(Headline article below) According to Brian Lunduke, they carved out an exception for opensource, but supposedly anything with the GPL license wouldn’t be included, so not really? It’s all just shenanigans to drive us to digital ID and biometric identification. They’re doing this piecemeal by state and country, making such a mess of the landscape, hoping they can sneak their digital ID scheme through with the public accepting it. Perhaps with the right false flag cyber events they can get this accepted? Side note, the System 76 computer maker CEO (also the manager of their own distro with Cosmic Desktop) went to Colorado legislators for the opensource exemption and supported this bill, so either compromised or didn’t understand their legislative trick?
https://reclaimthenet.org/big-tech-backs-colorado-os-level-age-data-bill
Apple and Google would become the state-appointed gatekeepers of every Coloradan’s age data and their lobbyists are pushing hard for the privilege.
By Dan Frieth
Chamber of Progress, a lobbying group bankrolled by Amazon, Apple, Google, Meta, and OpenAI, is pushing Colorado Governor Jared Polis to sign SB 26-051 into law.
The bill would force operating system providers to harvest users’ dates of birth and pipe that data to app developers through an API every time you download or open an app. If Polis signs it, your phone’s operating system becomes more of an identity checkpoint, not just for children, but for everyone.
The bill landed on the Governor’s desk on May 12 after clearing both chambers of the Colorado legislature, passing the House 40-23 and the Senate 26-9.
We obtained a copy of the latest version of the bill for you here.
Sponsored by Democratic Senator Matt Ball and Representative Amy Paschal, the legislation mirrors California’s AB 1043, signed into law in October 2025. Colorado’s version would start applying to new users on July 1, 2028, with existing users folded in by January 1, 2029.
When you set up a device account, the OS asks for a date of birth. That data gets translated into one of four age brackets (under 13, 13 to 15, 16 to 17, and 18-plus) and stored as an “age signal.”
Developers are required to request that signal at first launch or account creation through a real-time API. Every app you open gets to ask your operating system how old you are.
Chamber of Progress told Colorado lawmakers that the bill “reflects an important effort to protect children online while minimizing risks to privacy and lawful speech.”
That framing collapses under the weight of what the bill constructs. It calls age-bracket data “nonpersonally identifiable,” but an age bracket combined with a device ID, app usage patterns and an IP address makes re-identification trivial. When that signal flows to dozens of apps at launch, the aggregate profile becomes far richer than any single data point suggests.
The bill also makes anonymous device use functionally harder. If account setup requires an age attestation that follows you into every app, you lose the ability to use the software without disclosing something about your identity. That has consequences for journalists, activists, domestic violence survivors, and anyone who treats privacy as a default.
The bill never specifies how age data is verified. Account holders just “indicate” a birth date. It may not have an ID check or a biometric scan, at least for now. But a 12-year-old can type in 1988 and the system accepts it.
As a mechanism for protecting children, this is useless, and everyone involved in writing it knows that. What it does accomplish is something else entirely. It builds the architecture: the API, the data pipeline, the legal obligation for developers to query an age signal at every app launch. Once that plumbing exists, the only question left is what gets poured through it.
The self-reported birth date is a placeholder. When legislators inevitably point out that kids are lying about their age (which this system was designed to let them do), the fix will be ID uploads, biometric verification, or both. The bill doesn’t protect children from anything today but it lays the groundwork for mandatory identity verification tomorrow and it does so without ever having to make that argument openly. And when the system misfires in its current form, nobody is accountable.
Section 6-30-104(2) gives OS providers and app stores a “good faith” safe harbor, meaning an adult incorrectly flagged as a minor who loses access to content has no real recourse.
Requiring Apple and Google to collect, store, and distribute age data makes them custodians of a sensitive dataset tying age to device identity. The bill includes data minimization language but the structural reality is that two companies gain a legally mandated role as age gatekeepers for an entire state’s population. A breach of that data would be consequential.
The Chamber of Progress knows what it’s endorsing. A law requiring OS-level age signals doesn’t threaten Apple and Google. It cements their dominance, handing them a statutory mandate to manage personal data while creating compliance costs smaller competitors absorb less easily.
This bill builds an infrastructure that changes the baseline expectation of anonymity when using a computing device, and the companies lobbying for it are the ones who profit from holding the keys.