2026 SESSION

INTRODUCED

26102074D

SENATE BILL NO. 237

Offered January 14, 2026

Prefiled January 12, 2026

A BILL to amend the Code of Virginia by adding in Title 59.1 a chapter numbered 60, consisting of sections numbered 59.1-614 through 59.1-619, relating to App Store Accountability Act; civil penalties; civil action.

—————

Patron—Head

—————

Referred to Committee on General Laws and Technology

—————

Be it enacted by the General Assembly of Virginia:

1. That the Code of Virginia is amended by adding in Title 59.1 a chapter numbered 60, consisting of sections numbered 59.1-614 through 59.1-619 as follows:

CHAPTER 60.

APP STORE ACCOUNTABILITY ACT.

§ 59.1-614. Definitions.

As used in this chapter, unless the context requires a different meaning:

"Account holder" means an individual who is associated with a mobile device.

"Age category" means information collected by an app store provider to designate an individual as follows:

1. For an individual who is younger than 13 years of age, a "child";

2. For an individual who is age 13 through 15, a "younger teenager";

3. For an individual who is age 16 through 17, an "older teenager"; and

4. For an individual who is 18 years of age or older, an "adult."

"Age rating" means one or more classifications that (i) correspond to one or more age categories and (ii) are assigned to an app or in-app purchase to assess the suitability of the app's content and functions.

"App" means a software application or electronic service that an individual may run or direct on a mobile device, including pre-installed applications.

"App store" means a publicly available website, software application, or other electronic service or platform that allows account holders in the Commonwealth to download apps from third-party developers onto a mobile device.

"App store provider" means any person doing business in the Commonwealth that owns, operates, or controls an app store made available to account holders.

"Content description" means a description of the specific elements or functions that inform an app's age rating.

"Developer" means any person doing business in the Commonwealth that owns, operates, or controls an app made available to account holders through an app store or an app pre-installed onto a mobile device.

"Minor" means an individual who is younger than 18 years of age.

"Minor account" means an account with an app store provider that is established by an individual who is a minor and that is required to be affiliated with a parent account.

"Mobile device" means a portable, wireless electronic device, including a tablet or smartphone, that (i) provides cellular or wireless connectivity, (ii) is capable of connecting to the internet, (iii) runs a mobile operating system, and (iv) is capable of running apps through such mobile operating system.

"Mobile operating system" means software that (i) manages mobile device hardware resources, (ii) provides common services for mobile device programs, (iii) controls memory allocation, and (iv) provides interfaces for apps to access device programs.

"Parent" means an individual who is reasonably believed to be a parent or legal guardian of a minor.

"Parent account" means an account with an app store provider that (i) is associated with an individual who the app store provider has verified is 18 years of age or older through such app store provider's age verification methods and (ii) may be affiliated with one or more minor accounts.

"Parental consent disclosure" means:

1. The age rating for an app or in-app purchase;

2. The content description for an app or in-app purchase;

3. A description of the personal data collected by the developer of an app from an account holder and shared by such developer with any third party; and

4. If personal data is collected by the developer of an app, the methods implemented by the developer to protect such personal data.

"Pre-installed application" means any app or portion thereof that is present on a mobile device at the time of purchase, initial activation, or first use by a consumer, including a browser, search engine, or messaging app. "Pre-installed application" includes any app or portion thereof that is installed or partially installed by a manufacturer of a mobile device, wireless service provider, retailer, or any other party prior to the purchase, initial activation, or first use by the consumer and that may be updated thereafter. "Pre-installed application" does not include any core operating system function, essential device driver, or software application necessary for basic device operation, such as a phone, settings, or emergency services app.

"Significant change" means a material modification to an app's terms of service or privacy policy that (i) materially changes the categories of data collected, stored, or shared; (ii) materially changes the app's age rating or content description; or (iii) introduces in-app purchases or advertisements where no in-app purchases or advertisements were previously present.

"Verifiable parental consent" means authorization that is provided by the account holder of a parent account to an app store provider after such provider has clearly and conspicuously provided the parental consent disclosure as part of the app download or purchase or in-app purchase process. "Verifiable parental consent" requires a parent account holder to make an affirmative choice to either grant or decline consent to a minor account.

§ 59.1-615. App store providers; duties; prohibitions.

A. An app store provider shall:

1. For each app that the app store provider makes available to account holders on its app store, provide a clear, accurate, and conspicuous parental consent disclosure.

2. At the time that an individual in the Commonwealth creates an account with the app store provider or, for existing accounts, by July 1, 2028:

a. Request age category information from such individual; and

b. Verify such individual's age category using a commercially available method that is reasonably designed to ensure accuracy. Such method may include, if such individual is a minor, an affirmative age attestation by another individual who is reasonably believed to be the parent of such minor.

3. If the app store provider determines in the process of an individual creating an account with such provider that such individual is a minor:

a. Require such minor to create a minor account to be affiliated with a parent account; and

b. Obtain verifiable parental consent from the account holder of the affiliated parent account each time before allowing such minor to download or purchase an app or make an in-app purchase.

4. After receiving notice from a developer of a significant change to an app:

a. Notify each account holder that has downloaded such app of the significant change; and

b. For minor accounts, (i) notify each account holder of a parent account that is affiliated with a minor account that has downloaded such app of the significant change and (ii) obtain renewed verifiable parental consent before providing access to the significantly changed version of the app.

5. In response to a request made pursuant to subdivision A 4 of § 59.1-616, provide to a developer data relating to the age category for an account holder located in the Commonwealth and, if applicable, the status of verifiable parental consent for a minor account.

6. Provide a mechanism for an account holder of a parent account to withdraw consent, and notify a developer when verifiable parental consent has been withdrawn for a minor account.

7. Protect data associated with age category and other verification data by:

a. Limiting data collection and processing only to data necessary for verifying an account holder's age category, obtaining verifiable parental consent, or maintaining compliance records; and

b. Transmitting age category data using industry-standard encryption protocols that ensure data integrity and data confidentiality.

8. For pre-installed apps:

a. Provide available age category information in response to a request from a developer; and

b. Take reasonable measures to facilitate verifiable parental consent for account holders' use of such an app in response to a request from a developer.

B. An app store provider shall not:

1. Enforce a contract or terms of service agreement against a minor account holder unless the app store provider has obtained verifiable parental consent;

2. Knowingly misrepresent information contained in the parental consent disclosure; or

3. Share data relating to age category except as required by this chapter or otherwise required by law.

§ 59.1-616. Developers; duties; prohibitions.

A. A developer shall:

1. For each of its apps and in-app purchases, assign an age rating and provide a content description, and, for each of its apps, provide each app store provider that makes the developer's app available on its app store a parental consent disclosure that includes such information;

2. Verify through an app store's data sharing methods the age category of an account holder located in the Commonwealth and, for a minor account, whether verifiable parental consent has been obtained;

3. Notify each app store provider that makes the developer's app available on its app store of a significant change to an app within a reasonable time frame;

4. Use data relating to age category received through an app store's data sharing methods to enforce any developer-created age-related restrictions, safety features, or defaults and ensure compliance with applicable laws; and

5. Request data relating to age category or verifiable parental consent (i) at the time that an account holder downloads or purchases an app or launches a pre-installed app for the first time, (ii) when implementing a significant change to the app, or (iii) to comply with applicable law.

B. A developer may request data relating to age category:

1. No more than once during each 12-month period to verify the accuracy of the age category of an account holder or continued account use within the age category;

2. When there is reasonable suspicion of account transfer or misuse outside of the age category; or

3. At the time that an account holder creates an account with the developer.

C. When implementing any developer-created age-related restrictions, safety features, or defaults, a developer shall use the lowest age category indicated by age category data received through an app store's data sharing methods or age data independently collected by the developer.

D. A developer shall not:

1. Enforce a contract or terms of service agreement against a minor unless the developer has verified through an app store's data sharing methods that verifiable parental consent has been obtained;

2. Knowingly misrepresent any information in the parental consent disclosure; or

3. Share data relating to age category with any person.

§ 59.1-617. Limitations.

Nothing in this chapter shall be construed to:

1. Prevent an app store provider or developer from taking reasonable measures to (i) block, detect, or prevent distribution to minors of unlawful, obscene, or harmful material; (ii) block or filter spam; (iii) prevent criminal activity; or (iv) protect app store or app security;

2. Require an app store provider to disclose account holder information to a developer beyond data relating to age category or status of verifiable parental consent;

3. Allow an app store provider or developer to implement measures required by this chapter in a manner that is arbitrary, capricious, anticompetitive, or unlawful;

4. Require an app store provider or developer to obtain verifiable parental consent for an app that:

a. Provides direct access to emergency services, including 911, crisis hotlines, or emergency assistance services legally available to minors;

b. Limits data collection to information necessary to provide such access in compliance with the federal Children's Online Privacy Protection Act (15 U.S.C. § 6501 et seq.);

c. Provides such access without requiring account creation or collection of unnecessary personal information; and

d. Is operated by or in partnership with a government entity, a nonprofit organization, or an authorized emergency services provider;

5. Require a developer to collect, retain, reidentify, or link any information beyond the developer's ordinary course of business or beyond what is necessary to verify an account holder's age category as required by this chapter;

6. Require an app store provider or developer to block access to an app that an account holder has downloaded or installed onto a mobile device prior to this chapter's effective date, except where an account holder of a parent account has withdrawn verifiable parental consent for an affiliated minor account or there has been a significant change to the app; or

7. Prevent an app store provider or developer from complying with the provisions of the Consumer Data Protection Act (§ 59.1-575 et seq.).

§ 59.1-618. Safe harbor.

A. A developer is not liable for a violation of this chapter if:

1. The developer relies in good faith on the age category received through an app store's data sharing methods and, if the account holder is a minor, on notification from an app store provider that verifiable parental consent has been obtained.

2. In determining an app's age rating and content description, the developer uses widely adopted industry standards in making such determinations and applies such standards consistently and in good faith.

B. An app store provider is not liable for a violation of this chapter if the app store provider relies in good faith on a process to verify an individual's age category that is commercially reasonable and that such provider exercises reasonable care in conducting such process. An app store provider relies in good faith when, if there is reasonable suspicion that an account holder does not belong to the age category to which his account is assigned, such provider took reasonable measures to reverify the account holder's age category.

§ 59.1-619. Civil penalties; civil action.

A. The Attorney General may initiate an action in the name of the Commonwealth and may seek an injunction to restrain any violations of this chapter and civil penalties of up to $7,500 for each violation under this chapter. All civil penalties, expenses, and attorney fees collected pursuant to this chapter shall be paid into the state treasury and credited to the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund. The Attorney General may recover reasonable expenses incurred in investigating and preparing the case, including attorney fees, in any such action.

B. Any minor or parent of a minor who suffers harm by reason of a violation of any provision of this chapter may bring a civil action against an app store provider or a developer to enforce such provision and may seek the greater of actual damages or $1,000 for each violation under this chapter and, if the violation was egregious, punitive damages. Any person who is successful in an action brought pursuant to this subsection shall recover reasonable attorney fees, expert witness fees, and court costs incurred by bringing such action.

2. That the provisions of this act shall become effective on July 1, 2027.