As governments around the world strain to make the internet safer for children, one idea has been gaining traction: Instead of forcing websites to keep out children, why not have their device do it instead?

In the United States, California has passed a law that requires operating systems to collect age information and provide apps with a signal indicating whether a user is a minor or an adult. Lawmakers in Colorado(new window) and Illinois(new window) are considering similar legislation.

In the United Kingdom, Apple has already begun requiring some iPhone users to verify their age at the operating system level to access certain features.

This is a major shift in how identity works online. When identity checks move from websites into operating systems, they become part of the internet’s infrastructure. Decisions made at this layer can affect how billions of people access information, communicate, and participate online. 

“They create unnecessary and unconstitutional barriers(new window) for adults and young people to access information and express themselves online,” warns the Electronic Frontier Foundation, especially when family members of varying ages share devices within a household.

From website checks to device-level signals

Age restrictions on the internet have historically been handled by individual apps and websites. If an app or website hosts content intended for adults, it could ask users to confirm their age before allowing the user to download the app or access the website. The new approach moves that responsibility to the operating system that runs your device, such as Windows, Mac, or Linux. 

Under California’s Digital Age Assurance Act(new window), operating systems must collect a user’s age during account setup and categorize users into age groups: under 13, 13 to 15, 16 to 17, or 18 and older. Instead of asking every website to check a user’s age, the operating system that your computer runs on determines the user’s age category once and then shares that information with apps when requested — indefinitely.

Moving age verification into operating systems doesn’t just simplify compliance. It changes who controls identity online.

Today, most mobile devices run on operating systems controlled by Apple and Google. If age verification becomes an OS-level requirement, these companies effectively become the gatekeepers of age signals used across millions of apps.

Developers would no longer decide how to verify users. Instead, they would be required to rely on the operating system’s classification. In practice, that means trusting Apple or Google’s infrastructure — and their interpretation of regulatory requirements — to determine who can access what.

This has implications beyond privacy. It reinforces the power of existing app store ecosystems, where both companies already control distribution and policy enforcement. Adding identity verification to that stack further entrenches their position, locking developers into their ecosystems and limiting the ability of competitors to build alternative platforms or identity systems.

It also raises questions about how this infrastructure might be used beyond its original purpose. Once operating systems can verify and transmit attributes like age, the same mechanism could be extended in other countries to enforce broader controls. 

Governments such as China and Russia have already shown a willingness to require companies to restrict access to apps and content. Systems built for age verification could become a foundation for wider forms of control.

Supporters argue this could simplify compliance and reduce the need for platforms to collect age data themselves. Critics say it risks turning the device itself into a permanent identity checkpoint. Under the new law, every operating system will be required to verify the age of the user upon setup(new window), and it can send that data via API to app developers without the user’s explicit consent.

The privacy risks of centralized age checks

Age verification systems vary widely in how they work.

Uploading identity documents can expose users to the risk of data breaches, as seen with platforms like Discord, where attackers have gained access to thousands of government IDs through age verification systems.

Biometric systems raise concerns about accuracy and bias. Facial scans, for example, can’t determine someone’s exact age and can lead to inaccurate results.

Centralizing age signals at the operating-system level introduces a different risk. If identity attributes become embedded in the software that runs a device, that information could shape how users interact with the entire digital ecosystem.

For example, in multi-family households where many people use the same device, apps could mistakenly restrict access to content based on the age signal they receive from the operating system, even when the user is of age. Similarly, if an adult registers the operating system, children using the device can easily bypass the age signal sent from the OS. In some cases, developers may face legal liability if they fail to enforce age restrictions properly.

Designing systems that respect privacy

Protecting children online is an important goal. Parents, educators, and policymakers have legitimate concerns about harmful content, social media pressures, and exploitative design practices. But designing safeguards for the internet is not just about policy goals. It is also about technical architecture.

A system intended to protect minors should not require everyone to surrender sensitive personal information to use everyday online services.

Instead, comprehensive privacy laws can help protect children(new window) while preserving privacy, security, and access to information for everyone.

As age verification policies continue to evolve, the systems that enforce them will help determine what the internet looks like for the next generation. What matters most is who controls the systems that make those decisions.