GrapheneOS has a simple answer to the wave of age verification laws that is spreading through US state legislatures and is already in force in Brazil: no.

The privacy-focused Android branch, announced last Friday, said it does not intend to introduce the collection of age data required by these laws. "GrapheneOS will remain accessible to everyone around the world without requiring any personal information, ID or user account," project representatives said.

"If GrapheneOS devices cannot be sold in a region because of its regulation, so be it." This is a more direct answer than most operating system developers are prepared to give, and it is worth understanding what it actually means.

Brazil's digital ECA law (Law No. 15.211) came into force on 17 March and allows operating system providers to be fined up to 50 million reais - around $9.5 million per violation - if age verification is not included in the installation of the device.

California's Digital Age Assurance Act, AB-1043, which was signed by Governor Newsom in October 2025 and took effect on 1 January 2027, goes even further: it requires every operating system provider to collect a user's age or date of birth when creating an account and to transmit this information to app stores and developers via a real-time API.

On 3 March, the Colorado State Senate passed SB26-051, a bill making similar demands. The common goal of these bills is an age-based level of authentication that is integrated directly into the operating system and is in place before the user has even opened an application.

The GrapheneOS operating system is developed by the GrapheneOS Foundation, a registered Canadian non-profit organisation.

California State Law AB-1043 provides for civil penalties of up to $2,500 per child harmed for negligent violations and $7,500 for intentional violations, enforced by the State Attorney General. Canadian non-profit status provides some protection, but no guarantee.

The stakes became concrete when GrapheneOS and Motorola announced a partnership at MWC on 2 March. This will bring a secure operating system to Motorola's upcoming devices and end GrapheneOS' long-standing exclusivity on Google Pixel devices. A Motorola phone with the GrapheneOS operating system is expected in 2027.

As soon as a major equipment manufacturer starts supplying equipment with pre-installed GrapheneOS, these products must comply with local regulations in all markets where they are sold, or Motorola will have to restrict sales geographically.

The defiant attitude that is easy to adopt in a non-profit software project becomes a commercial problem for a global hardware manufacturer.

GrapheneOS is not the only one to refuse this. The developers of the DB48X open source calculator firmware recently published a legal notice stating that their software "does not, cannot and will not implement age verification".

MidnightBSD went even further by updating its license to completely block Brazilian users from accessing the service. The denials come from projects united by one core conviction: building government-imposed control infrastructure into software is worse than losing market access.

More than 400 IT experts signed an open letter arguing that these laws create a surveillance structure without providing any meaningful protection for children. The real result is a mandatory data flow linking operating system providers, app stores and developers, with real-time identity information linked to device settings, without any clarity on what this infrastructure will be used for in the future.

Comment on