Jul 09, 2026 · 7 min read
Illinois HB 5511 Would Put ID Checks on Every Device
HB 5511 passed the Illinois General Assembly unanimously on June 1, 2026, and would require operating systems to share an age signal with every app by 2028. The EFF's June 29 letter asks Governor Pritzker to veto it anyway.
Illinois lawmakers passed HB 5511 by a combined 57-0 Senate vote and 113-0 House concurrence on June 1, 2026. Governor JB Pritzker proposed the bill himself and has said he will sign it. On June 29, the Electronic Frontier Foundation published an open letter asking him to veto it anyway, calling the measure "a massive privacy and free speech nightmare." (Source)
Key Takeaways
- Illinois HB 5511, the Children's Social Media Safety Act, passed the General Assembly unanimously on June 1, 2026, and awaits Governor JB Pritzker's signature. Source
- The bill requires operating system providers to build an age signal interface by January 1, 2028, that shares a user's age category with any app that requests it. Source
- The Electronic Frontier Foundation says the mandate creates an "anonymity- and privacy-destroying data collection framework" that touches every device owner, not just minors. Source
- The Illinois Attorney General can fine companies up to $7,500 per affected child for intentional violations, with no private right of action for residents. Source
- Pritzker sponsored the bill and has pledged to sign it, meaning EFF's veto campaign is fighting the governor's own agenda, not a fence-sitter. Source
What Does HB 5511 Actually Require?
HB 5511 sets up two obligations. First, operating system providers, practically speaking Apple, Google, and Microsoft, must build an accessible interface at device setup where the account holder declares a birth date. The OS then relays an age category signal to any app that requests it, sending "the minimum information necessary" to do so, by a compliance deadline of January 1, 2028. (Source)
Second, social media platforms in Illinois cannot let a known minor use the service without default protections: restricted algorithmic feeds, limited profile visibility, reduced media exposure, blocked location sharing, and no overnight notifications. Only the Illinois Attorney General enforces the law, up to $2,500 per child for negligent violations and $7,500 per child for intentional ones, with no private right of action. (Source)
The bill never specifies how an OS confirms a self reported birth date is accurate. A self declared age with no verification step is trivial to falsify, the exact gap pushing other states toward commercial identity verification vendors instead.
Why Does EFF Call This Device Level, Not Just an App Problem?
Because the age signal originates at the operating system, not the app you happen to be using. A site level age check, upload an ID before viewing one website, only touches the platforms you choose to visit. HB 5511 moves the checkpoint to the device itself, so the age category becomes a persistent attribute of your Apple ID, Google account, or Microsoft account rather than a one time gate at a single site. EFF argues this "requires every Illinois resident — not just minors — to prove their identity to Apple, Google, or Microsoft before installing any app," since an OS has no reliable way to tell a 16-year-old's account from a 40-year-old's without collecting age data from everyone. (Source)
That distinction matters. The 400 scientists who signed an open letter calling age verification "mass surveillance" made the same core argument about site level mandates: build infrastructure to verify age, and you've built infrastructure to verify identity. HB 5511 just moves that infrastructure one layer deeper, into the hardware mediating every other digital interaction a person has.
What Does This Mean for Anonymous Speech?
An age category signal attached to a device is, functionally, an identity signal. Once an operating system routes birth date data to apps on request, the technical distinction between "verifying you're an adult" and "verifying who you are" collapses, the same plumbing that flags a 15-year-old's account can flag a 45-year-old's just as easily. EFF's letter warns the bill will "dismantle online anonymity, jeopardize data security" and restrict constitutionally protected speech for minors and adults alike. (Source)
A whistleblower installing a secure messaging app now does so through an OS that has already logged an age category tied to their account. A domestic abuse survivor setting up a new phone has to hand a birth date to the same company that controls the device before installing anything at all. LGBTQ+ teenagers in hostile households lose the one place, an anonymous account, a pseudonymous forum, to research resources without a parental consent trail attached. ACLU of Illinois policy strategist Stephen Ragan put it plainly: mandating age gates "raises serious constitutional questions" while "the root of the harms go unaddressed." (Source)
How Does This Fit the 2026 Age Verification Wave?
HB 5511 is the fourth device level or platform level age mandate to draw serious privacy pushback in five months. Apple already rolled out UK age checks that treat every account as unverified until a user hands over ID. The UK's under-16 social media ban built a parallel verification layer across platforms operating in Britain. And federally, the KIDS Act would attach age and identity checks to whistleblower-adjacent platforms in ways EFF and privacy researchers say threaten anonymous sourcing directly.
What separates HB 5511 from that pack is where the checkpoint sits. Site level laws are avoidable, skip the platform, skip the check. A device level mandate has no workaround short of not owning a smartphone, because Apple, Google, and Microsoft aren't optional intermediaries the way a single app is. California's newer AB 1856 is already retreating from this model, carving out an exemption for open source operating systems after backlash. HB 5511 contains no such exemption, which is why open source maintainers of projects like Linux distributions and Android's AOSP joined the opposition. (Source)
Why Email Users Should Care
Google is both an operating system provider under HB 5511's definition and the identity backbone behind every Gmail account. If Pritzker signs the bill, Google's compliance path for Android would almost certainly tie the age category signal to the same Google Account that manages your inbox, meaning your Gmail login could become the anchor point where an age record gets created and shared with other apps on request.
That matters even if you're nowhere near a minor. Once an OS level account carries an age category flag by default, there's no clean way to stop that flag from becoming one more data point brokers can request alongside your email address when you sign up for a new service. Email addresses already tie accounts together across the web; a mandatory age signal on the account controlling your Gmail extends that linkage rather than limiting it.
What Happens Next?
Pritzker has not set a public signing date. Under the Illinois Constitution, a governor has 60 calendar days to act once a bill is formally presented, or it becomes law automatically. (Source) Given that Pritzker proposed the bill and has publicly committed to signing it, a veto looks unlikely. EFF's letter reads less like an attempt to change his mind than an effort to build a public record ahead of an expected legal challenge. NetChoice, the industry group representing Google and Meta, sent its own veto request the same week, arguing the bill "undermines the First Amendment rights of Illinois users while exposing their most sensitive personal data to serious harm." (Source)
The operating system deadline sits more than a year out, January 1, 2028, leaving time to watch whether California's open source carveout becomes the template other states adopt, or Illinois's no exemption version spreads instead. How Apple and Google implement HB 5511, more than the statute's text, will determine how deep the identity layer reaches into everyday device use.