Apple Expands App Store Age Assurance and 18+ Download Restrictions
Apple introduced expanded age assurance capabilities for the App Store to support compliance with new or emerging regulations in multiple jurisdictions, including Brazil, Australia, Singapore, Utah, and Louisiana. As of Feb. 24, 2026, Apple began blocking downloads of 18+ rated apps in Brazil, Australia, and Singapore unless the user is confirmed to be an adult, using what Apple describes as “reasonable methods” for age confirmation. Apple also expanded the Declared Age Range API (iOS/iPadOS/macOS) and related platform components (including PermissionKit’s Significant Change API, a new StoreKit age-rating property type, and App Store Server Notifications) to provide developers with an age category plus signals about the assurance method and whether regulatory requirements apply; in Brazil, certain disclosures (e.g., loot boxes) can drive an app’s rating to 18+.
Broader policy debate continues around online age assurance in the U.S. and internationally, with jurisdictions adopting or considering stricter mandates and platforms preparing new verification requirements. Public skepticism remains elevated due to backlash against age-gating (including reported VPN usage spikes in response to the UK’s requirements) and concerns about data security following breaches at age-verification providers (e.g., Sumsub disclosing a previously undetected 2024 compromise). The policy environment is also being shaped by U.S. state laws and litigation, including the Supreme Court’s decision in Free Speech Coalition v. Paxton upholding Texas’s age verification law, while proponents argue that privacy-preserving age assurance approaches are becoming more technically mature and scalable.
Sources
Related Stories
Apple Security and Compliance Updates for Government and Child-Safety Requirements
Apple announced new *age-assurance* capabilities aimed at complying with expanding child-safety regulations, centered on an updated **Declare Age Range API** that returns an age bracket (e.g., under 13, 16–17) rather than a precise birthdate. In certain jurisdictions (including Australia, Brazil, and Singapore), Apple also plans to **block downloads of 18+ apps** until the user confirms they are an adult via an App Store-managed flow, alongside OS-level family settings intended to enforce age-appropriate restrictions without pushing sensitive identity collection to individual apps and websites. Separately, Apple’s **iOS 26** and **iPadOS 26** (with specific hardware) were reported as receiving **NATO Restricted** approval, enabling use for classified information up to the Restricted level under an “Indigo” configuration listed in NATO’s Information Assurance Product Catalogue. The approval was attributed to platform security features such as encryption, **Face ID**, and **Memory Integrity Enforcement**, with additional emphasis on Secure Enclave capabilities in newer chips; the evaluation reportedly involved Germany’s BSI. A third item provides general guidance on **CUI enclaves** and **NIST SP 800-171** controls for protecting Controlled Unclassified Information on mobile/remote-access workflows, but it does not describe the Apple/NATO certification or Apple’s age-verification tooling as a specific event.
1 weeks ago
California Digital Age Assurance Act Mandates OS-Level Age Signaling via API
California’s **Digital Age Assurance Act (AB 1043)** establishes a statewide requirement for *operating system providers* to collect a user’s age information during OS account setup and expose an age-range signal to application developers through a “reasonably consistent” real-time API when an app is downloaded or launched. The law’s definition of OS provider is broad enough to include major commercial platforms (**Windows, macOS, Android, iOS**) as well as **Linux distributions** and **Valve’s SteamOS**, and it specifies four age brackets: *under 13*, *13 to under 16*, *16 to under 18*, and *18+*. Developers who request and receive the signal are treated as having “actual knowledge” of the user’s age range, shifting compliance and content-suitability liability toward app providers; enforcement is assigned to the California Attorney General with penalties up to **$2,500 per affected child** for negligent violations and **$7,500** for intentional violations. Separate reporting highlights broader **age/identity verification** pressure across consumer platforms, including Discord’s planned move to require age verification in 2026, which has triggered privacy concerns about submitting government IDs or face scans and renewed scrutiny following a prior breach that exposed IDs for roughly **70,000 users**. Other items in the set are not about AB 1043 or OS-level age signaling and instead cover general security roundups, interviews, conference write-ups, exam prep material, and unrelated policy or industry commentary; they do not add substantiated details about the California OS age-verification mandate or its implementation requirements.
2 weeks agoWidespread Privacy Risks from Mobile App Data Practices and Regulatory Age Verification Requirements
A recent large-scale analysis of 50,000 mobile applications has revealed that over 77% of these apps leak personally identifiable information due to insecure data handling and insufficient privacy controls. The study found that many iOS applications fail to include required privacy manifests, while Android apps often circumvent explicit data-safety disclosures, creating significant blind spots in user privacy protections. These vulnerabilities are particularly concerning given the central role mobile devices play in daily communications and financial transactions, making users susceptible to tracking, profiling, and data theft. The research underscores the systemic nature of privacy risks in the mobile app ecosystem, with both platforms exhibiting gaps in transparency and compliance. In parallel, regulatory efforts to protect minors online are introducing new privacy challenges, as exemplified by Texas's SB 2420 law, which mandates age assurance for app store users and developers. Apple has voiced strong concerns that such laws require the collection and storage of sensitive personal information, such as government IDs, even for benign app downloads, thereby increasing the risk of data breaches. Starting January 1, 2026, Apple will require new account holders to confirm they are over 18, and minors will need parental consent for app downloads and purchases, further expanding the amount of sensitive data collected. Apple argues that these requirements should be limited to apps where age verification is truly necessary, warning that blanket mandates could have unintended privacy consequences. The complexity is heightened by the patchwork of state-level laws, with similar regulations set to take effect in Utah and Louisiana, compelling developers to adapt to varying compliance standards. The risks of such data collection are not theoretical; a recent breach at a third-party provider for Discord, which handled age verification, resulted in the exposure of sensitive government ID images. This incident illustrates the tangible dangers of accumulating large repositories of personal data for regulatory compliance. The convergence of insecure app data practices and regulatory-driven data collection amplifies the threat landscape for mobile users. Both industry and regulators face the challenge of balancing user safety, especially for minors, with the imperative to minimize unnecessary data exposure. The findings highlight the urgent need for stronger privacy-by-design principles in app development and more nuanced regulatory approaches that do not inadvertently increase user risk. As mobile platforms continue to evolve, ongoing vigilance and collaboration between stakeholders will be essential to safeguard user privacy. The situation calls for immediate action from app developers, platform providers, and policymakers to address these multifaceted privacy threats. Users are advised to remain cautious about the permissions they grant and the information they share with mobile applications. The broader industry must prioritize transparency, user control, and robust security measures to restore trust in the mobile app ecosystem.
5 months ago