Utah Amends App Store Accountability Act (ASAA) – Key Obligations Delayed Until May 6, 2027

April 30, 2026

Utah has amended its App Store Accountability Act (ASAA). Importantly, the amendments (1) delay the date by which certain operational requirements must be implemented until May 6, 2027, and (2) remove enforcement authority for the Utah Attorney General, while preserving a private right of action. These changes affect app stores and app developers that may be subject to the ASAA’s requirements related to age verification and verified parental consent.

Background
The ASAA had been challenged in court by a trade association representing communications and technology companies. That challenge was withdrawn on April 21, 2026, after the law was amended to remove enforcement of violations as a deceptive trade practice – leaving private lawsuits as the primary enforcement mechanism.

The law imposes obligations on app stores and app developers to identify the age category of users that download or use apps and obtain parental consent when the individual is a minor (under 18). More information on app store accountability laws – and specifically, developer obligations – is available here. A summary of the key changes is summarized below.

Key Changes in the Amendments

Definitions

  • In-app purchase: This term was not defined in the original law. It is now defined as: “[a] charge associated with any user conduct within an app and billed by an app store for the acquisition of virtual currency, digital goods, digital services, or other apps.”
  • Pre-installed applications: The amendment distinguishes “pre-installed applications” from other key functions that are pre-installed in a device. Pre-installed applications include those that are already installed on a device when it is purchased or initially activated. These can include browsers, search engines, and messaging apps. When a pre-installed app is launched for the first time, developers must obtain age category data from the app store and verified parental consent (if the user is a minor). The amendment excludes from the definition of a “pre-installed application”: (i) core operating system functions; (ii) essential device drivers; and (iii) apps necessary for basic device operations (e.g., phone, settings, emergency services, security, or system maintenance). These do not require age category verification or parental consent.
  • Significant change: The law still requires developers to notify app stores when an app undergoes a significant change and to refresh parental consent. However, the amendment revises the definition of “significant change” to exclude changes to user experience and functionality, but include adding in-app purchases or advertisements if they previously were not present.

Developer-Related Changes

The amendment revises the developer’s obligations in three key ways:

  • A developer may request that an app store prohibit a minor from downloading or purchasing the developer’s app.
  • Developers are no longer required to use age category data to enforce developer-created age restrictions or safety features (though they still may do so). The amendments also clarify there is no restriction on a developer allowing a parent to customize age-, safety-, or content-related settings within minor accounts after initial setup.
  • Developers are prohibited from using age category data received from an app store for any purpose other than: (i) enforcing developer-created restrictions; (ii) ensuring compliance with applicable laws; and (iii) implementing developer-created safety-related features or defaults.

Enforcement: Private Lawsuits Only

The amended ASAA may be enforced only through a private right of action. Parents of a child harmed by an ASAA violation may bring a civil action and seek the greater of: (i) actual damages, or (ii) $1,000 per violation, plus litigation costs. The Utah Attorney General no longer has enforcement authority under the statute.

Safe Harbor for Developers

The developer safe harbor has been streamlined. In general, a developer may qualify for safe harbor protection when the developer acts in good faith reliance on the age category and verified parental consent information provided by the app store and otherwise complies with the developer’s obligations under the ASAA.

Practical Takeaways

  • Confirm applicability: For developers that were ready to comply with the original May 2026 implementation date, determine how this amendment changes your obligations. In particular, if your app is not intended for minors, consider whether to take advantage of the ability to restrict app stores from allowing minors to download your app.
  • Use the added time strategically: The operational compliance date is now May 6, 2027, but organizations may want to use the additional runway to evaluate technical options, vendor solutions, and product changes.
  • Assess private litigation exposure: With Attorney General enforcement removed, risk will be driven primarily by private suits (including potential statutory damages).
  • Review data governance: Developers receiving age category data should confirm that it is used only for the permitted purposes described in the amendments and that internal teams understand the limits.
Wiley Connect

Sign up for updates

Wiley Rein LLP Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek