US lawmakers are testing a new front in the fight over kids’ online safety by shifting age checks from individual apps to the operating systems that run phones, tablets, and PCs. A Colorado proposal, Age Attestation on Computing Devices (SB26-051), would require Apple, Google, Microsoft, and other OS providers to verify a user’s age during device setup and send a privacy-preserving age signal to apps. If adopted, the model could ripple beyond Colorado and accelerate a nationwide pivot to device-level age restriction of apps.
How Device-Level Age Signals Would Work for Apps
Under the bill, users (or parents setting up a child’s device) would attest to age once at onboarding. The OS would not share a birthdate; instead, it would categorize the account into one of four bands: under 13, 13 to under 16, 16 to under 18, and 18 and older. When a user tries to download or open an age-gated app, the system would transmit only that age band so the app can allow, restrict, or deny access.
The measure instructs platforms to share the minimum information necessary and prohibits passing the age signal to third parties for unrelated purposes. In effect, the OS becomes the authoritative source of age, replacing the patchwork of in-app pop-ups and self-attestation screens that are easy for minors to bypass.
Why States Are Turning to the Operating System Level
States are looking for systemic solutions after years of uneven enforcement at the app level. Federal law via COPPA already bars data collection from children under 13 without parental consent, yet teens remain largely uncovered. The US Surgeon General has warned that social media poses significant risks to youth mental health and urged stronger default protections. Pew Research Center reports that 95% of US teens use YouTube and 67% use TikTok, underscoring how pervasive access has become.
A device-level approach could reduce repeated data entry and limit exposure of personal information by turning age into a standardized signal rather than a piece of user data that every app must collect. It also aligns with existing parental controls—like Apple’s Screen Time and Google’s Family Link—by making age a core OS attribute rather than an optional add-on.
Gaps, Risks, and Privacy Questions for Colorado’s proposal
The Colorado bill is focused on apps, leaving websites accessed via browsers outside its scope. That gap could become a well-known workaround for determined teens, especially where apps and web experiences mirror each other. The proposal also leans on user-provided age at setup, which can still be falsified unless backed by stronger checks.
Stronger checks, however, raise their own trade-offs. Government ID verification or biometric age estimation can be more accurate, but they increase data sensitivity and the risk of function creep. Privacy advocates have long warned that centralized age verification could expand tracking across services. Colorado’s “minimum information” standard aims to counter this by limiting the signal to broad age bands, but the technical details—such as whether cryptographic, one-time tokens will be used—remain to be worked out.
Shared or family devices introduce complexity too. Multi-user profiles and supervised accounts can help, but incomplete adoption could lead to mismatched restrictions or false blocks for adult users on a child-labeled device.
Industry and Legal Landscape for OS-Level Age Checks
If enacted, the requirement would push OS makers to build standardized age APIs that developers can rely on, and potentially extend those APIs to third-party app stores. That shift would mirror past platform privacy changes—think App Tracking Transparency or permission prompts—that redefined developer practices across ecosystems.
Colorado’s push follows California’s Digital Age Assurance Act (AB-1043), slated to take effect in 2027, signaling a broader state-led trend. Still, legal headwinds are real. Courts have already blocked or narrowed several state youth online safety laws on First Amendment and Commerce Clause grounds, including high-profile challenges led by NetChoice. Any OS-level mandate could face similar tests, particularly if it affects interstate app distribution or speech-related services.
Regulators will also weigh accountability. The Federal Trade Commission’s recent actions—such as penalties stemming from COPPA violations in major gaming and video platforms—show that enforcement can be costly. A unified OS signal could lower compliance risk for smaller developers, but it would shift responsibility squarely onto a handful of platform owners.
What It Means For Families And Developers
For parents, the change promises simpler, more consistent controls: verify once, then manage access across apps by default. For developers, it means planning for a new mandatory check at app startup and during purchases or content transitions. Expect SDKs from platform vendors and updated app store policies spelling out how and when to query the age signal.
Colorado’s proposal would not take effect until 2028 and could still face a referendum or litigation. But the direction is clear. With teens’ screen media use and smartphone ownership rising—Common Sense Media reports near-universal smartphone access among high schoolers—state lawmakers are betting that age assurance belongs at the operating system layer. Whether that bet becomes a national standard will depend on technical design choices, civil liberties safeguards, and how courts reconcile youth protection with digital speech rights.
