What is Paxton v. Free Speech Coalition?

Paxton v. Free Speech Coalition is the Supreme Court case challenging Texas's age verification law (HB 1181). The Free Speech Coalition argues the law violates the First Amendment by compelling adults to identify themselves to access protected speech. The Court's ruling, expected in 2026, will determine whether state age verification laws are constitutional.

What data do age verification systems collect?

Age verification systems collect government ID images, facial biometrics, names, dates of birth, addresses, and in some cases credit card information. This data is processed by third-party vendors like Yoti, Veriff, and Jumio. These databases become targets for breaches and can be subpoenaed by law enforcement without a warrant in most jurisdictions.

Can I refuse age verification?

If you live in a state with an active age verification law, you cannot access the covered content without submitting to verification. There is no federal opt-out. Using a VPN may circumvent geographic restrictions for website-level checks, but OS-level verification as proposed in California and Colorado would make bypassing significantly harder.

What is OS-level age verification?

OS-level age verification requires your device's operating system (iOS, Android, Windows, macOS) to verify your age during device setup and then broadcast an 'age signal' to any app or website that requests it. California SB 976 mandates this by December 31, 2026. Colorado SB26-051 mirrors the approach. This means your phone verifies your identity before you even open a browser.

US Age Verification Laws in 2026: The Surveillance Infrastructure Nobody Voted For

Q: How many US states have age verification laws?

As of May 2026, approximately 25 states enforce some form of age verification for adult content or social media. States with active enforcement include Texas, Utah, Virginia, Arkansas, Louisiana, Mississippi, Montana, Indiana, Idaho, Kansas, Florida, Alabama, Georgia, and others. California SB 976 and Colorado SB26-051 go further, requiring verification at the operating system level.

In 2022, Louisiana became the first state to require adults to upload government ID to access pornography online. Three years later, roughly half the country has followed. California and Colorado want to move verification to your phone's operating system. The Supreme Court is deciding whether any of this is constitutional. And nobody — not one voter in any of these states — cast a ballot to create a national identity verification infrastructure. This is how surveillance gets built: one law at a time, each targeting content nobody will defend, each normalizing the idea that you must identify yourself to use the internet. TL;DR ~25 states now enforce age verification for adult content or social media, with no federal standard governing what data is collected, how long it is stored, or who can access it California SB 976 and Colorado SB26-051 require age verification at the operating system level — your device, not a website, confirms your identity Paxton v. Free Speech Coalition, currently before the Supreme Court, will determine whether these laws survive First Amendment scrutiny Every verification method — ID scans, facial estimation, database checks — creates records linking your identity to what you accessed online There is no federal opt-out. No national privacy law constrains what verification companies do with your data. The infrastructure outlasts every law that creates it. The Louisiana model: where it started Louisiana Act 440, signed by Governor John Bel Edwards in June 2022 and effective January 1, 2023, was the first state law to require age verification for access to online adult content. The law required sites with a "substantial portion" of pornographic material to verify that users are 18 or older before granting access. Louisiana's implementation was notable for two reasons. First, it leveraged the state's existing digital ID system, LA Wallet — the same app Louisiana residents use to present a digital driver's license. Users had to link their LA Wallet account to age verification vendor Allpasses, which then confirmed their age to the requesting site. In practice, this meant presenting a government-issued credential to a private company to watch adult content. Second, the law produced exactly the outcome privacy advocates predicted: a centralized database linking Louisiana residents' government IDs to their browsing activity. Allpasses stated it did not store browsing history, but the architecture required creating a verification record for every session. Those records existed. They were held by a private company. And they were subject to legal process. Within months, copycat bills appeared in state legislatures across the country. The language was often identical, drafted by the same advocacy organizations and distributed through model legislation networks. By the end of 2023, seven states had enacted similar laws. By the end of 2025, the count had tripled. By May 2026, roughly 25 states enforce some form of age verification, and the Free Speech Coalition's tracker shows additional laws scheduled to take effect throughout the year. Louisiana proved the concept would pass. Every state that followed proved it would spread. The state-by-state landscape The patchwork is sprawling and inconsistent. No two state laws are exactly alike, but they share a common architecture: mandate verification, outsource it to private vendors, and accept whatever data collection that requires. States with active enforcement for adult content verification include Texas, Utah, Virginia, Arkansas, Louisiana, Mississippi, Montana, Indiana, Idaho, Kansas, Oklahoma, South Carolina, Florida, Alabama, Georgia, Nebraska, and North Dakota. The specific mechanisms vary — some require government ID upload, some accept credit card verification, some allow facial age estimation — but every method collects personal data. States with social media age verification represent a newer and broader category. Florida's HB 3, effective January 1, 2025, requires social media platforms to verify the age of all users and restrict accounts for users under 14. Texas, Utah, and others have similar provisions. These laws expand verification beyond adult content to platforms used by most of the population daily. States pursuing OS-level verification are the newest frontier. California SB 976, Colorado SB26-051, and North Dakota SB 2380 all require operating systems to verify and transmit user age. This is categorically different from website-level checks. It means the verification happens before you reach any specific site — it is embedded in the device itself. Nebraska's Parental Rights in Social Media Act takes effect July 1, 2026. Missouri's administrative rule is already in effect. New bills are introduced every legislative session. The Free Speech Coalition maintains the most comprehensive state-by-state tracker for current status. There is no federal age verification law. There is no federal standard for verification methods, data retention, or access controls. Each state builds its own piece of the infrastructure, and the pieces do not come with an off switch. How age verification actually works Every method requires sharing personal information with a third party. There are no exceptions. Government ID scanning: You photograph your driver's license, passport, or state ID. A verification vendor — typically Yoti, Veriff, Jumio, or Onfido — processes the image, extracts your name, date of birth, address, and ID number, confirms the document is valid, and reports a yes/no to the requesting platform. Your ID image and extracted data may be retained for fraud prevention and compliance. Facial age estimation AI: A camera captures your face. An AI model estimates your age range, typically placing you in a bracket (13-17, 18-24, 25+). Some systems combine this with liveness detection — asking you to blink or turn your head — to confirm you are a real person. The biometric data may or may not be stored depending on the vendor's policy, which you cannot verify independently. Credit card verification: The system runs a zero-dollar or one-dollar authorization on your credit card. Since you must be 18 to hold a credit card, a successful charge serves as proof of age. This directly links your browsing activity to your financial identity. Database cross-referencing: The verification service checks your personal details against commercial databases maintained by data brokers. If your information matches records indicating you are over 18, you pass. This effectively writes data brokers into age verification law as identity infrastructure — the same companies the FTC is warning about for selling data to foreign adversaries are now legally embedded in the verification pipeline. OS-level age signals (emerging): Under California SB 976 and Colorado SB26-051, your operating system would verify your age once during device setup and then broadcast an "age bracket" or "age signal" to any app that requests it. This creates a persistent, device-level identity marker available to every application on your phone or computer. Each method creates a record. Each record can be breached. Each database can be subpoenaed. Use our Browser Identity Audit tool to see what your device already reveals — then consider what adding a government ID scan to that profile means. The privacy risks, in plain terms Age verification is not a neutral technical process. It is identity infrastructure. And identity infrastructure is surveillance infrastructure. Biometric data is irreplaceable. You can change a compromised password. You cannot change your face. Facial age estimation systems capture biometric data that, if breached, cannot be revoked or replaced. The major verification vendors hold millions of facial scans. A single breach exposes biometric data permanently. ID images are comprehensive identity documents. A scan of your driver's license contains your full legal name, date of birth, home address, physical description, and a unique identification number. When this data is collected for age verification, it is linked to a record of the content you accessed. The combination — your identity plus your browsing activity — is exactly the kind of data that surveillance systems are designed to collect. Data breaches are not theoretical. Discord suffered a significant data breach in late 2025 and then announced mandatory global age verification requiring government ID uploads and face scans in February 2026. The EFF published a detailed critique noting the irony of a company that could not protect existing user data now collecting the most sensitive identity documents possible. If Discord could not secure chat logs, there is no reason to believe it can secure ID scans. Law enforcement access is easy. Age verification databases are commercial records. In most US states, law enforcement can obtain them with a subpoena rather than a warrant — a lower legal standard that does not require probable cause and may not include notification to the subject. The same verification record that confirms you are over 18 also confirms exactly who you are and what you accessed. Data retention is indefinite in practice. Most verification services retain data for fraud prevention and compliance. State privacy laws like California's CCPA and Colorado's CPA provide some rights over personal data, but both contain exceptions for data collected for "security" or "fraud prevention" — exactly how verification companies categorize their data. In practice, there is no reliable mechanism to ensure your ID scan is deleted after verification. Run a Breach Check on your email to see whether your data has already been exposed — then consider what happens when verification databases are added to the breach economy. California SB 976: verification at the OS level California's SB 976, the "Protecting Our Kids from Social Media Addiction Act," represents the most aggressive approach in the country. Rather than requiring individual websites to verify age, SB 976 shifts the burden to the operating system itself. The law took effect January 1, 2025, with a compliance deadline of December 31, 2026. Under SB 976, operating systems — iOS, Android, Windows, macOS, and potentially Linux — must estimate or verify the age of the primary user and transmit a digital "age signal" to any app or website that requests it. This means your phone or computer would verify your age before you open a browser. The age signal would be available to any application that asks for it. You would not choose when to verify — the operating system would make that determination at the device level, and every app on the device would have access to the result. On November 12, 2025, NetChoice sued in the Northern District of California. Judge Edward John Davila blocked sections of SB 976 that required time-of-day restrictions on social media access. The age verification provisions remain in effect pending further litigation. The EFF called 2025 "the year states chose surveillance over safety," specifically citing SB 976 as the turning point where age verification moved from website-level checks to device-level identity infrastructure. Colorado SB26-051 and the copycat cascade Colorado's SB26-051, introduced in early 2026, mirrors California's OS-level approach. The bill requires operating systems to register the device owner's birthdate or age and share an "age bracket" with third-party apps through an API. A hearing was held February 24, 2026. If enacted without a safety clause, the effective date would be August 12, 2026. The Register reported that System76 — the Colorado-based Linux hardware manufacturer — attempted to talk lawmakers down from the bill, arguing that open-source operating systems like Pop!_OS cannot comply with the age attestation requirements without fundamentally altering their architecture. Linux distributions are built on the principle that the user controls the system. OS-level age verification requires the system to control the user. Similar bills have been introduced or proposed in New York, Illinois, Louisiana, Texas, and Utah. The California-Colorado model is becoming the template. Each new state that adopts it expands the population subject to device-level identity verification. Paxton v. Free Speech Coalition: the Supreme Court weighs in The most consequential legal challenge to age verification is currently before the Supreme Court. In Paxton v. Free Speech Coalition, the Court is reviewing Texas HB 1181, the state's age verification law for adult content. The Free Speech Coalition, represented by a coalition including the ACLU, argues that requiring adults to identify themselves to access constitutionally protected speech violates the First Amendment. The legal theory is straightforward: the government cannot condition access to protected expression on the surrender of identifying information, any more than it can require you to show ID before entering a bookstore or a library. Texas defends the law under a rational basis standard, arguing that the state has a compelling interest in protecting minors and that age verification is a narrowly tailored means of achieving that interest. The state points to the availability of VPNs and other circumvention tools as evidence that the burden on adults is minimal. The Supreme Court has ruled on this issue before. In Ashcroft v. ACLU (2004), the Court rejected the Communications Decency Act's approach to online content restrictions, finding that less restrictive alternatives — specifically, filtering software — were available and that age verification requirements imposed too great a burden on adult access to protected speech. The question in Paxton is whether the Court will distinguish its earlier ruling based on changes in technology or reaffirm the principle that adults cannot be forced to identify themselves to access legal content. The Court's ruling, expected in 2026, will determine the constitutional status of every state age verification law currently in force. If the Court upholds Texas's law, the current patchwork will accelerate dramatically — every state that has been waiting for legal clarity will move to enact its own version. If the Court strikes it down, the existing laws become unenforceable, though the databases already built will remain. Discord's global verification rollout On February 9, 2026, Discord announced mandatory global age verification for all users. Under the "teen-by-default" system, every user would receive a restricted experience by default. To access age-restricted channels, sensitive content, or adult settings, users would need to verify their age through face scans or government ID uploads. The announcement drew immediate criticism. The EFF published a detailed critique noting that Discord had suffered a significant data breach just months before asking users to upload government IDs and biometric data. On February 25, 2026, Discord CTO Stanislav Vishnevskiy announced a delay, moving the rollout to the "second half of 2026" to expand verification options and increase vendor transparency. The delay does not change the plan. Discord will still require age verification globally. It is building the infrastructure now. Discord's voluntary rollout is significant because it demonstrates a trend that predates and extends beyond legislation: companies are adopting age verification preemptively, either to avoid regulatory liability or to position themselves as compliant before laws take effect. This means the surveillance infrastructure grows regardless of whether individual state laws survive court challenges. The databases are being built now. What this means for anonymity online The internet was not designed with identity verification in mind. Its architecture assumes that users can access information without identifying themselves — the same way you can walk into a public library, browse shelves, and read books without presenting a driver's license. Age verification laws dismantle that assumption at the infrastructure level. When California and Colorado require your operating system to verify your age and transmit that verification to any requesting app, they are building a system where anonymity is the exception rather than the default. The age signal is technically just a number — but the verification process that produces it requires identification, and the record of that verification links your identity to your device. The trajectory is visible and unbroken: 2022: Age verification for pornographic websites (Louisiana) 2023-2024: Age verification for social media platforms (multiple states) 2025-2026: Age verification at the operating system level (California, Colorado, North Dakota) 2026: Mandatory global age verification on messaging platforms (Discord) Next: Age verification for search engines, e-commerce, and any website a legislator deems "harmful to minors" North Dakota SB 2380 already requires device manufacturers to estimate user age and block access to "mature content" for minors. "Mature content" is undefined in the bill. Once the infrastructure exists to verify age for one category of content, expanding it to others requires only a legislative amendment — no new technology, no new vendors, no new databases. The surveillance capability is general-purpose. The policy promises are not. Anonymity online is not a luxury. It is how whistleblowers expose corruption, how abuse survivors seek help, how citizens in oppressive regimes communicate, and how ordinary people explore ideas they may not want permanently associated with their legal identity. Every expansion of mandatory identification narrows the space where that exploration is possible. What you can do Use a VPN. Geographic restrictions are the weakest link in current website-level age verification laws. A VPN routes your traffic through a jurisdiction without verification requirements. OS-level verification under California SB 976 would make this harder, but the law remains under legal challenge. Check whether your VPN is actually working with our VPN Leak Test. Choose the least invasive verification method. If age verification is unavoidable, facial age estimation — while imperfect and biometric — does not typically transmit your legal name or government ID number. It is the least bad option among bad options. Credit card verification links your financial identity to your browsing. Government ID scanning provides the most comprehensive identity data. Demand data deletion. Under state privacy laws where they apply, you can request deletion of your personal data from age verification services. Exercise this right after every verification. Use our Data Broker Opt-Out tool to remove your information from the commercial databases that age verification systems cross-reference. Do not trust "anonymous" verification claims. Some vendors claim to verify age without storing identity data. These claims are unverifiable, and multiple vendors have been found to retain more data than their privacy policies disclosed. Treat every verification as though your data will be stored indefinitely. Support organizations fighting these laws. The EFF, the ACLU, the Free Speech Coalition, and the Center for Democracy & Technology are actively litigating against age verification requirements. NetChoice has filed suits in multiple states. The Supreme Court's ruling in Paxton will be the most important legal decision on this issue in a generation. Pay attention to your state legislature. These laws pass with minimal public awareness. Many are introduced as amendments to unrelated bills. Check the Free Speech Coalition's tracker for your state's status. Contact your state representatives. The infrastructure being built in 2026 will outlast every law that created it. --- The question is not whether age verification works. The question is what it costs and who pays. Every state that passes an age verification law adds another brick to a wall of identity infrastructure that no one voted to build, no one can opt out of, and no one has the power to dismantle. The databases persist. The vendor relationships persist. The normalization of presenting government ID to access the internet persists. The Supreme Court will rule on whether this is constitutional. Regardless of the answer, the infrastructure is already being built. The only question that remains is how much of it will be standing when the courts finally weigh in.