Age verification bills in the US show no signs of slowing down as California becomes the next state to introduce new laws.
Signed by Governor Gavin Newsom on Monday, October 13, the bill requires those setting up a new device to enter their date of birth.
The new laws won't take effect until January 1, 2027, and fines will be handed out for companies who violate the rules.
Crucially, the bill – at this stage – doesn't require users to upload sensitive personal information, including IDs. This is a significant difference to other age verification bills we have seen in the US and UK.
Interest in the best VPNs spiked considerably as people looked for ways to avoid submitting IDs and bypass age verification checks.
Multiple US states saw an increase in searches for VPNs and major VPNs saw a spike in downloads in the UK – including some potentially suspicious ones.
With California doing things differently, should this been seen as an example of how to do age verification safely, or does your personal data remain under threat?
Less invasive age verification?
California's Assembly Bill 1043 requires operating system providers and developers "to provide an accessible interface at account setup" for users to indicate their birth date or age. Its goal is to provide "protections for minors on the internet."
Users would then be assigned to "age brackets." Data collected will determine if a user is under 13, between 13 and 16, between 16 and 18, or over 18 years old.
Operating system providers is defined as "a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device."
This includes the likes of Apple and Google, and the bill doesn't specify how companies should complete age checks.
There are no requirements for the uploading of government-approved IDs or credit card information. These are two ways age verification has taken place in other states and countries.
All the bill states is that an opportunity for users to enter their age is provided. It also dictates that companies should only collect "the minimum amount of information necessary" to complete age checks and should not use it "in an anticompetitive manner."
The law is due to come into effect on January 1, 2027, and companies have until July 1, 2027, to provide the necessary age verification steps.
Any company that violates the laws will face fines of up to $2,500 per child for "each negligent violation." Fines of up to $7,500 per affected child will be handed out for "each intentional violation."
The bill states that companies will not be punished if users lie or enter a false age as long as they have made "a good faith effort to comply" with the law.
According to Politico, Meta and Google have both supported while Apple has remained silent. The Motion Picture Association, which represents five major US film studios including Warner Bros. and Universal, opposes the law. It argues that its existing children protection measures for streaming would be overridden.
The Motion Picture Association has previously targeted VPNs in its bid to combat piracy.
Is this how age verification should be done?
California's age verification bill appears to be less robust than other laws we have seen. Despite legitimate concerns and cybersecurity risks, age verification laws in the UK and other US states do make more of an effort to protect minors from seeing harmful content online.
If all a user has to do in California's case is enter their date of birth at account creation then a false age could easily be entered – should the user be under 18.
If parents are setting up a child's device then it is more likely a true age will be entered, but this isn't a guarantee.
Other age verification laws are far stricter, with sensitive personal information required to be submitted. Sites hosting adult content require users to verify their age via a third-party age-check provider. This verification status can then be tied to your account, meaning you won't need to verify your age again. However, age checks must be done at least once for each relevant website.
California's bill appears to verify age at a device level upon sign-up. This then raises the question of whether your age would still need to be verified when you visit certain sites or is there a way for the site to communicate with your device and determine age.
If age verification is done through Apple or Google when setting up your device, does this mean your age information is tied to your relevant Apple and Google accounts? Could you therefore use this information to access certain sites and bypass age checks?
The bill raises a lot of questions about age verification effectiveness, but it could also be seen as more private than other states if no personal information beyond date of birth is required.
Privacy advocates have criticized current iterations of age verification laws, with experts saying the collection of highly sensitive personal information is "a disaster waiting to happen."
Laura Tyrylyte, privacy advocate at NordVPN, championed parental controls as a way of protecting under-18s online. "Device-level controls are the most effective way to manage children's internet access," Tyrylyte said, adding that more awareness of these tools is needed.
NordVPN doesn't have any dedicated parental controls, with ExpressVPN one of the only VPN providers to offer the features. You can also check out our guide on the best parental control apps in 2025.
VPNs are not mentioned in the bill's text, which differs from other age verification laws. An age verification bill in Wisconsin calls for sites to block VPN traffic as well as implement age checks.
The UK's Online Safety Act states that any site found to promote VPN usage as a way of passing age verification checks could face fines of up to 10% of global revenue or £18 million.
The Children's Commissioner called for "age verification on VPNs" and described them as a "loophole that needs closing." A report from the Commissioner's office recommended children should be blocked from using VPNs.
Some have asked if the UK would ban VPNs but former Secretary of State for Science, Innovation and Technology, Peter Kyle, said he had no plans to do so.
Alongside proposed age verification laws, lawmakers in Michigan have called for a VPN ban as part of its proposed "Anticorruption of Public Morals Act." It seeks to "prohibit the distribution of certain material on the internet that corrupts the public morals" and this includes a ban on the sale and promotion of "circumvention tools" such as VPNs.
Clearly there are still a lot of unknowns with California's age verification bill. On the face of it, it seems far less invasive than others – but it's uncertain how effective it will be at protecting children from harmful content.
We test and review VPN services in the context of legal recreational uses. For example: 1. Accessing a service from another country (subject to the terms and conditions of that service). 2. Protecting your online security and strengthening your online privacy when abroad. We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
