As more US states consider online age-verification requirements, two Colorado lawmakers want to implement the age checks at the operating system-level.
SB26-051, introduced last month, would require operating systems to register the owner’s age, which third-party apps can then leverage to determine if the user is an adult. The bill calls for the device owner to register their birthdate or age, but for the purposes of creating an “age bracket,” which can then be shared to an app developer through an API to learn their age range, according to BiometricUpdate.com.
The bill comes from state Sen. Matt Ball and Rep. Amy Paschal, both Democrats. Ball seems to view his measure as pro-privacy and as a way to stop kids from downloading adult-oriented apps. “No personal information is communicated that you could use to identify somebody; it’s just an age bracket signal,” he told the Colorado Springs Gazette.
The legislation seems to also centralize the age check through the OS, rather than mandating that each app enforce their own age-verification mechanism, which can involve scanning the user’s official ID, thus raising privacy and security concerns. The bill also forbids the sharing of the age-bracket data for any other purpose.
But it looks like it’s easy to bypass the age check proposed by SB26-051. The legislation itself doesn’t mention any state ID check to verify the owner’s age. In addition, the bill doesn’t seem to cover websites, only apps and app stores.
The legislation adds that “if a developer has clear and convincing information that a user’s age is different than the age indicated by an age signal, the developer shall use that information as the primary indicator of the user’s age range.” SB26-051 also includes a “civil penalty of not more than $2,500 for each minor affected by each negligent violation or not more than $7,500 for each minor affected by each intentional violation.”
Get Our Best Stories!
Stay Safe With the Latest Security News and Updates
By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy
Policy.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
The bill’s sponsors didn’t immediately respond to a request for comment. But it’s possible SB26-051 is more focused on preventing adults from contacting minors. In the meantime, some critics are blasting the proposal as overreach and invasive.
“Hell no. You give an inch, they take a mile. Every single time. No compromises. No mass surveillance PERIOD,” wrote one user on Reddit.
Others are more sympathetic. Another Reddit user who identified themselves as a software engineer said the proposal lifts the burden of age verification from app developers and platform operators, which have faced lawsuits for failing to conduct adequate age checks.
Recommended by Our Editors
But the software engineer added: “Just because the owner of the phone was 18 doesn’t mean the USER is. I could be playing video games on my older brother’s phone that he left lying on the desk. It’s like 100% tying speeding tickets to license plates—you can try, but it doesn’t stand up because somebody else might have been driving my car. You have to know the human, not the device.”
One site that supports device-level age checks is Pornhub. Its parent company, Aylo, has blocked Pornhub and the other adult sites it owns in states and countries that require age-verification in protest of those laws.
“The best and most effective solution for protecting minors and adults alike is to identify users at the source: by their device, or account on the device, and allow access to age-restricted materials and websites based on that identification,” Pornhub says. “This means users would only get verified once, through their operating system, not on each age-restricted site. This dramatically reduces privacy risks and creates a very simple process for regulators to enforce.”
About Our Expert
Michael Kan
Senior Reporter
Experience
I’ve been a journalist for over 15 years. I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017, where I cover satellite internet services, cybersecurity, PC hardware, and more. I’m currently based in San Francisco, but previously spent over five years in China, covering the country’s technology sector.
Since 2020, I’ve covered the launch and explosive growth of SpaceX’s Starlink satellite internet service, writing 600+ stories on availability and feature launches, but also the regulatory battles over the expansion of satellite constellations, fights with rival providers like AST SpaceMobile and Amazon, and the effort to expand into satellite-based mobile service. I’ve combed through FCC filings for the latest news and driven to remote corners of California to test Starlink’s cellular service.
I also cover cyber threats, from ransomware gangs to the emergence of AI-based malware. Earlier this year, the FTC forced Avast to pay consumers $16.5 million for secretly harvesting and selling their personal information to third-party clients, as revealed in my joint investigation with Motherboard.
I also cover the PC graphics card market. Pandemic-era shortages led me to camp out in front of a Best Buy to get an RTX 3000. I’m now following how President Trump’s tariffs will affect the industry. I’m always eager to learn more, so please jump in the comments with feedback and send me tips.
Read Full Bio
