(Credit: Zain bin Awais/PCMag/Getty Images)
Age verification laws are no longer limited to porn sites. After more than two dozen US states passed laws targeting adult websites like PornHub—and Utah moved against VPN use—the next battleground is your operating system.
Starting in 2027, California's Digital Age Assurance Act will require operating systems, including Windows, macOS, Android, ChromeOS, and Linux distributions, to ask users for their age during device setup and share an age range with apps. Depending on how future laws evolve, that process could eventually involve government IDs, credit cards, or biometric verification.
Aaron Mackey, deputy legal director at the Electronic Frontier Foundation, warns the effects won't stop at California’s borders. Because tech companies rarely build separate operating systems for different states, he says these systems will likely be rolled out "for everyone who uses [operating systems], including the billions of folks outside of California."
California is unlikely to remain alone for long. Similar bills are advancing in other states, while the proposed federal Parents Decide Act would expand age verification at the operating system level nationwide if passed. Privacy advocates, open-source developers, and lawmakers are now battling over a question that could reshape the future of computing: Should your computer know your age before you can use it? Here's what you need to know so far.
Which States Have OS Age Verification Laws in the US?
As of this writing, California’s Digital Age Assurance Act (AB 1043) is the only US state or federal law that requires operating systems to collect their users’ ages. It takes effect on Jan. 1, 2027.
California’s law requires that operating systems ask for your age when you set them up. Your OS must then share an age bracket signal with the applications running on your computer. Applications will see one of the following age ranges: under 13, 13-16, 16-18, or over 18.
Application developers are then “deemed to have actual knowledge of the age range of the user.” They would have a legal duty to comply with any laws requiring different treatment of minors and could not plead ignorance of the device user's age. An application might need to restrict access or features for users under 18 under other laws, including the federal Children's Online Privacy Protection Act of 1998 (COPPA), which requires online services to handle the personal information of users under the age of 13 differently. This could affect dating, gaming, and social media apps, for example. California’s law doesn’t affect websites. However, a proposed California law would extend the age signal to the web.
How Will Your OS Verify Your Age?
Under California’s law, as written, your operating system must ask for your age during the device setup process. Your operating system will accept that age without requiring identification. Attestation—in other words, simply declaring your age—is sufficient proof.
Nichole Rocha, a data privacy attorney who represents Children Now, a California-based organization that backs the law, tells me that California’s bill was designed to protect privacy. “There’s no requirement for the uploading of a government ID, and that was intentional on the part of the author, [California state assembly member] Buffy Wicks,” she says.
“I think the bill strikes an appropriate balance. You see other states requiring the uploading of government IDs, and that’s incredibly invasive,” says Rocha. She argues that research shows parents set up devices for minors and will enter a child's age accurately at that time.
However, the EFF believes operating system providers like Apple, Google, and Microsoft will require more personal information. “While the law on paper doesn’t require strict age verification, I think in practice compliance will look a lot more like age verification,” Mackey says.
He points out that there are fines and legal consequences if minors bypass age checks, and that companies will want to prevent minors from lying. “That involves more invasive forms of age verification that adult websites implement,” he says. That could mean providing a credit card, a facial scan, or a government ID during OS setup to verify that an adult was involved in the process.
What Similar Laws Are Advancing in the US?
On the federal level, the Parents Decide Act, introduced in Congress in April, would require OS-level age checks in all states if it passes. Specifically, the proposed law says operating system providers must "require any user of the operating system to provide the date of birth of the user" to set up an account or use the OS. Adults would also have to provide their date of birth. The Federal Trade Commission (FTC) would also need to “issue regulations on how operating system providers can… verify the date of birth of a parent or legal guardian” if a minor is setting up a device. This could potentially include government identification checks upon device setup; the implementation details would be up to the FTC.
Rocha doesn’t expect the federal government to take action. “Every year, things pop up in Congress that never get signed, right?” she says. “We just haven’t seen anything meaningful happen at the federal level in this space since the mid-1990s.” The EFF is concerned about the current legislative environment, however. "This is a trend we're seeing," says Mackey. "Lawmakers don't understand the technology, and they don't understand that these proposals are unpopular."
Other states are discussing laws similar to California’s. Colorado has bill SB26-051, while Illinois has the Children’s Social Media Safety Act, SB3977. Neither has yet passed, but both require the person setting up a device to declare only an age, without requiring proof of identity.
“I hope that by doing privacy-protective and nuanced legislation in California, we’re serving as a model for the rest of the states,” says Rocha.
Some states might require more personal identification. New York’s senate, for example, is discussing Bill 8102, which will require operating systems to determine user ages via “commercially reasonable age assurance methods.”
How Will Apps Get Your Age From Your OS?
Apps will get your age range from your operating system using an application programming interface (API). In other words, they’ll ask the operating system for your age range and get a response.
Major operating system vendors are already implementing compliant APIs. Google has the Play Age Signals API for Android apps from Google Play, while Apple has the Declared Age Range API in iOS and macOS. A Microsoft spokesperson tells me that Windows will also offer an age range API and that the company will have more to share in the future. The system software that many Linux distributions use now has an age field for user accounts, too.
How Is This Different From App or Website Age Checks?
The legislation discussed above moves age verification from the application or website layer to the device or operating system level. PornHub has urged Apple, Google, and Microsoft to implement OS-level age verification. With OS-level age verification, adult online services like PornHub would not need to confirm visitors' ages by collecting documentation themselves. Instead, the operating system would have that obligation. PornHub is already using signals in Apple's iOS to check the age of visitors in the UK.
However, as mentioned, California’s law does not require that the operating system pass age signals from the web browser to a website. That’s surprising, given that age-verification laws in many states have targeted adult websites. Rocha says California’s lawmakers were trying to address the web in the original law, but “ran out of time.” California's Bill AB 1856, which hasn’t passed yet, would extend the age verification requirement to web browsers and websites.
Web browser developers are already working on age-verification standards. Google’s Chromium and Apple’s Safari both support the Digital Credentials API to share government identification information with websites. If you save a driver's license or other government ID to Apple Wallet or Google Wallet on your phone, you can securely share your credentials with websites. Theoretically, you could use the same process to share an age you provided to your desktop operating system with a website, too.
What About Linux and Other Open-Source Software?
In addition to affecting Apple’s iOS and macOS, Google’s Android and ChromeOS, and Microsoft's Windows, these laws impact smaller open-source community operating systems, including Linux distributions.
“I think the open-source community is rightly very concerned about what’s happening here,” Mackey says. He adds that the law doesn’t regulate people who contribute to open-source operating systems or host downloads of Linux distributions. However, he says the law may apply to hobbyists who create or mod open-source operating systems. “And if they don’t implement these systems, then in theory, the state of California can bring enforcement action against them," he says. "And I think that is very scary.”
Mackey points out that many open-source operating systems prioritize privacy and don’t want to collect user data or engage in surveillance. “There are lots of folks who have talked to lawmakers about this problem with the open-source system," he says. "It’s just that lawmakers are not hearing them and not responding to address those concerns."
Rocha disagrees. She says she’s met with members of the Linux community, and that lawmakers are listening and considering changes to the law. ”We are actively trying to figure out how to solve for the problem of open-source without undermining the protections in the bill,” she says.
How Are Open-Source Projects Responding?
The open-source community is discussing age verification laws, and some projects have already commented publicly. GrapheneOS, a privacy-focused Android fork, has announced its intention to “remain usable by anyone around the world without requiring personal information, identification, or an account.” The project adds, “If GrapheneOS devices can't be sold in a region due to their regulations, so be it."
Mackey says what California is doing to privacy-centric operating systems that don’t want to collect data on their users is tragic. “They’re envisioning an internet and mobile operating systems… without the surveillance, and we’re actually shutting them out of this and potentially creating liability for them," he says.
MidnightBSD, an open-source operating system based on FreeBSD, now bans residents of jurisdictions with age verification laws from downloading its software on its download page. “We are working on a plan to try to implement functionality to comply with California, Colorado, and Illinois laws, but will never be able to comply with Brazil or New York. We are not a company and don't have revenue to pay for verification services,” reads MidnightBSD’s statement. (Brazil’s ECA Digital law requires operating systems to verify user ages with “reliable” methods.)
Other projects are deciding how to proceed. “There are currently no concrete plans on how, or even whether, Ubuntu will change in response,” writes Jon Seager, vice president of engineering at Canonical, in response to the passage of the California law. Canonical is the company that manages Ubuntu,
Will These Laws Affect VPNs?
California’s law doesn’t mention VPNs. However, under other laws or regulations, a VPN application might need to block access based on OS-level age signals. Or applications and websites might legally need to check the OS-level age signal to confirm user ages.
What Do These Laws Mean for the Future of Computing?
Although I spoke to lawyers for this piece, I’m not a lawyer. I’m a tech geek who’s been using computers and operating systems for decades. As far as I can see, there are two types of laws under discussion: those that ask for your age and those that require proof of your age.
California’s law, as well as proposed laws in Colorado and Illinois, accept whatever you provide during device setup. This puts additional legal requirements on operating system providers, including open-source communities, to design operating system interfaces that collect user ages. Rocha summarizes the California law’s approach: “We are going to try and protect as many children as possible in the most privacy-protecting way possible. And there will probably be some kids who get around the system, but the vast majority of kids will be protected by this.”
Legislation like the proposed bill in New York could require proving your age with a credit card, facial scan, government ID, or other method while setting up your device. A federal law could enforce this nationwide, depending on what the FTC requires. Future operating systems may require biometrics or identity document verification during device setup.
I’m not a fan of either type of law. I don’t believe governments should require operating systems—especially small, open-source projects—to verify their users' personal information at the risk of legal liability. I want privacy-centric operating systems that don’t collect any user data to continue existing.
“The open internet as we know it allows people to access information anonymously, privately, and securely,” says Mackey. “It’s in danger by lawmakers who have good intentions but are writing broad laws.”
Mackey doesn’t think these laws are inevitable, though. “My hope is that people are energized by this [debate] and recognize the opportunity that we can push back,” he says.