Apple App Store age verification in Texas: new rules explained

Starting today, anyone creating a new Apple Account in Texas must confirm their age before accessing the App Store. SB 2420, signed into law in May 2025, was supposed to take effect January 1 but was blocked by a federal district court in December 2025. The Fifth Circuit stayed that injunction on June 1, allowing enforcement to resume while the constitutional question remains open.

The rules apply only to new Apple Accounts created in Texas. Existing accounts are not affected, according to MacRumors. What has changed is the on-ramp: new accounts now require an age confirmation, and any account belonging to a minor must be linked to a parent before that minor can download an app or make a purchase.

Enforcement is live. Whether the law survives scrutiny is another matter entirely.

What Texas SB 2420 requires from app stores

SB 2420 requires app store operators to use "commercially reasonable methods" to determine each new account holder's age at the time of account creation, per the bill text. The statute defines four age brackets: under 13, ages 13 to 15, ages 16 to 17, and adults 18 and older. Any account outside the adult category must be linked to a parent or guardian account, and that parent must consent before the minor can download apps or make purchases, the Texas Tribune reported last week.

Apple's public implementation, as described in its developer guidance, presents this as a single threshold: new account holders in Texas confirm whether they are 18 or older. Those who are not must join a Family Sharing group under a parent or guardian account. Parents can also revoke consent for any app they previously approved, with immediate downstream effects on the minor's access, per Apple Developer.

Apple has not publicly disclosed what verification method it is actually using. The statute permits "commercially reasonable methods" without specifying what those must be, so it remains unclear from available reporting whether the confirmation step involves self-declaration, identity document checks, or something else. There is also a gap between the statute's four-bracket framework and what Apple has described publicly. The law requires sub-categorization among minors; Apple's guidance describes a binary adult/minor split at account creation. How those sub-categories map to Apple's Family Sharing structure is not explained in any available source.

On data protection, the statute limits personal data collection to the minimum necessary for age verification, parental consent, and compliance recordkeeping, and requires transmission using industry-standard encryption, per the bill text.

Google's Play Store is also covered by SB 2420, though how Google has implemented compliance is not addressed in available reporting, MacRumors noted.

What developers are now on the hook for under Texas age verification rules

Apple has built the account-level infrastructure, but the statute places direct obligations on app developers. Under Section 121.054, developers must use information provided by the app store to verify each user's assigned age category and confirm that parental consent is in place for any minor. Account-level controls are not enough on their own.

Apple is providing four tools to support this. The Declared Age Range API lets developers retrieve an account's assigned age category. The Significant Change API, within the PermissionKit framework, handles cases where an app undergoes a meaningful update requiring renewed parental approval. A new age rating property type in StoreKit rounds out the in-app compliance layer. App Store server notifications fire when a parent revokes consent for a specific app, so developers can respond accordingly, per Apple Developer.

The sharpest unresolved issue is the "significant change" standard. Apple's guidance states that "it's the developer's responsibility to determine when there's a significant change to their app," per Apple Developer. The statute does not define the term with precision, and Apple has offered no clearer threshold. Developers must make their own judgment calls on whether a given update a new monetization feature, a content category shift, a redesigned onboarding flow crosses the line and requires re-consent. Civil penalties of up to $10,000 per violation are waiting on the wrong answer, according to MacRumors.

The legal fight that isn't over

The law is being enforced today on procedural grounds, not because it survived constitutional review. The Fifth Circuit's June 1 action was an administrative stay: it temporarily suspends the lower court's injunction while the appeals court conducts a fuller review, and says nothing about whether the district court's First Amendment analysis was correct, the Texas Tribune reported last week.

The district court's December 2025 ruling was pointed. Judge Robert Pitman compared the law to requiring every bookstore to card customers at the door and obtain parental permission before any minor could buy a book a system that burdens all users to restrict access for a subset, AppleInsider reported. He found the law "more likely than not unconstitutional" and likely in violation of the First Amendment.

Texas Attorney General Ken Paxton has argued the opposite. "Texas has not only the right, but the duty, to protect children from the harms of our modern digital space," Paxton wrote after the stay was issued, according to the Texas Tribune. "Parents deserve to know what their children are downloading and to have the ability to stop them from accessing harmful or inappropriate content." The legislature built data minimization and encryption requirements into the statute, an apparent attempt to address privacy objections, but those provisions do not touch the First Amendment question the district court raised, per the bill text.

Apple opposed the law before it passed. CEO Tim Cook personally called Governor Greg Abbott urging a veto; Abbott signed it anyway, MacRumors reported. Lobbying and advertising efforts having failed, AppleInsider reported, Apple turned to building compliance infrastructure. The company first outlined its planned changes in October 2025, when January 1 was still the target effective date. The December injunction paused the rollout; last week's stay allowed it to resume.

Three things remain genuinely unresolved. Apple has not disclosed what verification method it is actually using. Developers must determine on their own what qualifies as a "significant change" requiring re-consent, with civil penalties of up to $10,000 per violation if they judge wrong. And the law's constitutional status is unsettled: a federal judge called it likely unconstitutional, and the Fifth Circuit has yet to rule on the merits.

Apple, developers, and Texas users are now operating inside a compliance framework that the same court system could still unwind. The Fifth Circuit's fuller review is the next consequential moment, and until it arrives, everything that went live today sits on provisional legal ground.