Colorado lawmakers are advancing a sweeping proposal that would embed age verification requirements directly into smartphones, tablets, and computers sold in the state.
Senate Bill 26-051, titled “Age Attestation on Computing Devices,” would require operating system providers such as Apple, Google, and Microsoft to collect a user’s date of birth during device setup and generate a persistent “age signal.” Apps would be required to rely on that signal before granting access to users.
Supporters say the bill is designed to protect minors online. But by shifting age checks from individual websites and apps to the operating system itself, the proposal moves identity verification – a key steppingstone on the way to Digital ID – deeper into the digital infrastructure that powers everyday life.
Device Level Digital ID
Unlike age gates that exist at the website level, this bill would make age verification a built-in feature of the device itself. Every new device sold in Colorado could begin with a mandatory request for personal information before users can fully access app stores or download services.
Critically, meaningful age verification typically requires more than simply typing in a birthdate. To actually verify age, companies often require some form of government-issued identification, biometric scan, or third-party database check. That process inherently links a real-world identity to a device.
In practice, that means:
- Users may need to submit government ID or other sensitive documentation to confirm their age.
- Companies could be required to store or process that identifying information.
- Anonymous or pseudonymous access to lawful online services could become far more difficult.
Once identity is tied to the operating system layer, anonymity becomes fragile. Even if the age signal is designed to share only a “yes or no” age status with apps, the underlying verification process still requires collecting and validating real-world identity data somewhere in the chain.
De-Anonymization Risks
Embedding age verification into device software creates a structural incentive to associate devices with verified identities. That shift carries long-term implications for online speech and privacy.
For decades, the internet has allowed users to participate in lawful discourse without attaching their legal names to every interaction. Mandating identity verification at the operating system level risks normalizing a system where access to digital spaces depends on presenting papers first.
The bill also includes civil penalties of up to $7,500 per minor for intentional violations, creating strong incentives for companies to over-collect data and strictly enforce compliance.
If enacted, the requirements would take effect in January 2028. Because operating systems are distributed nationally and globally, compliance in one state could shape device design far beyond Colorado’s borders.
The proposal reflects a growing national trend toward age verification mandates in the name of child safety. But by pushing identity checks into the core software that powers modern life, Colorado’s bill goes further than most.
