GrapheneOS has a simple answer to the wave of age verification laws moving through US state legislatures and already live in Brazil: no.
The privacy-focused Android fork announced last Friday that it won’t implement the age data collection these laws demand. “GrapheneOS will remain usable by anyone around the world without requiring personal information, identification, or an account,” the project stated.
“If GrapheneOS devices can’t be sold in a region due to their regulations, so be it.” That’s a blunter response than most OS developers are willing to give, and it’s worth understanding what it’s actually refusing.
More: An Introduction to GrapheneOS
Reclaim Your Digital Freedom.
Get unfiltered coverage of surveillance, censorship, and the technology threatening your civil liberties.
Brazil’s Digital ECA (Law 15.211) came into force on March 17, hitting OS providers with fines of up to R$50 million, roughly $9.5 million per violation, for failing to build age verification into device setup.
California’s Digital Age Assurance Act, AB-1043, signed by Governor Newsom in October 2025 and effective January 1, 2027, goes further: it requires every OS provider to collect a user’s age or date of birth during account setup, then push that data to app stores and developers through a real-time API.
Colorado’s SB26-051 cleared the state senate on March 3 with similar demands. The architecture these laws collectively envision is an age-linked identity layer baked into the operating system itself, present before you’ve opened a single app.
GrapheneOS is developed by the GrapheneOS Foundation, a registered Canadian nonprofit.
California’s AB-1043 carries civil penalties of up to $2,500 per affected child for negligent violations and $7,500 for intentional ones, enforced by the state attorney general. The Canadian nonprofit status provides some distance but not a guarantee.
The stakes grew more concrete after GrapheneOS and Motorola announced a partnership at MWC on March 2, bringing the hardened OS to future Motorola hardware and ending GrapheneOS’s long exclusivity to Google Pixel devices. A GrapheneOS-powered Motorola phone is expected in 2027.
Once a major hardware manufacturer ships devices with GrapheneOS pre-installed, those products need to comply with local regulations in every market where they’re sold, or Motorola will have to restrict sales geographically.
The defiant stance that’s easy for a nonprofit software project becomes a commercial problem for a global device manufacturer.
GrapheneOS isn’t alone in refusing. The developers of DB48X, an open-source calculator firmware, recently issued a legal notice stating their software “does not, cannot, and will not implement age verification.”
MidnightBSD went further by updating its license to block users in Brazil entirely. The refusals are coming from projects that share a core belief: building government-mandated surveillance infrastructure into software is worse than losing market access.
Over 400 computer scientists signed an open letter arguing that these laws build surveillance architecture without meaningfully protecting children. The real output is a mandatory data pipeline connecting OS providers, app stores, and developers, with real-time ID signals tied to device setup and no clear answer to what that infrastructure gets used for in the future.
