- cross-posted to:
- technology@beehaw.org
- privacy@lemmy.dbzer0.com
- privacy@lemmy.world
- cross-posted to:
- technology@beehaw.org
- privacy@lemmy.dbzer0.com
- privacy@lemmy.world
cross-posted from: https://lemmy.world/post/37439450
S.B. No. 2420
AN ACT relating to the regulation of platforms for the sale and distribution of software applications for mobile devices. BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: SECTION 1. Subtitle C, Title 5, Business & Commerce Code, is amended by adding Chapter 121 to read as follows: CHAPTER 121. SOFTWARE APPLICATIONS SUBCHAPTER A. GENERAL PROVISIONS Sec. 121.001. SHORT TITLE. This chapter may be cited as the App Store Accountability Act. Sec. 121.002. DEFINITIONS. In this chapter: (1) “Age category” means information collected by the owner of an app store to designate a user based on the age categories described by Section 121.021(b). (2) “App store” means a publicly available Internet website, software application, or other electronic service that distributes software applications from the owner or developer of a software application to the user of a mobile device. (3) “Minor” means a child who is younger than 18 years of age who has not had the disabilities of minority removed for general purposes. (4) “Mobile device” means a portable, wireless electronic device, including a tablet or smartphone, capable of transmitting, receiving, processing, and storing information wirelessly that runs an operating system designed to manage hardware resources and perform common services for software applications on handheld electronic devices. (5) “Personal data” means any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the data is used by a person who processes or determines the purpose and means of processing the data in conjunction with additional information that reasonably links the data to an identified or identifiable individual. The term does not include deidentified data or publicly available information. SUBCHAPTER B. DUTIES OF APP STORES Sec. 121.021. DUTY TO VERIFY AGE OF USER; AGE CATEGORIES. (a) When an individual in this state creates an account with an app store, the owner of the app store shall use a commercially reasonable method of verification to verify the individual’s age category under Subsection (b). (b) The owner of an app store shall use the following age categories for assigning a designation: (1) an individual who is younger than 13 years of age is considered a “child”; (2) an individual who is at least 13 years of age but younger than 16 years of age is considered a “younger teenager”; (3) an individual who is at least 16 years of age but younger than 18 years of age is considered an “older teenager”; and (4) an individual who is at least 18 years of age is considered an “adult.” Sec. 121.022. PARENTAL CONSENT REQUIRED. (a) If the owner of the app store determines under Section 121.021 that an individual is a minor who belongs to an age category that is not “adult,” the owner shall require that the minor’s account be affiliated with a parent account belonging to the minor’s parent or guardian. (b) For an account to be affiliated with a minor’s account as a parent account, the owner of an app store must use a commercially reasonable method to verify that the account belongs to an individual who: (1) the owner of the app store has verified belongs to the age category of “adult” under Section 121.021; and (2) has legal authority to make a decision on behalf of the minor with whose account the individual is seeking affiliation. © A parent account may be affiliated with multiple minors’ accounts. (d) Except as provided by this section, the owner of an app store must obtain consent from the minor’s parent or guardian through the parent account affiliated with the minor’s account before allowing the minor to: (1) download a software application; (2) purchase a software application; or (3) make a purchase in or using a software application. (e) The owner of an app store must: (1) obtain consent for each individual download or purchase sought by the minor; and (2) notify the developer of each applicable software application if a minor’s parent or guardian revokes consent through a parent account. (f) To obtain consent from a minor’s parent or guardian under Subsection (d), the owner of an app store may use any reasonable means to: (1) disclose to the parent or guardian: (A) the specific software application or purchase for which consent is sought; (B) the rating under Section 121.052 assigned to the software application or purchase; © the specific content or other elements that led to the rating assigned under Section 121.052; (D) the nature of any collection, use, or distribution of personal data that would occur because of the software application or purchase; and (E) any measures taken by the developer of the software application or purchase to protect the personal data of users; (2) give the parent or guardian a clear choice to give or withhold consent for the download or purchase; and (3) ensure that the consent is given: (A) by the parent or guardian; and (B) through the account affiliated with a minor’s account under Subsection (a). (g) If a software developer provides the owner of an app store with notice of a change under Section 121.053, the owner of the app store shall: (1) notify any individual who has given consent under this section for a minor’s use or purchase relating to a previous version of the changed software application; and (2) obtain consent from the individual for the minor’s continued use or purchase of the software application. (h) The owner of an app store is not required to obtain consent from a minor’s parent or guardian for: (1) the download of a software application that: (A) provides a user with direct access to emergency services, including: (i) 9-1-1 emergency services; (ii) a crisis hotline; or (iii) an emergency assistance service that is legally available to a minor; (B) limits data collection to information: (i) collected in compliance with the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. Section 6501 et seq.); and (ii) necessary for the provision of emergency services; © allows a user to access and use the software application without requiring the user to create an account with the software application; and (D) is operated by or in partnership with: (i) a governmental entity; (ii) a nonprofit organization; or (iii) an authorized emergency service provider; or (2) the purchase or download of a software application that is operated by or in partnership with a nonprofit organization that: (A) develops, sponsors, or administers a standardized test used for purposes of admission to or class placement in a postsecondary educational institution or a program within a postsecondary educational institution; and (B) is subject to Subchapter D, Chapter 32, Education Code. Sec. 121.023. DISPLAY OF AGE RATING FOR SOFTWARE APPLICATION. (a) If the owner of an app store that operates in this state has a mechanism for displaying an age rating or other content notice, the owner shall: (1) make available to users an explanation of the mechanism; and (2) display for each software application available for download and purchase on the app store the age rating and other content notice. (b) If the owner of an app store that operates in this state does not have a mechanism for displaying an age rating or other content notice, the owner shall display for each software application available for download and purchase on the app store: (1) the rating under Section 121.052 assigned to the software application; and (2) the specific content or other elements that led to the rating assigned under Section 121.052. © The information displayed under this section must be clear, accurate, and conspicuous. Sec. 121.024. INFORMATION FOR SOFTWARE APPLICATION DEVELOPERS. The owner of an app store that operates in this state shall, using a commercially available method, allow the developer of a software application to access current information related to: (1) the age category assigned to each user under Section 121.021(b); and (2) whether consent has been obtained for each minor user under Section 121.022. Sec. 121.025. PROTECTION OF PERSONAL DATA. The owner of an app store that operates in this state shall protect the personal data of users by: (1) limiting the collection and processing of personal data to the minimum amount necessary for: (A) verifying the age of an individual; (B) obtaining consent under Section 121.022; and © maintaining compliance records; and (2) transmitting personal data using industry-standard encryption protocols that ensure data integrity and confidentiality. Sec. 121.026. VIOLATION. (a) The owner of an app store that operates in this state violates this subchapter if the owner: (1) enforces a contract or a provision of a terms of service agreement against a minor that the minor entered into or agreed to without consent under Section 121.022; (2) knowingly misrepresents information disclosed under Section 121.022(f)(1); (3) obtains a blanket consent to authorize multiple downloads or purchases; or (4) shares or discloses personal data obtained for purposes of Section 121.021, except as required by Section 121.024 or other law. (b) The owner of an app store is not liable for a violation of Section 121.021 or 121.022 if the owner of the app store: (1) uses widely adopted industry standards to: (A) verify the age of each user as required by Section 121.021; and (B) obtain parental consent as required by Section 121.022; and (2) applies those standards consistently and in good faith. Sec. 121.027. CONSTRUCTION OF SUBCHAPTER. Nothing in this subchapter may be construed to: (1) prevent the owner of an app store that operates in this state from taking reasonable measures to block, detect, or prevent the distribution of: (A) obscene material, as that term is defined by Section 43.21, Penal Code; or (B) other material that may be harmful to minors; (2) require the owner of an app store that operates in this state to disclose a user’s personal data to the developer of a software application except as provided by this subchapter; (3) allow the owner of an app store that operates in this state to use a measure required by this chapter in a manner that is arbitrary, capricious, anticompetitive, or unlawful; (4) block or filter spam; (5) prevent criminal activity; or (6) protect the security of an app store or software application. SUBCHAPTER C. DUTIES OF SOFTWARE APPLICATION DEVELOPERS Sec. 121.051. APPLICABILITY OF SUBCHAPTER. This subchapter applies only to the developer of a software application that the developer makes available to users in this state through an app store. Sec. 121.052. DESIGNATION OF AGE RATING. (a) The developer of a software application shall assign to each software application and to each purchase that can be made through the software application an age rating based on the age categories described by Section 121.021(b). (b) The developer of a software application shall provide to each app store through which the developer makes the software application available: (1) each rating assigned under Subsection (a); and (2) the specific content or other elements that led to each rating provided under Subdivision (1). Sec. 121.053. CHANGES TO SOFTWARE APPLICATIONS. (a) The developer of a software application shall provide notice to each app store through which the developer makes the software application available before making any significant change to the terms of service or privacy policy of the software application. (b) For purposes of this section, a change is significant if it: (1) changes the type or category of personal data collected, stored, or shared by the developer; (2) affects or changes the rating assigned to the software application under Section 121.052 or the content or elements that led to that rating; (3) adds new monetization features to the software application, including: (A) new opportunities to make a purchase in or using the software application; or (B) new advertisements in the software application; or (4) materially changes the functionality or user experience of the software application. Sec. 121.054. AGE VERIFICATION. (a) The developer of a software application shall create and implement a system to use information received under Section 121.024 to verify: (1) for each user of the software application, the age category assigned to that user under Section 121.021(b); and (2) for each minor user of the software application, whether consent has been obtained under Section 121.022. (b) The developer of a software application shall use information received from the owner of an app store under Section 121.024 to perform the verification required by this section. Sec. 121.055. USE OF PERSONAL DATA. (a) The developer of a software application may use personal data provided to the developer under Section 121.024 only to: (1) enforce restrictions and protections on the software application related to age; (2) ensure compliance with applicable laws and regulations; and (3) implement safety-related features and default settings. (b) The developer of a software application shall delete personal data provided by the owner of an app store under Section 121.024 on completion of the verification required by Section 121.054. © Notwithstanding Subsection (a), nothing in this chapter relieves a social media platform from doing age verification as required by law. Sec. 121.056. VIOLATION. (a) Except as provided by this section, the developer of a software application violates this subchapter if the developer: (1) enforces a contract or a provision of a terms of service agreement against a minor that the minor entered into or agreed to without consent under Section 121.054; (2) knowingly misrepresents an age rating or reason for that rating under Section 121.052; or (3) shares or discloses the personal data of a user that was acquired under this subchapter. (b) The developer of a software application is not liable for a violation of Section 121.052 if the software developer: (1) uses widely adopted industry standards to determine the rating and specific content required by this section; and (2) applies those standards consistently and in good faith. © The developer of a software application is not liable for a violation of Section 121.054 if the software developer: (1) relied in good faith on age category and consent information received from the owner of an app store; and (2) otherwise complied with the requirements of this section. SUBCHAPTER D. ENFORCEMENT Sec. 121.101. DECEPTIVE TRADE PRACTICE. A violation of this chapter constitutes a deceptive trade practice in addition to the practices described by Subchapter E, Chapter 17, and is actionable under that subchapter. Sec. 121.102. CUMULATIVE REMEDIES. The remedies provided by this chapter are not exclusive and are in addition to any other action or remedy provided by law. SECTION 2. It is the intent of the legislature that every provision, section, subsection, sentence, clause, phrase, or word in this Act, and every application of the provisions in this Act to every person, group of persons, or circumstances, is severable from each other. If any application of any provision in this Act to any person, group of persons, or circumstances is found by a court to be invalid for any reason, the remaining applications of that provision to all other persons and circumstances shall be severed and may not be affected. SECTION 3. This Act takes effect January 1, 2026.
______________________________ ______________________________ President of the Senate Speaker of the House I hereby certify that S.B. No. 2420 passed the Senate on April 16, 2025, by the following vote: Yeas 30, Nays 1; and that the Senate concurred in House amendments on May 14, 2025, by the following vote: Yeas 30, Nays 1. ______________________________ Secretary of the Senate I hereby certify that S.B. No. 2420 passed the House, with amendments, on May 9, 2025, by the following vote: Yeas 120, Nays 9, three present not voting. ______________________________ Chief Clerk of the House Approved: ______________________________ Date ______________________________ Governor
Yes. Like a copy of their identity papers.
Consult Article 23 (“Identification of economic operators”) of the CRA. The entry into force fits Google’s timeline.
That says when Google distributes an app via the Play Store, Google must be able to name the developer.
It does not say that when I distribute an app via my website, Google has any obligations whatsoever.
You’re thinking of the DSA (Article 30), in force since last year. The CRA is on top (or beside) of that, starting in 2027. Some are also pointing the finger at the RED (Article 3 3.). That’s the one that made Apple do USB chargers.
I expect phones are going to become a lot more locked down, especially in the EU.
Yes. Google is only demanding verification for certified phones.
What I quoted was CRA Article 23.
It clearly doesn’t impose any obligations on an OS vendor with regard to app installation where the OS vendor isn’t a party to the transaction.
You’re arguing that a dev shouldn’t be seen as supplying to Google just because their apps run on a Google system. I agree, that could be a valid argument, but I am not too sure if it would work in court.
Google is certainly following the spirit of the law. Maybe there is a tiny loophole here but imagine Google leaves that open. A few people install some shady app store full of malware and scams. Would a court find that Google had fulfilled all its legal obligations to protect its users?
I’m saying there’s no reasonable interpretation of this provision where a dev would be seen as supplying to Google by distributing an app that runs on Android without using Google’s store. Given the broader context of the CRA, it should be more clear; the CRA is about supply chains, and generally imposes obligations on entities acting as links in the supply chain. Google can’t sell apps if it doesn’t know where they came from.
The fact that Google plans not to forbid installation of unsigned apps via ADB would be a huge loophole if the intent was to force OS vendors to control all app distribution for those operating systems.
Here’s a definition:
I don’t think it’s a stretch to say that such apps are components “placed on the market separately”. In fact, I think it’s exactly within the meaning. In any case, even if not, such loopholes are usually plugged by some of the vague, general obligations.
I don’t think ADB installation is a loophole. Once you poke around in the insides of a device, you’re generally on your own. I expect that devices are going to become more locked down before these regulations enter into force but only as far as absolutely necessary. Google doesn’t want to lock out the next generation of devs. Unless or until there is some fuss about people doing something bad and this is declared a loophole.
Apps definitely qualify as products with digital elements. The term that determines whether Google has obligations is this scenario is ‘economic operator’ Here’s the definition for that:
When Google distributes apps via the Play Store, it is very obviously the distributor, which is defined:
If someone else distributes apps using other infrastructure that happen to run on an OS that Google made, Google is not the distributor and does not incur any obligations that apply to distributors. (For completeness, Google is obviously not the manufacturer, authorised representative, or importer either.)
The verification demand is for Google certified Android.
The OS or a phone both fit that definition.
An app fits the definition of a component.
Maybe you would have to argue that an app is not actually a component. But if it’s a stand-alone thing, then why does it rely on an OS?
I think you can make a good argument that a phone without an OS is not a system. It’s not capable of much. Maybe custom roms will remain an option.
Anyway, Google is not abusing that loophole. So, no problem. F-Droid encourages users to complain to EU lawmakers about Google being a meanie. Maybe the EU will close it anyway as part of future tech regulation.