GoKawiilI've been pulling public records on the wave of "age verification" bills moving through US state legislatures. IRS 990 filings, Senate lobbying disclosures, state ethics databases, campaign finance records, corporate registries, WHOIS lookups, Wayback Machine archives. What started as curiosity about who was pushing these bills turned into documenting a coordinated influence operation that, from a privacy standpoint, is building surveillance infrastructure at the operating system level while the company behind it faces zero new requirements for its own platforms.
I want to be clear about what this is and isn't. I am not the author of the earlier r/linux post by aaronsb and I'm not affiliated with them. I titled this to draw attention on this subreddit because the privacy implications go well beyond Linux. Every source cited here is a public record.
What the bills actually require you to hand over
Most reporting on these bills says something vague like "age checks at device setup." The statutory language is more specific and more invasive than that.
California AB-1043, signed October 2025 and effective January 1, 2027, defines "Operating system provider" under Section 1798.500(g) as "a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device."
Every OS provider must then: provide an interface at account setup collecting a birth date or age, and expose a real-time API that broadcasts the user's age bracket (under 13, 13 to 15, 16 to 17, 18+) to any application running on the system.
Read that again. Every app on your device gets to query a system-level API that returns your age bracket in real time. This isn't age verification at the point of accessing restricted content. This is a persistent age-broadcasting service baked into the operating system itself, queryable by every installed application.
Colorado SB26-051 (passed the Senate 28-7, now in the House) copies the same definitions in the same order, same penalty structure ($2,500 per child for negligent violations, $7,500 for intentional ones), same exemptions. The template is the ICMEC "Digital Age Assurance Act," and it's been introduced or is pending in Illinois (three separate bills), New York, Kansas, South Carolina, Ohio, Georgia, Florida, and at the federal level.
New York's S8102A goes further. It requires device manufacturers to perform "commercially reasonable and technically feasible age assurance" at device activation and explicitly bans self-reporting. The AG picks the approved methods. That means biometric age estimation or government ID verification before you can use a device you purchased.
Exemptions in all of these bills cover broadband ISPs, telecom services, and physical products. None contain any exemption for open-source software, non-commercial projects, or privacy-preserving verification methods.
... continue reading