cross-posted from: https://lemmy.world/post/37439450
S.B. No. 2420AN ACT relating to the regulation of platforms for the sale and distribution of software applications for mobile devices. BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: SECTION 1. Subtitle C, Title 5, Business & Commerce Code, is amended by adding Chapter 121 to read as follows: CHAPTER 121. SOFTWARE APPLICATIONS SUBCHAPTER A. GENERAL PROVISIONS Sec. 121.001. SHORT TITLE. This chapter may be cited as the App Store Accountability Act. Sec. 121.002. DEFINITIONS. In this chapter: (1) “Age category” means information collected by the owner of an app store to designate a user based on the age categories described by Section 121.021(b). (2) “App store” means a publicly available Internet website, software application, or other electronic service that distributes software applications from the owner or developer of a software application to the user of a mobile device. (3) “Minor” means a child who is younger than 18 years of age who has not had the disabilities of minority removed for general purposes. (4) “Mobile device” means a portable, wireless electronic device, including a tablet or smartphone, capable of transmitting, receiving, processing, and storing information wirelessly that runs an operating system designed to manage hardware resources and perform common services for software applications on handheld electronic devices. (5) “Personal data” means any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the data is used by a person who processes or determines the purpose and means of processing the data in conjunction with additional information that reasonably links the data to an identified or identifiable individual. The term does not include deidentified data or publicly available information. SUBCHAPTER B. DUTIES OF APP STORES Sec. 121.021. DUTY TO VERIFY AGE OF USER; AGE CATEGORIES. (a) When an individual in this state creates an account with an app store, the owner of the app store shall use a commercially reasonable method of verification to verify the individual’s age category under Subsection (b). (b) The owner of an app store shall use the following age categories for assigning a designation: (1) an individual who is younger than 13 years of age is considered a “child”; (2) an individual who is at least 13 years of age but younger than 16 years of age is considered a “younger teenager”; (3) an individual who is at least 16 years of age but younger than 18 years of age is considered an “older teenager”; and (4) an individual who is at least 18 years of age is considered an “adult.” Sec. 121.022. PARENTAL CONSENT REQUIRED. (a) If the owner of the app store determines under Section 121.021 that an individual is a minor who belongs to an age category that is not “adult,” the owner shall require that the minor’s account be affiliated with a parent account belonging to the minor’s parent or guardian. (b) For an account to be affiliated with a minor’s account as a parent account, the owner of an app store must use a commercially reasonable method to verify that the account belongs to an individual who: (1) the owner of the app store has verified belongs to the age category of “adult” under Section 121.021; and (2) has legal authority to make a decision on behalf of the minor with whose account the individual is seeking affiliation. © A parent account may be affiliated with multiple minors’ accounts. (d) Except as provided by this section, the owner of an app store must obtain consent from the minor’s parent or guardian through the parent account affiliated with the minor’s account before allowing the minor to: (1) download a software application; (2) purchase a software application; or (3) make a purchase in or using a software application. (e) The owner of an app store must: (1) obtain consent for each individual download or purchase sought by the minor; and (2) notify the developer of each applicable software application if a minor’s parent or guardian revokes consent through a parent account. (f) To obtain consent from a minor’s parent or guardian under Subsection (d), the owner of an app store may use any reasonable means to: (1) disclose to the parent or guardian: (A) the specific software application or purchase for which consent is sought; (B) the rating under Section 121.052 assigned to the software application or purchase; © the specific content or other elements that led to the rating assigned under Section 121.052; (D) the nature of any collection, use, or distribution of personal data that would occur because of the software application or purchase; and (E) any measures taken by the developer of the software application or purchase to protect the personal data of users; (2) give the parent or guardian a clear choice to give or withhold consent for the download or purchase; and (3) ensure that the consent is given: (A) by the parent or guardian; and (B) through the account affiliated with a minor’s account under Subsection (a). (g) If a software developer provides the owner of an app store with notice of a change under Section 121.053, the owner of the app store shall: (1) notify any individual who has given consent under this section for a minor’s use or purchase relating to a previous version of the changed software application; and (2) obtain consent from the individual for the minor’s continued use or purchase of the software application. (h) The owner of an app store is not required to obtain consent from a minor’s parent or guardian for: (1) the download of a software application that: (A) provides a user with direct access to emergency services, including: (i) 9-1-1 emergency services; (ii) a crisis hotline; or (iii) an emergency assistance service that is legally available to a minor; (B) limits data collection to information: (i) collected in compliance with the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. Section 6501 et seq.); and (ii) necessary for the provision of emergency services; © allows a user to access and use the software application without requiring the user to create an account with the software application; and (D) is operated by or in partnership with: (i) a governmental entity; (ii) a nonprofit organization; or (iii) an authorized emergency service provider; or (2) the purchase or download of a software application that is operated by or in partnership with a nonprofit organization that: (A) develops, sponsors, or administers a standardized test used for purposes of admission to or class placement in a postsecondary educational institution or a program within a postsecondary educational institution; and (B) is subject to Subchapter D, Chapter 32, Education Code. Sec. 121.023. DISPLAY OF AGE RATING FOR SOFTWARE APPLICATION. (a) If the owner of an app store that operates in this state has a mechanism for displaying an age rating or other content notice, the owner shall: (1) make available to users an explanation of the mechanism; and (2) display for each software application available for download and purchase on the app store the age rating and other content notice. (b) If the owner of an app store that operates in this state does not have a mechanism for displaying an age rating or other content notice, the owner shall display for each software application available for download and purchase on the app store: (1) the rating under Section 121.052 assigned to the software application; and (2) the specific content or other elements that led to the rating assigned under Section 121.052. © The information displayed under this section must be clear, accurate, and conspicuous. Sec. 121.024. INFORMATION FOR SOFTWARE APPLICATION DEVELOPERS. The owner of an app store that operates in this state shall, using a commercially available method, allow the developer of a software application to access current information related to: (1) the age category assigned to each user under Section 121.021(b); and (2) whether consent has been obtained for each minor user under Section 121.022. Sec. 121.025. PROTECTION OF PERSONAL DATA. The owner of an app store that operates in this state shall protect the personal data of users by: (1) limiting the collection and processing of personal data to the minimum amount necessary for: (A) verifying the age of an individual; (B) obtaining consent under Section 121.022; and © maintaining compliance records; and (2) transmitting personal data using industry-standard encryption protocols that ensure data integrity and confidentiality. Sec. 121.026. VIOLATION. (a) The owner of an app store that operates in this state violates this subchapter if the owner: (1) enforces a contract or a provision of a terms of service agreement against a minor that the minor entered into or agreed to without consent under Section 121.022; (2) knowingly misrepresents information disclosed under Section 121.022(f)(1); (3) obtains a blanket consent to authorize multiple downloads or purchases; or (4) shares or discloses personal data obtained for purposes of Section 121.021, except as required by Section 121.024 or other law. (b) The owner of an app store is not liable for a violation of Section 121.021 or 121.022 if the owner of the app store: (1) uses widely adopted industry standards to: (A) verify the age of each user as required by Section 121.021; and (B) obtain parental consent as required by Section 121.022; and (2) applies those standards consistently and in good faith. Sec. 121.027. CONSTRUCTION OF SUBCHAPTER. Nothing in this subchapter may be construed to: (1) prevent the owner of an app store that operates in this state from taking reasonable measures to block, detect, or prevent the distribution of: (A) obscene material, as that term is defined by Section 43.21, Penal Code; or (B) other material that may be harmful to minors; (2) require the owner of an app store that operates in this state to disclose a user’s personal data to the developer of a software application except as provided by this subchapter; (3) allow the owner of an app store that operates in this state to use a measure required by this chapter in a manner that is arbitrary, capricious, anticompetitive, or unlawful; (4) block or filter spam; (5) prevent criminal activity; or (6) protect the security of an app store or software application. SUBCHAPTER C. DUTIES OF SOFTWARE APPLICATION DEVELOPERS Sec. 121.051. APPLICABILITY OF SUBCHAPTER. This subchapter applies only to the developer of a software application that the developer makes available to users in this state through an app store. Sec. 121.052. DESIGNATION OF AGE RATING. (a) The developer of a software application shall assign to each software application and to each purchase that can be made through the software application an age rating based on the age categories described by Section 121.021(b). (b) The developer of a software application shall provide to each app store through which the developer makes the software application available: (1) each rating assigned under Subsection (a); and (2) the specific content or other elements that led to each rating provided under Subdivision (1). Sec. 121.053. CHANGES TO SOFTWARE APPLICATIONS. (a) The developer of a software application shall provide notice to each app store through which the developer makes the software application available before making any significant change to the terms of service or privacy policy of the software application. (b) For purposes of this section, a change is significant if it: (1) changes the type or category of personal data collected, stored, or shared by the developer; (2) affects or changes the rating assigned to the software application under Section 121.052 or the content or elements that led to that rating; (3) adds new monetization features to the software application, including: (A) new opportunities to make a purchase in or using the software application; or (B) new advertisements in the software application; or (4) materially changes the functionality or user experience of the software application. Sec. 121.054. AGE VERIFICATION. (a) The developer of a software application shall create and implement a system to use information received under Section 121.024 to verify: (1) for each user of the software application, the age category assigned to that user under Section 121.021(b); and (2) for each minor user of the software application, whether consent has been obtained under Section 121.022. (b) The developer of a software application shall use information received from the owner of an app store under Section 121.024 to perform the verification required by this section. Sec. 121.055. USE OF PERSONAL DATA. (a) The developer of a software application may use personal data provided to the developer under Section 121.024 only to: (1) enforce restrictions and protections on the software application related to age; (2) ensure compliance with applicable laws and regulations; and (3) implement safety-related features and default settings. (b) The developer of a software application shall delete personal data provided by the owner of an app store under Section 121.024 on completion of the verification required by Section 121.054. © Notwithstanding Subsection (a), nothing in this chapter relieves a social media platform from doing age verification as required by law. Sec. 121.056. VIOLATION. (a) Except as provided by this section, the developer of a software application violates this subchapter if the developer: (1) enforces a contract or a provision of a terms of service agreement against a minor that the minor entered into or agreed to without consent under Section 121.054; (2) knowingly misrepresents an age rating or reason for that rating under Section 121.052; or (3) shares or discloses the personal data of a user that was acquired under this subchapter. (b) The developer of a software application is not liable for a violation of Section 121.052 if the software developer: (1) uses widely adopted industry standards to determine the rating and specific content required by this section; and (2) applies those standards consistently and in good faith. © The developer of a software application is not liable for a violation of Section 121.054 if the software developer: (1) relied in good faith on age category and consent information received from the owner of an app store; and (2) otherwise complied with the requirements of this section. SUBCHAPTER D. ENFORCEMENT Sec. 121.101. DECEPTIVE TRADE PRACTICE. A violation of this chapter constitutes a deceptive trade practice in addition to the practices described by Subchapter E, Chapter 17, and is actionable under that subchapter. Sec. 121.102. CUMULATIVE REMEDIES. The remedies provided by this chapter are not exclusive and are in addition to any other action or remedy provided by law. SECTION 2. It is the intent of the legislature that every provision, section, subsection, sentence, clause, phrase, or word in this Act, and every application of the provisions in this Act to every person, group of persons, or circumstances, is severable from each other. If any application of any provision in this Act to any person, group of persons, or circumstances is found by a court to be invalid for any reason, the remaining applications of that provision to all other persons and circumstances shall be severed and may not be affected. SECTION 3. This Act takes effect January 1, 2026.
______________________________ ______________________________ President of the Senate Speaker of the House I hereby certify that S.B. No. 2420 passed the Senate on April 16, 2025, by the following vote: Yeas 30, Nays 1; and that the Senate concurred in House amendments on May 14, 2025, by the following vote: Yeas 30, Nays 1. ______________________________ Secretary of the Senate I hereby certify that S.B. No. 2420 passed the House, with amendments, on May 9, 2025, by the following vote: Yeas 120, Nays 9, three present not voting. ______________________________ Chief Clerk of the House Approved: ______________________________ Date ______________________________ Governor


Apps definitely qualify as products with digital elements. The term that determines whether Google has obligations is this scenario is ‘economic operator’ Here’s the definition for that:
When Google distributes apps via the Play Store, it is very obviously the distributor, which is defined:
If someone else distributes apps using other infrastructure that happen to run on an OS that Google made, Google is not the distributor and does not incur any obligations that apply to distributors. (For completeness, Google is obviously not the manufacturer, authorised representative, or importer either.)
The verification demand is for Google certified Android.
The OS or a phone both fit that definition.
An app fits the definition of a component.
Maybe you would have to argue that an app is not actually a component. But if it’s a stand-alone thing, then why does it rely on an OS?
I think you can make a good argument that a phone without an OS is not a system. It’s not capable of much. Maybe custom roms will remain an option.
Anyway, Google is not abusing that loophole. So, no problem. F-Droid encourages users to complain to EU lawmakers about Google being a meanie. Maybe the EU will close it anyway as part of future tech regulation.
Yes it does, and it means someone making and selling either has to have a certain level of knowledge about it supply chain.
If it’s bundled with the OS, it probably does. In that case, the OS vendor is a manufacturer and has a variety of obligations relative to the app detailed in article 13.
If the user is obtaining it directly from the developer and installing themselves, it doesn’t really matter if it’s a component or a product because the OS vendor is not distributing or manufacturing anything. If the app/OS combination were to be treated as a system of which the app is a component, it is the user who has manufactured that product by combining the two. If the user is not selling that system, they have no obligations under the CRA.
Components “placed on the market separately” are explicitly included a being part of the product.
Let me try to gather this together:
The manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person shall, on request, provide the market surveillance authorities with the name and address of any economic operator who has supplied them with a software product, including software or hardware components being placed on the market separately;
The who has supplied them part is the critical point here.
I’ll give an example outside of digital technology. If Ford sells a car with Michelin tires on it, Ford has some responsibility for those tires even though I can also buy them from Joe’s Tire Shop and put them on any car with the right size wheels. I can also buy Continental tires from Joe’s Tire Shop and put them on my Ford car. Ford has no responsibilities in relation to Continental Tires or Joe’s Tire Shop.
If Samsung preloads WhatsApp and Android on a phone, Samsung has to know where it got WhatsApp and Android. If I download Signal from https://signal.org/android/apk/ and install it on a Samsung phone running Google Android, neither Samsung nor Google is a party to that.
The CRA, including the parts you’re quoting does not impose any obligation on anyone with respect to a product or component they never touch.
I don’t see what makes you so certain. The EU unambiguously wants computing devices to be more locked down. It wants responsible developers to be tracked.
If your argument holds, then that only means that there is a loophole allowing devs to distribute apps anonymously. That’s where the car analogy fails. There are exceptions for small enterprises and “open source stewards”. These exist so that small players and start-ups won’t be overwhelmed by bureaucracy. They are not supposed to protect dev privacy or user freedom.
I can only repeat that I find your argument valid. I just don’t believe it would stand up in court. If Google was pushing back on this, I would still back them up on such arguments. But they understandably don’t.
Unless there is a major change in attitudes in Europe, we are going to see much more mandated control and surveillance, anyway.
Reading the text of the law makes me pretty certain. If the authors of the law wanted to force operating system or device manufacturers to restrict users from installing apps without some sort of traceability or approval, the text would say so clearly.
Google’s own statements about the policy are also a factor. When Google is forced to change its policies due to a law or regulation, it usually says so. Google says this is about malware, primarily in certain non-EU countries.
Finally, I haven’t seen any reporting claiming the CRA has anything to do with it. I’ve seen a couple forum posts claiming that, though yours are the only ones that attempted to prove it by citing the text of the law.