The digital landscape has always posed a twin challenge: how to protect children online while also preserving robust free speech rights for adults consistent with the First Amendment. This tension reached a logical zenith with the Supreme Court’s June 27, 2025, decision in Free Speech Coalition Inc. v. Paxton (“Paxton”), which empowers each state to vigorously enforce its age verification laws related to internet content.
The Supreme Court’s Analysis
Paxton centered on Texas’s H.B. 1181, a law requiring commercial sites with significant sexual content to verify its users’ ages. Verification under the law requires sites to get actual information on the individual user’s age through government identification or an individual’s public or private transactional data (as opposed to, for example, a winery whose site requires visitors to click a box affirming that they are over the age of 21).
Industry groups argued that this law unduly restricted adults’ access to protected speech. The District Court sided with the industry, blocking the law based on strict scrutiny, the most aggressive standard of constitutional review (requiring the law to be narrowly tailored to achieve a compelling government interest through the least restrictive means). On appeal, the Fifth Circuit Court of Appeals reversed, applying the most lenient, rational basis standard of review (requiring a law be rationally related to a legitimate government objective without being arbitrary or irrational).
Ultimately, the Supreme Court chose the middle ground, holding that intermediate scrutiny should apply. Under intermediate scrutiny, a law will pass muster if it “advances important governmental interests unrelated to the suppression of free speech and does not burden substantially more speech than necessary to further those interests.” Using this approach, the Court reframed age verification requirements as both incidental to adult speech (not a direct burden) and firmly tied to states’ historic authority to prevent minors’ access to obscene material. Therefore, the Court held that the Texas law was constitutional.
The Technology Trap: Reliability, Bias & Operational Burden
Implementing effective age verification is more easily said than done. Self-attestation (the ubiquitous “Enter birthdate to continue”) is unreliable and has been widely rejected as an effective method of age verification. Further, requiring users to upload a government ID for verification invites significant privacy and retention concerns, as discussed below.
In addition to the concerns around sensitive personal data associated with biometric methods, third-party age-estimation and device-based approaches, these methods come with their own operational and reliability challenges. For example, similar methods recently deployed in the U.K. are already being circumvented by users scanning faces that appear over 18 years old on TV shows or video games to “verify” their age.
Ohio Follows Suit
Ohio joined the broad wave of states passing strict age verification measures for online adult content in 2025. Shortly after the decision in Paxton, Governor DeWine signed H.B. 96 into law as part of Ohio’s two-year fiscal budget; sites must comply with the Ohio law’s requirements when it goes into effect September 29, 2025.
The law applies to any business disseminating “obscene or harmful” material to juveniles online and requires platforms to use “reasonable age verification methods,” which can be government-issued photo ID or other transactional data (such as evidence of a mortgage, higher education records, or employment records) to confirm users are at least 18. Sites subject to the Ohio law must delete age verification data immediately after use, in an effort to minimize data retention risks.
Privacy and practical criticisms of Ohio’s law echo those leveled at other states’ laws: the risk of data breaches with sensitive personal data, ineffective prevention of minor access and the ease of circumventing verification methods, and the diversion of internet traffic to less-regulated, obscure platforms remain unresolved concerns. Some large sites providing adult content have suspended service in states where they would be unable to ensure privacy and operational compliance or where the burden of such compliance is too great.
Privacy & Data Protection: New Duties – and Risks
State laws mandating online age checks obviously raise privacy concerns based on the specific data collected and the methods deployed in that collection. The types of data to collect for verification can include sensitive personal data like government IDs, biometrics, and credit card data. Businesses collecting this data now have a higher risk associated with data breaches, as the sensitive nature and increased volume raises the stakes involved with breach. And individuals obviously have a greater risk of their information being exposed through a breach, which could include both disclosure of the information provided as well as the sites visited. The Supreme Court, critics note, gave short shrift to these privacy worries – comparing online age checks to simple in-person ID checks with store clerks for age-limited activities like purchasing firearms or alcohol, despite the substantial risks and persistent digital footprints involved with age verification. Would you consider these to be the same types of disclosure?
Finally, a new, state-by-state age verification regulatory framework only adds complexity to the varying nature of existing privacy laws and regulations.
Compliance Intersections: Federal and State Privacy Law
State verification laws may duplicate or be at odds with existing frameworks like the Children’s Online Privacy Protection Act (COPPA), which applies only to children under 13. Following Paxton, states are now free to use a broader or narrower age range and impose different requirements for consent and data protection. This leads to inconsistency about who is protected and how, jurisdictional headaches about user location, and conflicts for businesses forced to prove compliance with verification requirements, even when privacy laws discourage retention of minors’ data.
The Practical Fallout: Patchwork State Regulation
While the Paxton Court’s conclusion is undoubtedly important, the practical effect is what needs to be examined. The decision clearly launches a signal flare for state legislatures itching to ramp up child and other internet safety laws. The ruling makes it clear: age verification laws, when properly tailored, now have a clear path past constitutional challenge. Adult internet users should expect states to test the scope of this conclusion. At a minimum, residents should expect rapid expansion of laws requiring the following (which, if privacy regulation is any guidance, may not benefit from uniform federal action):
- Mandatory age verification (i.e., formal identification of the user) for, at least, social media and adult content;
- Parental consent requirements for identified sites (this has already been started in Florida and Georgia); and
- Restrictions on “addictive” features, like California’s feed and notification limits and Utah’s bans on infinite scrolling.
Like state data privacy laws, this regulatory momentum is creating a patchwork of requirements, often at odds with existing privacy laws, technological capabilities and the laws of other states.
Action Items for Businesses
There is no longer a question of if states can regulate access to online content – it’s how far they’ll go with regulation. Age verification requirements may (and likely will) go beyond adult content and could expand to include social media or other e-commerce access. In preparation, companies should monitor state legislative activity, as each new statute could trigger new compliance obligations – often with little notice.
In implementing compliant age verification tools, businesses should use the most privacy-protective, accurate technologies available and seek counsel to ensure their mechanisms satisfy state and federal duties. Counsel can also support companies to be prepared for state attorney general scrutiny and potential consumer protection actions. Finally, businesses should minimize data collection where possible and build secure systems from day one.
The post-Paxton world is one of increasing regulatory complexity, both for internet platforms and for any business operating online. Successfully navigating this environment will require robust cross-functional engagement – between legal compliance teams, technologists, privacy officers, and business leadership.
