March 23, 2026

GrapheneOS says it will not comply with new laws requiring operating systems to collect user age data during setup. The decision could limit where its devices can be sold, as jurisdictions including Brazil and several U.S. states move to mandate age verification at the OS level.
In a statement on X, the privacy-focused Android fork said: “GrapheneOS will remain usable by anyone around the world without requiring personal information, identification or an account,” adding that if devices cannot be sold in certain regions, “so be it.”
The stance comes as Brazil’s Digital ECA law took effect on March 17, imposing fines of up to R$50 million (about $9.5 million) per violation for non-compliant operating systems. In the U.S., California’s Digital Age Assurance Act will take effect in January 2027, requiring OS providers to collect a user’s age or date of birth at setup and share that data with app developers through a real-time API. Colorado is advancing similar legislation.
While GrapheneOS is developed by a Canadian nonprofit, enforcement boundaries remain unclear. California’s law includes civil penalties of up to $2,500 per affected child for negligent violations and $7,500 for intentional ones. A recent U.S. case involving the extradition of developers behind a privacy-focused crypto tool highlights how enforcement can reach beyond domestic jurisdictions.
The issue also intersects with hardware distribution. GrapheneOS recently announced a partnership with Motorola to bring the operating system to new devices, expected in 2027. If those devices ship with GrapheneOS pre-installed, compliance with local laws may become a requirement for sales in regulated markets.
GrapheneOS is not alone in resisting the trend. Other open-source projects have issued similar refusals, while critics – including hundreds of computer scientists – argue that self-reported age systems create surveillance infrastructure without effectively protecting children.
