Your Birthday Is a Barcode
The bill that turns your operating system into a surveillance tool, and the data broker pipeline that makes it useful
A new federal bill requires every computer, phone, and tablet in America to collect your date of birth and hand it to any app that asks. It applies to Linux volunteers, Raspberry Pi hobbyists, and your grandmother’s Kindle. The bill text contains no restrictions on selling the data.
Five days ago, two members of Congress introduced a bill called the “Parents Decide Act.” The name suggests parental controls. The text suggests something else.
H.R. 8250 was filed on April 13, 2026, by Rep. Josh Gottheimer of New Jersey and Rep. Elise Stefanik of New York. It was referred to the House Committee on Energy and Commerce. The full text is now public.
What the Bill Actually Does
The bill would require every “operating system provider” to do three things:
Collect your birthday. Every user of every operating system must provide their date of birth to set up an account and to use the device. Not age. Not “over 18.” Your exact date of birth.
Verify minors through parents. If a user is under 18, a parent or legal guardian must verify the child’s date of birth. How? The bill does not say. It delegates that decision to the FTC, which has 180 days to figure it out.
Build a birthday API for app developers. This is the one that matters. Section 2(a)(3) requires operating system providers to “develop a system to allow an app developer to access any information as is necessary... to verify the date of birth of a user of an app.”
Read that again. Your operating system must build a pipeline that hands your birthday to any app that asks for it.
Your Birthday Identifies You
Most people do not think of their birthday as sensitive information. In 1997, a researcher named Latanya Sweeney demonstrated that just three data points can uniquely identify 87 percent of Americans: date of birth, ZIP code, and gender. Two of those three, most apps already have.
Your birthday is the missing key, and this bill hands it over.
Once an advertiser knows your birthday and your approximate location, they can cross-reference commercial databases to attach your name, your address, your purchase history, and your browsing habits. Not because they hacked anything. Because your operating system handed them the key and Congress told it to.
“Operating System Provider” Means Everyone
The bill defines “operating system” as “software that supports the basic functions of a computer, mobile device, or any other general purpose computing device.” It defines “operating system provider” as “a person that develops, licenses, or controls” such software.
That definition covers Apple and Google. It also covers:
Linux distributions. Ubuntu, Debian, Fedora, Arch. Built by volunteers, maintained by nonprofit foundations, downloaded by millions. Under this bill, every distribution maintainer is an “operating system provider” subject to FTC enforcement.
Raspberry Pi projects. The dad who builds a smart garage door opener. The teacher who sets up a classroom computer lab. The kid learning to code on a $35 board. All operating system providers.
Custom firmware. Anyone who installs a custom ROM on their phone, flashes firmware on a router, or modifies an embedded system.
Game consoles. Smart TVs. E-readers. Car infotainment systems. Smartwatches. Anything with software that “supports basic functions” of a “general purpose computing device,” a term the bill never defines.
The bill makes no distinction between Apple and a college student writing an operating system for a class project. The FTC enforcement applies equally.
No Protections on the Data
The bill instructs the FTC to create “data protection standards” for how birthday data is collected. It says the data must be collected “in a secure manner” and must not be “stolen or breached.”
It says nothing about selling it. Nothing about sharing it. Nothing about how long it can be retained. Nothing about what app developers can do with it once they receive it through the mandatory API.
The USIPS analysis puts it plainly: “The bill itself has no protections from the sharing or selling of the gathered data.”
Your web browser is an app. Under this bill, every website you visit through your browser could request your date of birth from your operating system. Advertisers would have a universal tracking identifier delivered by federal mandate.
The State-Level Wave
H.R. 8250 did not emerge in a vacuum. It follows a pattern of state legislation pushing the same concept:
Colorado SB26-051 requires operating systems to collect age information at account setup and provide “age-related signals” to applications. California AB 1043 mandates age-bracketing systems for operating systems and app stores beginning in 2027. Oregon has introduced similar legislation.
The Electronic Frontier Foundation criticized California’s version for “expanding the collection of sensitive age data and increasing privacy and censorship risks.” The federal bill goes further than any state version by requiring the exact date of birth rather than an age bracket, and by mandating a data-sharing API for app developers.
The Safer Path They Didn’t Take
California’s bill, for all its problems, at least attempts to limit what gets shared. Instead of broadcasting your exact birthday, it passes a simple signal: over 18, or not. Binary. Less useful for tracking.
H.R. 8250 chose the other path. Your exact date of birth. To every app. Through a mandatory API. With no restrictions on what happens to it next.
The bill’s sponsors call this “letting parents decide.” The infrastructure they are building lets advertisers decide, data brokers decide, and anyone who buys the data decide.
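The difference between an exact date of birth and a binary age signal can be measured as the size of the group a person hides in. The following is an added example, not part of the bill or any cited source: it builds a constructed, uniformly distributed synthetic population (the ZIP labels, population size, reference date and all function names are assumptions) and compares how many people are singled out by (signal, ZIP, gender) under each kind of signal. Its output is illustrative and does not reproduce Sweeney's census figure.

```python
import random
from collections import Counter
from datetime import date, timedelta

TODAY = date(2026, 4, 18)  # constructed reference date for the age check

def make_population(n, zips, seed=7):
    """Constructed synthetic residents as (dob, zip, gender); not real data."""
    rng = random.Random(seed)
    start = date(1940, 1, 1)
    days = (date(2020, 12, 31) - start).days + 1
    return [(start + timedelta(days=rng.randrange(days)),
             rng.choice(zips), rng.choice("FM")) for _ in range(n)]

def exact_dob(dob):
    """Signal that releases the full date of birth."""
    return dob

def over_18(dob, today=TODAY):
    """Signal that releases a single bit: is the user 18 or older today?"""
    had_birthday = (today.month, today.day) >= (dob.month, dob.day)
    return today.year - dob.year - (0 if had_birthday else 1) >= 18

def group_sizes(people, signal):
    """Count how many people share each (signal, zip, gender) combination."""
    return Counter((signal(dob), z, g) for dob, z, g in people)

def unique_fraction(people, signal):
    """Share of people whose combination matches nobody else in the data."""
    sizes = group_sizes(people, signal)
    alone = sum(1 for dob, z, g in people if sizes[(signal(dob), z, g)] == 1)
    return alone / len(people)

def compare(n=40000, n_zips=5):
    """Run both signals over the same constructed population."""
    people = make_population(n, [f"ZIP{i}" for i in range(n_zips)])
    return {
        "exact_dob_unique": unique_fraction(people, exact_dob),
        "over_18_unique": unique_fraction(people, over_18),
        "over_18_smallest_group": min(group_sizes(people, over_18).values()),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

With roughly 8,000 synthetic residents per ZIP label, the exact-date signal isolates most individuals, while the one-bit signal leaves every person in a group of hundreds.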
The Loophole
The Fourth Amendment says the government needs a warrant to track you. But there is a loophole big enough to drive a surveillance state through…
The government can just buy the data instead.
The legal theory is simple. You “voluntarily” shared your location with a weather app. You clicked “Allow” without reading the terms of service. A data broker bought your location data in bulk from the app developer. And because you “voluntarily” gave it up, the government argues it can purchase that data without a warrant, without a judge, without any of the constitutional protections that are supposed to constrain state surveillance.
Privacy lawyers call this “constitutionally indefensible.” Courts have let it slide for years.
The receipts are public. DHS signed a $1 billion contract with Palantir to build AI-powered surveillance systems using purchased commercial data. ICE has a $30 million contract with Palantir for “ImmigrationOS,” a platform that tracks people for deportation with “near real-time visibility.” The FBI signed a contract worth up to $27 million with Babel Street for 5,000 licenses to its Locate X product. When Senator Wyden asked FBI Director Kash Patel if he would commit to stop purchasing Americans’ location data, Patel declined. The FBI “uses all tools,” he said.
The Department of Defense purchased location data from a Muslim prayer app. Law enforcement used purchased data to track Black Lives Matter protesters. The IRS bought location data. Even the Secret Service is shopping at the data broker mall.
None of this required a warrant. None of it was reviewed by a judge.
Where Oracle Fits
Oracle is not just a database company. It is one of the largest consumer data brokers on the planet.
In 2014, Oracle acquired BlueKai, a company that tracks web browsing behavior across millions of sites. The same year, it acquired Datalogix, which aggregates data on over $2 trillion in consumer spending from loyalty card programs and retail transactions. These were merged into Oracle Data Cloud, a platform that connects your offline purchases to your online behavior and sells that composite profile to advertisers.
Oracle knows what you buy at the grocery store. It knows what websites you visit. It knows your age, your income bracket, your interests, and your purchase intent. It knows this for billions of consumer profiles across five billion unique IDs.
Now consider who Oracle’s strategic partner is.
Palantir. The company founded by Peter Thiel. The company with $1 billion in DHS contracts. The company building the AI surveillance infrastructure that ingests data from every source the government can legally buy.
Oracle and Palantir’s partnership page says they help “organizations increase efficiency, meet sovereignty requirements, and outpace adversaries.” Translated: Oracle collects the data, Palantir builds the analytics, and the government buys access to both. No warrant needed. No judge involved. No Fourth Amendment in sight.
Palantir claims it does not “own or broker access to data.” It just builds the software that makes other people’s data searchable, correlatable, and actionable at scale. The distinction is the kind of thing that sounds meaningful in a legal brief and evaporates the moment you understand what the software actually does.
The Connection
Stack the pieces.
Anthropic collects your face through Persona, a Thiel-funded verification company that runs 269 checks per user and files reports with federal agencies.
H.R. 8250 requires your operating system to collect your exact date of birth and hand it to any app through a mandatory API.
Oracle already has your purchase history, your browsing behavior, and your offline spending habits across billions of profiles.
Palantir builds the AI that correlates all of it into searchable, targetable, actionable intelligence.
And the government buys access to all of it without a warrant, because you “voluntarily” gave it to a weather app.
Each piece is harmless in isolation. Together, they form a composite identity that follows you everywhere you go, built not by hackers but by compliance departments following the law. Built not by conspiracy but by infrastructure.
Nobody needs to conspire when the incentives align.
The infrastructure connects itself.
In 1997, Latanya Sweeney proved that three data points could identify almost anyone. In 2026, Congress is writing the law that ensures those data points are collected, centralized, and available on demand.
The bill is called the “Parents Decide Act.” The parents did not ask for this. Neither did their children. But the data brokers, the advertisers, and the agencies who purchase commercial data without a warrant are deciding right now what this infrastructure will be used for.
Your birthday is not sensitive information. Until it is the last piece of a puzzle that somebody else is already assembling.
The Red String Wire investigates the convergence of corporate power, surveillance technology, and democratic erosion. It will remain free forever.
Sources:
- H.R. 8250 Full Text, Congress.gov
- USIPS: “The Parents Decide Act Will Dox You to Every Website”
- Linuxiac: Federal Bill Would Bring OS-Level Age Verification to the Entire U.S.
- Latanya Sweeney: Uniqueness of Simple Demographics (1997)
- Colorado SB26-051
- California AB 1043
- EFF: California’s AB 1043 Age Verification Bill
- State of Surveillance: The Data Broker Loophole
- Lawfare: Data Broker Sales and the Fourth Amendment
- EPIC: Government AI Is Coming for Your Data
- Brennan Center: Closing the Data Broker Loophole
- OPB: Your Data Is Everywhere, The Government Is Buying It
- Oracle Acquires Datalogix, ZDNet
- Oracle Acquires BlueKai, Data Center Knowledge
- Privacy International: Oracle Profile
- Oracle-Palantir Strategic Partnership
- Palantir-Oracle Partnership Page
