MISSISSIPPI LEGISLATURE
2026 Regular Session
To: Judiciary A
By: Representative Powell
AN ACT TO REQUIRE APP STORE PROVIDERS TO REQUEST AND VERIFY A USER'S AGE CATEGORY AT THE TIME THE USER CREATES AN ACCOUNT, TO REQUIRE A MINOR'S ACCOUNT TO BE AFFILIATED WITH A PARENT ACCOUNT, TO OBTAIN VERIFIABLE PARENTAL CONSENT BEFORE ALLOWING THE MINOR TO DOWNLOAD AN APP, PURCHASE AN APP, OR MAKE AN IN-APP PURCHASE, AND TO SHARE AGE CATEGORY DATA WITH DEVELOPERS; TO PROHIBIT APP STORE PROVIDERS AND DEVELOPERS FROM ENFORCING CONTRACTS AGAINST MINORS WITHOUT VERIFIABLE PARENTAL CONSENT AND FROM MISREPRESENTING PARENTAL CONSENT DISCLOSURES; TO REQUIRE DEVELOPERS TO VERIFY AGE CATEGORY DATA OF ACCOUNT HOLDERS AND TO DETERMINE WHETHER VERIFIABLE PARENTAL CONSENT HAS BEEN OBTAINED; TO REQUIRE THE OFFICE OF CONSUMER PROTECTION TO ESTABLISH STANDARDS FOR AGE VERIFICATION METHODS; TO CREATE A PRIVATE RIGHT OF ACTION FOR PARENTS OF MINORS HARMED BY A VIOLATION OF THIS ACT; TO AUTHORIZE THE ATTORNEY GENERAL TO BRING AN ACTION AGAINST AN APP STORE PROVIDER OR A DEVELOPER WHO VIOLATES THIS ACT; TO PROVIDE A SAFE HARBOR FOR COMPLIANT DEVELOPERS; TO AMEND SECTION 75-24-5, MISSISSIPPI CODE OF 1972, TO PROVIDE THAT A VIOLATION OF THIS ACT IS AN UNFAIR METHOD OF COMPETITION OR UNFAIR OR DECEPTIVE TRADE PRACTICE UNDER THE CONSUMER PROTECTION LAWS; TO BRING FORWARD SECTIONS 45-38-3 THROUGH 45-38-13, MISSISSIPPI CODE OF 1972, WHICH ARE THE PROVISIONS OF THE WALKER MONTGOMERY PROTECTING CHILDREN ONLINE ACT, FOR THE PURPOSES OF POSSIBLE AMENDMENT; AND FOR RELATED PURPOSES.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MISSISSIPPI:
SECTION 1. Definitions. As used in this act, the following terms shall be defined as provided in this section, unless the context clearly indicates otherwise:
(a) "Account holder" means the individual who is associated with the mobile device.
(b) "Age category" means one (1) of the following categories of individuals based on age:
(i) "Child", which means an individual who is under thirteen (13) years old;
(ii) "Younger teenager", which means an individual who is at least thirteen (13) years old and under sixteen (16) years old;
(iii) "Older teenager", which means an individual who is at least sixteen (16) years old and under eighteen (18) years old; or
(iv) "Adult", which means an individual who is at least eighteen (18) years old.
(c) "Age category data" means information about an account holder's age category that is collected by an app store provider and is shared with a developer.
(d) "Age rating" means one or more classifications that assess the suitability of an app's content and functions for different age groups.
(e) "App" means a software application or electronic service that a user may run or direct on a mobile device.
(f) "App store" means a publicly available website, software application or electronic service that allows account holders to download apps from third-party developers onto a mobile device.
(g) "App store provider" means a person that owns, operates or controls an app store that allows account holders in the state to download apps onto a mobile device.
(h) "Content description" means a description of the specific content elements or functions that informed an app's age rating.
(i) "Developer" means a person that owns or controls an app made available through an app store in the state.
(j) "Knowingly" means to act with actual knowledge or to act with knowledge fairly inferred based on objective circumstances.
(k) "Minor" means an individual under eighteen (18) years old unless the individual is married or legally emancipated.
(l) "Minor account" means an account with an app store provider that is established by an individual who is a minor. A minor account must be affiliated with a parent account.
(m) "Mobile device" means a phone or general-purpose tablet that:
(i) Provides cellular or wireless connectivity;
(ii) Is capable of connecting to the Internet;
(iii) Runs a mobile operating system; and
(iv) Is capable of running apps through the mobile operating system.
(n) "Mobile operating system" means software that:
(i) Manages mobile device hardware resources;
(ii) Provides common services for mobile device programs;
(iii) Controls memory allocation; and
(iv) Provides interfaces for apps to access device functionality.
(o) "Office" means the Office of Consumer Protection within the Office of the Attorney General.
(p) "Parent" means, with respect to a minor, an individual who is reasonably believed to be a parent, a legal guardian, an individual with legal custody, or any other individual who has the legal authority to make decisions on behalf of the minor under applicable state law.
(q) "Parent account" means an account with an app store provider that:
(i) Is verified to be established by an individual who the app store provider has determined is at least eighteen (18) years old, or married, or emancipated through the app store provider's age verification methods; and
(ii) May be affiliated with one or more minor accounts.
(r) "Parental consent disclosure" means the following information:
(i) If the app store provider has an age rating for the app or in-app purchase, the app's or in-app purchase's age rating;
(ii) If the app store provider has a content description for the app or in-app purchase, the app's or in-app purchase's content description;
(iii) A description of:
1. The personal data collected by the app from an account holder; and
2. The personal data shared by the app with a third party; and
(iv) If personal data is collected by the app, the methods implemented by the developer to protect the personal data.
(s) "Significant change" means a material modification to an app's terms of service or privacy policy that:
(i) Changes the categories of data collected, stored or shared;
(ii) Alters the app's age rating or content descriptions;
(iii) Adds new monetization features, including:
1. In-app purchases; or
2. Advertisements; or
(iv) Materially changes the app's:
1. Functionality; or
2. User experience.
(t) "Verifiable parental consent" means authorization that:
(i) Is provided by a parent account;
(ii) Is given after the app store provider has clearly and conspicuously provided the parental consent disclosure as part of the app download, purchase or in-app purchase process; and
(iii) Requires the parent to make an affirmative choice to:
1. Grant consent; or
2. Decline consent.
SECTION 2. App store provider requirements. (1) An app store provider shall:
(a) At the time an individual who is located in the state creates an account with the app store provider:
(i) Request age category information from the individual; and
(ii) Verify the individual's age category using:
1. Commercially available methods that are reasonably designed to ensure accuracy; or
2. An age verification method or process that complies with rules adopted by the office under Section 4 of this act.
(b) If the app store provider determines the individual is a minor:
(i) Require the account to be affiliated with a parent account; and
1. Download an app;
2. Purchase an app; or
3. Make an in-app purchase;
(c) After receiving notice of a significant change from a developer:
(i) Notify the account holder of the significant change; and
(ii) For a minor account:
1. Notify the parent account; and
2. Obtain renewed verifiable parental consent;
(d) Provide to a developer, in response to a request authorized under Section 3 of this act:
(i) Age category data for an account holder located in the state; and
(ii) The status of verifiable parental consent for a minor located in the state;
(e) Notify a developer when a parent revokes verifiable parental consent; and
(f) Protect age category data and any associated verification data by:
(i) Limiting collection and processing to data necessary for:
1. Verifying an account holder's age category;
2. Obtaining verifiable parental consent; or
3. Maintaining compliance records; and
(ii) Transmitting age category data using industry-standard encryption protocols that ensure data integrity and data confidentiality.
(2) An app store provider may not:
(a) Enforce a contract or terms of service against a minor unless the app store provider has obtained verifiable parental consent;
(b) Knowingly misrepresent the information in the parental consent disclosure; or
(c) Share age category data and any associated data except as required by this act or otherwise required by law.
SECTION 3. Developer requirements. (1) A developer shall:
(a) Verify through the app store's data sharing methods the age category data of account holders located in the state, and for a minor's account, whether verifiable parental consent has been obtained;
(b) Notify app store providers of a significant change to an app;
(c) Use age category data received through the app store's data sharing methods to:
(i) Enforce any developer-created age-related restrictions, safety-related features, or defaults; and
(ii) Ensure compliance with applicable laws and regulations;
(d) Request age category data or verifiable parental consent:
(i) At the time an account holder:
1. Downloads an app; or
2. Purchases an app;
(ii) When implementing a significant change to the app; or
(iii) To comply with applicable law.
(2) A developer may request age category data:
(a) No more than once during each twelve-month period to verify:
(i) The accuracy of age category data associated with an account holder; or
(ii) Continued account use within the age category;
(b) When there is reasonable suspicion of:
(i) Account transfer; or
(ii) Misuse outside of the age category; or
(c) At the time an account holder creates a new account with the developer.
(3) When implementing any developer-created age-related restrictions, safety-related features, or defaults, a developer shall use the lowest age category indicated by:
(a) Age category data received through the app store's data sharing methods; or
(b) Age data independently collected by the developer.
(4) A developer may not:
(a) Enforce a contract or terms of service against a minor unless the developer has verified through an app store's data sharing methods that verifiable parental consent has been obtained;
(b) Knowingly misrepresent any information in the parental consent disclosure; or
(c) Share age category data with any person.
SECTION 4. Rulemaking. The Attorney General shall adopt rules to establish definite processes and means by which an app store provider may verify an account holder's age category in accordance with Section 2(1)(a)(ii) of this act.
SECTION 5. Enforcement. (1) Private right of action.
(a) A minor, or the parent of a minor, who has been harmed by a violation of this act may bring a civil action against an app store provider or a developer.
(b) In such an action, the court shall award a prevailing plaintiff:
(i) The greater of actual damages or One Thousand Dollars ($1,000.00) for each violation;
(ii) Punitive damages if the violation was egregious;
(iii) Reasonable attorney's fees; and
(iv) Litigation costs.
(2) State enforcement.
(a) A violation of this act is a false, misleading or deceptive act or practice as prohibited under Section 75-24-5.
(b) In addition to any other remedy available under state law, the Attorney General may bring an action against an app store provider or a developer to:
(i) Recover a civil penalty not to exceed Seven Thousand Five Hundred Dollars ($7,500.00) for each violation;
(ii) Restrain or enjoin the app store provider or developer from violating this act;
(iii) Seek injunctive relief;
(iv) Recover reasonable attorney's fees; and
(v) Recover litigation costs and the costs of investigating the violation.
SECTION 6. Safe harbor. (1) A developer is not liable for a violation of this act if the developer demonstrates that the developer:
(a) Relied in good faith on applicable age category data received through an app store's data sharing methods; and
(b) Relied in good faith on notification from an app store provider that verifiable parental consent was obtained if the account holder was a minor; and
(c) Complied with the requirements described in Section 3 of this act.
(2) In determining an app's age rating and content description for purposes of Section 3(4)(b) of this act, a developer is not liable for a violation of this act if the developer:
(a) Uses widely adopted industry standards to determine the app's age category and content description; and
(b) Applies those standards consistently and in good faith.
(3) The safe harbor described in this Section 6:
(a) Applies only to actions brought under this act; and
(b) Does not limit a developer or app store provider's liability under any other applicable law.
(4) Nothing in this act shall displace any other available remedies or rights authorized under the laws of this state or the United States.
SECTION 7. Application and limitations. Nothing in this act shall be construed to:
(a) Prevent an app store provider or developer from taking reasonable measures to:
(i) Block, detect or prevent distribution to minors of:
1. Unlawful material;
2. Obscene material; or
3. Other harmful material;
(ii) Block or filter spam;
(iii) Prevent criminal activity; or
(iv) Protect app store or app security;
(b) Require an app store provider to disclose user information to a developer beyond age category data;
(c) Allow an app store provider or developer to implement measures required by this act in a manner that is arbitrary, capricious, anticompetitive or unlawful;
(d) Require an app store provider or developer to obtain verifiable parental consent for an app that meets all conditions of this paragraph (d):
(i) Provides direct access to emergency services, including:
1. 911;
2. Crisis hotlines; or
3. Emergency assistance services legally available to minors;
(ii) Limits data collection to information necessary to provide emergency services in compliance with the federal Children's Online Privacy Protection Act, 15 USC Section 6501 et seq.;
(iii) Provides access without requiring:
1. Account creation; or
2. Collection of unnecessary personal information; and
(iv) Is operated by or in partnership with:
1. A government entity;
2. A nonprofit organization; or
3. An authorized emergency service provider;
(e) Require a developer to collect, retain, reidentify or link any information beyond what is:
(i) Necessary to verify age category data as required by this act; and
(ii) Collected, retained, reidentified or linked in the developer's ordinary course of business; or
(f) Relieve a developer of its obligation to conduct age verification as otherwise required by law, including by the Walker Montgomery Protecting Children Online Act, Section 45-38-1 et seq. A developer may rely on age category obtained under this act to the extent those signals satisfy the requirements of applicable law; however, a developer must also comply with the age verification requirements of the Walker Montgomery Protecting Children Online Act.
SECTION 8. Severability. (1) If any provision of this act or the application of any provision to any person or circumstance is held invalid by a final decision of a court of competent jurisdiction, the remainder of this act shall be given effect without the invalid provision or application.
(2) The provisions of this act are severable.
SECTION 9. Section 75-24-5, Mississippi Code of 1972, is amended as follows:
75-24-5. (1) Unfair methods of competition affecting commerce and unfair or deceptive trade practices in or affecting commerce are prohibited. Action may be brought under Section 75-24-5(1) only under the provisions of Section 75-24-9.
(2) Without limiting the
scope of subsection (1) of this section, the following unfair
methods of competition and unfair or deceptive trade practices or acts in
the conduct of any trade or commerce are * * * prohibited:
(a) Passing off goods or services as those of another;
(b) Misrepresentation of the source, sponsorship, approval, or certification of goods or services;
(c) Misrepresentation of affiliation, connection, or association with, or certification by another;
(d) Misrepresentation of designations of geographic origin in connection with goods or services;
(e) Representing that goods or services have sponsorship, approval, characteristics, ingredients, uses, benefits, or quantities that they do not have or that a person has a sponsorship, approval, status, affiliation, or connection that he does not have;
(f) Representing that goods are original or new if they are reconditioned, reclaimed, used, or secondhand;
(g) Representing that goods or services are of a particular standard, quality, or grade, or that goods are of a particular style or model, if they are of another;
(h) Disparaging the goods, services, or business of another by false or misleading representation of fact;
(i) Advertising goods or services with intent not to sell them as advertised;
(j) Advertising goods or services with intent not to supply reasonably expectable public demand, unless the advertisement discloses a limitation of quantity;
(k) Misrepresentations of fact concerning the reasons for, existence of, or amounts of price reductions;
(l) Advertising by or on behalf of any licensed or regulated health care professional which does not specifically describe the license or qualifications of the licensed or regulated health care professional;
(m) Charging an increased premium for reinstating a motor vehicle insurance policy that was cancelled or suspended by the insured solely for the reason that he was transferred out of this state while serving in the United States Armed Forces or on active duty in the National Guard or United States Armed Forces Reserve. It is also an unfair practice for an insurer to charge an increased premium for a new motor vehicle insurance policy if the applicant for coverage or his covered dependents were previously insured with a different insurer and canceled that policy solely for the reason that he was transferred out of this state while serving in the United States Armed Forces or on active duty in the National Guard or United States Armed Forces Reserve. For purposes of determining premiums, an insurer shall consider such persons as having maintained continuous coverage. The provisions of this paragraph (m) shall apply only to such instances when the insured does not drive the vehicle during the period of cancellation or suspension of his policy;
(n) Violating the provisions of Section 75-24-8;
(o) Violating the provisions of Section 73-3-38;
(p) Violating any of
the provisions of Title 41, Chapter 149, Mississippi Code of 1972; * * *
(q) Violating any of
the provisions of Title 45, Chapter 38, Mississippi Code of 1972 * * *;
(r) Violating any of
the provisions of Title 41, Chapter 151, Mississippi Code of 1972 * * *; and
(s) Violating any of the provisions of Sections 1 through 8 of this act.
SECTION 10. Section 45-38-3, Mississippi Code of 1972, is brought forward as follows:
45-38-3. For purposes of this chapter, the following words shall have the meanings ascribed herein unless the context clearly requires otherwise:
(a) "Digital service" means a website, an application, a program, or software that collects or processes personal identifying information with Internet connectivity.
(b) "Digital service provider" means a person who:
(i) Owns or operates a digital service;
(ii) Determines the purpose of collecting and processing the personal identifying information of users of the digital service; and
(iii) Determines the means used to collect and process the personal identifying information of users of the digital service.
(c) "Harmful material" means material that is harmful to minors as defined by Section 11-77-3(d).
(d) "Known minor" means a child who is younger than eighteen (18) years of age who has not had the disabilities of minority removed for general purposes, and who the digital service provider knows to be a minor.
(e) "Personal identifying information" means any information, including sensitive information, that is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous information when the information is used by a controller or processor in conjunction with additional information that reasonably links the information to an identified or identifiable individual. The term does not include deidentified information or publicly available information.
SECTION 11. Section 45-38-5, Mississippi Code of 1972, is brought forward as follows:
45-38-5. (1) This chapter applies only to a digital service provider who provides a digital service that:
(a) Connects users in a manner that allows users to socially interact with other users on the digital service;
(b) Allows a user to create a public, semi-public or private profile for purposes of signing into and using the digital service; and
(c) Allows a user to create or post content that can be viewed by other users of the digital service, including sharing content on:
(i) A message board;
(ii) A chat room; or
(iii) A landing page, video channel or main feed that presents to a user content created and posted by other users.
(2) This chapter does not apply to:
(a) A digital service provider who processes or maintains user data in connection with the employment, promotion, reassignment or retention of the user as an employee or independent contractor, to the extent that the user's data is processed or maintained for that purpose;
(b) A digital service provider's provision of a digital service that facilitates e-mail or direct messaging services, if the digital service facilitates only those services;
(c) A digital service provider's provision of a digital service that:
(i) Primarily functions to provide a user with access to news, sports, commerce, online video games or content primarily generated or selected by the digital service provider; and
(ii) Allows chat, comment or other interactive functionality that is incidental to the digital service; or
(d) A digital service provider's provision of a digital service that primarily functions to provide a user with access to career development opportunities, including:
(i) Professional networking;
(ii) Job skills;
(iii) Learning certifications;
(iv) Job posting; and
(v) Application services.
(3) The Internet service provider, Internet service provider's affiliate or subsidiary, search engine or cloud service provider is not considered to be a digital service provider or to offer a digital service if the Internet service provider or provider's affiliate or subsidiary, search engine or cloud service provider solely provides access or connection, including through transmission, download, intermediate storage, access software or other service, to an Internet website or to other information or content:
(a) On the Internet; or
(b) On a facility, system or network not under the control of the Internet service provider, provider's affiliate or subsidiary, search engine or cloud service provider.
SECTION 12. Section 45-38-7, Mississippi Code of 1972, is brought forward as follows:
45-38-7. (1) A digital service provider may not enter into an agreement with a person to create an account with a digital service unless the person has registered the person's age with the digital service provider. A digital service provider shall make commercially reasonable efforts to verify the age of the person creating an account with a level of certainty appropriate to the risks that arise from the information management practices of the digital service provider.
(2) A digital service provider shall not permit an account holder who is a known minor to be an account holder unless the known minor has the express consent from a parent or guardian. Acceptable methods of obtaining express consent of a parent or guardian include any of the following:
(a) Providing a form for the minor's parent or guardian to sign and return to the digital service provider by common carrier, facsimile, or electronic scan;
(b) Providing a toll-free telephone number for the known minor's parent or guardian to call to consent;
(c) Coordinating a call with a known minor's parent or guardian over video conferencing technology;
(d) Collecting information related to the government-issued identification of the known minor's parent or guardian and deleting that information after confirming the identity of the known minor's parent or guardian;
(e) Allowing the known minor's parent or guardian to provide consent by responding to an email and taking additional steps to verify the identity of the known minor's parent or guardian; or
(f) Any other commercially reasonable method of obtaining consent in light of available technology.
SECTION 13. Section 45-38-9, Mississippi Code of 1972, is brought forward as follows:
45-38-9. (1) A digital service provider that enters into an agreement with a known minor for access to a digital service shall:
(a) Limit collection of the known minor's personal identifying information to information reasonably necessary to provide the digital service; and
(b) Limit use of the known minor's personal identifying information to the purpose for which the information was collected.
(2) A digital service provider that enters into an agreement with a known minor for access to a digital service may not:
(a) Use the digital service to collect the known minor's precise geolocation data;
(b) Use the digital service to display targeted advertising involving harmful material to the known minor; or
(c) Share, disclose or sell the known minor's personal identifying information unless required to:
(i) Comply with a civil, criminal or regulatory inquiry, investigation, subpoena or summons by a governmental entity;
(ii) Comply with a law enforcement investigation;
(iii) Detect, block or prevent the distribution of unlawful, obscene or other harmful material to a known minor;
(iv) Block or filter spam;
(v) Prevent criminal activity; or
(vi) Protect the security of a digital service.
SECTION 14. Section 45-38-11, Mississippi Code of 1972, is brought forward as follows:
45-38-11. (1) In relation to a known minor's use of a digital service, a digital service provider shall make commercially reasonable efforts to develop and implement a strategy to prevent or mitigate the known minor's exposure to harmful material and other content that promotes or facilitates the following harms to minors:
(a) Consistent with evidence-informed medical information, the following: self-harm, eating disorders, substance use disorders, and suicidal behaviors;
(b) Patterns of use that indicate or encourage substance abuse or use of illegal drugs;
(c) Stalking, physical violence, online bullying, or harassment;
(d) Grooming, trafficking, child pornography, or other sexual exploitation or abuse;
(e) Incitement of violence; or
(f) Any other illegal activity.
(2) Nothing in subsection (1) shall be construed to require a digital service provider to prevent or preclude:
(a) Any minor from deliberately and independently searching for, or specifically requesting, content; or
(b) The digital service provider or individuals on the digital service from providing resources for the prevention or mitigation of the harms described in subsection (1), including evidence-informed information and clinical resources.
SECTION 15. Section 45-38-13, Mississippi Code of 1972, is brought forward as follows:
(2) If a digital service provider violates this chapter, the parent or guardian of a known minor affected by that violation may bring a cause of action seeking:
(a) A declaratory judgment under Rule 57 of Mississippi Rules of Civil Procedure; or
(b) An injunction against the digital service provider.
(3) A court may not certify an action brought under this section as a class action.
SECTION 16. This act shall take effect and be in force from and after July 1, 2026.