The full text of H.R. 8250 โ€” a proposed federal law that would require every operating system in the United States to implement age verification for all users โ€” has been made publicly available on Congress.gov. Introduced on April 13, 2026 by Rep. Josh Gottheimer (D-NJ) and Rep. Elise Stefanik (R-NY) and referred to the House Committee on Energy and Commerce, the bill carries the official short title of the โ€œParents Decide Act.โ€

The full text clocks in at six pages. For a bill that would fundamentally reshape how billions of devices work, it is remarkably short on specifics โ€” and remarkably long on things it punts to other agencies to figure out later.

What the Bill Requires

At its core, H.R. 8250 mandates three things from operating system providers:

  1. Collect date of birth from every user before they can set up an account or use the operating system.
  2. Require parental or guardian verification if the user is under 18 years of age.
  3. Build an API or system that allows app developers to access the age verification data collected by the operating system, for the purpose of verifying the age of users on their apps.

There is also a Safe Harbor provision: an operating system provider cannot be held liable for violations if they follow the requirements laid out in the Act or any regulations promulgated under it.

Violations are to be treated as violations of the Federal Trade Commission Act โ€” specifically Section 18(a)(1)(B), which governs unfair or deceptive acts or practices. The FTC will be the enforcing body.

The FTC Gets to Figure Out the Hard Parts

Here is where the billโ€™s brevity becomes a problem. The legislation does not specify how age verification is supposed to work. There is no mention of biometrics, government ID checks, credit card verification, or any other mechanism. Instead, the bill delegates that entire question โ€” along with data protection standards and the specifics of the developer access API โ€” to the Federal Trade Commission, which will have 180 days after enactment to promulgate regulations covering:

  • The actual age verification mechanism
  • Data protection standards for the birth date and related user information collected
  • Requirements for how operating systems must provide app developers access to that collected data
  • Parental controls allowing guardians to manage what under-18 users can access on a device

The FTC must also brief Congress within those 180 days on its rulemaking process and submit a full report to Congress 18 months after enactment.

The bill takes effect one year from the date of enactment, meaning the FTC would have six months to write the regulations, and the industry would have another six months to implement whatever those regulations require. That is an extremely aggressive timeline for changes of this technical magnitude.

The Definition of โ€œOperating Systemโ€ Is Staggeringly Broad

This is where the bill moves from ambitious to potentially unworkable. The text defines โ€œoperating systemโ€ as:

โ€œsoftware that supports the basic functions of a computer, mobile device, or any other general purpose computing device.โ€

Read that again. Any general purpose computing device. Under that definition, this bill applies to:

  • Windows, macOS, Linux โ€” obviously
  • iOS and Android โ€” yes
  • ChromeOS and Fire OS โ€” yes
  • Smart TVs running Android TV or Tizen โ€” almost certainly
  • Smart refrigerators, thermostats, and IoT devices with general-purpose OS components โ€” plausibly yes
  • Embedded Linux systems in industrial equipment โ€” arguably yes
  • Gaming consoles running custom operating systems โ€” very likely yes

The bill does not carve out exceptions for embedded systems, enterprise environments, industrial control systems, or devices where user accounts are not a standard feature of operation. If your device runs an OS that โ€œsupports the basic functionsโ€ of a general purpose computing device, you are now an operating system provider subject to federal age verification mandates.

What Happens to Linux and Open Source?

This is one of the most under-discussed implications of the bill. Linux distributions โ€” Ubuntu, Fedora, Debian, Arch, and thousands of others โ€” are maintained by open-source communities, foundations, and in some cases individual developers. The bill defines an โ€œoperating system providerโ€ as โ€œa person that develops, licenses, or controls the operating system on a computer, mobile device, or any other general purpose computing device.โ€

Does that mean the Linux Foundation? The Debian Project? Individual maintainers? A company that bundles Linux in an appliance? The bill does not say. Enforcement against a globally distributed open-source community through the FTC Act is, to put it charitably, untested legal territory.

The Age Verification Mechanism: Still Unknown

The billโ€™s most glaring omission is any specification of what โ€œage verificationโ€ actually means in practice. Right now, a user could theoretically type in any date of birth and the requirement would technically be met โ€” the honor system. The FTC is being asked to solve this problem within 180 days, but the options are all fraught:

  • Self-attestation (typing your birthdate): trivially bypassed
  • Credit card verification: excludes minors who lack cards, also a privacy concern
  • Government ID upload: massive privacy risk, technically complex, excludes undocumented individuals
  • Biometric verification: deeply invasive, raises serious equity and civil liberties concerns
  • Parental consent flows: workable in some cases, but not for device-level OS setup

Whatever the FTC decides, it will be controversial, technically challenging, and will need to be implemented by Apple, Microsoft, Google, and hundreds of smaller OS vendors within six months of the rule being finalized.

The Developer Access API: A Privacy Risk Hidden in Plain Sight

Section 2(a)(3) of the bill requires operating systems to build a system that allows app developers to access age verification data collected from users. This provision barely gets a mention in early coverage, but it deserves serious scrutiny.

The bill calls for data protection standards to govern this access โ€” but those standards do not yet exist, and will be written by the FTC during its 180-day rulemaking period. In the meantime, the mandate is clear: if you are an app developer, you are entitled to access the age data your users provided to the operating system.

The data protection standards must ensure that collected birth date data:

  • Is collected only to the minimum necessary to maintain user privacy
  • Is stored securely
  • Is not stolen or breached

These are good principles. They are also not specific requirements. โ€œStored securelyโ€ and โ€œnot breachedโ€ are aspirational statements, not enforceable technical controls โ€” at least not yet.

What this provision creates, in practical terms, is a centralized database of birth dates tied to device identities, queryable by app developers under rules not yet written. That is an extraordinarily attractive target for threat actors. A single breach of that infrastructure would expose age-linked identity data for potentially every user of every affected operating system.

Legislative Context: Why Now?

H.R. 8250 does not emerge from a vacuum. It arrives after a period of significant โ€” and fragmented โ€” state-level action on age verification. A federal judge blocked Texasโ€™s SB 2420 app-store age verification law in December 2025, and state bills in Ohio, Kansas, South Dakota, Louisiana, and Utah have taken diverging approaches. The Supreme Court has also recently engaged with adult-platform age verification challenges.

At the same time, the app store ecosystem has been building out parallel infrastructure. Google rolled out a Play Age Signals API to help developers meet state-level requirements, and identity verification companies including Persona, Incode, and Veratad have launched the OpenAge initiative for reusable age credentials.

H.R. 8250 represents a significant escalation: rather than regulating apps or app stores, it goes one layer deeper and targets the operating system itself, shifting the compliance burden to platform owners โ€” Apple, Microsoft, Google, and every other OS provider โ€” rather than individual developers or distributors.

Current Status

The bill was introduced on April 13, 2026 and is currently in the first stage of the legislative process, referred to the House Committee on Energy and Commerce. As of publication, there are no additional cosponsors beyond Stefanik, and no hearing has been scheduled. It will need to clear committee before any floor consideration in the House, and would then need to pass the Senate before reaching the President.

Given the breadth of its reach and the lack of technical detail, significant amendment or committee pushback is likely before the bill advances โ€” if it advances at all.

The Bottom Line

The Parents Decide Act is a bill with a legitimate goal โ€” giving parents more meaningful control over how their children interact with technology โ€” wrapped in legislation that raises more implementation questions than it answers. It delegates the technical and regulatory heavy lifting to the FTC, gives that agency six months to solve problems the entire tech industry has been wrestling with for years, and sets an implementation clock of one year for changes that would require fundamental modifications to every operating system sold or distributed in the United States.

The cybersecurity implications alone are substantial. A centralized database of birth dates tied to device identities, accessible by app developers under rules not yet written, is an extraordinarily attractive target for threat actors. The billโ€™s data protection language is aspirational at best. The scope โ€” literally every general purpose computing device โ€” is so broad as to create compliance uncertainty for everyone from Apple and Microsoft to embedded Linux vendors and smart appliance manufacturers.

This is early-stage legislation. It can and should change substantially before becoming law, if it does at all. But it signals where federal legislative appetite is trending: toward device-level identity verification, increased platform accountability, and centralized control architectures that the security community should be scrutinizing with great care.

This article is provided for informational purposes only and does not constitute legal advice. Organizations should consult qualified legal counsel regarding their specific compliance obligations under applicable law.