Learn more about the latest security and privacy threats
Editorial illustration for the article "Supreme Court lets Texas enforce its app store age verification law".

The Supreme Court let Texas enforce its app store age verification law on 6 July 2026. What SB 2420 requires, and how to comply without a data honeypot.

Table of contents

On 6 July 2026 the US Supreme Court refused to block Texas from enforcing SB 2420, the first app store age verification law of its kind to reach the justices. The court acted on its emergency docket, without deciding the First Amendment question, so Apple and Google must keep verifying every user's age category while the challenge continues.

  • The Supreme Court denied two emergency applications, dockets 25A1389 and 25A1390, in brief unsigned orders with no public dissents.
  • SB 2420 took effect on 1 January 2026 and sorts every user into one of four age categories, requiring verified parental consent for minors before any download or in-app purchase.
  • The justices did not rule on the merits, so the constitutional fight moves to an expedited Fifth Circuit hearing set for early August 2026.
  • App stores must now collect and share age and consent signals with developers, creating a fresh privacy surface that data-minimising verification is built to shrink.
  • Texas follows Utah, whose parallel App Store Accountability Act carries a compliance deadline of 6 May 2026, signalling a widening state patchwork.

What did the Supreme Court actually decide?

The Supreme Court left Texas free to enforce its app store age verification law, but it decided far less than the headline suggests. On 6 July 2026 the justices denied emergency applications from a student group and a tech trade body seeking to vacate a Fifth Circuit stay. The orders were brief and unsigned, with no noted dissents.

Crucially, the court did not hold that SB 2420 is constitutional. It declined only to freeze the first broad app store age verification statute while litigation runs. The Computer and Communications Industry Association, whose members include Apple and Google, and Students Engaged in Advancing Texas can still argue the statute burdens protected speech. A federal judge in Austin, Robert Pitman, had blocked the law on 23 December 2025 before the Fifth Circuit stayed that injunction in June.

FactDetailSource
Date of order6 July 2026Supreme Court docket
Dockets25A1389, 25A1390Supreme Court
StatuteSB 2420, App Store Accountability ActTexas Legislature
Effective date1 January 2026SB 2420, Section 3
Merits statusPending, Fifth CircuitCourt filings

How does the Texas app store age verification law work?

SB 2420 turns the app store into the identity checkpoint for an entire device. When a Texan creates an account, the store owner "shall use a commercially reasonable method of verification to verify the individual's age category," in the statute's own words. Every user lands in one of four brackets: child, younger teenager, older teenager, or adult.

If the user is a minor, the account must be affiliated with a verified parent or guardian account. The store then has to obtain parental consent for each app download and each in-app purchase, and pass the age category and consent status through to developers, who must enforce age-appropriate access on their side. The design pushes a single verification event upstream to Apple and Google, then fans the resulting signals out across thousands of apps.

Age categoryStatutory age band
ChildUnder 13
Younger teenager13 to 15
Older teenager16 to 17
Adult18 or older

What this means for your compliance obligations

This is age assurance, not anti-money-laundering, but the obligations rhyme with regimes compliance teams already run. An app store age verification duty is no longer just to gate content; it is to verify an attribute, prove parental consent, and hand a defensible signal to a downstream party without over-collecting.

For app store operators, the concrete duties are age-category verification at account creation, verifiable parental consent tied to each transaction, and controlled transmission of age and consent data to developers. That mirrors the verifiable parental consent logic of the Children's Online Privacy Protection Act and the age-appropriate design expectations spreading through US state privacy law. For developers, the new obligation is to consume the app store's signal and restrict features by category, then resist repurposing that data. Utah's amended act already limits age-category data to three enumerated uses, a template Texas litigants will cite.

The record-keeping and data-protection duties are where this bites. Once you verify age for millions of accounts, you hold sensitive minority-status data that plugs straight into GDPR-style minimisation principles and state breach-notification laws. Evidencing that you collected the minimum, retained it briefly, and shared only a category flag becomes the audit you will be asked to produce. The safest posture is to verify the attribute, emit a yes or no, and store nothing reconstructable, the same discipline that keeps KYC data from becoming a liability.

What is still uncertain, and where are the risks?

The largest risk is that this is only a pause, not a resolution. The Supreme Court ruled on a stay, not the First Amendment, and the Fifth Circuit will hear the merits on an expedited basis in early August 2026. The case could return to the justices, so firms are engineering to a standard that a court might still narrow or strike. Building once and rebuilding later is the base-case cost.

The second risk is the honeypot. An app store age verification mandate forces the collection of government-grade identity signals for every account, exactly the concentration of personal data that recent breaches have punished. The CCIA warned of "enormous and unrecoverable compliance costs," and centralised age data adds breach exposure on top. A single leaked verification store would expose minors by name, the worst possible failure mode.

Third is fragmentation. Texas uses four brackets and one enforcement model under the state attorney general; Utah's law adds a private right of action from late 2026, and other states are drafting variants. Absent a federal standard, operators face inconsistent thresholds, verification methods, and liability splits. Finally, the methods themselves are contestable: "commercially reasonable" verification is undefined, document-based checks can be beaten by deepfakes, and account sharing quietly defeats the parental-consent step.

How does this compare to earlier age verification rulings?

This order sits downstream of Free Speech Coalition v. Paxton, the June 2025 decision in which the Supreme Court upheld Texas HB 1181's age checks for adult websites by a six to three vote. That ruling applied intermediate scrutiny rather than the strictest First Amendment test, and it is the doctrinal opening that made SB 2420 plausible. The difference is scope: HB 1181 gated explicit sites, while an app store age verification rule like SB 2420 reaches the entire app economy. The trend is not uniform, however: a Nebraska social media age check was blocked days before it took effect, so outcomes still turn on the exact drafting and forum.

LawScopeEffectiveStatus
Texas HB 1181Adult content sites2025Upheld, June 2025
Texas SB 2420All app downloads1 January 2026Enforced, merits pending
Utah SB 142All app downloadsCompliance by 6 May 2026In force

How should compliance teams respond?

Start by scoping exposure: confirm whether you operate a covered app store or a developer that must consume its signals, then map which of your account, download, and purchase flows touch Texas users. Treat age category as sensitive data, minimise what you retain, document your verification method against the "commercially reasonable" standard, and set retention to the shortest defensible window. Track the Fifth Circuit's August hearing, because the design target may move.

The strategic lesson generalises beyond Texas. Every new age assurance mandate rewards teams that can prove an attribute without hoarding the underlying identity. Zyphe verifies a document through an NFC chip read to ICAO 9303 and eIDAS standards with two-step liveness and no image upload, then shards the data across a decentralised network so no single node holds a complete record and there is no central honeypot to breach. That lets you emit an age or consent signal, reuse it elsewhere as a credential, and keep the audit trail exportable. If you are re-architecting onboarding for these rules, book a demo or see how it works.

The bottom line

The Supreme Court did not settle whether Texas can conscript app stores into age policing; it only let the experiment run while the courts think. For compliance and product teams the practical message is unchanged: age assurance mandates are multiplying, they are surviving early legal tests, and they all demand that you verify an attribute you did not have to collect before. The teams that win are the ones that treat that attribute as a signal to prove and discard, not a record to hoard, because the same law that forces verification will judge you on how little you kept.

Cited sources

Michelangelo Frigo Michelangelo Frigo (Co-Founder at Zyphe) Michelangelo Frigo is a privacy and identity infrastructure expert and co-founder of Zyphe.

Frequently Asked Questions

No. On 6 July 2026 the court only declined to block enforcement while the case proceeds. It issued brief unsigned orders on its emergency docket and did not decide whether SB 2420 complies with the First Amendment. The constitutional challenge continues before the Fifth Circuit, which is expected to hear the merits on an expedited schedule in early August 2026.

The App Store Accountability Act requires app stores to verify each user's age category when an account is created, sorting users into child, younger teenager, older teenager, or adult. Minors' accounts must be linked to a verified parent or guardian, and the store must obtain parental consent before each download or in-app purchase, then share age and consent signals with the app developers.

SB 2420 took effect on 1 January 2026, though a federal injunction briefly paused it in late December 2025. The Fifth Circuit stayed that injunction in June 2026, and after the Supreme Court declined to intervene on 6 July 2026, the law is being enforced by the Texas attorney general while litigation continues.

Utah passed the first App Store Accountability Act, with a compliance deadline of 6 May 2026 and a private right of action taking effect later in 2026. Texas followed as the second state. The brackets and enforcement models differ, and more states are drafting their own versions, which creates a patchwork of overlapping age assurance duties rather than a single federal standard.

No. Age assurance can be done with data minimisation: verify the document, derive the age category, and emit only a yes or no rather than storing a full identity record. Decentralised verification that shards data and holds no central copy lets a business satisfy the mandate while shrinking the breach surface that centralised age databases create.

See privacy-first KYC in action

Verify identity without storing a single document. Reusable credentials, an exportable audit trail, and a 15-minute integration.

Book a demo