Texas has joined the growing list of states trying to solve a real problem with a dangerous tool. Senate Bill 2420, the Texas App Store Accountability Act, is intended to protect children from inappropriate online content, exploitative design, risky in-app purchases, adult strangers, and harmful digital environments. That is a legitimate and important governmental interest. But the mechanism chosen by the statute is blunt, privacy-invasive, and conceptually mismatched to the way the Internet actually works.

The law requires app stores operating in Texas to verify the age category of every user when the user creates an account. It then requires parental consent before minors may download an app, purchase an app, or make in-app purchases. It further requires developers to assign age ratings to apps and in-app purchases using statutory age categories: Children under 13, younger teenagers ages 13 to 15, older teenagers ages 16 to 17, and adults 18 and older. See Tex. Bus. & Com. Code ch. 121, added by Tex. S.B. 2420, 89th Leg., R.S. (2025).

In late May 2026, the Fifth Circuit allowed the statute to go into effect temporarily by staying a district court injunction. The administrative stay did not decide the merits. It simply suspended Judge Robert Pitman’s preliminary injunction while the appeal proceeds. Judge Pitman had found that the statute likely violated the First Amendment, comparing it to a law requiring every bookstore to verify the age of every customer at the door and then obtain parental consent before a child could enter or buy a book. Computer & Communications Industry. Ass’n v. Paxton, No. 1:25-cv-01660, W.D. Tex. Dec. 23, 2025; Students Engaged in Advancing Texas v. Paxton, No. 1:25-cv-01662, W.D. Tex. Dec. 23, 2025; Paul Cobler, Texas’s age verification law allowed to go into effect for now, Tex. Tribune, May 28, 2026.

The problem is not that Texas wants parents to have better tools. The problem is that the statute requires platforms and developers to collect, process, classify, transmit, and retain information about users that many of them neither need nor want. To protect children, the law creates a surveillance architecture for everyone.

That is the paradox of age verification law. A privacy-protective law begins by demanding more identification. A child-safety statute begins by requiring the collection of personal data about children. A law designed to reduce risk creates new databases of age status, parental relationships, consent decisions, and app usage. Those data sets will be valuable to advertisers, litigants, hackers, government investigators, and every plaintiff’s lawyer who later wants to know what the platform knew, when it knew it, and why it classified the app the way it did.

Texas tries to mitigate this by limiting collection to the “minimum amount necessary” and requiring encryption. That is better than nothing. But “minimum necessary” is not the same as “unnecessary.” The statute still requires app stores to determine age categories, verify adults, affiliate minors with parent accounts, maintain consent records, disclose rating information, and provide developers with age-category and consent-status information. The statute, therefore, forces the creation of precisely the kind of age-and-identity infrastructure that privacy law otherwise tries to avoid.

The statute also assumes that apps can be labeled like cans of peas. They cannot. A can of peas has ingredients, nutritional content, an expiration date, and a manufacturer. An app is a dynamic environment. It may change daily. It may contain user-generated content. It may include chat, messaging, geolocation, live video, advertising, third-party plug-ins, AI-generated recommendations, in-app purchases, and community interaction. Its risk profile may depend less on what the developer built than on who shows up, what they say, and how they behave.

A video game platform may contain content that is appropriate for teenagers. But other users on the platform may not be appropriate for teenagers. A mapping app may help a child find a library, a hospital, or a bus stop. The same app may help locate a liquor store, a strip club, or the home address of another child. A camera app may be used for homework, sextortion, journalism, bullying, or evidence preservation. A payment app may be used to buy lunch or to facilitate fraud. A browser is not “for” one thing. Neither is a social platform, search engine, generative AI tool, messaging app, dating app, game, map, or marketplace.

The statute’s age-rating requirement, therefore, has a standards problem. Developers must assign age ratings and identify the “specific content or other elements” that led to the rating. But the statute does not provide a workable substantive standard for what makes an app appropriate for a 12-year-old, a 15-year-old, a 17-year-old, or an adult. It does not explain how to classify mixed-use apps, general-purpose tools, AI systems, browsers, educational platforms, communications tools, or services where most of the risk comes from other users rather than the app itself.

That ambiguity creates civil liability risk. Texas makes violations actionable as deceptive trade practices. If a developer rates an app as appropriate for younger teenagers and a minor is later harmed, the rating itself becomes Exhibit A. Plaintiffs will argue that the developer failed to warn, mislabeled the app, misrepresented its risks, or failed to anticipate foreseeable misuse. Regulators will argue that the label was false, misleading, or incomplete. Developers will respond by over-warning, over-classifying, or excluding minors altogether. That is not child protection. It is liability management.

The First Amendment problem follows directly from this structure. The law burdens access to lawful speech by requiring age verification and parental consent before minors can download apps used for reading, learning, organizing, communicating, creating, and political participation. It also burdens adult access because age verification systems generally require adults to prove they are adults. The Supreme Court has treated minors’ access to speech differently in some contexts, particularly sexually explicit material harmful to minors, but it has also warned that the government may not reduce the adult population to reading only what is fit for children. See Reno v. ACLU, 521 U.S. 844 (1997).

Texas will rely heavily on Free Speech Coalition, Inc. v. Paxton, 606 U.S. ___ (2025), where the Supreme Court upheld age-verification requirements for websites containing material harmful to minors. But SB 2420 is broader. It is not limited to pornography sites or material obscene to minors. It applies at the app-store level to the distribution of general-purpose software, including apps used for news, education, religion, political advocacy, communication, navigation, productivity, art, entertainment, and commerce. That breadth matters.

Texas is not alone. Utah enacted a similar App Store Accountability Act, requiring app stores to verify user age categories and obtain parental consent before minors download apps or make in-app purchases. Louisiana has passed similar legislation. California has pursued a different but related model through the California Age-Appropriate Design Code Act, which imposes obligations on businesses likely to be accessed by children, including duties related to privacy, design, and risk assessment. See Utah S.B. 142, 66th Leg., Gen. Sess. (2025); NetChoice, LLC v. Bonta, 113 F.4th 1101 (9th Cir. 2024); NetChoice, LLC v. Bonta, No. 25-2366, 9th Cir. Mar. 12, 2026.

These laws share a common assumption: That child safety can be engineered through age classification, parental consent, and platform accountability. Sometimes it can. App stores can provide parental controls. Developers can create safer defaults. Platforms can restrict adult messaging to minors, limit geolocation sharing, reduce manipulative design, prevent targeted advertising to children, and make reporting easier. Those are targeted safety measures. But universal age verification is different. It changes the architecture of access.

The better model is risk-specific, data-minimizing, and context-sensitive. Laws should focus on harmful conduct and harmful design: Adult contact with minors, sexual exploitation, dark patterns, addictive monetization, nonconsensual geolocation exposure, targeted advertising to children, algorithmic amplification of self-harm content, and deceptive billing. They should not require every user of every app store to present age credentials as the price of digital life.

The Internet is not a can of peas. It cannot be labeled once, placed on a shelf, and safely consumed by everyone in the same way. It is interactive, mutable, social, adversarial, and constantly repurposed. A statute that treats apps as static products will both overreach and underprotect. It will collect too much data from too many people while still failing to stop the harms that arise from misuse, manipulation, and human behavior.

Texas is trying to protect children. But in cybersecurity and privacy law, means matter. A child-protection law that requires unnecessary identity collection, vague labeling, broad access restrictions, and litigation-driven over-warning may make children no safer while making everyone less private. That is not accountability. That is a label slapped on a moving target.

Recent Articles By Author

• Florida Sues OpenAI Over ChatGPT “Safety”
• 23andMe and the Incident Response Problem Written in DNA
• Give a Mouse a Cookie – California Court Partially Dismisses Cookie Tracking Case Against Capitol One Under “No Harm, No Foul” Doctrine

More from Mark Rasch