There has been growing debate over whether app stores should take on the responsibility of age verification. Some tech companies, including Meta and Snap, have suggested that app stores should enforce age restrictions, preventing underage users from downloading apps intended for adults. Others, such as Google (which operates its own app store) and Apple, oppose this shift in responsibility from individual apps and platforms to app stores themselves.
But would requiring app stores to verify users’ ages fully solve the problem of protecting children from inappropriate content? A closer look reveals significant challenges, making it clear that app store age restrictions alone would not be a complete solution — though that is not to rule out age signals from app stores or wallets being a useful addition to the ecosystem, particularly for lower-risk use cases. And where the aim is to ensure that children are not asked to sign terms and conditions below the age at which they are legally able to do so, an app store-based control, linked to a parent, is definitely an effective mechanism to deliver this. Used in combination with platform-based age assurance for higher-risk use cases, such as adult content or the use of unrestricted AI tools, these two controls form an effective, proportionate, layered approach.
1. The Proximity Principle: Age Checks Should Happen Where Content Is Accessed
For age assurance to be highly effective, it should happen as close as possible to the moment a user tries to access age-restricted content or services. Think of a construction site: the safety control is a fence around the hole in the middle of the site, not a warning sign at the entrance. This principle is already well established in sectors such as gambling, adult content and dating, where verification occurs at the point of sign-up or content access.
App store-based age checks happen much earlier in the process – at the point of installation – long before a user engages with any specific content. This means they may not prevent underage access to age-inappropriate material within apps that contain mixed-age content, such as social media platforms or online gaming services, unless access to the apps as a whole is prohibited. That approach raises legitimate concerns about free speech and children’s rights to access knowledge, networks and support.
A child who is old enough to install a general-use app may still encounter high-risk content once they start using it. Without ongoing verification at the point of content access, installation-based restrictions have inherent limits. And not all harmful content is hosted within an app: content accessed through browsers would not be captured by app store restrictions without a much more fundamental redesign of how the internet works.
2. Privacy and Security Considerations of Centralised Age Verification
App stores argue that, if they were responsible for age verification, they would need to collect and store users’ age data. If that is the case, it raises privacy and data security considerations worth examining carefully, including:
- The creation of a centralised database of sensitive personal data, which could become a target for data breaches.
- The risk that app store operators monetise or track users based on their verified age status, potentially increasing surveillance and profiling.
- The challenge of ensuring compliance with data protection laws across multiple jurisdictions, particularly when handling minors’ data.
By contrast, independently certified age verification solutions are explicitly designed to minimise data collection and storage, and in some cases to process no personal data beyond the user’s own device. This is a meaningful distinction when evaluating where age assurance infrastructure should sit, unless the app stores were to design an equally anonymised ‘double-blind’ system.
3. Parental Involvement Without Guaranteed Outcomes
One argument in favour of app store-based age verification is that it supports parents in managing their children’s access to online content. This is a legitimate objective, and has strong support in some cultures, such as the USA. However, real-world evidence over the last 20 years suggests that adding layers of parental responsibility has not reliably improved outcomes. A centralised approach could make this more usable, but not all parents are equally committed to their children’s online wellbeing.
Many platforms already offer parental controls, yet adoption remains low. Fewer than 1% of US parents use Snapchat and Discord’s parental controls, despite these being widely available. The reasons include the complexity of setting up controls across multiple devices and services, children finding ways around restrictions, and limited technical confidence among some parents.
Where app store-based approaches work well is in providing a single, consistent mechanism for parental oversight at the point of download — something that is genuinely useful for parents who engage with it. This alone is not sufficient to protect children whose parents have not set up controls, or where devices are shared, creating the need for an additional layer of protection, at the publisher level, for higher-risk situations.
4. App Store Age Ratings: A Useful Starting Point With Known Limits
App store age ratings provide a helpful baseline, but have well-documented limitations:
- Ratings are typically self-declared by developers, with limited independent oversight.
- Apps with user-generated content can expose children to material that was not present or anticipated at the time of rating.
- Ratings remain static while app content and features can change significantly over time.
These limitations do not undermine the value of age ratings as a first layer of protection, but they do reinforce why ratings alone – or installation-based checks based on those ratings – cannot carry the full compliance burden.
5. In-App Content and Advertising
Age checks at the point of installation do not extend to what happens inside the app. Children can still encounter inappropriate advertising, user-generated content or in-app purchases after installation. Many apps also contain built-in browsers that provide a portal to the wider web, further limiting the reach of installation-level controls.
This is not an argument against app store involvement; it is an argument for recognising where that involvement reaches its natural limits and where service-level age assurance needs to take over.
6. Sideloading and Alternative App Stores
Users can bypass official app store restrictions by sideloading apps or using alternative app stores, many of which have no age controls. Legal initiatives such as the EU’s Digital Markets Act are actively encouraging a more diverse app store market, which means that the coverage of any app-store-centric compliance model may narrow over time rather than expand. This is worth building into any long-term policy design.
7. Shared Devices and Account Sharing
Shared devices — family tablets, smart TVs, a parent’s phone — allow younger users to access apps downloaded by adults. Unlike service-level age assurance, app store checks do not include ongoing authentication to ensure the verified account holder is still the person accessing the content. This is a meaningful gap for any approach that relies solely on the installation event.
8. Apps Change; Age Checks Do Not
Age verification at installation does not account for app updates, new features or changes in content that introduce new risks over time. Service-level age assurance that applies at the point of access to specific features can adapt to these changes in a way that installation-based approaches cannot.
A More Complete Approach
App stores can and should play a role in online safety, and age signals from app stores and device wallets are a useful contribution to a layered ecosystem. Where the policy objective is parental oversight of downloads or preventing minors from agreeing to terms and conditions, app store mechanisms are well suited to the task.
Where the policy objective is to ensure that users accessing age-restricted content or services have been reliably age-assured, service-level age checks – applied at the point of access, using independently certified methods, with privacy-preserving design – remain the more complete solution. The two approaches are complementary rather than competing, and the most effective frameworks will draw on both.