Imagine having to provide a government ID before downloading an app to clock in at work, submit homework, check the weather, or access your bank account. Under a new Texas law, that could become a reality for millions of people.
The Internet Society led an amicus brief filing on 24 June with the Center for Democracy & Technology and New America’s Open Technology Institute in CCIA v Paxton before the United States Fifth Circuit Court of Appeals. The case challenges the state’s age verification requirements for app stores and parental consent requirements for children and teens under 18 to download virtually all apps.
The Internet Society is actively working towards the important goal of improving online safety for children and provides recommendations for more effective approaches to online age checks and safety improvements in the filing.
The problem is that the law relies on broad age-verification requirements that create new privacy, security, and accessibility risks for everyone in the state while offering few, if any, new protections for young people online. Measures that require the routine collection of sensitive personal information risk weakening trust while doing little to address the underlying causes of online harm.
Creating a safer Internet requires solutions that strengthen online safety without undermining the privacy, security, and trust that people rely on every day. This is at the heart of the Internet Society’s Safer Internet Initiative.
About the Texas App Store Accountability Act
Under the Texas App Store Accountability Act, HB 2420, everyone in the state is required to complete an age verification process, typically requiring a government ID or credit card, before accessing almost any app or service available in app stores on phones or tablets. The only exceptions are apps for standardized testing or emergency services.
Children and teenagers under 18 must also ask their parent or guardian to verify their relationship and request permission each time they want to download an app. Each time there is a “significant change” to the terms of service, they must request permission again. Parents must provide even more sensitive information about their child, such as a birth certificate, to enable their access to an app store.
Just two weeks ago, the Texas government disclosed a third-party breach that exposed 3 million driver’s licenses and passports of Texans who applied for hunting or fishing licenses. This data breach of IDs and sensitive personal information will affect millions of people for years to come. The incident illustrates the data security risks with collecting and storing sensitive identity information at scale.
People’s access to apps on a mobile device is no longer trivial. Mobile banking, the ability to call a rideshare home, and even homework and many jobs require access to apps—such as email, document editing, or the ability to clock in for work—that this law would restrict.
The law is unlikely to improve youth online safety and there are much better alternatives the state can pursue.
A Better Approach to Age Checks and Online Safety
Consistent with the Internet Society’s Safer Internet Initiative, our amicus brief argues that protecting children online and protecting people’s privacy are complementary goals—not competing ones.
Rather than relying on broad identity checks, the filing makes recommendations for less invasive, more effective approaches that improve online safety while limiting risks to privacy, security, and accessibility. The amicus brief provides recommendations for more suitable age check approaches and improvements that would directly improve online safety for minors.
This law fails to deliver on what children and their parents want by requiring invasive age verification and automatically requiring permission for any app. Parents and young people report that they want more safeguards and support requirements to approve certain app downloads or in-app payments, but they don’t want to be overwhelmed with restrictions and approvals on daily activities that pose little risk.
People will be forced to send age information to all app developers, regardless of whether they need that information under the law. This requirement runs the risk of scooping up additional data about people’s devices and locations, which directly opposes the law’s objectives to better regulate data collection for children.
Age checks for online safety must focus on improving safety and should not be required to access online services that don’t have age-based experiences or restrictions.
When age assurance is necessary, age check methods must minimize data collection, be purpose-limited, and restrict when and what age information is provided to online services. While no perfect solution exists, there are a few approaches that go a long way towards mitigating privacy, security, and accessibility risks, while still supporting age-appropriate experiences online.
- Trusted Adult Age Confirmation: The device owner sets the age of device users at the time of purchase, during the setup process, or in the settings of a previously purchased device. The device shares age range information—rather than precise personal data—with apps and services for each user using an application programming interface (API).
- Double-Blind: Privacy‑preserving age assurance systems can verify and provide a user’s age range without revealing which services they are accessing or sharing additional data beyond necessary age information. This should be done only with a user’s consent and when there is a legitimate purpose to check a user’s age.
- Token-Based: Once an age check is completed, people can use tokens that signal age eligibility (e.g., 13-16 or 18+) for services to verify access without storing or repeatedly collecting sensitive information. Tokens should age with the user without repeated age verification to reissue age signal tokens.
Everyone should be able to easily submit an age check and limit how many times sensitive data or information, like credit card information, a government ID, or facial scans, are collected. There must be enough options for anyone to easily complete age checks regardless of their device, any disabilities, or the strength and reliability of their Internet connection.
Protecting children and protecting privacy online go hand in hand. These are not competing goals. Effective online safety measures must focus on creating safer experiences for young people while minimizing the collection of sensitive personal information and ensuring proper security safeguards.
The Texas law falls short of this standard. There are more effective and less invasive ways to improve online safety when age checks are necessary.
This case reflects a principle underpinning the Internet Society’s Safer Internet Initiative: people should not have to choose between online safety or privacy. A safer Internet depends on trust. When governments require people to routinely hand over sensitive personal information to access everyday digital services, they risk weakening that trust while doing little to improve safety. Solutions must protect children online while preserving the privacy, security, and openness that make the Internet trustworthy for everyone.
