A bipartisan bill introduced in the US House on April 13, 2026 would require Apple, Google, and every other operating system provider to collect the date of birth of every user - adult or child - as a condition of setting up a device. H.R. 8250, the Parents Decide Act, shifts age-verification responsibility from individual apps to the OS level, creating what privacy researchers describe as a permanent, device-level identity registry that would follow users across every application they install.
What the Bill Actually Requires
Introduced by Rep. Josh Gottheimer (D-NJ) and co-sponsored by Rep. Elise Stefanik (R-NY), the Parents Decide Act mandates that any provider of a general-purpose operating system - covering smartphones, tablets, computers, smart TVs, game consoles, e-readers, and embedded devices - must require all users to enter their date of birth before completing device setup. If a user is under 18, a parent or legal guardian must provide additional verification. The Federal Trade Commission would be required to issue implementing regulations within 180 days of enactment and report to Congress on compliance within 18 months.
Rep. Gottheimer framed the bill as restoring parental control: "Parents should decide what apps their kids can download, what content they can see, and how they interact online - not algorithms or tech companies." The bill also creates a safe harbor for OS providers that comply in good faith and takes effect one year after signing.
The Privacy Problem: Every App Gets Your Birthday
The legislation's most contested element is not the parental control mechanism - it is the mandatory programmatic interface the bill would create. Under H.R. 8250, operating systems would be required to expose collected age data through an API accessible to any application installed on the device. Privacy researchers note that this means every website, every game, every utility, and every ad network would be able to query the OS for a user's date of birth simply by making the API call.
The US Internet Privacy Society has described this as effectively forcing every device to broadcast its owner's birthday to any application that asks - with no opt-out available to adults. The concern is not hypothetical: research has shown that just three pieces of information - birthday, ZIP code, and gender - are sufficient to uniquely identify 87 percent of Americans. Once exposed through a mandatory OS-level API, that birthday becomes a permanent cross-site tracking identifier, enabling data brokers to correlate it with names, addresses, behavioral profiles, and purchase histories across the entire advertising ecosystem.
Scope: Every User, Every Device, No Exceptions
Unlike previous age-verification proposals that targeted specific platforms or content categories, H.R. 8250 applies universally. The birthdate requirement covers all users - not just those under 18. An adult purchasing a new laptop, smartphone, or smart TV would be required to submit their date of birth before they can complete setup. The bill's scope of "general purpose computing devices" is broad enough to encompass not only traditional computers and phones but also gaming consoles, connected televisions, and a wide range of embedded consumer electronics.
The bill is currently in the first stage of the legislative process, referred to the House Committee on Energy and Commerce with no hearing yet scheduled. It would need to clear committee, pass the full House, pass the Senate, and be signed by the President before becoming law - a path that carries significant uncertainty. But the direction it signals is clear: a growing appetite in Congress for identity verification at the infrastructure layer of consumer technology.
What This Means for VPN Users
A VPN routes network traffic through an encrypted tunnel and masks IP-based identifiers - but it operates at the network layer. H.R. 8250 operates at the device layer, below the network stack entirely. If enacted, the age-verification requirement would apply at device setup, before any network traffic is generated. Your VPN provider, your DNS resolver, and your browser fingerprint-blocking extension would have no visibility into the OS-level age submission - and no ability to prevent it.
What makes this different from most surveillance frameworks that VPNs are designed to address is the endpoint: the data collection happens on the device itself, at the moment of configuration. The resulting birthday-to-device binding would persist regardless of which VPN, browser, or network the user subsequently employs.
Related Coverage on vpnlab.io
Earlier pieces on age-verification legislation and its privacy consequences:
- EU Age Verification App Hacked in 2 Minutes - Durov Warns of Surveillance Risk - what happens when mandatory age-verification infrastructure itself becomes the attack surface.
- Internet by Passport in Australia: How Google and Bing Now Verify User Age - how OS-adjacent age checks already operate in Australia.
- After the UK's Age Checks on Adult Sites, VPN Usage Skyrockets - the documented privacy response when mandatory age verification reaches end users.
