GrapheneOS Refuses to Add Mandatory Age or Identity Verification Features

Brazil's Digital ECA (Law 15.211) took effect on March 17, imposing fines of up to R$50 million, roughly $9.5 million, per violation on operating system providers that fail to implement age verification. GrapheneOS's answer was immediate and unambiguous: not a chance.

The privacy-focused Android fork posted on X on Friday that it will not comply with emerging laws requiring operating systems to collect user age data at setup. "GrapheneOS will remain usable by anyone around the world without requiring personal information, identification or an account," the project stated. The statement concluded, "If GrapheneOS devices can't be sold in a region due to their regulations, so be it," and comes after California introduced Assembly Bill 1043, which requires people to enter their age before using an operating system, a law that goes into effect on January 1, 2027.

Colorado has also enacted similar legislation, while Brazil is going further with its Digital Statute for Children and Adolescents, which requires platforms to use age verification systems rather than mere self-reporting mechanisms. California's AB-1043 carries civil penalties of up to $2,500 per affected child for negligent violations and $7,500 for intentional ones, enforced by the state attorney general.

GrapheneOS is developed by the GrapheneOS Foundation, a registered Canadian nonprofit, and none of these laws originate in Canada, though questions around jurisdiction remain open. That legal ambiguity carries real precedent. U.S. federal prosecutors successfully extradited and convicted the developers of Samourai Wallet, a privacy-focused Bitcoin mixer, in a case where one defendant lived in Portugal.

GrapheneOS maintains that collecting such data would fundamentally undermine its core mission of privacy and security. California's law does not require photo ID or biometric verification, only self-reported age at setup, but critics, including over 400 computer scientists who signed an open letter, have argued that the laws create surveillance infrastructure without meaningfully protecting children, since self-declaration is trivially bypassed.

This makes GrapheneOS one of the first operating system projects to publicly state non-compliance with new OS-level age-verification mandates. It is not alone in the posture. The developers of open-source calculator firmware DB48X issued a legal notice stating that their software "does not, cannot and will not implement age verification," while MidnightBSD updated its license to ban users in Brazil.

The defiance carries commercial stakes. The project formed a partnership with Motorola earlier this month, and a dedicated GrapheneOS Motorola device is expected to arrive in 2027. Forgoing sales in California, Colorado, and Brazil could limit the reach of that hardware at launch. If compliance requirements prevent them from selling official devices in certain regions, the team has said it is prepared to accept that outcome.

Age verification laws have been used by governments to target websites not even hosted in their country, meaning that even users and projects in unaffected regions are unlikely to remain insulated from these regulations as they expand. For GrapheneOS, the calculation is straightforward: the identity of its users is none of an operating system's business.