GrapheneOS, a privacy-focused Android alternative, declared it will not implement age verification requirements mandated by new laws in Brazil and California. The project emphasized its commitment to user anonymity, stating devices will remain accessible globally without personal data collection. Brazil's Digital ECA (Law 15.211), effective March 17, 2026, imposes R$50 million ($9.5 million) fines per violation for non-compliant OS providers. Similar rules under California's AB-1043 and Colorado's SB26-051 require age data collection during setup, with penalties up to $7,500 for intentional violations.

The GrapheneOS Foundation, a Canadian nonprofit, faces jurisdictional ambiguity as none of these laws apply to its home country. However, U.S. legal precedents—like the extradition of Samourai Wallet developers—suggest cross-border enforcement risks. Critics, including 400+ computer scientists, argue self-reported age systems are easily circumvented, creating surveillance infrastructure without child protection benefits. The project's stance aligns with DB48X calculator firmware and MidnightBSD, which also rejected compliance.

A technical partnership with Motorola announced at MWC March 2, 2026, could expand GrapheneOS's reach. If deployed on Motorola hardware, devices would need to navigate global regulatory hurdles, potentially limiting sales in non-compliant regions. This mirrors challenges faced by other privacy-focused tools resisting similar mandates.

The core conflict centers on balancing child safety laws with digital privacy rights. While California's law avoids biometric checks, relying on self-declaration, GrapheneOS maintains that any mandatory data collection undermines its security ethos. The $9.5 million fine per violation in Brazil underscores escalating tensions between regulatory demands and open-source autonomy.