacy obligations, affecting app stores, businesses, users, and developers.

• Impact on users
  Users under 18 will need a parent or guardian to approve app access and purchases and provide explicit consent.
• Impact on developers
  Developers must adapt their apps to meet the law's age-related requirements for notifications and data management by assigning age ratings to their apps and notifying app stores of any software updates.
• Impact on pp stores
  App stores will be responsible for implementing tough age verification systems and managing the process of parental consent collection and sharing with developers.
• Impact on businesses
  SB 2420 introduces a significant burden on businesses operationally, technically, and legally.

What SB 2420 means for your business:

• Operational impact
  Texas’s Child-Safety Bill sets age verification requirements that could need new identity-verification workflows, linking children’s accounts with parent/guardian accounts, and managing consent revocation. These are non-trivial UX changes and will require significant operational development.
• Privacy engineering
  Businesses must ensure compliance with data encryption, minimization, verification, and deletion principles. All these requirements need careful engineering and testing.
• Legal impact
  Businesses must update their vendor contracts and Data Processing Agreements (DPAs) to reflect the new law. Ensure that third-party vendors are aware of and aligned to the new obligations when dealing with Texas users.
• Disclosures for users
  Businesses must update their privacy notices, terms and conditions, and Cookie Consent banners to reflect the requirements of the new Texas Child-Safety Bill. When collecting personal data from Texas users under 18, businesses must comply with additional rules — user age categories and verification, parental consent, and data minimization.
• Global compliance alignment
  SB 2420 shares some common principles with data privacy laws like GDPR or CCPA, so if you comply with these laws, compliance with the Texas’s Child-Safety Bill could be easier. However, note that SB 2420 is specific in its definitions (age categories, minor/adult, parental-linked account) and its deadline. Thus, compliance with global privacy laws is not enough – you must also comply with all specific requirements of SB 2420.

Penalties for non-compliance with SB 2420

Non-compliance with the Texas Child-Safety Bill could lead to the following consequences:

• Regulatory investigations The Attorney General could start regulatory investigations and issue financial fines or other enforcement actions.
• Private lawsuits: Individuals (consumers or guardians) also have the right to civil action against app stores.
• Reputational risk: Failure to comply with SB 2420 could decrease brand trust and lead to regulatory inquiries.

Child online privacy regulation is not unique for Texas. In Utah, similar regulation was passed even before SB 2420.  Other states consider similar legislation as well, so you need to prepare your business for the new requirements of Texas law and monitor for other state obligations.

Use Consent Management Platform like CookieScript to access the user’s geo-location, obtain parental user consent, and store it for proof of compliance.

Navigating SB 2420: How to Stay Compliant with Texas’s New Child-Safety Law?

Businesses working with children or teens, or operating in Texas, must take proactive steps to achieve compliance with the App Store Accountability Act:

1. Conduct Data Protection Impact Assessment (DPIA)
   Evaluate whether you have minors in Texas. Which of your products or apps are affected?
2. Stuff training
   Get product, engineering, legal, marketing and compliance teams aligned on SB 2420. Incorporate SB 2420 into your privacy risk register, vendor-management program, and global data-protection roadmap.
3. Vendor & partner review
   Identify third-party SDKs, ad networks, payment processors, and app-store relationships that involve Texas minors.
4. Audit your age and consent flows
   Are you currently distinguishing minors and adults, linking parent and child accounts, and verifying age? If not, implement necessary changes.
5. Update UX/UI design
   Implement parental consent flows, age-category verification, child/teen/adult account separation, and affiliate parent account linkage.
6. Privacy engineering
   Align with data collection minimization, secure transmission, and deletion principles, and maintain consent logs for proof of compliance.
7. User notification
   Update privacy notices, T&Cs, and Cookie Consent banner to reflect SB 2420 obligations.
8. Log user consent
   Log all parental consent for audits and proof of compliance.
9. Comply with the data minimization principle
   Keep just the minimal personal data you need. Delete the personal data after age verification is complete.
10. Implement an incident and complaint mechanism
    Prepare processes for parent/guardian complaints, revocation of consent, audits, and external inquiries.
11. Get ready for review and update
    Developers must notify app stores if they change data collection, add new purchases, or ads. Prepare processes for updates of your new app version, new monetization features, in-app purchases, or ads.
12. Implement geo-targeting & user segmentation
    Because SB 2420 is specific to Texas, it may make sense to deploy region-specific flows for Texas users rather than globally disrupting your user base.
13. Implement privacy by design & default principles
    Integrate age and consent flows early in product design.
14. Document your decision-making
    Keep internal documents, assessments, design decisions, vendor reviews and mitigation steps on file to demonstrate good-faith compliance.
15. Use a Consent Management Platform (CMP)
    Implement a CMP to deliver cookie banners, obtain and store parental consent to reflect that for Texas minors (including age verification, parent account affiliation, and consent for each download/purchase).

CookieScript can help businesses to comply with SB 2420. It can:

• Determine user location, so businesses know whether they target Texas residents.
• Display localized consent banners for Texas users.
• Deliver cookie notices, so that users become aware of the SB 2420 requirements.
• Collect and manage verifiable parental consent.
• Record audit logs for consent and age verification for proof of compliance for regulators or auditors.
• Automate data deletion workflows post-verification.
• Block third-party cookies before consent is given.

In 2025, CookieScript received the fourth consecutive badge in a row as the leader on G2, a peer review site, and became the best CMP on the market for a whole year! 

Frequently Asked Questions

What is Texas SB 2420?

Texas Senate Bill 2420, also known as the App Store Accountability Act, is a law in Texas that will come into force on January 1, 2026, and is designed to protect minors online. It requires app stores and developers to verify user age categories, obtain parental consent for minors, safeguard personal data during the verification process, and prevents downloads without parental approval. Use CookieScript CMP to obtain and store parental consent.

When does SB 2420 go into effect?

SB 2420 takes effect on January 1, 2026. Businesses operating in or serving users in Texas should have their compliance mechanisms ready before that date. Use CookieScript CMP to comply with SB 2420.

Who must comply with SB 2420?

New Texas’s Child-Safety Bill applies to businesses, platforms and vendors, that distribute mobile or software applications to Texas residents, app developers whose apps are available through those stores, and businesses using third-party SDKs, analytics tools, or advertising platforms that collect data from Texas minors. CookieScript CMP can help you to obtain user consent and comply with the bill.

What are the main requirements of SB 2420?

The key obligations include verifying the user’s age category at account creation, affiliating minor accounts with verified parent/guardian accounts, obtaining explicit parental consent before minors download or purchase apps, assigning and disclosing age ratings for apps and in-app purchases, limiting data collection and retention to what is necessary for verification, and using encryption and secure data-handling practices.

What happens if my business doesn’t comply with SB 2420?

Non-compliance could result in regulatory investigations by the Attorney General of Texas, private lawsuits, and reputational risk. CookieScript CMP can help you to deliver a compliant cookie notice, obtain and store user consent, and comply with the bill.

Are there any exemptions to SB 2420?

Currently, there are no exemptions to SB 2420SB. The law does not exempt even small developers or platforms based outside Texas if they serve Texas minors. Use CookieScript CMP to deliver a compliant cookie notice, obtain and store user consent, and comply with the bill.

What documentation should be kept for compliance proof?

In the cases of audits or legal inquiries, businesses must keep records of age verification logs, parental consent and revocation events, privacy notice updates, data deletion and encryption processes, and vendor compliance checks. Use CookieScript CMP to deliver compliant cookie notice and obtain and store parental consent.