New Texas Privacy Law Opens the Door to a Private Right of Action

Starting January 1, 2026, mobile app developers and app stores that have not come into compliance with the Texas App Store Accountability Act may be at risk of both public and private enforcement. 

The TASAA imposes several obligations on app developers and app stores. In particular, the following requirements, which apply to developers who make an app available to users in Texas through an app store, are notable:

1. Age Rating for Apps: An app developer must (a) assign an age rating for each of its apps, (b) provide that age rating to each app store, and (c) provide the specific content or other elements that led to each rating to each app store.
2. Age Rating for Purchases: An app developer must (a) assign an age rating “to each purchase that can be made through the software application,” (b) provide that age rating to each app store, and (c) provide the specific content or other elements that led to each rating to each app store.
3. “Significant” Changes: An app developer must provide to each app store a notice of any significant changes to its app’s terms of service or privacy policies. A significant change is one that:
   1. Changes the type or category of personal data collected, stored, or shared by the developer;
   2. Affects or changes the rating assigned to the software application or the content or elements that led to that rating;
   3. Adds new “monetization features” to the app, such as “new opportunities to make an [in-app] purchase” and “new advertisements;” or
   4. Materially changes the functionality or user experience of the app.
4. Age Verification: An app developer must create and implement a system to verify (a) a user’s age category, and (b) whether parental consent has been obtained for a user that is a minor.

The TASAA also lists specific conduct by an app developer that may form the basis of a cause of action. Such conduct includes (1) enforcing a contract or term of service against a minor who entered into an agreement without parental consent (e.g., unauthorized purchases); (2) knowingly misrepresenting an age rating or reason for that rating; and (3) sharing or disclosing personal data that was acquired pursuant to the TASAA (i.e., for age-verification purposes).

Perhaps most importantly, unlike the other privacy and technology laws recently enacted in Texas, the TASAA does not explicitly restrict enforcement to the Texas Attorney General. Rather, a violation of the TASAA is actionable pursuant to the Texas Deceptive Trade Practices Act, which generally permits both private litigants and the Texas Attorney General to bring an action. Indeed, private litigants may obtain economic damages, injunctive relief, and attorney’s fees, while the Texas Attorney General may recover up to $10,000 per violation.

Accordingly, although there are several gray areas surrounding the TASAA (including jurisdictional and extraterritorial issues), companies should take steps before January 1, 2026, to minimize litigation and regulatory risks–especially given that similar laws will take effect in Utah and Louisiana later in 2026.

***

Womble’s Privacy and Cybersecurity Team assists clients with the full spectrum of proactive compliance, government investigations, and litigation in relation to consumer protection, privacy, cybersecurity, artificial intelligence, and data governance issues. Please do not hesitate to reach out to any of the authors with questions.