Age verification is being sold as child safety. The bigger pattern is internet identity control. This tracker follows KOSA, app store age checks, state ID laws, platform responses, and the policy pipeline pushing the open internet toward identity checkpoints.
Last updated: May 24, 2026
Current threat level: HIGH
- KOSA is active at the federal level as S.1748 in the 119th Congress.
- State age verification laws are spreading across the country.
- Some platforms already block users in certain states instead of collecting ID.
- Big Tech can absorb compliance costs. Smaller sites, forums, and open-source projects cannot.
- The core risk is not one bill. The core risk is normalizing ID checks for speech.
Contents
- Why This Tracker Exists
- The Short Version
- Federal Bills To Watch
- The Compliance Incentive Problem
- State Age Verification Laws To Watch
- Platform Responses Are The Early Warning System
- Why Anonymous And Pseudonymous Speech Matters
- The Big Tech Compliance Moat
- Better Child Safety Without ID Checkpoints
- What To Tell Congress
- What Privacy-Minded Readers Should Do Now
- Copy/Paste This
- Related TheThriftyDev Reading
- Sources
Why This Tracker Exists
There are real online harms affecting kids. Sextortion, predatory adults, algorithmic amplification, bullying, self-harm content, addictive feeds, and data harvesting are not imaginary. Parents are right to be angry, and lawmakers are right to care.
The problem is the tool. Age verification sounds narrow until you ask how it works at internet scale. If a platform must treat minors differently, it needs a way to know who is a minor. If it cannot reliably know who is a minor, it checks more users. If checking more users becomes the safe legal path, adult speech gets dragged into the same identity layer.
That is age verification creep: a child safety proposal becomes a compliance system, the compliance system becomes an identity checkpoint, and the identity checkpoint becomes the default gate for speech, search, social media, communities, apps, and eventually payments.
The Short Version
- Protecting kids online matters.
- Age checks sound limited.
- But platforms cannot separate minors from adults without checking users.
- That creates pressure for ID vendors, device-level age signals, app-store verification, and more intrusive account systems.
- The people hurt first are not criminals. They are abuse survivors, whistleblowers, dissidents, religious minorities, activists, journalists, LGBTQ users, and teenagers seeking help.
Federal Bills To Watch
| Bill or proposal | Status | Supporter framing | Age verification risk | Speech/privacy risk |
|---|---|---|---|---|
| KOSA, S.1748 | Introduced in the 119th Congress and referred to Senate Commerce | Design duties and safeguards for minors | High | Platforms may over-filter sensitive lawful content and seek age assurance |
| COPPA 2.0 | Federal privacy proposal often discussed beside KOSA | Stronger protections for children and teens | Medium | Depends on implementation and how platforms determine age |
| House online safety packages | Moving in parallel with child safety and app accountability proposals | Parental controls and child safety accountability | High | Could shift age checks to app stores, operating systems, or device layers |
| Phone or SIM identity proposals | Separate but related identity pressure | Fraud, trafficking, and crime prevention | Severe | Turns basic communication into a permissioned identity event |
The Compliance Incentive Problem
Supporters often say KOSA does not directly require every user to upload ID. That is an important distinction. But direct mandates are not the only way policy changes behavior. Liability changes incentives.
If a platform can be punished for failing to protect minors from certain harms, the platform needs a defensible way to show which users are minors, which settings applied to them, and what content or features they were allowed to access. A small site owner, open-source developer, Nostr client, forum admin, or indie app team does not have a legal department to litigate fine distinctions. The safe response is to block users, remove features, over-filter speech, or outsource age checks to vendors.
That is how “we do not require ID” can still become “show ID to participate.”
State Age Verification Laws To Watch
State laws matter because they create the test cases. One state passes an age check. Another expands it. Courts rule on pieces of it. Platforms react by blocking regions, adding compliance vendors, or changing product design nationally.
| Category | What to watch | Why it matters | Risk |
|---|---|---|---|
| Adult-site age verification | State laws requiring ID or age assurance for sexual content | Creates legal precedent and vendor infrastructure | High |
| Social media minor laws | Parental consent, account limits, and age checks for social platforms | Pushes identity checks into general-purpose speech platforms | Severe |
| App store age verification | Apple/Google or app-store-level age signals | Centralizes age identity at the operating-system or app-store layer | Severe |
| Device-level age systems | Age signals built into phones, browsers, or operating systems | Could follow users across apps and websites | Severe |
Platform Responses Are The Early Warning System
When a platform blocks a state instead of collecting ID, that is not just a business decision. It is a warning signal. It means the compliance burden, liability risk, or privacy risk is too high for that platform to operate normally.
EFF has documented how age gates can become a windfall for Big Tech and a death sentence for smaller platforms. Large companies can pay lawyers, vendors, auditors, trust and safety teams, policy teams, lobbyists, and compliance engineers. Small communities cannot. If the cost of running a forum becomes identity verification infrastructure, the open web loses.
Why Anonymous And Pseudonymous Speech Matters
Pseudonymous speech is not a loophole. It is a safety feature.
People use pseudonyms to report abuse, talk about addiction, explore religion, research health issues, organize politically, question powerful institutions, build communities, and separate public speech from private life. Teenagers may need access to information they cannot safely ask for at home. Abuse survivors may need resources without alerting an abuser. Whistleblowers may need to speak without attaching their legal name to every sentence.
An ID-check internet chills all of that. Even if the government never reads the database, the database exists. It can be breached, sold, subpoenaed, misused, shared, or quietly normalized until refusal itself looks suspicious.
The Big Tech Compliance Moat
Regulation sold as anti-Big-Tech can accidentally entrench Big Tech. That is the compliance moat.
Meta, Google, Apple, TikTok, and other giants can absorb age assurance vendors, policy audits, legal challenges, and reporting requirements. A small Mastodon instance, Nostr client, indie forum, hobby project, or privacy-first tool cannot. The likely result is less competition, more centralization, and fewer escape routes from the platforms lawmakers claim to be disciplining.
That matters for builders. A sovereign web needs small services, open protocols, self-hosted tools, and low-friction publishing. Identity compliance moves the web in the opposite direction.
Better Child Safety Without ID Checkpoints
The choice is not “do nothing” or “verify everyone.” Better options exist:
- Ban behavioral advertising to minors.
- Enforce data minimization for all users.
- Ban manipulative dark patterns and addictive product loops.
- Require simple chronological feed options.
- Improve reporting, takedown, and appeals systems.
- Fund investigations and enforcement against predators and extortion networks.
- Support family-level tools that do not require every website to collect ID.
- Require privacy-preserving age signals only if they are voluntary, minimal, audited, open, and not tied to browsing history.
What To Tell Congress
Here is the clean message:
Protect kids online, but do not create an ID-check internet. Oppose age verification mandates and any bill that pressures platforms to identify users before they can speak, search, learn, or join communities. Pass privacy-first child safety instead: data minimization, limits on behavioral targeting, anti-dark-pattern rules, better enforcement against predators, and protections for anonymous and pseudonymous speech.
What Privacy-Minded Readers Should Do Now
- Contact your senators and representatives. Ask whether they support age verification mandates or privacy-first child safety.
- Use pseudonymous accounts where appropriate. Do not attach your legal identity to every public opinion.
- Support decentralized and smaller platforms before the compliance moat gets worse.
- Move some social activity to Nostr and other exit-ramp systems.
- Reduce dependence on identity-linked accounts where possible.
- Share this tracker when someone says, “It is only about protecting kids.”
Copy/Paste This
If you want to explain the issue fast, use this:
Age verification does not stay age verification. Once platforms must prove who is a minor, adults get dragged into the identity layer too. That is how “protect kids” becomes “show ID to speak.” Tracker: https://thethriftydev.com/blog/age-verification-creep-tracker/
Related TheThriftyDev Reading
- KOSA Is Not Just a Kids Safety Bill. It Is an Age Verification Creep Bill
- Mandatory ID Is Coming for Phones and Social Media. Here’s How to Move to Nostr Before the Gate Closes
- Google AI Search Privacy: Better Alternatives to Protect Your Searches
- What Is the Sovereign Builder Protocol?
Sources
- GovTrack: S.1748 Kids Online Safety Act
- GovInfo: S.1748 bill text
- Sen. Blackburn release on KOSA reintroduction
- ACLU on kids online safety bills and speech protections
- EFF: age gates, Big Tech, and smaller platforms
- R Street on social media age verification problems
- The Intercept on anonymity, KOSA, and age verification
Views: 0
