Age Verification: Regulatory Backlash and Biometric Leaks

State-mandated age-verification laws are colliding with the uncooperative reality of digital infrastructure and privacy. In California, lawmakers were forced to proposed an amendment exempting "open source" operating systems like Linux from age-verification mandates after an intense backlash over forcing operating systems to collect users' ages. This has opened a technical debate over what constitutes an "operating system," with experts warning that proprietary-hybrid environments (like Android under Google Play Services) or "Tivoization" could render the exemption toothless or create massive legal loopholes.

Meanwhile, the privacy risks of these mandates have been laid bare by a new study from Georgia Tech and UC Irvine. Researchers analyzed Yoti—the dominant digital age-verification provider used by Meta, TikTok, and OnlyFans—and discovered that its real-time API architecture actively broadcasts highly sensitive facial photos, IP addresses, and device fingerprints to a web of third-party data brokers and credit card companies. This creates a permanent risk of identity theft, as biometric data, unlike passwords, cannot be changed once compromised.