Alabama Flag

Key point: Alabama joins the growing list of states that have enacted app store laws.

On February 17, 2026, Alabama Governor Kay Ivey signed HB 161 into law. In doing so, Alabama joins Texas, Utah, and Louisiana as states having passed app store laws. California passed a similar-in-concept Digital Age Assurance Act last year. Alabama is the first of what could be multiple states to pass app store laws this year. We are currently tracking bills in 10 states: Arizona, Florida, Georgia, Iowa, Kansas, Kentucky, Maryland, New Hampshire, South Dakota, and Wisconsin. Utah is also considering a bill to amend its law. Lawmakers are pursuing these bills even though a Texas federal district court ruled that the Texas law is unconstitutional (although that ruling is being appealed) and a trade association sued to block Utah’s law.

In the below post, we provide a brief overview of the Alabama law.

Applicability

Similar to Louisiana, Texas, and Utah — Alabama’s app store law applies to both app store providers and developers. App store providers are entities that own, operate, or control an app store that allows Alabama account holders to download mobile apps. Whereas, developers are entities that own or control an app that is either made available through an app store or is a pre-installed app.

Requirements

Developers

The law requires developers to:

  • Age Verification: Use the app store’s data sharing methods to verify user age categories and for minors (under 18), confirm whether verifiable parental consent (VPC) has been obtained.
  • Significant Changes: Notify app store providers of any significant changes to an app.
  • Age Data Use: Use age category data only to enforce age-related restrictions, protections, or defaults, ensure legal compliance, or implement safety-related features.
  • Consent: Request age category data or VPC when an account holder downloads or purchases an app, launches a pre-installed app for the first time, or when implementing a significant change to an app.
  • Features and Defaults: Apply the lowest applicable age category when implementing any age-related restrictions, features, or default settings.

Developers may request age category data: (1) no more than once in any 12-month period to confirm the accuracy of age category data or continued account use within that age category; (2) when there is a reasonable suspicion of an account transfer or misuse; and (3) when a user creates a new account.

App Store Providers

The law requires app store providers to request age category information from individuals and to verify each individual’s age category using either a commercially available method or an age verification system that complies with the law. When an app store provider determines that an individual is a minor, the provider must:

  • Require that account to be affiliated with a parent account;
  • Obtain VPC from the parent account holder before the minor downloads an app, purchases an app, or makes an in-app purchase; and
  • Provide a mechanism for the parent to withdraw consent and notify developers when consent is withdrawn.

If an app store provider receives notice of a significant change from a developer, it must notify the user of the change and for a minor account, notify the parent and obtain renewed VPC before providing access to the changed version of the app.

App store providers must give developers real-time access to the age-category data for each Alabama user and the status of VPC for each Alabama minor.

The law also requires app store providers to safeguard age verification data by limiting the collection and processing to what is necessary to verify a user’s age, obtain parental consent, or maintain compliance records. Age verification data may only be transmitted using industry-standard encryption protocols that ensure data integrity and confidentiality.

Developer and App Store Providers

Developers and app store providers may not: (1) enforce a contract or terms of service against a minor unless the provider has obtained VPC; (2) knowingly misrepresent information in the parental consent disclosure; or (3) share age category data or any other associated data except as required by law.

Enforcement

Any knowing or reckless violation of the law constitutes a deceptive trade practice, and the attorney general (AG) may bring an action under Alabama’s Deceptive Trade Practice Act. The law authorizes the AG to seek civil penalties of up to $7,500 per violation, as well as reasonable attorneys’ fees and court costs. The AG may also pursue punitive damages if a violation is part of a consistent pattern of knowing or reckless conduct. An action must be brought within one year from the date the AG knew or should have known of the alleged violation.

Developers are not liable for violating the app store law if they can demonstrate that they (1) relied in good faith on age category data and VPC notice provided by the app store provider, and (2) complied with the law’s requirements.

App store providers are not liable for violating the app store law based on an erroneous age category signal if they can demonstrate that they (a) used a commercially reasonable age verification process, (b) exercised due care in conducting the process, and (c) made reasonable efforts to reconcile any discrepancies between a parent’s attestation and other age data collected.

Rulemaking

The law requires the AG to adopt rules that will establish age verification processes for app store providers.

Effective Date

January 1, 2027