Outdated NIST data fuels argument against app store age checks

Apple is preparing to comply with Texas’ new law imposing age assurance measures on app stores, SB2420, and the Computer and Communications Industry Association (CCIA) is not happy about it. The long-standing tech sector organization has published a blog by Trevor Wagener, its research director and chief economist, declaring that age checks at the app store level are “poised to fail.”

A primary argument is that app store age verification bills, such as Texas’ SB2420 and Utah’s App Store Accountability Act (SB142), are “emblematic of public support for age verification in the sense of ‘rules for thee but not for me’.” The CCIA suggests that people support age checks in theory – right up until they’re asked to scan their biometrics or government ID.

“Public support for age checks or age verification in the abstract evaporates when people are actually asked to upload IDs or submit to face scans,” the group says. “Even in the event that users are willing to submit to face scans, face-based age estimation is notably error-prone, and this is especially true for teens.” Wagener points to teens in the UK that have fooled age estimation tech with the faces of video game characters.

The industry organization is not wrong to worry that “the mass collection of sensitive documents and biometrics creates a very tempting sensitive data target for bad actors and creates a huge centralized data breach risk.” Luckily, the age assurance sector has considered this; most age check tools aim to retain as little data for as little time as possible to perform their function. That said, data retention has become an apparent problem in light of the recent Discord breach.

In its defense, the CCIA looks to the NIST Face Analysis Technology Evaluation (FATE) to bolster its argument. To its discredit, it cites a May 2024 release from NIST showing a “best-case mean absolute error (MAE) around 3.1 years on visa-quality photos,” which it says  is wider than specified in the App Store Accountability Act. The FATE rankings for facial age estimation, which is the subject in question, were last updated in late August, 2025; in that data, the highest rated algorithm for airport concourse border crossing photos has a MEA of 2.775.

Since CCIA’s statistics are badly outdated, it’s hard to take its argument very seriously. Besides which, it is not an industry secret that facial age estimation (FAE) tools are best used with a buffer age, and that they may be best applied for those who are well above an age threshold (say, a 50-year-old looking to buy cigarettes online).

Still, there is truth in the meat of the CCIA’s argument: people, and especially Americans, are generally not pleased to be asked for their papers to access what they believe to be their right.

The CCIA makes the common argument that parents, not tech firms, should have the right to decide what their kids can see. “Policymakers should pivot from universal ID checks to risk-proportionate approaches that minimize sensitive data collection: device-level parental tools, privacy-preserving age-range attestations, and targeted enforcement against bad actors.”

Conveniently, these deflect responsibility for who can access what online to another party. The “parents know best” argument is a way to absolve platforms and operating systems of liability for any perceived harm that comes to kids while they scroll. “Device level parental tools” require parents to know they’re available. “Privacy-preserving age-range attestations” are what Apple offers, and require initial verification through a parental account.

Apple compliant but unhappy about age checks

Apple has made its displeasure over both Utah’s law and Texas’ app store age check requirement known via its own channels. In a statement, it says that, “while we share the goal of strengthening kids’ online safety, we are concerned that SB2420 impacts the privacy of users by requiring the collection of sensitive, personally identifiable information to download any app, even if a user simply wants to check the weather or sports scores.”

It is an interesting argument that has the potential to open up a large can of digital worms. Many apps that feature sports scores are now also tied to online sports betting; should they be regulated? Weather apps collect user data and feed them advertisements; does that implicate them in the age check wars? And are people really so hesitant to provide personal information to Apple, which probably knows it anyway, if they have an Apple account?

The truth is more likely that, especially over time, users will be far less concerned over having their biometrics associated with a dozen Candy Crush downloads than with a single visit to  SpankBang, Voyeur Web and their ilk.

Article Topics

age verification  |  app store age verification  |  Apple  |  Computer & Communications Industry Association  |  Face Analysis Technology Evaluation (FATE)  |  facial age estimation (FAE)  |  Texas age verification  |  Utah age verification