US Considers Forcing Operating Systems to Enforce Age Verification and Share User Data with Third Parties

To set up and use your computer, you may soon be required to prove how old you are, not to an app or a website, but to the operating system itself. A bipartisan bill called the Parents Decide Act was introduced in the US House of Representatives on April 13, 2026. Cosponsored by New Jersey Democrat Josh Gottheimer and New York Republican Elise Stefanik, it has been referred to the House Committee on Energy and Commerce.

The bill, formally known as H.R. 8250, would require operating system providers to collect a user’s date of birth during initial device setup. That means Windows, macOS, Android, iOS, and even Linux distributions would be required to ask every user, adult or child, for their birth date before granting access to the system. Users under 18 would require a parent or legal guardian to verify the information. According to Biometric Update, this shifts age-checking obligations away from individual apps and onto the platform owners themselves.

The reasoning behind the bill centers on a familiar problem: children bypassing age restrictions online. According to Representative Gottheimer, kids can currently sidestep age requirements simply by typing in a different birthday. The bill aims to fix this by anchoring verification at the deepest layer of personal computing. But its actual reach extends well beyond parental controls, touching questions of data ownership, privacy, and what it means to use a computer anonymously. That reach is where the controversy begins.

This article was created with the assistance of AI and reviewed by our editorial team for accuracy and clarity.

Your Birthday, Their Business

The most contentious part of the Parents Decide Act is not the age check itself. It is what happens after. The bill directs operating system providers to build a system allowing app developers to access “any information as is necessary” collected by the OS to verify a user’s date of birth. In plain terms, any application on your computer could tap into that data. As reported by Windows Central, the practical scope of this data-sharing remains vague in the bill’s current text.

The bill does not specify how age verification will actually work. It does not say whether entering a birth date is enough, or whether a government-issued ID, biometric scan, or third-party identity check will be required. These critical details are left to the Federal Trade Commission, which would have 180 days after the bill’s passage to draft implementation rules. According to Windows Forum, the law’s real privacy footprint depends heavily on those future rules, which do not yet exist.

That gap between what the bill says now and what it could require later is a significant concern for critics. Writing rules after passing a law is common practice, but in this case, the most sensitive decisions, including how personal data is stored, who can access it, and under what conditions it is shared with developers, are all unresolved. Until those rules are finalized, the bill essentially hands the FTC a blank check to define the future of personal computing privacy. The stakes are high enough that even the bill’s supporters should want those answers before a vote.

Open Source, Offline Users, and the People the Bill Forgot

One of the most glaring blind spots in the Parents Decide Act is its apparent assumption that all operating systems are corporate products with centralized account infrastructure. Linux, the open-source operating system that powers everything from personal computers to servers and scientific instruments, operates on an entirely different model. Many Linux distributions have no centralized account system, no single company to enforce compliance, and no obvious mechanism for securely processing personal identification data at installation. The bill offers no explanation for how this would work.

Privacy-focused operating systems are already drawing a hard line. GrapheneOS, an Android-based open-source OS, publicly stated it will remain usable by anyone without requiring personal information, identification, or an account. The Electronic Frontier Foundation and other digital rights groups warn that embedding age verification at the OS level creates what amounts to surveillance infrastructure, one that could disproportionately burden smaller developers and open-source projects that lack the resources to build compliant identity-verification pipelines. These are not edge cases. They represent a significant portion of how people around the world use computers.

There is also a question that has received surprisingly little attention: would this law require an internet connection just to use a computer? If verification must be confirmed against a database or third-party system, then offline use becomes impossible by design. That concern was raised by PC Gamer’s editor-in-chief Tyler Wilde and has not been addressed by the bill’s sponsors. For millions of users in rural areas, low-connectivity regions, or workplaces with restricted networks, that would not be a minor inconvenience. It would be a fundamental barrier to access.

California Already Did It, and the Fallout Is a Warning

The Parents Decide Act is not arriving in a vacuum. California signed its own version into law in October 2025. The Digital Age Assurance Act requires operating system providers to collect age information during setup and pass a standardized age-bracket signal to apps and developers, with full compliance expected by January 2027. That means the industry is no longer debating a hypothetical scenario. Major OS vendors are already preparing for a compliance regime, and the consequences for smaller players are becoming visible.

The pressure on open-source developers in California has been significant. Projects without the legal teams, engineering resources, or centralized infrastructure to meet the law’s requirements face a difficult choice: build compliance tools they were never designed for, or effectively withdraw from one of the world’s largest consumer markets. The federal bill, if passed, would replicate that pressure nationwide. At the same time, other state-level bills on age verification have taken diverging paths, with a federal judge blocking Texas’s version in December 2025 and the Supreme Court signaling interest in related constitutional questions.

Congress is not wrong to worry about children’s safety online. The problem is that this bill attempts to solve a real issue by creating a permanent identity checkpoint at the foundation of personal computing, affecting every user regardless of age, and delegating the most critical implementation decisions to a regulatory body after the fact. The question worth sitting with is this: once the infrastructure for mandatory, OS-level identity verification exists, what else might it eventually be used for? That is not a question the Parents Decide Act even attempts to answer, and that silence may matter most of all.