Louisiana App Store Age Law Delayed to 2027 as ID Breach Pattern Grows – Tech Times


Today was supposed to be the day Louisiana became the third U.S. state to enforce app store age verification — requiring Apple and Google to confirm every user’s age before allowing app downloads and linking minors’ accounts to their parents. Instead, July 1, 2026 is the date Louisiana’s original law was quietly pushed aside. On May 15, Gov. Jeff Landry signed HB 977, a replacement measure that repeals the original App Store Accountability Act and resets its enforcement clock to July 1, 2027. The reason the legislature moved was the same reason the rest of the country is watching: a near-identical law in Texas is currently fighting for its life in federal court after a judge ruled it likely violates the First Amendment. What the national delay-and-refile pattern now makes clear is that the central question in this debate has never been whether parents can protect their children — it is whether the only practical mechanism to do so requires every adult in America to submit a government ID to a third-party company that has already been breached twice.
The Louisiana legislature did not abandon its child-protection goal. It recalibrated under legal pressure and with enough time to avoid a court fight it might lose. The original HB 570 — authored by Rep. Kim Carver (R-Mandeville) and signed June 30, 2025 — required app stores to verify user ages at account creation, link minor accounts to verified parent accounts, and obtain per-download parental consent. Developers were independently required to ingest age signals and gate their apps accordingly. Violations carried civil penalties of up to $10,000 per incident, with a 45-day cure window before enforcement.
HB 977, sponsored by Rep. Gerald “Beau” Beaullieu IV (R-New Iberia) and signed May 15, 2026, formally repeals Act No. 481 of 2025 — the original HB 570 — and reenacts the Louisiana App Store Accountability Act (ASAA) with several targeted changes alongside the one-year delay. Under the revised law, developers may rely on app store-provided age signals rather than independently sourcing “other data” to satisfy verification obligations. A new “family account” exception allows applications with paid primary accounts (where the primary holder is verified as an adult) to use that holder’s age to set defaults for subaccounts. The law also removes a prior carveout for emergency-services apps, a change that Alston & Bird’s privacy team noted “may reflect legislative sensitivity to First Amendment challenges arguing application type-based exemptions indicate content-based speech restrictions.”
The legislative revision mirrors what Utah did in parallel: Utah’s ASAA was also delayed by one year, from May 2026 to May 2027, after a First Amendment challenge was filed. Louisiana’s legislature watched that pattern and acted preemptively before a challenge could be filed in its own state.
Louisiana’s revised law, like its predecessor, uses the phrase “commercially available methods reasonably designed to ensure accuracy.” That language sounds neutral. In practice, it is not. The law does not require government ID verification. But it excludes the weakest alternative — simple self-declaration of a birthdate — because that method is explicitly not “reasonably designed to ensure accuracy.” What remains as the practically deployable options are government ID upload, credit card confirmation (debit cards excluded in Texas’s implementation; Louisiana’s approach is expected to mirror that), or facial age estimation via a selfie processed by a third-party biometric vendor.
Apple’s Declared Age Range API — deployed in iOS 26.2 to support Texas compliance and extended globally — handles the developer-facing layer of this architecture in a genuinely privacy-preserving way. When a developer queries the API, it receives only an age bracket (under 13, 13–15, 16–17, or 18+) and a signal indicating how that bracket was verified, not the user’s actual birthdate, name, or identity document. The privacy preservation happens at the API boundary, not at the account creation boundary. To generate that bracket in the first place, a user creating a new Apple account in a covered state must submit to one of those identity-confirming methods — government Digital ID stored in Apple Wallet, a credit card, or a biometric selfie — at account setup. For adults who are clearly adults, this is a verification burden that exists solely to confirm a negative: that they are not a child.
Google’s Play Age Signals API offers a parallel architecture and was in beta rollout as of early 2026. The technical distinction between identity-based and assurance-based verification matters enormously here. Zero-knowledge proof systems — cryptographic methods that can confirm a user is over 18 without transmitting any identifying data to either the platform or the issuing government — exist and are being deployed in other contexts. Louisiana’s law, like those in Texas and Utah, does not require them. “Commercially reasonable” in a legal-compliance context means what Apple and Google’s existing infrastructure can defend in an enforcement proceeding, not what is technically optimal for adult privacy.
The privacy argument against mandatory age verification rests on a pattern that is no longer theoretical. In June 2024, security researchers discovered that AU10TIX — an Israeli identity verification company whose clients included TikTok, Uber, X (formerly Twitter), LinkedIn, PayPal, and Coinbase — had left administrative credentials exposed online for more than 18 months. The credentials, first compromised in December 2022 and posted to a public Telegram channel in March 2023, provided access to a logging platform containing users’ names, dates of birth, nationalities, identification numbers, and images of identity documents including driver’s licenses and passports. AU10TIX initially denied the credentials still worked; security researchers confirmed they did. Of the major platforms using AU10TIX’s services, only Upwork switched to a different provider following the disclosure. 404 Media’s investigation documented the full timeline.
In September 2025, attackers compromised the account of a support agent at 5CA, a third-party vendor handling Discord’s Zendesk-based customer service system. Over 58 hours of access, the attackers exfiltrated data from approximately 8.4 million support tickets. Discord confirmed that approximately 70,000 users had government-issued ID photos exposed — photos submitted for age verification appeals routed through a general-purpose customer service platform. The attackers initially claimed 2.1 million IDs; Discord’s investigation fixed the number at 70,000. Discord terminated its relationship with 5CA and switched to dedicated age verification providers.
The Electronic Frontier Foundation, which tracks age verification legislation, has a name for the pattern these incidents document: “In the final analysis, age verification systems are surveillance systems.” The EFF’s observation is specifically about the data collection architecture, not a judgment about child safety goals. Centralized repositories of identity documents are high-value breach targets precisely because that data is irreplaceable — a driver’s license number, once exposed, cannot be changed the way a password can.
The legal environment shaping Louisiana’s 2027 deadline is defined by two rulings in tension with each other. On June 27, 2025, the Supreme Court issued its landmark decision in Free Speech Coalition, Inc. v. Paxton, upholding Texas’s law requiring commercial websites publishing sexually explicit content to verify users’ ages before granting access. In a 6-3 ruling written by Justice Clarence Thomas — with Justice Elena Kagan dissenting alongside Justices Sotomayor and Jackson — the Court applied intermediate scrutiny and held that the law only “incidentally burdens the protected speech of adults.” The ruling was widely described as a constitutional green light for age verification mandates.
But the ruling is narrower than it appeared to advocates of broad digital age verification. Free Speech Coalition v. Paxton addressed content “obscene to minors” — sexually explicit material covered by decades of Supreme Court precedent giving states broad authority to shield children from that specific category of speech. App stores distribute weather apps, banking tools, educational software, and productivity suites alongside everything else. In December 2025, U.S. District Judge Robert Pitman blocked Texas’s ASAA — a law governing general-audience app store downloads — specifically because it “restricts access to a vast universe of speech by requiring Texans to prove their age before downloading a mobile app.” Pitman’s ruling acknowledged the importance of protecting children while holding that the law’s mechanism violated the First Amendment. The 5th Circuit’s administrative stay on May 28, 2026 allowed Texas to enforce the law while the circuit considers the constitutional question. That final ruling — not yet issued as of this writing — is the decision the entire industry is waiting for.
Louisiana’s delay means the current ASAA enforcement map looks like this: Texas’s law is actively enforceable under the 5th Circuit’s administrative stay, with Apple completing compliance for new Texas accounts as of June 4, 2026. Utah’s law has been delayed to May 2027. Alabama’s ASAA, signed in early 2026, is set to take effect January 1, 2027 — though that timeline is also subject to revision. California’s Digital Age Assurance Act (AB 1043), signed by Gov. Gavin Newsom in October 2025, takes a structurally different approach: it places the age-collection obligation on operating system providers at device setup, generating age bracket signals for apps without requiring government ID. California’s law takes effect January 1, 2027.
The gap between California’s model and the other states’ models is technically significant. California’s AB 1043 relies on self-declared date of birth entered at device setup — a lighter-touch approach that critics, including the Age Verification Providers Association, argue does not constitute genuine age assurance because it does not require any form of identity confirmation. A 15-year-old who enters a false birthdate at device setup transmits an adult signal to every app on their phone. The other states’ “commercially reasonable” standard, whatever its ambiguity, at minimum requires a mechanism with higher accuracy — which, in practice, means identity-confirming data.
For developers, the four-state patchwork means the compliance work already done for Texas applies structurally to Louisiana when it takes effect in 2027. The core technical obligations — integrating with Apple’s Declared Age Range API or Google’s Play Age Signals API, gating content or purchases based on age brackets, handling parental consent refresh when app terms change significantly — are consistent across the four states. Louisiana’s revised law adds a specific clarification that if an app store’s age signal conflicts with a developer’s internal data, the developer must apply the more restrictive (lower) age classification unless it has actual knowledge that its own data is more accurate.
One developer obligation that Louisiana’s law creates immediately — not in 2027 — is COPPA exposure. Once app stores transmit age signals indicating that a Louisiana user is under 13, a developer who receives that signal has actual knowledge of a minor user under federal law. COPPA obligations then apply to that specific user: data collection restrictions, verifiable parental consent requirements, and potentially an obligation to delete data already collected from that user. General-audience apps that have previously avoided COPPA compliance by claiming ignorance of user ages lose that defense the moment they integrate with the age-verification API stack.
Neither Apple nor Google is legally required to disclose the full technical lifecycle of a user’s identity data under Louisiana’s law, which specifies only that age verification data “shall be transmitted using industry standard encryption” and may only be used for compliance purposes. What Apple has disclosed publicly is that government Digital ID documents submitted through Apple Wallet are processed at the account level and that Apple’s Declared Age Range API subsequently transmits only the age bracket to developers. Apple’s stated policy is that it does not retain images of identity documents; the verification is processed and the document image is not stored. Third-party verification vendors, however — the AU10TIX and Persona-type companies that handle the actual document processing behind the scenes — operate under different retention policies that may not be disclosed to end users.
Louisiana’s law is silent on independent audit requirements. It does not require app stores or their verification subcontractors to undergo third-party security audits of their age verification infrastructure. The Discord breach occurred not at Discord’s own systems but at a Zendesk-based vendor — an outsourced support system that accumulated government ID photos as a side effect of handling age verification appeals. The breach was a supply chain attack on a system that probably was not designed to hold government documents at all. That structural risk — identity data flowing to secondary vendors not purpose-built for secure credential storage — is unaddressed by Louisiana’s law.
HB 977 introduces a developer safe harbor that the original HB 570 conspicuously lacked. Under the original law, a Louisiana developer could still face liability even if it relied in good faith on Apple’s or Google’s age verification data — if something went wrong on the developer’s end after the app store did its job. The revised law clarifies that developers may rely on app store-provided parental consent signals without independently verifying that consent. This change addresses one of the most significant compliance concerns expressed by developers: that good-faith reliance on Apple and Google’s infrastructure was not a defense under Louisiana law the way it was under Texas’s law.
Texas, by contrast, explicitly requires developers to delete age data after the verification process is complete. Louisiana’s HB 977 does not include an equivalent deletion mandate. How developers should handle age bracket signals stored in their own systems after a Louisiana user deletes their account, or after parental consent is revoked, is not explicitly addressed in the revised statute.
The political and legislative momentum behind App Store Accountability Acts is not diminishing. Alabama signed its version in early 2026. More than a quarter of U.S. states have introduced related legislation. The federal KIDS Act, which passed the House Energy and Commerce Committee on a 28-24 party-line vote in March 2026, would add age verification requirements for users across federally regulated platforms — though its preemption language, which would override the state-by-state patchwork, was one of the primary Democratic objections to the package.
Louisiana’s one-year delay — like Utah’s — is best understood as a calibration move, not a retreat. The state’s legislature watched Texas’s law get blocked, revised its own law to tighten the compliance architecture and reduce obvious constitutional vulnerabilities, and pushed the effective date forward to give courts time to resolve the Texas challenge before Louisiana’s law faces the same fight. If the 5th Circuit upholds the Texas ASAA on First Amendment grounds, Louisiana will almost certainly proceed to enforcement in July 2027. If it does not, Louisiana will almost certainly amend again.
What will not change, regardless of those legal outcomes, is the underlying technical reality that any age verification system robust enough to satisfy a “commercially reasonable” standard will require identity-confirming data from all users — not just from minors. The children being protected by these laws will never submit their own documents; their parents will. The people submitting government IDs to Apple, Google, and whatever verification subcontractors sit behind them are adults proving they are not children. Two confirmed breaches at identity verification vendors since 2024 demonstrate that those documents, once collected, are a target.
No. The original law (HB 570, Act No. 481 of 2025) was repealed and replaced by HB 977, signed May 15, 2026 by Gov. Jeff Landry. The new law takes effect July 1, 2027. Today — July 1, 2026 — is the date the original law would have taken effect, but that provision is no longer operative.
Not yet — the law doesn’t take effect until July 2027. But in Texas, where a similar law is currently enforceable under a 5th Circuit administrative stay, any adult creating a new Apple account must confirm their age through Apple’s Declared Age Range system, which accepts a government Digital ID stored in Apple Wallet, a credit card, or a biometric selfie. Louisiana’s law uses the same “commercially reasonable methods” language and is expected to produce a similar verification architecture when it takes effect.
Louisiana’s revised law (HB 977) gives developers a clearer safe harbor: they can rely on app store-provided age signals and parental consent data without independently re-verifying that information. This addresses a gap in the original HB 570, which left developers potentially liable even when they acted on Apple’s or Google’s data in good faith. Louisiana’s law does not require data deletion after verification is complete — a requirement Texas has. Developers should also note that receiving an “under 13” age signal immediately triggers COPPA obligations for that user regardless of whether Louisiana’s law is fully in effect.
They are documented rather than theoretical. In 2024, identity verification company AU10TIX — used by TikTok, X, Uber, LinkedIn, and PayPal — had administrative credentials exposed for more than 18 months, giving anyone who found them access to users’ names, birthdates, nationalities, ID numbers, and document images. In September 2025, approximately 70,000 Discord users had government-issued ID photos exposed when attackers compromised a third-party customer service vendor handling age verification appeals. Unlike compromised passwords, exposed driver’s license numbers and document images cannot be changed. Both incidents were discovered only because outside researchers found the evidence — not through company disclosure.
ⓒ 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.
