EFF Urges Illinois’ Governor to Veto an Age-Gating Law

Key Takeaways

• The Illinois legislature passed House Bill 5511, a device-level age-gating law covering nearly all internet-enabled hardware, operating systems, and online services.
• The Electronic Frontier Foundation (EFF) has formally urged Governor J.B. Pritzker to veto the bill, calling it a "massive privacy and free speech nightmare."
• The bill requires platforms to collect and share users' ages and restricts features like personalized feeds and overnight notifications for minors without "verifiable parental consent."
• It closely mirrors California's A.B. 1043 and New York's SAFE for Kids Act, both of which are still untested in court and already facing pushback from privacy advocates and tech communities.

The Illinois legislature has passed House Bill 5511, a sweeping piece of legislation that would impose age-gating requirements across nearly all internet-enabled hardware, operating systems, and online services in the state. According to reporting by the Electronic Frontier Foundation, the bill would force digital platforms to collect and share users' ages, and would strip away everyday features like personalized content feeds and overnight notifications for young people unless they secure "verifiable parental consent."

The EFF has formally written to Governor J.B. Pritzker, urging him to veto the bill, describing it as "a massive privacy and free speech nightmare." The organization argues that, far from protecting children, the law would dismantle online anonymity, jeopardize data security, and restrict constitutionally protected speech for both young people and adults.

What stands out to me here is the scale of it. This isn't a bill targeting one type of platform or one category of content. It's a device-level framework, meaning the age-gating requirement isn't just baked into a handful of apps; it's built into the hardware and operating systems people use to access the internet in the first place. That's a meaningfully different, and more invasive, approach than most of the age verification laws we've seen so far.

Why “Device-Level” Age-Gating Is a Problem

Most age verification laws, however flawed, at least operate at the platform level — you verify your age to use a specific app or website. HB 5511 pushes the requirement down into the infrastructure itself. According to the EFF, that means the systems built to manage your age and consent status sit closer to the operating system layer, which means more entities, at more points in the chain, handling sensitive identity data.

This is the part that I think gets lost in the public framing of these bills. Every additional layer of age verification is another place where personal data – date of birth, parental consent records, potentially government ID information – has to be collected, stored, and protected. And it's not a hypothetical risk. We've watched data breaches erode public trust in exactly these kinds of systems again and again. Building age verification into the device layer doesn't reduce that risk; it multiplies the number of places where it can go wrong.

The EFF also flags something I think deserves more attention than it usually gets: these laws don't just affect typical households. Verifiable parental consent requirements assume a stable, available, willing parent in every case. For young people in non-traditional families, foster care, unstable households, or situations where a parent is the source of harm rather than protection, that requirement doesn't add a safety net. It cuts off a lifeline. The EFF specifically warns that these schemes "cut off vital lifelines for vulnerable youth in non-traditional families," and that's a consequence that rarely makes it into the political pitch for bills like this.

A Pattern, Not an Isolated Bill

HB 5511 didn't come out of nowhere. It's modeled closely on California's A.B. 1043 and New York's SAFE for Kids Act, both of which have already drawn significant pushback from privacy advocates, open-source communities, and tech stakeholders — and neither of which has gone into effect or been tested in court yet. Illinois is essentially copying an unproven, contested framework before anyone knows whether it actually works or whether it survives legal challenge.

That's the pattern I keep seeing across these bills, state after state: a real concern about kids' wellbeing online gets translated into the broadest possible technical mandate, with privacy and free expression treated as acceptable collateral damage. I don't doubt the sincerity behind these efforts. But age-gating an entire device, rather than addressing specific harms on specific platforms, doesn't protect kids so much as it restructures the relationship every single user has with the internet — adults included.

The EFF is right to push back on this one. A free and open internet shouldn't require proving your age, your identity, or your parents' consent just to use a device you already own. That's not child safety. That's a far broader claim on personal freedom than these bills are usually honest about making.