Illinois moved one step closer last week to requiring every phone and computer sold in the state to know how old its user is. House Bill 5511 passed the Illinois House on an 82-27 vote and now heads to the Senate, where Governor JB Pritzker, a top backer of the measure, is expected to push for quick passage.
We obtained a copy of the bill for you here.
The bill, rebranded the Children’s Social Media Safety Act, forces operating system providers to prompt every account holder for a birth date, age, or both at account setup by January 2028. That age data then gets passed to apps as a signal. Miss the prompt, and the device stays locked. The only real escape is a paid family account where the primary holder has already been verified as an adult using, in the bill’s own language, “commercially available methods that are reasonably designed to ensure accuracy.”
What those methods actually are, the bill leaves to the market to figure out.
Reclaim Your Digital Freedom.
Get unfiltered coverage of surveillance, censorship, and the technology threatening your civil liberties.
Government-issued ID checks. Face scans. Credit card matching. Third-party identity brokers. All of them have been pitched as “commercially available” age verification, and all of them require the OS vendor, or a contractor working for them, to collect identifying information about adults who just want to set up a laptop.
The law says operating systems should send “only the minimum amount of information necessary.” It says nothing similar about the companies standing up the verification pipeline behind it.
Rep. Jennifer Gong-Gershowitz, a Glenview Democrat and the chief sponsor, framed the bill as a privacy upgrade. “Rather than transmitting data about a child’s birthday directly to each app, House Bill 5511 gives parents the peace of mind that comes from knowing that their child is not being fed addictive content in a way that does not compromise their privacy,” she said.
The move the bill actually makes is subtler. It relocates the age gate from individual apps, where users could lie about their birth year and often did, to the operating system, where lying is harder because the OS is the thing most likely to be tied to a verified adult account, a payment method, or a device registration.
Gong-Gershowitz pitched the bill as overdue. She told a committee hearing last month that the issue “probably is an issue that parents are battling with on a daily basis” and “one that has been rapidly evolving, but we have been far too slow to regulate.” On the House floor she argued, “We’ve been a little bit too late to the game to talk seriously about how do we protect children’s mental health and children’s safety online.”
The bill creates four age buckets the operating system must sort users into. The statute defines “age bracket data” as information indicating “(1) whether a user is under 13 years of age; (2) whether the user is at least 13 years of age and under 16 years of age; (3) whether the user is at least 16 years of age and under 18 years of age; or (4) whether the user is at least 18 years of age.”
Every covered “Internet-enabled device,” defined by the bill as “a smartphone, tablet, or personal laptop or desktop computer,” must pass that signal along to any app that asks.
The paid family account carveout is narrower than it first appears. To qualify, a platform has to meet four conditions, including that it “requires a paid subscription or account creation with payment method verification as the platform’s primary business model” and that it “verifies that the primary account holder is an adult using commercially available methods that are reasonably designed to ensure accuracy.” The bill offers no list of what those methods are. That blank space is where the actual identity infrastructure gets built, and it gets built by whoever wins the contract.
The default settings for minors, in the bill’s own text, are limited to two things. A covered operator must configure the platform so that no user already disconnected from the minor may “view the precise geolocation information of the minor if a covered platform provides a mechanism by which users share their location on the platform” or “receive or send gifted currency to the minor.”
“Precise geolocation information” is defined as data that “directly identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 feet.” Earlier press summaries describing broader profile restrictions and blanket bans on stranger transactions compressed a narrower statutory text.
The nighttime notification ban is real and sits in Section 15(g). It is “unlawful for an addictive social media platform to, between the hours of 10 p.m. and 7 a.m., send notifications concerning an addictive feed to a covered user” unless the platform knows the user is an adult or has “obtained verifiable parental consent.” The state is now in the business of telling platforms when they may ping a teenager’s phone.
The definition of “addictive feed” runs nearly two full pages of the bill and carves out eight exceptions, including feeds based on “user-selected privacy or accessibility settings” and media the user “expressly and unambiguously requested.” What counts as an addictive feed, and therefore what gets banned by default for every minor in Illinois, comes down to how an enforcement-minded attorney general reads those exceptions. The civil penalty is “not more than $2,500 for each affected child for each negligent violation or not more than $7,500 for each affected child for each intentional violation,” recoverable only by the Attorney General.
Two provisions in Section 15 are worth reading together. Subsection (l) says nothing in the Act “shall be construed as preventing access to information regarding sex, sexuality, gender, and reproductive health that is not already prohibited by existing law.”
Subsection (m) permits platforms to restrict, in good faith, material they “consider obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not the material is constitutionally protected.” One clause says the law doesn’t limit health information. The next says platforms can block constitutionally protected speech at their discretion, with the state’s blessing. Both clauses live in the same bill.
