App Stores Shouldn’t Have to Parent the Internet

Lawmakers in Congress and several states, including Texas, Utah, and Louisiana, have been considering rules that would require app stores to verify users’ ages and obtain parental consent. But a recent federal court decision blocking Texas’s law highlights the risks of this approach: App-store–level mandates can invade privacy, chill adult access to legal content, and leave websites unregulated. Congress can adopt a better approach by requiring device-level, opt-in parental controls that give parents meaningful oversight while avoiding these constitutional and practical pitfalls.

While legislation requiring app stores to verify users’ age may seem appealing,— it would be less burdensome than registering a user’s age on every single online platform and give parents more oversight over the apps their children can use—it would also create a considerable gap between apps and websites, while simultaneously introducing serious privacy risks, threatening legitimate adult access to legal content, and undermining online anonymity.

One of the major federal bills targeting app-level age verification is the App Store Accountability Act. The Senate version is sponsored by Senator Mike Lee (R-UT), while the House version is sponsored by Representatives John James (R-MI) and Gus Bilirakis (R-FL). This bill puts the onus on app store providers to obtain verifiable parental consent before allowing a minor to download, purchase, or use apps from an app store. Aside from this federal approach, Louisiana, Texas, and Utah have all passed their own “App Store Accountability Acts” this year, with eight more states introducing similar bills.

When introducing the App Store Accountability Act, Rep. James said, “Big Tech companies [should be held] to the same standard as local corner stores,” suggesting the Federal Trade Commission (FTC) should hold app stores responsible for not providing age-restricted digital material to minors in the same way physical stores check IDs to ensure they do not sell children alcohol or tobacco. But this analogy misrepresents the privacy implications of app stores checking IDs. At a corner store, a customer shows their ID to the cashier, who glances at their birthdate to make sure they are of legal age to purchase the age-restricted product, and then hands the card back. To translate this online, the user would instead upload that ID, turning over not just their birthdate but full name, address, gender, and other personal information to the app store, which could keep a copy. This subjects consumers to increased risk of data breaches in addition to being more intrusive.

Furthermore, requiring users to disclose a copy of their identification to access legal content could spiral into chilling effects on free expression and information that extend far beyond the safety interests of children. This is more than a hypothetical concern. A federal judge blocked enforcement of Texas’ age verification law over First Amendment concerns for imposing content-based restrictions on speech. Adults have the right to access legal sexual content online, which nearly every major social media platform hosts in some form. Children, meanwhile, have a right to access information that some people might find controversial, such as political debates, mental health topics, and LGBTQ+ content.

Finally, app store-level age verification does nothing to address age-restricted material that children encounter on websites. The result is that the legislation would prevent minors, for example, from downloading gambling apps, but would not prevent them from going to gambling websites.

A more effective approach involves device-level parental controls that create an opt-in “trustworthy child flag” for user accounts, available when first setting up a device and later in a device’s settings, that signals to apps and websites that a user is underage and requiring apps and websites that serve age-restricted content to check for this signal for their users and block underage users from this content. Congress should pass legislation to formalize this approach to give parents more control over their children's online experience, avoid any impact on adult access to legal content online, and sidestep the privacy and security risks of age verification.

Ultimately, while app store-level age verification may appear to simplify the complex challenge of protecting children online, it falls short of providing comprehensive safety and introduces significant privacy drawbacks. By failing to cover websites and requiring invasive identity disclosure, it creates gaps in protection and risks to privacy that opt-in, device-level controls avoid. A device-level approach offers a more holistic solution—one that protects children across their entire digital experience, preserves adult access to legal content, and empowers parents with meaningful control.