GrapheneOS will never collect personal data for age verification. The privacy-focused Android fork declared on March 20, 2026, that it would rather exit entire markets than comply. The announcement came three days after Brazil's Digital ECA took effect and months before California's own OS-level mandate begins.
Brazil's Digital ECA (Law 15.211) is the most aggressive age verification law in force. President Lula signed it in September 2025. It requires every operating system, app store, and gaming platform accessible to minors in Brazil to implement "effective and reliable" checks. Clicking "I am 18 or older" is explicitly banned. Fines reach R$50 million (~$9.5 million) or 10% of Brazilian revenue per infraction.
The Brazilian Data Protection Authority (ANPD) published a monitoring list. It includes Canonical (maker of Ubuntu Linux) alongside Apple, Google, Meta, Amazon, Discord, TikTok, and Valve.
California's AB-1043 (Digital Age Assurance Act) takes effect January 1, 2027. It will require operating systems to collect user age or birthdate during initial setup and pass that information to apps. Unlike Brazil, California allows self-reported age. Colorado's SB 26-051 follows with a January 1, 2028 deadline and penalties of $2,500 to $7,500 per minor for negligent or intentional violations.
Brazil's law contains its own contradiction. Article 37 bans "mass, generic, or indiscriminate surveillance mechanisms." But Article 9 prohibits self-reported age, and Article 12 demands "auditable" verification. Enforcing auditable, non-self-declared age checks absent mass data collection is a technical paradox.
GrapheneOS will remain usable by anyone around the world without requiring personal information, identification or an account. If GrapheneOS devices can't be sold in a region due to their regulations, so be it.
— GrapheneOS, X post, March 20, 2026
GrapheneOS is a Canadian nonprofit that develops a hardened Android fork. The OS ships without Google Play Services and never requires an account or identification. It currently runs exclusively on Google Pixel hardware, the only devices meeting its verified boot and hardware attestation requirements.
On March 2, 2026, Motorola and GrapheneOS announced a long-term partnership at Mobile World Congress. A GrapheneOS-powered Motorola phone is expected in 2027. The deal ends Pixel exclusivity. It also turns GrapheneOS from a self-install project into a commercially shipped product, subject to local regulations wherever Motorola sells.
The Canadian project has already answered how it will handle that collision.
We have no obligation to block people from visiting our website via GeoIP. If an authoritarian government wants to block access to GrapheneOS services, they can figure out how to do it. We don't filter the internet for Iran or North Korea so why would we for Brazil or California?
— GrapheneOS, X post, March 20, 2026
GrapheneOS is not alone. MidnightBSD updated its license to ban users in Brazil entirely, a symbolic protest against a law it cannot obey. The developers of DB48X, an open-source calculator firmware, issued a legal notice stating their software "does not, cannot and will not implement age verification." Omarchy Linux rejected compliance outright. Rockstar Games suspended direct sales through its own launcher in Brazil one day before the Digital ECA took effect.
Open-source projects face a structural problem that commercial vendors do not. A volunteer-run Linux distribution has no legal entity to sue and no Brazilian revenue to calculate fines against. The Digital ECA was drafted for Apple, Google, and Meta. Applying it to Canonical or GrapheneOS reveals a gap in the legislation.
GrapheneOS will remain usable by anyone around the world without requiring personal information, identification or an account. GrapheneOS and our services will remain available internationally. If GrapheneOS devices can't be sold in a region due to their regulations, so be it.
— GrapheneOS (@GrapheneOS) March 20, 2026
Leaked Cellebrite slides from 2024 confirmed the OS's security claims. The Israeli phone-cracking company's tools failed to extract data from a locked GrapheneOS device. Stock Android and many iPhones were vulnerable. GrapheneOS is built for journalists, activists, and dissidents. Age verification mandates that require identification at the OS level would dismantle the security model protecting those users.
The Digital ECA demands auditable verification but bans mass surveillance in the same text. GrapheneOS and the broader open-source community are calling the bluff. The practical test arrives in 2027, when a Motorola phone running GrapheneOS either ships in California without age verification or does not ship at all.
Apple and Google have not commented on OS-level compliance with the Digital ECA. Apple has already shipped a "Declared Age Range" API, a possible compliance path. ANPD's definitive guidelines on age assurance are not expected until August 2026.
The Motorola partnership makes the 2027 collision inevitable. A phone running GrapheneOS will either satisfy California's AB-1043 or not be sold in the state. GrapheneOS has made clear which option it prefers.
Have a story? Become a contributor.
We work with independent researchers and cybersecurity professionals. Send us a tip or submit your article for editorial review.
