Over the past few years I have written several pieces looking at the issue of access online to adult content. In 2024 I wrote How Do You Stop Kids Watching Porn? and Sarah looked at KOSA and COPPA 2.0. Aand in March this year we had Why Are Adult Sites Going Dark in So Many States? Over time the issue has taken center stage in discussions of the negative impact the online world is having on children, and this year there is another wave of legislation gathering momentum - this time targeting devices. Let's bring the story up to date.
A Brief History of Digital Gatekeeping
When lawmakers first turned their attention to age verification online, the battleground was clear: adult websites. The early state laws—such as Louisiana’s pioneering 2022 statute—required pornography sites to use government-issued ID verification or risk blocking. As explored in How Do You Stop Kids Watching Porn? and why adult sites are going dark?, these bills triggered a cascade of similar efforts across the U.S. Utah, Arkansas, Texas, Mississippi, and Virginia soon followed, citing the need to protect minors from “harmful online material.”
The result? A patchwork of digital fences. Sites like Pornhub and XVideos responded not by adapting but by withdrawing—blocking users in entire states rather than risk noncompliance. VPN traffic surged, adult site visits fell sharply inside affected jurisdictions, and enforcement mechanisms proved inconsistent. States without such laws saw an influx of redirected traffic, suggesting users were more adept at digital rerouting than legislators expected.
Across the Atlantic: The UK’s Cautionary Tale
Britain’s experiment offers a sobering case study. The UK’s Online Safety Act, implemented in 2024, required adult sites to perform robust age checks—either through third-party identity providers like Yoti or government documents. Proponents hailed it as a victory for child protection; critics warned it risked data leaks and online surveillance creep.
In practice, the system has been messy. Major adult platforms delayed compliance, while smaller ones simply went offline in the UK. VPN usage climbed by more than 20% following rollout, according to industry reports, and web analytics show substantial drops in domestic adult traffic—suggesting deterrence, but also evasion.
In the U.K. government's defence, they have tried really really hard to make this work practically. The Act itself was one of the most debated and amended pieces of legislation in recent years, and the implementation period was very long to allow adult providers to develop workable systems. One example of the innovation this drove is the use of facial recognition technology to assess a user's age. No need to share sensitive data with websites, now they can take a look at your wrinkles and figure out that you're no spring chicken. Fair enough, but of course some bright spark immediately noticed that you could use in-game selfies of Sam Porter Bridges (aka Norman Reedus), the grizzled protagonist of the computer game Death Stranding, to fool the system. Which raises two important questions - what possessed someone to actually try that? And did any of the providers ever wonder why Norman Reedus was watching so much porn?
The UK government is facing the same paradox U.S. states are grappling with: the more gates you build, the more tunnels people dig.
From Websites to Devices: The Next Phase of Age Assurance
This year’s legislative trendline points to a fundamental shift. Lawmakers are no longer content to regulate content providers—they are now targeting platforms and devices themselves. The map below shows relevant legislation across the country in current or most recent legislative sessions. Click a state to see the list of bills, then click details to read the bills.
Utah led this pivot with its App Store Accountability Act (SB152), passed in 2024, establishes for the first time in the U.S. obligations for app-store operators (rather than individual apps) to verify users’ ages and obtain parental consent before minors can download or purchase apps. Specifically, the law requires app-store providers to request age information when a Utah-resident creates an account, and if that user is a “minor” (under 18) to link the account to a verified parent account. Developers are required to use the app store’s age-category data and parental-consent status, and both app stores and developers must protect age-verification data and notify parents of “significant changes” (such as changes in data collection or app-content rating).
The law becomes effective beginning May 7, 2025 for certain provisions, with full compliance expected by May 6, 2026.
Texas soon followed with its own version—the Texas App Store Accountability Act (HB1666)—mirroring many of Utah’s provisions but with added language on data retention and parental consent; if the user is under-18, the account must be affiliated with a verified parent or guardian’s account and the parent must give consent for app downloads, purchases or in-app transactions. The law also sets out display requirements (rating and reason for rating), developer-notification obligations, and data-protection minimums.
These laws sparked a wave of similar proposals in 2025, with 19 states and Congress introducing similar legislation:
- Alaska's HB46 and Hawaii's SB1542 echo Utah’s focus on app stores and parental oversight.
- California's AB1043, now signed into law, expands the framework into a broader Digital Age Assurance model, requiring any app or online service “likely to be accessed by minors” to implement verifiable age signals.
- Louisiana's HB570 is similar, and has also become law, continuing the state's pioneering efforts in age gating.
- Illinois' HB3304 and HB4140—both titled Digital Age Assurance Act—aim to weave age verification into digital infrastructure itself, not just app platforms.
Of the bills in the BillTrack50 bill sheet, roughly half concentrate on app store gatekeeping, while the other half push for system-wide or device-level verification—a much deeper policy intervention based on the model Digital Age Assurance Act developed by the International Center for Missing and Exploited Children which we discussed in an earlier post. It does seem to be gaining traction, evidenced by the success of the California bill.
A notable feature of the bills are their non-partisan nature. How often will California and Lousiana enact very similar bills? Many of the bills themselves are strongly bipartisan. It's a refreshing focus on actually attempting to solve a problem rather than merely engaging in political point scoring.
Pros, Cons, and Political Undercurrents
Supporters argue that moving age assurance “down the stack” toward device and operating-system level verification will finally make online protections enforceable. If every device has built-in assurance tools—akin to parental controls, but standardized—children’s exposure to harmful content could be curtailed more effectively and with less friction for websites.
Critics, however, warn of a slippery slope. Device-based verification may require biometric data or government ID linkage, raising fears of digital identity creep. Civil liberties groups liken it to turning smartphones into “pocket surveillance devices.” The Electronic Frontier Foundation, among others, cautions that such systems could normalize identity checks for all online activity, blurring the line between safety and censorship.
Even within industry, the response has been uneven. Yoti, a major player in age assurance technology, has critiqued Texas’s approach, calling it “a step toward accountability and safer app ecosystems” but noting that it does not address the internet more broadly. But tech giants have been more guarded. Apple has quietly enhanced parental control features and expanded “Ask to Buy” permissions, yet resists state-by-state mandates. Google, meanwhile, argues for federal harmonization, warning that conflicting state laws could splinter app distribution.
Measuring Success: What Does “Working” Look Like?
If “success” means reducing minors’ exposure to adult content, there is some evidence of partial victory. In Louisiana and Utah, traffic to major adult sites from in-state IPs dropped significantly after verification laws took effect. But this decline was offset by increased VPN use—suggesting avoidance rather than abstinence.
In the UK, similar trends emerged: VPN adoption rose, and traffic simply relocated. Compliance is measurable; efficacy is not. Meanwhile, privacy watchdogs report increased data-handling risks as more sites collect government IDs or biometric data to meet legal thresholds.
So while lawmakers can point to blocked access and compliant platforms, the question remains whether these measures actually change behavior or merely reshape it.
The Future of Age Verification: A Digital Tug of War
Looking ahead, the battleground will likely shift again—from app stores to operating systems, and perhaps eventually to network providers. Federal proposals like a “Digital Assurance Framework” have begun circulating in Washington, suggesting a coordinated approach to unify standards. Internationally, the EU’s Digital Services Act and the UK’s Online Safety Act are setting precedents for interoperability that U.S. regulators may draw upon.
We may also see AI-based age estimation—using facial analysis or behavioral patterns—become part of the toolkit. These systems promise privacy-preserving verification without hard IDs, but they raise fresh ethical questions about accuracy, bias, and consent.
In short, age verification is no longer just about pornography websites. It is becoming a core feature of the internet’s architecture—a shift with profound implications for privacy, free expression, and digital identity. Whether we call it “assurance,” “verification,” or “protection,” the struggle to draw boundaries online shows no sign of slowing down.
About BillTrack50 – BillTrack50 offers free tools for citizens to easily research legislators and bills across all 50 states and Congress. BillTrack50 also offers professional tools to help organizations with ongoing legislative and regulatory tracking, as well as easy ways to share information both internally and with the public.