
Niloufar Massachi

  • Which states have passed app store age verification legislation?
    • The effective dates are:
      • Jan. 1, 2026 (Texas)
      • May 7, 2026 (Utah)
      • July 1, 2026 (Louisiana)
      • Jan. 1, 2027 (California)
  • What types of organizations are covered?
    • App stores (TX, LA, UT) and operating system providers (CA) include Google, Apple, and other app store operators.
    • A developer, as defined in the California law, refers to a person that owns, operates, or maintains a mobile app. Developer is used but not defined in the other states’ laws.
  • What are the app stores’ age verification obligations?
    • Texas, Utah, and Louisiana’s laws all require app stores to “use a commercially reasonable method” to verify an individual’s age category into one of the following categories:
      • Under 13 (“child”)
      • At least 13 and under 16 (“younger teenager”)
      • At least 16 and under 18 (“older teenager”)
      • At least 18 (“adult”)
    • Those laws therefore open up the possibility of methods beyond self-declared age (e.g., an age gate).
    • California’s law requires app stores to provide an accessible interface at account setup that requires an accountholder to indicate the birth date, age, or both, of the user of that device, and categorize the user into age categories that are identical to the above categories (though, all under 18 users are referred to as a “child”). California’s law, therefore, effectively only requires an age gate.
  • Who do the laws contemplate will be verifying a minor user’s age to the app stores?
    • Texas, Utah, Louisiana: The individual who creates the app store account, which may be the minors themselves, or potentially parents. Apple’s guidance confirms this approach. 
    • California: The parent. The law requires the app stores provide an interface to the “account holder,” which is an individual over 18 or the parent or guardian of an individual under 18. It seems that the app stores will need to take a different approach than is currently contemplated in relation to Texas’ law in order to comply with California’s law.
  • What are the app stores’ obligations regarding parent accounts?
    • The non-California laws require app stores to associate each minor account with a parent account.
    • There is not an explicit requirement to do so in California. However, it does, in effect, require association of a minor account with an adult account. “Account holder” means “an individual who is at least 18 years of age or a parent or legal guardian of a user who is under 18 years of age in the state,” and age verification must be carried out by an “account holder.”
  • What are the app stores’ parental consent obligations under the Texas, Louisiana, and Utah laws?
    • For minor accounts, Texas, Louisiana, and Utah will require app stores to obtain parental consent for each and every (1) app download, (2) app purchase, and (3) in-app purchase*. One-time and other bundled consents are not permitted.
    • App stores will also have consent requirements when an app developer notifies the app store of a “significant change” (see discussion below), i.e., app stores must re-consent each minor account, via parental consent.
    • *As to the scope of in-app purchases that would be impacted, Apple has clarified that the consent requirement applies only to purchases made using Apple’s In-App Purchase system—such as subscriptions or digital content. Purchases of physical goods (e.g., ordering food through a delivery app) are not covered. Google has not yet provided similar clarification.
  • What are app stores’ parental consent obligations under the California law?
    • None.
  • What are developers’ age assurance obligations under the Texas, Louisiana, and Utah laws?
    • Developers must verify, using the app stores’ data sharing methods (e.g., APIs, as discussed in the app stores’ guidance), (i) the age category of users and (ii) for minor accounts, whether parental consent has been obtained.
    • Louisiana also requires developers to obtain parental consent for app downloads, purchases, and in-app purchases. It is unclear how this would work in practice, such as if developers will have to build their own consent interface or whether the app store-provided consent flow will suffice.
    • The Texas law will require app developers to assign each app and each in-app purchase an age rating pursuant to the age categories discussed above.
  • What are developers’ age assurance obligations under the California law?
    • Developers must:
      • Request a signal with respect to a particular user when an app is downloaded and launched.
      • Apply age received “across all platforms of the [app] and points of access to the [app].”
      • Use the age range signal to comply with applicable law.
  • Is actual knowledge of age imputed to a developer through receipt of age information from app stores?
    • Texas, Louisiana, and Utah: Yes, implicitly.
    • California: Yes, explicitly.
    • With actual knowledge of users’ age being thrust upon developers, developers – in particular, those that do not independently carry out age assurance – will be forced to address obligations and restrictions under the Children’s Online Privacy Protection Act (COPPA), state consumer privacy laws that regulate children’s and teens’ personal data, and online safety laws that impose obligations and restrictions based on users’ ages.
    • By way of example, many developers that obtain actual knowledge of users under 13 from the app store will need to restrict ongoing access to their service by such users and delete such users’ personal information (if they process personal information for more than the narrow permitted internal operational purposes) in order to remain compliant with COPPA. Of course, there may be developers in this situation that have already otherwise obtained verifiable parental consent or are in the small minority of services (such as social media and gaming platforms) in which they are able to transition users to an age-appropriate experience (though, the COPPA deletion requirement would still apply). By way of another example, developers that obtain actual knowledge of users at least 13 but younger than 16 in California would have to apply age-related restrictions from the CCPA to such users, such as needing the users to opt in to sale and sharing, rather than only offering an opt-out right.
  • How do the laws address conflicts in age information possessed by developers and received from app stores?
    • Texas, Louisiana, and Utah: Each law provides a safe harbor based on “good faith” reliance on age and consent information from app stores.
    • California: The law provides that “a developer shall treat a signal received pursuant to this title as the primary indicator of a user’s age range for purposes of determining the user’s age.” However, it further provides that a “developer must not willfully disregard internal clear and convincing information otherwise available to the developer that indicates that a user’s age is different than age range received from app store.”
  • If we do not want to have minors download or purchase our app, can we prevent them from doing so?
    • It is not clear, though it seems unlikely that developers will be able to prevent minors from downloading their apps if a parent has provided consent. This is because the age verification and consent requirements extend to all apps. App developers will, therefore, likely be unable to prevent the app stores from requesting such consent (except perhaps in the event that the content rating of the app is more mature than the child user’s age range).
  • Can parental consent be revoked?
    • Yes, it can be revoked. Under the Texas, Louisiana, and Utah laws, app stores must notify each developer upon revocation of parental consent. The Google guidance seems to contemplate that revocation of consent will be possible on a per-app basis.
  • How will app developers address revoked consent?
    • Certainly, restricting in-app purchases when a parent refuses consent will easily be accomplished by the app stores.
    • However, there are no details in the laws regarding what steps the app stores and developers must take with respect to a minor’s use of already downloaded apps, i.e., there is no obligation in these laws to prevent the use of the app by a minor whose parent revoked consent. To our knowledge, neither app stores nor developers have the ability to remove downloaded apps from a device (and that is not required of them by these laws).
    • The app stores are working on mechanisms to notify developers when a parent revokes consent for a minor’s ongoing use of an app. The app stores’ guidance provides some details in this regard. Google has stated that developers will “get a report in Play Console showing when a parent revokes approval for your app.” Apple’s press release states that “parents will be able to revoke consent for a minor continuing to use an app.” Both have alluded to further details in technical documentation later this year. Developers will need to monitor any guidance provided by regulators as well as the app stores on this issue and will need to utilize existing and potentially new features provided by the app stores to disable use of their app by minors whose parents have revoked consent.
  • How do the laws restrict developers from enforcing contracts against minors?
    • Under the non-California laws, a developer may not enforce a contract or terms of service agreement against a minor unless the developer has obtained verifiable parental consent. In Utah and Louisiana, the developer must verify through the app store that verifiable parental consent has been obtained.
  • Is it true that re-consent will be required if an app makes a “significant change?”
    • Yes, as mentioned above, the non-California laws require, upon being notified of a significant change by an app developer, app stores to re-consent all applicable accounts via parental consent. Under the non-California laws, developers must provide notice to the app stores before making any “significant change” to an app. A change is “significant” if it:
      • (1) changes the type or category of personal data collected, stored, or shared by the developer;
      • (2) affects or changes the rating assigned to the app or content elements that led to that rating;
      • (3) adds new monetization features to the app, including new opportunities to make a purchase in or using the app; or new ads in the app; or
      • (4) materially changes the functionality or user experience of the app.
    • There is no equivalent requirement under the California law.
  • Do the laws impose obligations only as to new app store accountholders/ users?
    • Texas, Utah, and Louisiana: Yes. The laws only apply to new app store accounts.
    • California: Initially, yes; the law provides a six-month grace period for both app stores and developers to comply with the law as to existing accountholders and users.
  • How do the laws restrict a developer’s use of personal data received from an app store?
    • Under the Texas and Utah laws, a developer may only use personal data provided by app stores to:
      • (1) enforce age-related restrictions on the app;
      • (2) ensure compliance with applicable laws and regulations; and
      • (3) implement safety-related features and default settings on the app.
    • The Texas law requires developers to delete personal data provided by app stores upon performing the required age verification.
    • All four states prohibit sharing such personal data for a purpose not required by these laws. Utah and Louisiana explicitly prohibit sharing age category data with any person.
  • Which app stores have released guidance addressing these laws?
    • Both Apple and Google have released guidance. Apple’s guidance mentions only the Texas law, while Google’s mentions Texas, Louisiana, and Utah. The app stores are developing the aforementioned technical features to enable their and app developers’ compliance, namely APIs that enable developers to receive users’ age information and consent status, as well as to report significant changes to an app, and permit parents to revoke consent for a minor’s use of an app. As we understand it, these tools and features are currently under development and subject to change. The app stores’ documentation and press releases should be consulted often to ensure that you and your technical teams are relying on the most up-to-date information.
  • What happens if my company does not take the actions required by the app stores?
    • If a developer fails to integrate with the app stores’ provided technical measures, it is likely that app store accountholders who are verified minors (in the states where the laws are in place) will not be able to download the developer’s app(s), and in-app purchase flows will be blocked for under-18 accounts.
    • In addition, developers that do not implement the app stores’ technical measures will likely be out of compliance with these state laws.
  • How will these laws be enforced, and what are the penalties for non-compliance?
    • Violations of the Texas and Utah laws (in the case of Utah, a specific sub-section) are considered deceptive trade practices under their respective UDAAP laws.
    • Texas’ law is enforced by the consumer protection division of the attorney general’s office; injunctive relief and up to $10,000 per violation in penalties are available.
    • In addition, Utah’s law provides for multiple avenues of a private right of action with statutory damages:
      • First, a violation of Subsection 13-75-202(4)(b) (restricting developers from knowingly misrepresenting any information in the parental consent disclosure) constitutes a deceptive trade practice under Subsection 13-11a-3 of Utah’s UDAAP law. Pursuant to Subsection 13-11a-4, “any person or the state may bring an action” for injunctive relief and, if injured, damages in the amount of the actual damages or $2,000, whichever is greater.
      • Second, a harmed minor (or parent) may bring a civil action against an app store or developer for a violation of the law for actual damages or $1,000 per violation, whichever is greater, along with reasonable attorneys’ fees and litigation costs. The private right of action has limited application; in the case of developers, it only applies to violation of Subsection 13-75-202(4), which provides that:
        • A developer may not: (a) enforce a contract or terms of service against a minor unless the developer has verified through the app store provider that verifiable parental consent has been obtained; (b) knowingly misrepresent any information in the parental consent disclosure; or (c) share age category data with any person.
    • In Louisiana and California, the attorney general may bring a civil action to enforce violations of the law.
      • Louisiana: Covered app stores or developers found to violate the law may be subject to injunctive relief and/or a fine of up to $10,000 per violation following a 45-day curing period.
      • California: Violations are subject to an injunction or civil penalties of up to $2,500 per affected child for each negligent violation, and up to $7,500 per affected child for each intentional violation.
  • Are any of these laws being challenged?
    • Yes. As of Oct. 16, the Texas law is being challenged by the Computer and Communications Industry Association on constitutional grounds. It is unclear whether the enforcement of the law will be stayed pending resolution of the challenge. In the event of a stay, it is unclear whether, but it seems unlikely that, app stores will require companies to implement the age verification and consent measures. Developers should prepare to integrate with the app stores’ technical measures by Jan. 1, 2026, but also should continue monitoring the status of the law’s challenge and app stores’ plans to address in the absence of a stay in enforcement.

Companies in all industries take note: regulators are scrutinizing how companies offer and manage privacy rights requests and looking into the nature of vendor processing in connection with application of those requests. This includes applying the proper verification standards and how cookies are managed. Last month, the California Privacy Protection Agency (“CPPA” or “Agency”) provided

Washington’s My Health My Data Act (“MHMDA”) and Nevada’s SB 370 (“NV CHD Law”) (collectively, “CHD Laws”) went into effect at the end of last month, on March 31, 2024 (as many know, MHMDA’s geofencing prohibition went into effect last summer). Unlike the Health Insurance Portability and Accountability Act (“HIPAA”), a federal law which governs privacy and security in traditional healthcare settings, CHD Laws regulate “consumer health data” or “CHD” – a very broadly defined term as we discuss below and in a prior post – collected by companies in a broad swath of health and non-health related industries alike. Even ancillary purposes like providing accessibility accommodations and defending personal injury claims are enough to trigger the laws. CHD Laws impose restrictions and obligations on regulated entities far more burdensome than state consumer privacy laws, many of which already regulate some of the same health data, and unlike those general consumer privacy laws are not proposed to be preempted by the potential federal American Privacy Rights Act.

As such, compliance programs that businesses may have developed to comply with state consumer privacy laws, such as the California Privacy Protection Act (“CCPA”), will not be sufficient to address the requirements of the CHD Laws, though they can be leveraged, such as for consumer rights requests and processor management. There are some material differences beyond the scope of the data regulated. For example, businesses must add another website footer link (and potentially elsewhere, such as in mobile apps) and post a separate privacy policy applicable to the processing of CHD. The facilitation of consumer rights must be CHD-specific, for example providing the right to delete just CHD, rather than all personal information. Moreover, businesses that have CHD use cases not within narrow exceptions (e.g., as necessary to provide a requested product or service), which differ somewhat as between the two laws, will have to grapple with the foreboding consent and authorization requirements which, in some cases, could result in subjecting visitors or customers to a litany of notices and pop-ups in an environment already plagued by what some dub as “consent fatigue.”

Hundreds of lawyers and several privacy regulators from California, Washington State, Oregon, Colorado, Connecticut, and the Federal Trade Commission gathered in Los Angeles last week for the second annual California Lawyers Association Privacy Summit (“Summit”). Among many engaging sessions on pressing topics, the panels with privacy regulators stood out, with discussions on enforcement priorities and administrative fines and injunctions, along with punchy and newsworthy statements – including that they are “plotting” and that considering the typical investigation presents “hundreds or thousands of violations,” potential fines are “significant.”

Perhaps even more newsworthy is that due to a California Court of Appeal order laid down as the Summit wound down on Friday, the stay in enforcement of the CCPA regulations was lifted. This happened as many companies were treating March 29, 2024, the end of the stay period, as the effective and enforcement date of regulations promulgated under the CPRA’s amendments by the California Privacy Protection Agency. The appeals order also nullifies the year delay in effectiveness of issued CCPA regulations that the trial court had required, making almost certain that CCPA regulations on risk assessments, cybersecurity assessments, and automated decision-making and profiling will be promulgated and in effect sometime this year, perhaps as early as Q2 or Q3.

Will 2024 be the year of privacy enforcement? In view of signaling from California regulators and those in other jurisdictions, and in view of several upcoming effective dates and regulatory deadlines, ongoing enforcement by regulators in California and beyond, and an impending uptick in privacy enforcement, it just might be. Stay tuned for future posts on these issues. Keep reading for more detailed takeaways regarding the Summit.

On Friday, February 9, the Court of Appeal of the State of California sided with the California Privacy Protection Agency (“CPPA” or “Agency”), finding that a California Superior Court judge erred when he issued an order staying the Agency’s enforcement of the regulations promulgated pursuant to the CPRA’s amendments to the CCPA until March 29

Until late August 2023, California’s data protection law, the California Consumer Privacy Act, or “CCPA,” only provided for future rulemaking on automated decision-making, including profiling, on risk assessments, and on cybersecurity audits. However, during a board meeting it held this past Friday, September 8th, the California Privacy Protection Agency (“CPPA” or “Agency”), which shares enforcement authority of the CCPA with the California Attorney General, discussed a new set of draft regulations (“Regs”) it released for Agency discussion purposes in late August 2023. While not yet part of the official rulemaking, the draft and the discussions around it provide direction on its upcoming rulemaking on these topics. We will refer to the draft and related commentary as the “Roadmap.” Most notably, the Roadmap proposes that condensed versions of assessments and audits completed by businesses pursuant to their CCPA obligations be filed with the CPPA and sets forth detailed obligations surrounding such assessments and audits. The implication of this is that it may become obvious to the Agency which companies are or are not conducting assessments or audits and thus complying with their CCPA obligations. It may also provide the Agency an easily accessible way to review and evaluate businesses’ practices, especially with regard to higher risk processing activities. Furthermore, the Agency’s Roadmap suggests assessment requirements that not only incorporate, but exceed, what is required in the Colorado regulations, including risk / harm assessments of any monitoring of personnel or students, or monitoring of consumers in public places. We will be co-hosting a webinar with Ankura to take a deeper dive into what companies should be doing regarding assessments and audits. Register here to join us on October 18 to learn more.

Part 1 of How to Approach DPAs in view of Final CCPA Regs: A Series

This is the first in our series of blog posts on top considerations for approaching data processing terms required under the state privacy laws that have, or will, come into effect this year, namely the California Consumer Privacy Act, as

Join SPB’s Kyle Fath and Niloufar Massachi for a timely webinar hosted by the Association of National Advertisers (ANA) on Tuesday, March 14 at 1 PM EST (10 AM PST).  The ANA program will offer an engaging discussion on navigating unique compliance challenges in the digital advertising ecosystem.

Key areas of focus will include:

  • Analysis

In a CLE webinar earlier this week, Niloufar Massachi (Associate, Los Angeles) discussed evaluating, drafting, and updating vendor agreements to meet the privacy and security requirements of new US privacy laws and the GDPR.

The California Consumer Privacy Act (CCPA) currently has limited carve-outs for personal information (PI) collected from a job applicant, employee, owner, director, officer, medical staff member, or independent contractor of a business acting in such capacity (including, without limitation, communications, emergency contact and benefits PI) (HR data). An even broader exception applies to B-to-B communications and related PI (e.g., vendor, supplier and business customer contacts and communications) (B-to-B data). As a result, businesses subject to the CCPA are not currently required to honor CCPA rights requests received from persons concerning HR data and B-to-B data. These carve-outs are set to sunset on January 1, 2023, when the California Privacy Rights Act (CPRA), which substantially amends the CCPA, goes into full effect, at which point HR data and B-to-B data will be fully subject to all of the requirements of the CCPA/CPRA. Many business administrators had hoped that either the California legislature would extend the HR data exceptions (or maybe even make them permanent), or a federal law that limited data subject rights to traditional consumers would pass and preempt CCPA/CPRA. It is now clear that the former is impossible and the latter is highly unlikely. Accordingly, many companies have a lot to do by year-end to prepare to stand up a CCPA/CPRA program for HR data and B-to-B data.