Across the United States, a growing wave of age verification requirements—promoted as necessary protections for children online—is rapidly transforming how people access the internet. As of April 2026, roughly 25 states have passed laws requiring websites with a substantial amount of material deemed “harmful to minors” (primarily adult or pornographic content) to verify users’ ages.

These laws typically apply to sites where one-third or more of the content qualifies as harmful to minors. They mandate the use of “reasonable” or “commercially reasonable” verification methods, such as uploading government-issued IDs, providing credit card information, or using third-party services that involve biometrics or transactional data.

States with these laws include: Alabama, Arizona, Arkansas, Florida, Georgia, Idaho, Indiana, Kansas, Kentucky, Louisiana (the first, passed in 2023), Mississippi, Missouri, Montana, Nebraska, North Carolina, North Dakota, Ohio (via the Innocence Act), Oklahoma, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, Wyoming, and most recently West Virginia (signed around April 2026, with implementation expected soon).

Some states have also enacted separate or overlapping rules for social media platforms. These often require age verification plus parental consent for users under 16 or 18, along with restrictions on features such as direct messaging, targeted advertising, and daily time limits.

The practical impact has been swift and significant. Major adult websites like Pornhub have chosen to geo-block access in many of these states rather than comply with ID-based verification, citing privacy concerns and high compliance costs. While minors can often bypass restrictions using VPNs or unregulated platforms, adults lose convenient anonymous access. Multiple lawsuits have challenged these laws on First Amendment grounds, arguing they are overbroad and chill protected speech. Some provisions have been blocked or delayed by courts, while others—such as parts of Texas’s law—have reached the Supreme Court and received partial approval.

Related efforts are also targeting app stores and operating systems. California’s Digital Age Assurance Act (AB 1043), signed in 2025 and set to take effect in January 2027, requires operating system providers to support age-bracket signaling (via self-attestation or similar methods) that apps and services can access. Though framed as more privacy-friendly than full ID checks, it still raises concerns about creating standardized data flows between platforms.

Enter H.R. 8250: The Parents Decide Act

This fragmented state-level approach now faces potential federal expansion. On April 13, 2026, Rep. Josh Gottheimer (D-NJ) and co-sponsor Rep. Elise Stefanik (R-NY) introduced H.R. 8250, the “Parents Decide Act.” The bill was referred to the House Committee on Energy and Commerce.

If passed, the legislation would require operating system providers—including Apple, Google, Microsoft, and potentially even Linux distributions or other general-purpose computing platforms—to verify the age of every user during initial device or OS setup.

The bill centers on collecting date of birth at setup: users 18 and older could self-attest by entering their DOB, while those under 18 would require verification by a parent or guardian. It would mandate secure storage of this information and the creation of APIs so that apps and services could query age signals and apply consistent, device-wide parental controls for social media, apps, and AI tools.

Supporters argue that this approach goes beyond easily bypassed self-reported ages, gives parents control from the moment a device is first turned on, and helps protect children from explicit content and addictive AI interactions.

The Trojan Horse Argument: From Child Protection to Digital Infrastructure

Critics—including privacy advocates, the Electronic Frontier Foundation (EFF), open-source communities, and tech analysts—warn that these initiatives, beginning with state-level adult content restrictions and now potentially extending to the operating system level, serve as a Trojan horse for a de facto national digital ID system. What starts as narrowly targeted child safety measures can quickly normalize widespread identity collection and surveillance at the very foundation of computing.

the main concerns:

1. Mandatory Identity Linkage at the Device Level
State laws often require “verifiable” checks beyond simple self-attestation, frequently involving government IDs, biometrics, or credit data. While H.R. 8250’s DOB requirement appears lighter, embedding age verification directly into the operating system creates a persistent identity signal. On shared family devices or through API propagation, this could tie real-world personally identifiable information (PII) — including names, dates of birth, and potentially biometrics — to hardware and software from the very first boot. Anonymous computing would largely disappear, turning every device into an identity checkpoint. Complementary measures like California’s AB 1043 already push age data toward apps, concentrating power with major OS vendors.

2. Ecosystem-Wide Data Propagation and Loss of Consent
Age and parental control settings would flow securely across the entire ecosystem, removing the ability for granular, per-app consent. This positions OS providers as central gatekeepers, raising risks of overreach, errors in restrictions, and reduced user autonomy. Privacy experts note that early bill language leaves important questions unanswered regarding data minimization, retention limits, and deletion rights.

3. Erosion of Anonymity and Free Speech
Anonymous access to information and general-purpose computing has long enjoyed strong constitutional protections. OS-level mandates threaten this foundation, creating new barriers for whistleblowers, journalists, researchers, activists, and anyone valuing privacy. The EFF and others argue that such systems build surveillance infrastructure, disproportionately harm small developers and open-source projects, and chill protected expression. Linux communities and analysts like Bryan Lunduke have highlighted how the bill’s broad definition of “operating system provider” could create insurmountable burdens for smaller, resource-limited projects that lack the infrastructure for ID or biometric verification.

4. Security Risks, Breaches, and Scope Creep
Centralizing sensitive age and identity data makes OS vendors and related services attractive targets for hackers. While children’s data already receives some protections under COPPA, expanded collection increases overall exposure. Past breaches at age-verification companies involving government IDs illustrate the real dangers of identity theft, blackmail, or data misuse. The bill’s “and for other purposes” clause and vague FTC enforcement mechanisms open the door to future expansions—such as content filtering, telemetry requirements, or remote attestation—layered onto standardized age APIs. Critics contend this normalizes surveillance, using “protect the children” as a stepping stone toward heavier handed government oversight of personal computing.

5. Disproportionate Impact and Unintended Consequences
Open-source platforms and smaller services may be forced to exit certain markets or incur heavy compliance costs, reducing consumer choice and stifling innovation. The actual effectiveness for protecting children remains questionable, as minors can still use VPNs, false attestations, or unregulated alternatives. Meanwhile, adults face new obstacles to accessing lawful content.

Public criticism on social media has been largely skeptical. Many view the progression from state-level porn restrictions to social media rules to OS-level mandates, as the gradual construction of digital identity infrastructure. While supporters stress the benefits of consistent parental controls over fragmented app-by-app systems, the lack of detailed safeguards around encryption, opt-outs, and data limits leaves significant privacy concerns unaddressed.

H.R. 8250 is still in its very early stages, with no hearings scheduled yet. Its future will depend on close examination of the full bill text, input from civil liberties organizations and open-source advocates, and how it interacts with existing proposals like the Kids Online Safety Act.

The core tension remains: real harms to children online deserve serious solutions. However, the specifics of implementation are critical. As state experiments continue and federal proposals advance, there is a genuine risk that age verification—marketed as targeted child protection—will ultimately construct the backbone of a heavily surveilled digital ecosystem that affects all users, eroding anonymity, privacy, and open access in the name of safety.