One of a Bend Privacy Alliance series on age verification and youth online safety. Before debating a new age-checking law, it helps to know what Oregon law already requires — and where the genuine gaps are.
It is easy to talk about youth online safety as if Oregon were starting from zero. It is not. Several Oregon laws already protect young people’s data and well-being online, each aimed at a specific setting. Knowing what is already on the books is the only way to judge what a new operating-system age-signal law would actually add — and what it might simply duplicate.
This page walks through Oregon’s existing protections, the pattern they share, and the one place an age-signal law could plausibly fill a real gap. The aim is not to argue that Oregon has already done enough. It is to make the 2027 conversation specific.
In schools: student data
In K–12 classrooms, the Oregon Student Information Protection Act (OSIPA, ORS 336.184, enacted in 2015) governs the apps and online services students use. It bars education-technology operators from using K–12 student data for anything other than school purposes, prohibits targeted advertising to students, and requires reasonable security and deletion of student data at a school’s request; violations are treated as unlawful trade practices. Federal FERPA and COPPA add a baseline on top of that.
At the same time, Oregon is collecting more in-school data, not less. SB 141 (2025), the Education Accountability Act, expands required interim assessments — adding more testing, and more student-data flowing through school technology. That makes OSIPA’s guardrails more important, not less, and it is a reminder that “more student data” and “student privacy” are moving at the same time.
In the marketplace: minors’ commercial data
For commercial data, the Oregon Consumer Privacy Act (OCPA), in effect since January 1, 2025, sets the rules — and HB 2008 strengthened them. Effective January 1, 2026, a business may not use the personal data of anyone under 16 for targeted advertising or for profiling that produces significant effects, and may not sell it, where the business has actual knowledge of, or willfully disregards, that the person is under 16. Notably, consent does not override the ban. HB 2008 also prohibits the sale of precise location data for all Oregonians.
In AI chat: companion chatbots
For one of the newest risks, Oregon has already acted. SB 1546, the AI-companion law signed March 31, 2026 and effective January 1, 2027, regulates chatbots designed to simulate a sustained, human-like relationship. Operators must remind users they are talking to AI, detect expressions of suicidal ideation or self-harm and route users to crisis resources (such as the 988 Suicide & Crisis Lifeline and Oregon’s YouthLine), and apply additional protections when they know or have reason to believe a user is a minor. The law carries a private right of action.
The common thread: known age, not universal ID
Look across these laws and a pattern appears. Most of them trigger on the age a service already knows — on “actual knowledge” of, or “willful disregard” of, a user being under 16 or a minor. None of them requires every Oregonian to prove their age before using a device or the web. Oregon’s existing approach protects young people by placing duties on the services that handle their data, not by building a universal system that checks everyone’s age at the door.
That distinction is the heart of the 2027 debate. An operating-system age signal would change the default: instead of acting on the age a service happens to know, the device or account would be able to produce an age for anyone, on request.
So what would an age-signal law actually add?
An operating-system age-signal law (the California AB 1043 model, explained on our hub page) would add a standardized, device-level age bracket that covered apps could request. In practice, that does two things. First, it makes age available by default, rather than only when a service already knows it. Second, it shifts the job of establishing age onto the operating system and the device, rather than the individual service.
Whether that is an improvement depends entirely on the gap it is meant to close.
Where there is a real gap — and where there isn’t
There is a plausible gap. Oregon’s “actual knowledge” standard means a service can sometimes avoid its duties by arranging not to know a user’s age. A reliable age signal could close that “I didn’t know” loophole for some apps. That is the strongest argument for the model.
But much of what worries parents is already covered. Student data, under-16 commercial data, and AI-companion safety each already have a law. An age signal would not replace those protections; it would mostly change how age is established — while adding a new, reusable age layer and the risks that come with it (described on the hub page). So the honest question is narrow: is closing the “actual knowledge” gap worth building a device-level age layer — and could a narrower fix, such as tightening the “willful disregard” standard in existing law, close the same gap without it?
Questions to ask before 2027
- Which specific Oregon law leaves the gap this bill is meant to fill?
- Is the gap really about age verification, or about the “actual knowledge” standard in laws Oregon already has?
- Could strengthening the “actual knowledge” or “willful disregard” standard close the gap without a universal age signal?
- Does the bill duplicate OSIPA, OCPA/HB 2008, or SB 1546 — and if so, why is the overlap necessary?
- What new data flows or persistent identifiers would the age signal create that current law does not?
Further reading
- OS Age Verification, Explained: What Oregonians Should Know — the hub explainer, with the safeguards an age-signal law would need.
- Four Bills, One Label — the four very different policies people call “age verification.”
- Source library — primary sources are gathered in section 15, “Age verification and youth online safety.”
- Get involved — how to follow the work and weigh in before the 2027 session.
The basic principle
Oregon is not starting from scratch on youth online safety, and that is the point. The question for 2027 is not whether to protect young people — the laws above already do — but whether a universal age layer adds protection the current, targeted approach cannot, and whether that gain is worth the new infrastructure it would require.
Before building a system that can check everyone’s age, Oregon should be able to name the specific gap in existing law that nothing narrower can close.
Prepared by the Bend Privacy Alliance. The platform tools and laws described here are new and changing; this page reflects the picture as of June 2026, and current status should be checked before relying on any specific detail.