HB2920 - 572R

Be it enacted by the Legislature of the State of Arizona:

Section 1. Title 44, chapter 9, Arizona Revised Statutes, is amended by adding article 27, to read:

ARTICLE 27. SOFTWARE APPLICATIONS

START_STATUTE44-1383. Definitions

In this article, unless the context otherwise requires:

1. "Account holder" means the individual who is associated with a mobile device.

2. "Age category":

(a) Means a category that is based on an individual's age.

(b) Includes the following:

(i) An individual who is less than thirteen years of age.

(ii) An individual who is at least thirteen years of age and not more than sixteen years of age.

(iii) An individual who is at least sixteen years of age and less than eighteen years of age.

(iv) An individual who is eighteen or more years of age.

3. "Age category data" means information about an account holder's age category that is collected by an app store provider and that is shared with a developer.

4. "Age rating" means one or more classifications that assess the suitability of an app's content and function for different age groups.

5. "Application" or "App" means a software application or electronic service that a user may run or direct on a mobile device, including preinstalled applications.

6. "App store" means a publicly available website, software application or electronic service that allows account holders to download applications from third-party developers onto a mobile device.

7. "App store provider" means a person that owns, operates or controls an app store that allows account holders in this state to download apps to a mobile device.

8. "Content description" means a description of the specific content elements or functions that informed an app's age rating.

9. "Developer" means a person that owns or controls an application that was either made available through an app store or preinstalled onto a mobile device.

10. "Knowingly" means to act with actual knowledge or to act with knowledge fairly inferred based on objective circumstances.

11. "Minor":

(a) has the same meaning prescribed in section 1-215.

(b) Does not include an individual who is either:

(i) Married.

(ii) Legally emancipated.

12. "Minor account" means an account with an app store provider that is established by a minor and that is affiliated with a parent account.

13. "Mobile device" means a phone or general purpose tablet that:

(a) Provides cellular or wireless connectivity.

(b) Runs a mobile operating system.

(d) Is capable of running applications through the mobile operating system.

14. "Mobile operating system" means software that does all of the following:

(a) Manages mobile device hardware resources.

(b) Provides common services for mobile device programs.

(d) Provides interfaces for apps to access device functionality.

15. "Parent" means, with respect to a minor, an individual who is reasonably believed to be any of the following:

(a) A parent.

(b) A legal guardian.

(d) An individual who has the legal authority to make decisions on behalf of the minor under this state's laws.

16. "Parent account" means an account with an app store provider that:

(a) Is verified to be established by an individual who is at least eighteen years of age or is married or legally emancipated. The app store provider shall use its age verification methods to make this determination.

(b) May be affiliated with one or more minor accounts.

17. "Parental consent disclosure" means the following information:

(a) The app's or in-app purchase's age rating if the app store provider has an age rating for the app or in-app purchase.

(b) The app's or in-app purchase's content description if the app store provider has a content description for the app or in-app purchase.

(i) The personal data collected by the application from the account holder.

(ii) The personal data shared by the app with a third party.

(iii) The methods implemented by the developer to protect personal data if the personal data is collected by the app.

18. "Preinstalled application":

(a) Means any application, or portion of an application, that is present on a mobile device at the time of purchase, initial activation or first use by the consumer, including:

(i) Browsers.

(ii) Search engines and messaging.

(iii) An application or a portion of an application installed or partially installed by the device manufacturer, wireless service provider or retailer or any other party before purchase, initial activation or first use by the consumer and that may be updated after the purchase, initial activation or first use.

(b) Does not include:

(i) Core operating system functions.

(ii) Essential device drivers.

(iii) Applications necessary for basic device operation, such as phones, settings and emergency services applications.

19. "Significant change":

(a) Means a material modification to an application's terms of service or privacy policy that Materially:

(i) Changes the categories of data collected, stored or shared.

(ii) Alters the application's age rating or content description.

(b) Includes:

(i) In-app purchases if there were no in-app purchases previously present.

(ii) Advertisements if there were no advertisements previously present in the app.

20. "Verifiable parental consent":

(a) Means authorization that is provided by a parent account after the app store provider has clearly and conspicuously provided a parental consent disclosure as part of the application download or purchase or during the in-app purchasing process.

(b) Includes consent by a parent who provides an affirmative choice to either:

(i) Grant consent.

(ii) Decline consent. END_STATUTE

START_STATUTE44-1383.01. App store providers; duties; requirements

A. If an individual who is located in this state creates an account with an app store provider or for existing accounts within twelve months before the effective date of this section, the app store provider shall both:

1. Request the age category information from the individual.

2. Verify the individual's age category by using either:

(a) A commercially available method that is reasonably designed to ensure accuracy.

(b) An age verification method or process that complies with rules adopted by the attorney general pursuant to section 44-1383.03.

B. If the app store provider determines that the individual is a minor, the app store provider shall:

1. Require the minor's account to be affiliated with a parent account.

2. Obtain verifiable parental consent from the holder of the affiliated parent account each time before allowing the minor to do any of the following:

(a) Download an application.

(b) Purchase an application.

3. After receiving notice of a significant change from a developer, do both of the following:

(a) Notify the parent account holder of the significant change.

(b) For a minor account, notify the parent account of the significant change and obtain renewed verifiable parental consent before providing access to the significantly changed version of the application even if parental consent was granted before the significant change.

4. In response to a request from a developer pursuant to section 44-1383.02, provide to the developer the age category data for an account holder that is located in this state and the status of verifiable parental consent for a minor who is located in this state.

5. Provide a mechanism for a parent account holder to withdraw consent and notify the developer when a parent withdraws verifiable parental consent.

6. Protect age category data and associated verification data by limiting the collection and processing of the necessary data to do all of the following:

(a) Verify an account holder's age category.

(b) Obtain verifiable parental consent.

(d) Transmit age category data using industry standard encryption protocols to ensure data integrity and confidentiality.

7. For preinstalled apps, do both of the following:

(a) Provide available age category information in response to a request from a developer.

(b) Take reasonable measures to facilitate verifiable parental consent for use of the application in response to a request from a developer.

C. An app store provider may not do any of the following:

1. Enforce a contract or terms of service against a minor unless the app store provider has obtained verifiable parental consent.

2. Knowingly misrepresent the information in the parental consent disclosure.

3. Share age category data and any associated data except as required by this article or as otherwise required by law. END_STATUTE

START_STATUTE44-1383.02. Developer requirements; app store purchases; age category verification

A. A developer shall:

1. Verify through the app store's data sharing methods the age category data of the account holder who is located in this state and, for a minor, whether verifiable parental consent has been obtained.

2. Notify each app store provider about a significant change to an application.

3. Use age category data received through the app store's data sharing methods to both:

(a) Enforce any developer-created, age-related restriction or safety-related feature or default.

(b) Ensure compliance with applicable laws and regulations.

4. Request age category data or verifiable parental consent at the time an account holder does any of the following:

(a) Downloads an application.

(b) Purchases an application.

(d) Implements a significant change to the application.

(e) Complies with applicable law.

B. A developer may request age category data:

1. Not more than one time during a twelve-month period to verify either of the following:

(a) The accuracy of the age category data that is associated with the account holder.

(b) Whether continued account use is within the proper age category.

2. When there is reasonable suspicion of either:

(a) An account transfer.

(b) Any misuse outside of the age category.

3. At the time an account holder creates a new account with the developer.

C. When implementing any developer-created, age-related restrictions or safety-related features or defaults, a developer shall use the lowest age category indicated by either:

1. The age category data received through the app store's data sharing methods.

2. The age data independently collected by the developer.

D. A developer may not do any of the following:

1. Enforce a contract or terms of service against a minor unless the developer has verified through the app store's data sharing methods that verifiable parental consent has been obtained.

2. Knowingly misrepresent any information in the parental consent disclosure.

3. Share age category data with any person. END_STATUTE

START_STATUTE44-1383.03. Attorney general; rulemaking

The attorney general shall adopt rules to establish processes and means by which an app store provider may verify an account holder's age category in accordance with this article. END_STATUTE

START_STATUTE44-1383.04. Civil action; attorney general; enforcement; violation; penalties

A. A minor or the parent of a minor who has been harmed by a violation of this article may bring a civil action against the app store provider or the developer.

B. A court of competent jurisdiction may award a prevailing plaintiff any or all of the following:

1. The greater of either the actual damages amount or $1,000 for each violation.

2. Punitive damages if the violation was egregious.

3. Reasonable attorney fees.

4. Litigation costs.

C. A violation of this article is a consumer fraud violation pursuant to chapter 10, article 7 of this title.

D. In addition to any other remedy available under state law, the attorney general may bring an action against an app store provider or a developer to:

1. Recover a civil penalty of not more than $75,000 for each violation.

2. Restrain or enjoin the app store provider or developer from violating this article.

3. Seek injunctive relief.

4. Recover reasonable attorney fees.

5. Recover litigation costs and reasonable costs for investigating the violation. END_STATUTE

START_STATUTE44-1383.05. Developer immunity; applicability

A. A developer is immune from liability for a violation of this article if the developer demonstrates that the developer both:

1. Relied in good faith on both:

(a) The applicable age category data that was received through the app store's data sharing methods.

(b) The notification provided by the app store provider that verifiable parental consent was obtained if the account holder is a minor.

2. Complied with the requirements described in section 44-1383.02.

B. In determining an application's age rating and content description, a developer is not liable for a violation of this article if the developer uses widely adopted industry standards to determine the application's age category and content description and applies those standards consistently and in good faith.

C. The immunity described in this section both:

1. Applies only to actions brought under this article.

2. Does not limit a developer or an app store provider's liability under any other applicable law.

D. This article does not replace any other available remedy or right in state or federal law. END_STATUTE

START_STATUTE44-1383.06. Application

This chapter does not:

1. Prevent an app store provider or developer from taking reasonable measures to:

(a) Block, detect or prevent distribution to minors of:

(i) Unlawful material.

(ii) Obscene material.

(iii) Other harmful material.

(b) Block or filter spam.

(d) Protect an app store or app security.

2. Require an app store provider to disclose user information to a developer beyond age category data or status of parental consent.

3. Allow an app store provider or developer to implement measures required by this chapter in a manner that is arbitrary, capricious, anticompetitive or unlawful.

4. Require a developer to collect, retain, reidentify or link any information beyond what is either:

(a) Necessary to verify age category data as required by this chapter.

(b) Collected, retained, reidentified or linked in the developer's ordinary course of business.

5. Require an app store provider or developer to block access to an application that an account holder has downloaded or installed onto a mobile device before the effective date of this section, except to the extent that:

(a) A parent account revokes a verifiable consent for an affiliated minor account.

(b) There has been a significant change to the application. END_STATUTE

Sec. 2. Effective date

This act is effective from and after November 30, 2026.

Sec. 3. Severability

If a provision of this act or its application to any person or circumstance is held invalid, the invalidity does not affect other provisions or applications of the act that can be given effect without the invalid provision or application, and to this end the provisions of this act are severable.