Illinois is drafting its own entry into the national age-verification arms race, and the implications stretch far beyond protecting children from harmful content online. Senate Bill 3977, introduced in the Illinois General Assembly’s 104th session, would impose age-verification mandates on a broad category of digital services — and if the bill’s language follows the trajectory set by similar proposals in California and other states, it threatens to ensnare open-source developers, small operators, and privacy-conscious platforms in a compliance web originally designed for Big Tech.
The bill, tracked via LegiScan, is still in its early stages. But its emergence fits a pattern we’ve been covering closely — a pattern that, viewed from the inside, looks less like child safety legislation and more like a structural transformation of who gets to publish software and operate services on the internet.
The National Template: How State-Level Age Bills Became a Conveyor Belt for Surveillance Infrastructure
To understand what Illinois is attempting, you have to look at what’s already happened in California. Earlier this year, California’s AB 1043 drew intense scrutiny for its sweeping age-verification requirements. As WebProNews reported, the bill’s definitions were so broad that Linux distributions, open-source browser projects, and volunteer-run platforms could all fall within its scope. The law didn’t distinguish between a social media giant with billions in revenue and a hobbyist running a Mastodon instance from a closet server. Both would face the same mandate: verify the age of every user, or face legal consequences.
That’s not a theoretical concern. It’s an architectural one.
Age verification, at scale, requires identity infrastructure. You need a way to confirm that a person is who they claim to be and that they meet a minimum age threshold. The most common methods involve government-issued ID scanning, facial estimation technology, or integration with third-party identity verification services. Each of these approaches carries significant privacy costs. Each requires the operator to collect, process, and often store sensitive personal data. And each assumes that the operator has the technical capacity, legal resources, and financial backing to implement such systems.
Open-source projects don’t have that. Most of them never will.
As WebProNews detailed in its analysis of AB 1043’s compliance burden, the bill effectively forces a surveillance mandate onto every developer — including those who can’t comply. A volunteer maintaining a free communication tool doesn’t have a legal department. They don’t have a contract with a KYC vendor. They don’t have the budget to integrate biometric age estimation. But under bills like AB 1043, and potentially under Illinois SB 3977, they’d be expected to act as if they do.
And here’s where the pattern gets more interesting — and more troubling.
System76, the Colorado-based Linux hardware and software company, has been among the most vocal critics of these bills. As WebProNews covered, System76’s leadership argued that the real agenda behind state age-verification bills isn’t child safety at all. It’s a liability dodge for large technology companies combined with a government surveillance opportunity. The logic runs like this: Big Tech platforms already have the infrastructure to implement age-gating. They collect mountains of user data already. For them, adding an age-verification layer is an incremental cost. For everyone else — smaller competitors, open-source alternatives, privacy-first services — it’s an existential burden. The net effect is that these bills consolidate power among the incumbents while giving state governments a new mechanism for tracking who accesses what online.
System76’s Carl Richell put it bluntly: the bills are written in a way that benefits the companies that lobbied for them. The compliance costs fall hardest on the entities least able to bear them, which happen to be the same entities offering alternatives to the dominant platforms.
That’s not a coincidence. It’s a feature.
Illinois Enters the Fray — And the Details Will Matter Enormously
SB 3977’s full text and amendments will determine whether Illinois follows California’s most aggressive approach or carves out meaningful exceptions. But the early signals aren’t encouraging for those hoping for a more measured bill. The political dynamics driving age-verification legislation are potent: no legislator wants to be seen as soft on child safety, and the framing of these bills — protect kids from online predators and harmful content — makes opposition politically expensive. That dynamic has produced a ratchet effect across states, where each new bill tries to go at least as far as the last one, and often further.
The Illinois bill arrives at a moment when the national debate over age verification is intensifying. Multiple states have passed or are considering similar legislation. Utah, Texas, Louisiana, and Virginia have all enacted laws requiring age verification for access to certain categories of online content, primarily pornography. But the newer wave of bills, including California’s AB 1043 and now Illinois’s SB 3977, appears to target a much broader set of services. Social media. Messaging platforms. App stores. Potentially any service that a minor could access.
The breadth is the problem.
When you write a law that applies to “online services accessible by minors,” you’ve described the entire internet. Every website. Every app. Every protocol. And unless the law includes explicit carve-outs for open-source software, nonprofit platforms, and services that don’t collect user data by design, you’ve created a legal framework that punishes privacy-respecting architecture.
Think about what that means in practice. A privacy-focused email service that doesn’t collect user identities would need to start collecting them — or shut down. A decentralized social network with no central operator would need to designate someone legally responsible for age-gating — or cease operating in the state. A Linux distribution that ships a web browser capable of accessing age-restricted content could, under the broadest reading of these laws, be considered a service that needs to verify its users’ ages.
Absurd? Maybe. But the text of these bills doesn’t always exclude such interpretations. And when the penalties are significant — fines per violation, potential liability for harm to minors — even the theoretical possibility of enforcement changes behavior. Developers start geo-blocking. Projects add restrictive terms of service. Some simply stop distributing to users in affected states.
The chilling effect is real, even before a single enforcement action.
Illinois has a particular wrinkle that makes SB 3977 worth watching closely. The state already has one of the nation’s strongest biometric privacy laws — the Biometric Information Privacy Act, or BIPA. That law has generated hundreds of lawsuits against companies that collected fingerprints, facial scans, or other biometric data without proper consent. So Illinois legislators are operating in a state where biometric data collection is already a legal minefield. Introducing a mandate that could require facial age estimation — one of the most common age-verification technologies — creates a direct tension with BIPA’s existing protections.
How do you mandate age verification while simultaneously restricting the most common methods of performing it? That’s not a rhetorical question. It’s a real legal conflict that SB 3977’s authors will need to address.
And they may not address it well. Legislative drafting is often reactive, not anticipatory. Bills get written to solve a perceived problem — kids accessing harmful content — without fully accounting for the technical and legal collateral damage. The result is legislation that sounds good in a press release but creates cascading problems in implementation.
We’ve seen this before. The original Children’s Online Privacy Protection Act (COPPA), passed in 1998, was well-intentioned but led to a blanket industry practice of simply prohibiting users under 13 from creating accounts — not because that protected children, but because it shifted liability away from platforms. The age-verification bills currently moving through state legislatures risk producing a similar outcome at a much larger scale: not genuine protection for minors, but a new layer of identity surveillance that makes the internet less open, less private, and less accessible to independent operators.
What Comes Next — And Who Pays the Price
The trajectory here is clear. More states will introduce age-verification bills. The political incentives are too strong and the opposition too fragmented to stop the momentum entirely. The question isn’t whether these laws will pass — many of them will. The question is whether they’ll be written with enough technical understanding and enough respect for civil liberties to avoid the worst outcomes.
So far, the track record isn’t great.
For the open-source community, the stakes are existential in a way that most legislators don’t seem to grasp. Open-source software is built by volunteers, distributed freely, and maintained through community effort. It doesn’t have a revenue model that can absorb compliance costs. It doesn’t have a legal team that can interpret fifty different state-level age-verification regimes. And it often doesn’t have a single entity that can be held legally responsible for compliance — because the entire point of open-source is that the software belongs to everyone.
Bills like SB 3977, if drafted carelessly, would effectively tell the open-source world: you’re not welcome here anymore. Not in Illinois. Not in California. Not in any state that passes a version of this template.
That’s a profound shift. And it’s happening quietly, state by state, bill by bill, with very little public debate about the technical consequences.
Growing up in the Midwest, I watched the internet transform from a curiosity into the backbone of modern life. Illinois was part of that story — home to early internet infrastructure, university research networks, and a thriving tech community. The idea that the state might now pass a law that makes it harder to run open-source software, harder to build privacy-respecting services, and harder to operate outside the walled gardens of Big Tech is deeply frustrating. Not because child safety doesn’t matter — it does, enormously — but because these bills aren’t actually solving that problem. They’re creating new ones.
The children these laws claim to protect will still find ways around age gates. They always have. But the developers, the small operators, the privacy advocates, and the open-source maintainers who get caught in the crossfire won’t have the resources to fight back. They’ll just disappear. And the internet will be a little more centralized, a little more surveilled, and a little less free.
SB 3977 deserves close scrutiny from Illinois residents, technology professionals, and anyone who cares about the future of open software. The bill’s progress can be tracked on LegiScan. If the pattern holds, the window for meaningful input is narrow. And once these laws pass, they’re extraordinarily difficult to roll back.


WebProNews is an iEntry Publication