On June 1, 2026, the Illinois Senate passed HB 5511, the Children's Online Social Media Safety Act, 57-0. The House concurred the following day 113-0, making Illinois the first US state to mandate age verification at the operating system layer rather than the application layer. Governor JB Pritzker, who proposed the bill during his February 2026 budget address, has pledged to sign it. The Electronic Frontier Foundation and NetChoice are urging a veto.
The mechanism is architecturally novel. Rather than requiring each app or website to independently verify user ages — a process that typically demands government IDs or biometric scans — HB 5511 requires Apple, Google, and other OS providers to build an age-range interface into device setup. Users declare one of four age brackets: under 13, 13–15, 16–17, or 18 and above. Platforms may then request this "age-category signal" and apply default restrictions on users known to be minors: algorithmic "addictive feed" recommendations are disabled unless a parent explicitly consents, nighttime notifications are blocked from 10 p.m. to 7 a.m., profile visibility is restricted, and precise location tracking is prohibited. The Illinois Attorney General enforces; unintentional violations carry fines up to $2,500 per affected child, intentional ones up to $7,500. Full compliance is required by January 1, 2028.
The Steelman Is Genuine
The case for this approach is not trivial. Children are spending more time on algorithmically optimized platforms than any previous generation, and the clinical evidence of harm — in adolescent anxiety, sleep disruption, and disordered eating — is extensive. Platforms have had years to self-regulate and have largely responded with superficial tools while their engagement systems remained intact. Sen. Willie Preston, the Senate sponsor, put the core claim plainly: "Children are not miniature adults. These platforms invest billions capturing attention, maximizing engagement."
The device-level mechanism also has genuine engineering logic. A single minimally informative signal — an age bracket, not a birthdate, not a government ID — is architecturally simpler than asking every app to independently build verification systems. It avoids the most invasive versions of age verification that other states and countries have adopted. The sponsors are not wrong about the problem they are trying to solve.
But the Architecture Creates a Surveillance Chokepoint
Moving age verification to the OS layer does not eliminate centralized data collection — it relocates it. Apple and Google become the single chokepoints through which every minor's age signal must pass before reaching any platform. Proton, the privacy-focused technology company, has specifically analyzed OS-level age verification laws and warns they concentrate power in "gatekeepers of age signals used across millions of apps" — two corporations already under antitrust scrutiny in the US and EU for their control of app distribution. A centralized, age-categorized user database is precisely the kind of high-value target that attracts breaches; prior incidents at platforms have exposed users' age-verification documents to attackers.
The EFF sent a formal veto request to Governor Pritzker characterizing HB 5511 as "a massive privacy and free speech nightmare" that "dismantles online anonymity, jeopardizes data security, and severely restricts access to constitutionally protected speech." Their concern is not limited to data security: the law creates systemic problems for minors who access the internet through school computers, borrowed devices, or shared family accounts, where the age signal registered on the device may not match the actual user.
The First Amendment Track Record Is Unfavorable
NetChoice has submitted its own veto request to Pritzker. It has successfully enjoined age verification and social media access laws in Louisiana (NetChoice v. Murrill), California, Texas, and other states on First Amendment grounds. Their constitutional argument here draws on the Supreme Court's 2024 ruling in Moody v. NetChoice, LLC (603 U.S. 718), which held that algorithmic curation and content feed design constitute protected expression under the First Amendment. Mandating that platforms serve minors only request-based or chronological content — which is what HB 5511's "addictive feed" restrictions effectively require absent parental consent — compels platform speech in ways the Court has signaled it will not sustain.
Illinois's proponents argue the OS-level mechanism is constitutionally distinguishable: it does not ban minors from social media, does not require government-ID verification, and targets algorithmic default settings rather than content categories. That is a plausible argument. It is also entirely untested, and every comparable state law that has reached appellate review has been enjoined.
Process and Proportionality
The bill's unanimity deserves scrutiny. According to NetChoice's veto request, a key amendment formally defining "covered platform" was filed on a Saturday and voted on Sunday — the final day of the legislative session — outside of committee process and without public hearings. That amendment was filed May 30 and voted on June 1. Unanimous votes at session's end frequently reflect the political optics of child safety rather than careful deliberation on constitutional edge cases. An earlier House passage of the pre-amendment bill in April 2026 was 82-27 — a comfortable margin but far from unanimous. The 113-0 concurrence came only after the last-minute definitional changes, suggesting the final text was not subject to the same scrutiny as the underlying bill.
The better regulatory path — one the EFF specifically advocates — is a strong federal data minimization baseline that prevents platforms from building exploitative behavioral profiles of minors in the first place. Prohibiting the collection and use of the behavioral data that drives engagement systems is structurally upstream of both the platform-surveillance problem and the OS-surveillance problem HB 5511 attempts to solve. It would also survive constitutional review more reliably than feed-restriction mandates.
Illinois has moved further and more creatively than any other US state on this issue. The unanimous vote reflects a genuine public mandate for action. But delegating the child-safety gatekeeping function to Apple and Google, through a definitional amendment drafted over a weekend without committee hearings, is not proportionate regulation. It is surveillance infrastructure wearing a child-safety label — and a federal privacy baseline would do the job better, with fewer constitutional casualties.