PRIVO Blog

Texas Tightens Rules for Protecting Kids Online: How to Handle Users Under TASAA, SCOPE & the Texas Data Privacy and Security Act

Written by PRIVO | 10/8/25 4:52 PM

Texas now has a three-layer framework affecting how apps and platforms handle youth privacy and consent:

  • Texas App Store Accountability Act (TASAA) – effective January 1, 2026

  • Texas SCOPE Act (HB 18)in force but partially enjoined (litigation ongoing)

  • Texas Data Privacy and Security Act (TDPSA)in force now (effective July 1, 2024)

Below we explain what’s enforceable, what’s coming, and how to prepare without collecting more data than required for the purpose or disrupting the user experience.


1) Texas App Store Accountability Act (TASAA): Consent at the Point of Access (App Stores), Compliance in-App (Developers)

The Texas App Store Accountability Act (TASAA) goes into effect on January 1, 2026.

Who does what?

  • App Stores (e.g., Apple, Google) must verify users into age categories (child <13; younger teen 13–15; older teen 16–17; adult 18+) and obtain parental consent before a minor can download an app, purchase an app, or make an in-app purchase. They must present parents with the app’s rating, the reasons for that rating, a summary of data practices, and protective measures.

  • Developers must assign age ratings (for the app and each in-app purchase), provide “significant change” notices to the store, consume the store’s age/consent signal, and then apply appropriate in-app protections.

Enforcement: Unlike most state privacy laws, the TASAA can be enforced by both the Texas Attorney General and private citizens under the Texas Deceptive Trade Practices Act. This means violations could trigger lawsuits, injunctive relief, and civil penalties of up to $10,000 per violation, making compliance especially critical.

Critical nuance: The app store’s consent covers the download/purchase event. It does not replace in-app COPPA/GDPR consent for account creation, data collection, messaging, profiling, etc. Developers remain responsible for ongoing, in-app compliance.


2) Securing Children Online through Parental Empowerment (SCOPE) Act: Big Ambitions, Partial Injunction

The SCOPE Act (HB 18) targeted minors’ social experiences (age registration, content filtering, ads limits, parental tools and consent). A federal court has blocked key provisions (e.g., content filtering and broad age-verification mandates). The case is on appeal, so requirements may change.

Low-regret prep while litigation continues:

  • Continue age capture/registration in account flows (and log immutable age status/changes).

  • Keep parental-consent workflows ready for higher-risk features (posting, messaging, data sharing).

  • Maintain a feature flag/toggle approach so stricter controls can be re-enabled quickly if the injunction narrows.


3) Texas Data Privacy and Security Act (TDPSA): General Texas Privacy Duties (Live Now)

The Texas Data Privacy and Security Act applies to most companies doing business in Texas (with SBA “small business” carve-outs). It grants Texans rights to access, correct, delete, portability, and to opt out of sales, targeted ads, and certain profiling. It requires privacy notices, data minimization, security, and Data Protection Assessments (DPAs) for targeted ads, sales, profiling with risk, and sensitive data (which includes children’s data).

Enforcement: Texas AG only, with a 30-day cure period.

Note: If you comply with COPPA’s verifiable parental consent online, TDPSA treats that as satisfying parental-consent requirements for children’s data.


What This Means in Practice

Touchpoint Primary Duty What Must Happen
Pre-download / purchase App Store Verify age category; link to verified parent account for minors; obtain per-transaction parental consent; disclose rating/reasons/data summary; pass consent status to developer.
In-app engagement Developer Apply age-appropriate experiences; obtain in-app consent where required (COPPA/GDPR/SCOPE Act); limit/minimize data; provide parental controls; honor revocations.
General privacy Controller (most companies) TDPSA notice/rights (access, correct, delete, portability, opt-outs), security, data minimization, DPAs for targeted ads/sales/profiling/sensitive data; special handling of kids’ data.


Developer & Product Checklist 

Account & Age Handling

  • Capture date of birth/age at account creation; prevent casual age downgrades/upgrades; log changes.

  • When the store indicates a user is a minor, respect that signal everywhere in-app.

Parental Consent & Controls

  • Integrate in-app parental-consent workflows for data collection, accounts, messaging, and social features (COPPA/GDPR alignment).

  • Honor parental revocation and reflect status across data flows and features.

  • Maintain audit-ready logs (timestamp, method, parent identity verification evidence).

Data Practices (TDPSA)

  • Publish/update a Texas-compliant privacy notice (categories, purposes, sensitive data, opt-out methods).

  • Implement opt-outs for sale, targeted ads, and profiling with significant effects.

  • Run DPAs for targeted ads, sales, profiling presenting risks, and sensitive data (incl. children).

  • Minimize collection; secure data; document retention/deletion and DSAR handling (45 days + one 45-day extension; appeals).

App Store Interfaces (TASAA Prep)

  • Provide age ratings for the app and each in-app purchase, plus the content/elements that drove those ratings.

  • Implement a “significant change” notification pipeline to app stores (privacy policy, monetization, functionality changes).

  • Consume and enforce the store’s age/consent signal (e.g., gate features, require in-app VPC where needed).

Operational Resilience

  • Design compliance as config flags so you can adapt quickly to SCOPE court changes or new state rules.

  • Avoid over-collection: verify just enough, keep signals, encrypt at rest/in transit, and delete verification data when no longer needed.

How PRIVO Bridges the Gaps

  • Smart Age Gate™, Age Aware™ Signal , Age Verification – Privacy-preserving age-assurance that aligns with TASAA’s “commercially reasonable” standard and interoperates with app-store signals.

  • PRIVO iD Platform – End-to-end parental consent (download-level and in-app), revocations, and audit logs that satisfy COPPA/GDPR and support SCOPE Act and TDPSA documentation.

  • Kids Privacy Assured Program – Ongoing alignment with privacy regulations protecting children.


Closing Thought

Texas is connecting the dots between platform-level access control (TASAA), social engagement safeguards (SCOPE), and baseline privacy rights (TDPSA). The smartest path is an interoperable compliance stack that separates download consent (app store) from in-app consent and data duties (developer) — all backed by strong privacy engineering and clear parental engagement.

PRIVO helps you do exactly that — in Texas and beyond.

🔗 Contact us to learn how PRIVO’s Age Aware™ Solutions can help your organization comply with the Texas laws and other emerging regulations requiring age verification and consent.

Status Disclaimer: This post is for general information and reflects our understanding as of October 2025. SCOPE litigation is ongoing and may change obligations; consult counsel for specific advice.

#AgeVerification #TASAA #AgeAssurance #ChildPrivacy #ParentalConsent #PRIVO

 
View full post