What HB 5511 Actually Does
On June 1, 2026, the Illinois General Assembly gave final passage to HB 5511, the Children's Online Social Media Safety Act, by a 57-0 Senate vote and 113-0 House concurrence — unanimous, on the session's last day (Capitol News Illinois). Gov. JB Pritzker, who proposed the measure in his February budget address, has said he will sign it despite the constitutional objections already piling up.
The bill's core mechanism is unusual: rather than requiring each app to verify a user's age at sign-up, it pushes verification up to the operating system. By January 1, 2028, Apple, Google, and Microsoft must build an age-declaration prompt into device setup, sort each user into one of four brackets — under 13, 13-15, 16-17, 18+ — and transmit that category signal to any app that requests it. Apps then owe minors default protections: no algorithmic feeds without parental consent, hidden precise location, limited in-app purchases, and no push notifications between 10 p.m. and 7 a.m. The Illinois Attorney General enforces it, with penalties running $2,500 per child for unintentional violations up to $7,500 per child for intentional ones (Capitol News Illinois).
The Case For It
The strongest argument for HB 5511 is that the status quo — each app independently self-certifying age, mostly by asking users to type in a birthday — barely functions. Kids lie about their age constantly, and platforms have limited incentive to catch it. Centralizing verification at the OS level, in theory, means it happens once per device rather than dozens of times across apps with wildly different compliance postures, and Illinois lawmakers argue that algorithmic feeds and late-night notifications carry real, documented harms for adolescent users. That underlying interest — protecting minors from design features engineered to maximize engagement — is one that even skeptical courts have treated as legitimate. The Supreme Court's own age-verification jurisprudence acknowledges as much.
Where the Legal Theory Runs Into Precedent
But the mechanism Illinois chose is the part that is legally fragile, and the state doesn't have to guess at the outcome — it's already been litigated elsewhere. In NetChoice v. Murrill, the U.S. District Court for the Middle District of Louisiana permanently enjoined that state's social-media age-verification and parental-consent law on December 15, 2025, ruling that Louisiana could not condition access to lawful speech on handing over sensitive identity data, and that the state has no "free-floating power to restrict the ideas to which children may be exposed" (NetChoice). NetChoice's veto-request letter to Pritzker leans on the same theory, plus a compelled-speech claim: forcing platforms to default to chronological rather than algorithmic feeds, it argues, intrudes on the editorial discretion the Supreme Court recognized as protected First Amendment activity in Moody v. NetChoice (2024) (NetChoice letter).
Supporters of HB 5511 will point to Free Speech Coalition v. Paxton, where the Supreme Court, in a 6-3 decision on June 27, 2025, upheld a Texas law requiring age verification on sites where at least a third of content is sexual material harmful to minors — applying intermediate rather than strict scrutiny because the burden on adult speech was, the majority found, only incidental (Supreme Court opinion). That's a real shift, and it's the strongest card Illinois has to play. But it's a narrower one than it looks: Texas's law applied to a defined category of content presumptively obscene to minors, verified at the point of access. HB 5511 applies to all social media, verified once at the operating-system level and broadcast to every app on the device — general-purpose infrastructure, not a content-specific gate. That distinction is exactly the one Louisiana's law failed on, and it's why EFF told Pritzker the bill would "effectively dismantle online anonymity, jeopardize data security, and severely restrict access to constitutionally protected speech," while warning the OS-level mandate poses "an existential threat to the open-source ecosystem" that can't easily bolt on a proprietary age-signal API (EFF).
What Should Survive, and What Shouldn't
The state cannot use a "free-floating power to restrict the ideas to which children may be exposed." — Judge John W. deGravelles, NetChoice v. Murrill
The pro-innovation, proportionate position isn't that minors' online safety is a non-issue — it's that Illinois picked the most legally exposed and technically invasive tool available when narrower ones exist. Design-code provisions like notification curfews and default privacy settings for accounts platforms already know belong to minors are far more defensible than a mandatory, device-wide identity layer that necessarily verifies every adult too. A single state building de facto national age infrastructure — because OS makers won't ship an Illinois-only build — is the kind of extraterritorial overreach that has already sunk similar laws on separate grounds.
Key Numbers
- 57-0 / 113-0 — the Senate and House vote margins on final passage, with zero recorded dissents.
- January 1, 2028 — the deadline for OS-level age prompts to go live.
- $2,500–$7,500 — per-child penalty range for unintentional versus intentional violations.
Expect a NetChoice or CCIA lawsuit within weeks of signature, arguing the same theory that won in Louisiana. The open question is whether Illinois's OS-level architecture reads to a court as closer to Texas's narrowly tailored gate or Louisiana's broad mandate. Precedent suggests the latter.