As of today, about half of all U.S. states have some form of age verification law around. Nine of those were passed in 2025 alone, covering everything from adult content sites to social media platforms to app stores.
Right now, California’s Digital Age Assurance Act (AB 1043) is all the rage right now, which targets not only websites and apps but also operating systems. Come January 1, 2027, every OS provider must collect a user’s age at account setup and provide that data to app developers via a real-time API.
Colorado is also working on a near-identical bill, which we covered earlier.
The EFF’s year-end review put it more bluntly: 2025 was “the year states chose surveillance over safety.” The foundation’s concern, which I concur with, is, where does this stop? Self-reported birthday today, government ID tomorrow? There appears to be no limit to these laws’ overreach.
The thing about doing age verification at the OS level is the user could just install a crack that rewrites the necessary code. It’ll take some heavy DRM type stuff to block that. Possibly hardware support, like a specialised TPM.
No way can that be standardised and then rolled out quickly. If they rush it then it’ll be some proprietary power grab.
The alternative is each website and app does it separately which will be spotty and provide endless security breaches.
It’ll be a shitshow either way.
The thing is, this shouldn’t really be a problem.
I am still against where all this age verification crap is coming from, and I’m against what specifically “age verification” entails; but here’s the thing: We keep saying, “It should be the parent’s responsibility to secure their kids”—and while that’s true, you can do all the talking and educating you want, but the fact is that the internet is now nigh-fully integrated with our lives, and unless you are surveilling your kid at every moment they are on the internet (don’t recommend), not every parent has the time, resources, or know-how to keep their children safe on the internet without help.
So to play naive for a moment and ignore the well-understood reality that “child safety” is an atom-thick veil for mass surveillance: Why did we give up so fast on device parental controls? The info being stored on the OS / user settings actually isn’t so bad of an idea if the implementation valued both safety and privacy. Upon setting up the device or account, it is the parent’s responsibility to create a password or biometric or whatever to activate/deactivate the safety mode. No personal information required. It should be pretty easy. Are there technically ways for the kid to get around this? Yes, but that’d be breaking the trust. In the same way you’d deal with your kid sneaking out of the house, you deal with that separately. The existence of websites that don’t perform the check is inevitable no matter what you do.
And if you don’t believe your kid needs a safety lock on the internet, then that’s your prerogative.
It’s apparent that many parents need a more convenient tool available to them, but privacy doesn’t need to be compromised in order to achieve a safer internet. I got lazy while writing this, and I’m sure that’s clear in some spots, but I’m just gonna post it. There’s possibly something huge that I’m overlooking, so I’ll just let someone else point it out.