State Age Verification Laws 2026 — Adult Site Compliance by State

State-by-state adult-site age verification laws in 2026: which states require government-ID verification, penalties, technical compliance options, and the pending legislative pipeline.

As of 2026, seventeen U.S. states have active age-verification statutes targeting adult websites, with several more in legislative process. This guide covers the live state-by-state landscape, the technical compliance options, and the trajectory operators should plan around.

Free Speech Coalition v. Paxton (2025) - what the SCOTUS decision changed

What did the Supreme Court's 2025 Paxton decision actually hold, and what does it mean for operators?

The June 27, 2025 decision in brief. In Free Speech Coalition, Inc. v. Paxton, 606 U.S. 461 (2025), the U.S. Supreme Court held by a 6–3 vote that Texas H.B. 1181's age-verification requirement "triggers, and survives, review under intermediate scrutiny because it only incidentally burdens the protected speech of adults." Justice Thomas wrote the majority opinion; Justices Kagan, Sotomayor, and Jackson dissented. The Court rejected both the district court's application of strict scrutiny and the Fifth Circuit's application of rational-basis review, settling on intermediate scrutiny as the appropriate standard for laws that age-gate content that is obscene as to minors but not as to adults.

The reasoning that matters for operators. The majority grounded its holding in Ginsberg v. New York, 390 U.S. 629 (1968), which recognized states' "traditional power to prevent minors from accessing speech that is obscene from their perspective." That power, the Court held, "necessarily includes the power to require proof of age." The Court distinguished its 1990s internet cases — Reno v. ACLU, 521 U.S. 844 (1997), and Ashcroft v. ACLU, 542 U.S. 656 (2004) — on the ground that they "both dealt with 'the internet' as it existed in the 1990s," before mobile devices and streaming made age-gating practically achievable without the burden the Court had earlier found prohibitive.

What "content-based but constitutional" means in practice. After Paxton, AV mandates for sites whose material is obscene-as-to-minors are constitutional even though they are content-based, provided they (1) further the state's compelling interest in shielding minors and (2) do not impose more than an incidental burden on adults' access to protected speech. The practical implication: state statutes that target a "substantial portion" of "material harmful to minors" (commonly 33⅓%, with Kansas at 25% and Wyoming with no threshold) will likely survive facial First Amendment challenge. Provisions ancillary to verification — forced health warnings, biometric collection without safeguards, retention mandates beyond verification — remain potentially vulnerable. The district court's invalidation of Texas's health warning was not appealed; operators in states with similar disclosures should monitor that question.

Every prior preliminary injunction has been vacated. The Seventh Circuit vacated the preliminary injunction in Free Speech Coalition v. Rokita (Indiana) on August 16, 2024 pending SCOTUS resolution; post-Paxton, that case was voluntarily dismissed with prejudice. The Florida HB 3 challenge (FSC v. Uthmeier) was voluntarily dismissed by the plaintiffs on July 28, 2025, leaving the anonymized-option requirement intact. The Tennessee preliminary injunction was vacated November 4, 2025. As of May 25, 2026, not a single state AV statute in the operative 25 remains enjoined.

Indiana v. Aylo (December 3, 2025): the first post-Paxton enforcement action. Indiana AG Todd Rokita filed State of Indiana v. Aylo Freesites Ltd. et al., 49D05-2512-PL-057061, in Marion Superior Court alleging that Aylo failed to implement "reasonable age verification" on Pornhub, Brazzers, Faketaxi, Spicevids, and affiliated sites. The complaint pleads that an Indiana AG investigator accessed Aylo sites from Indiana using a VPN with a Chicago IP, and that geoblocking alone is "insufficient to comply with Indiana's Age Verification Law" because VPN circumvention is foreseeable. The suit also pleads Deceptive Consumer Sales Act violations based on Aylo's representations that it had "completely disable[d]" access in Indiana. This case will likely set significant precedent on whether geoblocking discharges the AV duty when circumvention is foreseeable.

Texas, Florida, and the ongoing enforcement docket. Texas AG Ken Paxton has filed suits against Aylo, against Multi Media LLC (operator of Chaturbate), and against Hammy Media (operator of xHamster) under HB 1181. Florida has filed multiple HB 3 enforcement actions throughout 2025. Operators serving these states should treat AG enforcement risk as active and ongoing, not theoretical.

Section 230 is the unresolved question. Aylo has publicly asserted that Section 230 of the Communications Decency Act, 47 U.S.C. § 230, immunizes its sites from Ohio HB 96 enforcement because the explicit material consists of user-uploaded content. The better view in most commentary is that AV statutes target operator conduct (the failure to age-gate) rather than third-party speech, and so fall outside § 230(c)(1)'s "publisher or speaker" immunity — but this question has not been resolved on the merits in any post-Paxton federal appellate decision. Ohio HB 84 is the legislative response, drafted to neutralize the Section 230 defense. Operators relying on Section 230 as a primary defense should consult counsel; it is not yet a settled shield.

What Paxton does not do. The Paxton holding does not automatically extend to general-audience social-media age-verification laws. In his August 14, 2025 concurrence to the denial of an emergency stay in NetChoice, LLC v. Fitch (challenging Mississippi's social-media AV law), Justice Kavanaugh wrote that "under this Court's case law as it currently stands, the Mississippi [social-media] law is likely unconstitutional." The Fifth Circuit reheard NetChoice's appeal on February 3, 2026, with a panel ruling pending. Operators whose business is general-audience content with adult adjacencies should not assume Paxton clears their regulatory exposure; they remain on different constitutional footing than dedicated adult-content operators.

How adult operators technically comply with state AV laws

How do you actually implement age verification on an adult site?

Three implementation patterns dominate the market. The geographically-routed pattern detects the user's state from edge signals (CloudFront-Viewer-Country-Region, MaxMind GeoIP), routes users in AV-mandated states through a verification flow before any content renders, and serves non-AV-state users normally. The universal pattern verifies every user on first visit regardless of state — operationally simpler but loses non-AV-state users to verification friction. The exempt-content pattern routes AV-state users to a non-adult "safe" version of the site, with adult content available only after verification. Most operators pick the first or third pattern.

Verification methods vary by statutory tier. Tier-A states accept "reasonable methods" with operator discretion (in practice still government-ID or transactional-data verification — a self-attestation pop-up is unlikely to survive post-Paxton scrutiny). Tier-B states statutorily enumerate methods: a digitized identification card, verification of a government-issued ID, or a "commercially reasonable method based on public or private transactional data" (credit-header, mortgage, education, or employment records). Tier-C — Arkansas only — requires NIST Identity Assurance Level 2 proofing, which demands one piece of SUPERIOR or two pieces of STRONG identity evidence per NIST SP 800-63A plus an attribute binding to the user.

The verification-vendor capability landscape. Operators choose between full identity-verification platforms (document OCR, liveness detection, selfie-to-ID matching), commercial-database providers (transactional-data lookups against credit-header and public-record databases), age-estimation providers (neural models that infer age band from a selfie), state-issued digital ID systems (mobile drivers' licenses, or mDLs, under ISO/IEC 18013-5), and anonymized token providers (third-party issuers that return only a session-bound over-18 attestation without disclosing identity to the operator). Florida statutorily requires that at least one anonymized option be offered. Arkansas effectively requires an NIST IAL2-accredited vendor (Kantara IAL2 accreditation is the common attestation). The Louisiana, Utah, and Mississippi statutes explicitly contemplate state mDL credentials.

Age estimation is a filter, not a final verification. The May 2024 NIST IR 8525 evaluation reported an across-algorithm mean absolute error of approximately 3.1 years on the visa-photo database. That is insufficient near the 18-year statutory threshold to discharge a verification duty alone, but it is sufficient to filter clearly-over-21 users into a fast-path before invoking ID-based verification for users the model assesses as near 18. The two-stage pattern (estimation first, ID-verification for the close cases) materially reduces per-verification cost and friction without weakening compliance posture.

Edge-gating vs. origin-verification architecture. The dominant architecture is edge-level state determination plus session validation (CloudFront Functions, Lambda@Edge, or Cloudflare Workers intercept requests, determine which state's rules apply, check for a valid age-verification session cookie, and redirect unauthenticated AV-state users to the verification flow). The verification flow itself runs at the origin or with a third-party vendor. Edge gating minimizes origin load and supports the state-aware geofencing that Ohio HB 96 requires; in-house origin verification gives more control but exposes the operator to direct identity-data custody, raising retention-compliance issues.

Session state and cookie design. The standard pattern is an HMAC-signed cookie containing user identifier, verified flag, verification timestamp, assurance level, and (for Ohio) the geofence-cleared timestamp. Recommended attributes: HttpOnly, Secure, SameSite=Lax, and a TTL that respects Tennessee's 60-minute session limit, Ohio's 2-year reverification window, or the operator's internal expiry — whichever is shortest for the user's state. HMAC signing keys must be rotated and segregated from application-tier secrets. Session tokens must be tied to the verified user, not transferable across devices, and invalidated on logout or suspicious activity.
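One way to build the cookie described above, as an added example rather than code from the original page. The cookie name `av_session`, the key ids, the 30-day operator expiry, the device-tag scheme and the rule that Ohio requests need a geofence timestamp are assumptions; the keys are constructed samples.

```python
import base64
import hashlib
import hmac
import json

# Constructed keys, indexed by key id so cookies signed before a rotation still
# verify until the old key is retired. Keep these apart from app-tier secrets.
SIGNING_KEYS = {"k1": b"constructed-previous-key", "k2": b"constructed-current-key"}
CURRENT_KID = "k2"

OPERATOR_TTL = 30 * 24 * 3600                           # assumption: internal expiry
STATE_TTL = {"TN": 60 * 60, "OH": 2 * 365 * 24 * 3600}  # limits named in the text


def ttl_for(state):
    """Shortest of the state's limit and the operator's own expiry, in seconds."""
    return min(STATE_TTL.get(state, OPERATOR_TTL), OPERATOR_TTL)


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(kid, body):
    # The key id is covered by the MAC so it cannot be swapped after signing.
    return hmac.new(SIGNING_KEYS[kid], f"{kid}.{body}".encode(), hashlib.sha256).digest()


def device_tag(device_id):
    """Short hash binding the session to one device (hypothetical scheme)."""
    return hashlib.sha256(device_id.encode()).hexdigest()[:16]


def issue(user_id, state, assurance, device_id, now, geofence_ts=None, kid=None):
    """Build kid.payload.signature for a user who has just been verified."""
    kid = kid or CURRENT_KID
    claims = {"uid": user_id, "verified": True, "vts": now, "ial": assurance,
              "dev": device_tag(device_id), "exp": now + ttl_for(state)}
    if geofence_ts is not None:
        claims["gts"] = geofence_ts          # Ohio geofence-cleared timestamp
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{kid}.{body}.{_b64(_mac(kid, body))}"


def verify(cookie, state, device_id, now, revoked=frozenset()):
    """Return (ok, reason). `state` is the state the request is served in now."""
    parts = cookie.split(".")
    if len(parts) != 3 or parts[0] not in SIGNING_KEYS:
        return False, "malformed"
    kid, body, sig = parts
    try:
        if not hmac.compare_digest(_unb64(sig), _mac(kid, body)):
            return False, "bad-signature"
        claims = json.loads(_unb64(body))
    except ValueError:
        return False, "malformed"
    if claims.get("verified") is not True:
        return False, "not-verified"
    if claims["uid"] in revoked:             # logout or suspicious activity
        return False, "revoked"
    if not hmac.compare_digest(claims["dev"], device_tag(device_id)):
        return False, "device-mismatch"
    # Re-evaluate the TTL for the state serving this request: a cookie issued
    # under a longer TTL must not outlive Tennessee's 60 minutes.
    deadline = min(claims["exp"], claims["vts"] + ttl_for(state))
    if now >= deadline:
        return False, "expired"
    if state == "OH" and "gts" not in claims:
        return False, "geofence-not-cleared"
    return True, "ok"


def set_cookie_header(cookie, state):
    """Set-Cookie value with the attributes recommended in the text."""
    return (f"av_session={cookie}; Max-Age={ttl_for(state)}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")
```

Retiring a key is a matter of deleting its entry from `SIGNING_KEYS` once every cookie signed with it has passed its deadline.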

Data retention is the trap most operators fall into. Texas, Mississippi, Virginia, and Ohio prohibit retention of identifying information after verification; Texas penalizes per-instance retention at $10,000 per occurrence on top of the daily fine. Tennessee, conversely, requires 7-year retention of anonymized verification metadata. The compliant architecture: the verification vendor holds the underlying identity data (or, ideally, never persists it), the operator receives only a verified/not-verified token plus the age range (if needed) plus the geography, and the operator retains anonymized audit logs sufficient to demonstrate the verification ran. Vendor contracts should require zero retention or ultra-short retention windows (24 hours or less) as the baseline.

Geolocation strategies and the Utah problem. IP-based geolocation (commercial GeoIP databases plus CDN-supplied country/region headers) is adequate for Tier-A "reasonable" gating in most states. It is not sufficient by itself for Ohio, which requires a "licensed location-based technology provider" with dynamic monitoring, nor for Utah's SB 73 deemed-location rule (effective May 6, 2026, with enforcement stayed by stipulation until September 3, 2026), which treats VPN users as in-state regardless of the exit-node geography. The conservative posture: apply the strictest applicable state's verification regime by default for any user not affirmatively confirmed to be outside that state. Commercial VPN exit-node lists are maintained by several providers and updated continuously.

Rate limiting, WAF rules, and abuse prevention. Per-IP and per-device-fingerprint rate limits on the verification endpoint (typical: 5 attempts per hour per IP, 10 per device per 24 hours) reduce credential-stuffing and ID-replay attacks. CAPTCHA gating and managed-WAF rules sit in front of the verification flow on every production deployment. Brute-force attempts against the verification gate are continuous and visible in any well-instrumented logging stack.

Documentation is the practical compliance work. Every AV-state enforcement action filed to date has centered on whether the operator was running verification at all. Operators with documented verification infrastructure — vendor contract, traffic logs showing the verification gate intercepting AV-state users, audit trail showing per-user verification events — have not been the targets. Indiana's December 3, 2025 enforcement action against Aylo specifically pleads that the Indiana AG investigator accessed Aylo sites from Indiana using a VPN with a Chicago IP, and that geoblocking alone is "insufficient to comply with Indiana's Age Verification Law." Documentation is the work; the verification mechanics are the easier part.

Pending state legislation and what to plan for in 2026-2027

Which states are likely to pass age-verification laws next?

Active pending legislation, as of May 25, 2026. Two state bills are with governors: Iowa HF 864 passed the Senate 46–0 and the House 82–2 in April 2026; if signed, it takes effect July 1, 2026 with a $1,000 per-violation civil penalty under new Iowa Code Ch. 554J. Missouri HB 1839 passed both chambers and codifies the existing Missouri AG rule (15 CSR 60-17.010 et seq.) with $10,000-per-day penalties and a $250,000 per-minor penalty under proposed Mo. Rev. Stat. § 407.3405. Wisconsin AB 105 was vetoed by Governor Tony Evers on April 3, 2026, citing privacy and surveillance concerns — Wisconsin remains a non-AV state.

Ohio HB 84 is a deliberate redo of HB 96. Ohio HB 96 (the FY 2026–2027 biennial-budget AV provisions) took effect September 30, 2025. Aylo has publicly asserted that Section 230 of the Communications Decency Act immunizes its user-uploaded-content sites from HB 96. HB 84, reported out of the House Technology and Innovation Committee unanimously in early March 2026, is drafted to redefine covered entities and grant the Attorney General investigatory powers to address that asserted Section 230 defense. Reported daily penalties under HB 84 may reach $100,000. The Ohio Section 230 question is not settled, and HB 84 is the legislative response.

2026 session pipeline. Pennsylvania SB 603, Hawaii HB 1212 and HB 1198, Michigan SB 901 / SB 284 / HB 4429, and Minnesota HF 1875 / SF 2105 / HF 1434 are all active in their 2026 sessions. New Hampshire, New Jersey, New York, and Washington have AV bills introduced but not advanced. Historical passage rates for introduced state AV bills since 2023 run roughly 60–70% in red-state legislatures and 30–40% in swing-state legislatures. The realistic 2027 projection: 28–32 U.S. states with AV statutes in force, covering a clear majority of the U.S. population.

Device-level legislation is the second wave. Where the first wave targeted website operators, the second wave targets operating systems, device manufacturers, and app stores. California AB 1043 (Digital Age Assurance Act, signed October 2025) requires an OS-level age signal at account setup, effective January 1, 2027. Utah SB 142 / SB 152 already imposes app-store-level age verification. North Dakota SB 2380 mandates device-manufacturer and OS-level age signals. Texas SB 2420 (the state-level App Store Accountability Act) was preliminarily enjoined by a federal district court in December 2025, suggesting app-store-level AV faces stricter First Amendment scrutiny than site-level AV does after Paxton. Operators should not assume the device-level wave will displace site-level AV obligations — it is more likely to compound them.

Federal pipeline: pending, none enacted. Three federal AV bills are in process. The SCREEN Act (S.737 / H.R.1623, introduced February 26, 2025) is a site-level mandate with explicit VPN-aware verification language and FTC enforcement. The App Store Accountability Act (H.R.3149 / S.1586) is a store-level age-category verification with verifiable parental consent for minors and an express preemption clause; it was voted out of the House Energy and Commerce Committee on March 5, 2026 but floor consideration is pending. The Parents Decide Act (H.R.8250, introduced April 13, 2026) is an OS-level mandate requiring date-of-birth collection at account setup. None has cleared either chamber, and operator compliance planning should not yet incorporate federal preemption relief.

What to plan for if you are launching an adult site in 2026. Build verification infrastructure into your compliance design from day one. The cost of retrofitting verification after launch is materially higher than building it in. Pick a verification vendor whose contract permits per-state activation; you may not need verification in California today, but the device-level California AB 1043 mandate effective January 1, 2027 plus the realistic 2027 projection of 28–32 AV states means you want the ability to toggle states on without a re-procurement. Require zero-retention or ultra-short retention windows in the vendor contract; require SOC 2 Type II and ISO 27001 as baseline; require Kantara IAL2 accreditation if you intend to serve Arkansas users.

What to plan for if you are operating already. Re-audit your verification infrastructure annually and after any state passes a new law. Monitor state-AG enforcement priorities through industry channels (XBIZ, AVN, ASACP) and through the AVPA US State Compliance Calendar. The compliance work compounds — building robust verification infrastructure once pays back as each new state adds a configuration line rather than a new project. The states most likely to bring the next post-Paxton AG action are Texas, Florida, Indiana, Missouri, and Ohio (after the HB 84 redo lands); operators with traffic in those states should treat documentation and audit logs as first-class production deliverables, not after-the-fact compliance theatre.

Per-state architectural requirements - the distinctive obligations beyond verification

Which states impose architectural requirements beyond standard age verification?

Eight of the 25 in-force state AV statutes impose distinctive architectural or operational requirements that go beyond a generic government-ID verification flow. These provisions force operators into state-specific code paths and they are where most compliance gaps occur. The following deep-dive walks through each.

Ohio HB 96: geofencing plus biennial reverification. Ohio Revised Code § 1349.10, effective September 30, 2025, requires that any covered organization "utilize a geofence system maintained and monitored by a licensed location-based technology provider" that dynamically determines whether each user is in Ohio; if so, the site must block access until age verification has been completed. The statute also requires reverification of every user's age every two years and mandates that all information collected for age verification be deleted immediately after completion (except as needed for billing or account maintenance). Transfer of verification data is prohibited. Enforcement is AG-only with a 45-day cure period. Ohio is the only state requiring a licensed geofencing provider as a statutory minimum.

Florida HB 3: anonymized verification option required. Florida Statutes § 501.1737, effective January 1, 2025, applies to sites with 33.3% or more "harmful to minors" content. Florida is the only state that requires at least one anonymized verification option conducted by an independent third party that does not retain personal data. Civil penalties run up to $50,000 per violation; enforcement is AG-only. The Florida AG has filed multiple enforcement actions throughout 2025. The architectural pattern that satisfies HB 3: a session-bound token issued by a third-party credential provider that returns only an over-18 attestation, with no PII transmitted to the operator and no retention beyond the verification session.

Utah SB 73: VPN deemed-location and the 2% excise tax. Utah's original SB 287 (2023) was amended by SB 73 (signed March 19, 2026) with three significant changes. First, the deemed-location provision (effective May 6, 2026, with enforcement stayed by stipulation until September 3, 2026 pending preliminary injunction proceedings in Aylo v. Utah): a user is "deemed" to be in Utah based on physical location, even when using a VPN. Sites are prohibited from "encouraging" or providing instructions for VPN circumvention. Second, a 2% excise tax (effective October 1, 2026) on revenue from digital images, audio-visual works, audio content, digital books, and gaming services subject to AV — 90% earmarked for youth mental-health programs, 10% for enforcement. Third, a new enforcement architecture: $4 million startup appropriation, with the Utah Division of Consumer Protection gaining monitoring, investigation, citation, and disgorgement authority. The deemed-location provision creates asymmetric risk: an operator cannot reliably know a VPN user's true location, yet is liable if that user is physically in Utah.

Arkansas Act 612: the NIST IAL2 standard. Arkansas Code § 4-88-1304 (Act 612, effective August 1, 2023) is the only state statute that requires NIST Identity Assurance Level 2 proofing. IAL2, defined in NIST Special Publication 800-63-3, requires either remote or in-person identity proofing with strong evidence — typically one piece of "SUPERIOR" or two pieces of "STRONG" identity evidence per NIST SP 800-63A — plus a verified attribute binding to the user. Compliance practically requires a verification vendor whose proofing pipeline is independently tested (Kantara IAL2 accreditation is the common attestation). Enforcement is by private right of action; the "located in Arkansas" jurisdictional language has prompted commentary about whether out-of-state operators are within scope, with the prevailing reading being that any operator targeting Arkansas consumers triggers liability.

Tennessee: Class C felony plus 60-minute session limit plus 7-year retention. Tennessee Code Annotated § 39-17-912 (Public Chapter 1021, effective January 1, 2025) is the only state AV statute carrying felony penalties: a Class C felony for each violation, carrying 3–15 years of imprisonment plus a corporate fine up to $250,000 under Tenn. Code § 40-35-111(c), with parallel civil damages. The statute also imposes a 60-minute re-verification session limit — the operator must re-verify the user's age every 60 minutes — and requires 7-year retention of anonymized verification metadata. The preliminary injunction (entered by the Western District of Tennessee, December 30, 2024) was vacated November 4, 2025 post-Paxton; the statute is fully enforceable.

Texas, Mississippi, and Virginia: zero-retention prohibitions. Three Tier-B states explicitly prohibit retention of identifying information after verification completes. Texas HB 1181 imposes a per-instance retention penalty of $10,000 on top of the $10,000/day non-compliance penalty and the $250,000 per-minor penalty. Mississippi SB 2346 and Virginia SB 1515 carry the prohibition without the per-instance penalty but still expose operators to civil-damages and AG-enforcement risk for non-compliant retention. The compliant architecture: the verification vendor holds the underlying identity data (or, ideally, never persists it), the operator receives only a verified/not-verified token plus the geography, and the operator retains anonymized audit logs sufficient to demonstrate the verification ran.

Kansas's 25% threshold and Wyoming's no-threshold rule. Most state AV statutes use the 33⅓% "substantial portion" threshold borrowed from the federal Miller obscenity standard. Two states deviate. Kansas Stat. § 21-6420 sets the threshold at 25%, sweeping in more mixed-content sites than the standard rule. Wyoming Stat. § 6-4-201 sets no threshold at all — any adult content on a commercial site triggers AV obligations in Wyoming, regardless of how small a fraction of the site's overall content it represents. Mixed-content operators (general-audience sites with adult sections) should audit their Kansas and Wyoming exposure carefully before launch.

Louisiana's state-credential model. Louisiana HB 142 (Act 440, effective January 1, 2023) was the first state AV statute. Its distinctive feature is integration with the state-operated digital ID, which returns an over-18 attestation without disclosing the underlying identity. The PAVE Act (HB 77) layers on AG enforcement with a 30-day cure period and a civil penalty of $5,000 per day of violation, or $10,000 per day for knowing violations. Louisiana's state-credential model is increasingly the template other states reference when introducing mobile-drivers'-license-based AV provisions; per the American Association of Motor Vehicle Administrators, 21 U.S. states plus Puerto Rico have active TSA-accepted mDL programs as of mid-January 2026.

Alabama's health-warning requirement. Alabama Code § 13A-12-200.16 (effective October 1, 2024) and Texas HB 1181 both require operators to display a statutorily worded health warning about pornography's purported harms. The Texas warning's constitutionality was rejected by the district court below in Paxton and not appealed; the Alabama provision remains intact and enforceable. Operators should treat these compelled disclosures as required where statutorily mandated, while monitoring future First Amendment challenges to compelled-speech provisions in the AV context.

The architectural takeaway. A compliance architecture designed for a single Tier-A state will not scale across the 25-state landscape without state-specific branches. The minimum viable architecture is: edge-level state determination, verification-vendor abstraction with per-state method selection (IAL2 for Arkansas, anonymized for Florida, transactional-data-or-IAL2 for Tier-B states, reasonable method for Tier-A), per-state session TTL (60 minutes for Tennessee, up to 2 years for Ohio with biennial reverification), per-state retention policy (zero for Texas/MS/VA/OH, 7-year anonymized for Tennessee, vendor-default elsewhere), and per-state disclosure rendering (health warnings for Texas and Alabama). Build the abstraction once; let new states add configuration, not code.
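The abstraction above written as configuration plus one resolver, including the strictest-by-default posture for users whose location is not affirmatively confirmed. This is an added example, not code from the original page: the field names and the `resolve` and `gate` functions are hypothetical, `region` is assumed to be a U.S. state code from the edge geo signal (or `None`), and "strictest" is taken here to mean the union of every state's obligations.

```python
from dataclasses import dataclass
from typing import Optional

# Tier assignments transcribed from the state table on this page.
TIERS = {
    "A": "IN ID KS NE FL SC AL OK GA WY SD ND AZ OH MO".split(),
    "B": "LA UT MS VA TX MT NC KY TN".split(),
    "C": ["AR"],
}
TIER_METHOD = {"A": "reasonable", "B": "enumerated", "C": "ial2"}
METHOD_RANK = {"reasonable": 0, "enumerated": 1, "ial2": 2}


@dataclass(frozen=True)
class Policy:
    method: str                                # minimum verification method
    offer_anonymized: bool = False             # Florida
    session_ttl: Optional[int] = None          # seconds; None = operator default
    retain_identifying: Optional[bool] = None  # False = prohibited; None = vendor default
    anonymized_audit_years: int = 0            # Tennessee
    health_warning: bool = False               # Texas and Alabama, as listed in the text
    licensed_geofence: bool = False            # Ohio


# Per-state deviations from the tier default: adding a state is a new row here.
OVERRIDES = {
    "FL": {"offer_anonymized": True},
    "TN": {"session_ttl": 60 * 60, "anonymized_audit_years": 7},
    "OH": {"session_ttl": 2 * 365 * 24 * 3600, "retain_identifying": False,
           "licensed_geofence": True},
    "TX": {"retain_identifying": False, "health_warning": True},
    "MS": {"retain_identifying": False},
    "VA": {"retain_identifying": False},
    "AL": {"health_warning": True},
}

POLICIES = {
    state: Policy(method=TIER_METHOD[tier], **OVERRIDES.get(state, {}))
    for tier, states in TIERS.items() for state in states
}


def strictest(policies):
    """Union of obligations: highest method, shortest TTL, no identifying retention."""
    ps = list(policies)
    ttls = [p.session_ttl for p in ps if p.session_ttl is not None]
    return Policy(
        method=max((p.method for p in ps), key=METHOD_RANK.get),
        offer_anonymized=any(p.offer_anonymized for p in ps),
        session_ttl=min(ttls) if ttls else None,
        retain_identifying=False if any(p.retain_identifying is False for p in ps) else None,
        anonymized_audit_years=max(p.anonymized_audit_years for p in ps),
        health_warning=any(p.health_warning for p in ps),
        licensed_geofence=any(p.licensed_geofence for p in ps),
    )


def resolve(region, location_confirmed=True):
    """Policy for a request; None means no AV statute applies to this region."""
    if region is None or not location_confirmed:   # e.g. known VPN exit node
        return strictest(POLICIES.values())
    return POLICIES.get(region)


def gate(region, location_confirmed, session_valid):
    """Edge decision: (action, policy the origin must still honour)."""
    policy = resolve(region, location_confirmed)
    if policy is None:
        return "serve", None
    if not session_valid:
        return "redirect-to-verification", policy
    return "serve", policy          # policy still drives disclosures and retention
```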

States with active age-verification laws as of 2026

Which states currently require age verification for adult sites?

Twenty-five U.S. states have age-verification statutes in force as of May 25, 2026. Two more (Iowa HF 864 and Missouri HB 1839) have been passed by both chambers and await gubernatorial signature. Wisconsin AB 105 was vetoed in April 2026. The table below summarizes the current statutory landscape.

Tiering by verification-method specificity. The 25 in-force statutes fall into three tiers. Tier A states allow "reasonable methods" with operator discretion (in practice still government-ID or transactional-data verification — a self-attestation checkbox is unlikely to be defensible after Paxton). Tier B states statutorily enumerate methods, requiring a digitized ID, government-issued ID, or a "commercially reasonable method based on transactional data" (credit-bureau, mortgage, education, or employment records). Tier C — Arkansas alone — requires NIST Identity Assurance Level 2 (IAL2) proofing, the strictest standard on the books.

| State | In force | Tier | Enforcement | Notable feature |
|---|---|---|---|---|
| Louisiana | Jan 2023 | B | AG + private right of action | State digital-ID model; PAVE Act $5K–$10K/day |
| Utah | May 2023 | B | AG + private | SB 73: VPN-deemed-location; 2% excise tax Oct 1, 2026 |
| Mississippi | Jul 2023 | B | Private right of action | Retention of identifying info prohibited |
| Virginia | Jul 2023 | B | AG + private | Data-retention prohibition |
| Arkansas | Aug 2023 | C | Private right of action | NIST IAL2 required (strictest standard) |
| Texas | Sep 2023 | B | AG only | $10K/day + $250K if minor accesses; health warning required |
| Montana | Jan 2024 | B | Private | |
| North Carolina | Jan 2024 | B | Private | Commercial-database method |
| Indiana | Jul 2024 | A | AG + private | First post-Paxton AG enforcement (Dec 3, 2025) |
| Idaho | Jul 2024 | A | Private | |
| Kansas | Jul 2024 | A | Private | 25% content threshold (lower than 33⅓%) |
| Kentucky | Jul 2024 | B | Private | Must remove personal data after access review |
| Nebraska | Jul 2024 | A | Private | |
| Florida | Jan 2025 | A | AG | Anonymized verification option required; up to $50K/violation |
| South Carolina | Jan 2025 | A | Private | |
| Tennessee | Jan 2025 | B | AG + private | Class C felony per violation; 60-min session; 7-yr anonymized retention |
| Alabama | Oct 2024 | A | Private | Health warning required |
| Oklahoma | Nov 2024 | A | Private | |
| Georgia | Jul 2025 | A | AG + private | Also covers social media |
| Wyoming | Jul 2025 | A | Private | No content threshold — applies to any adult content |
| South Dakota | Jul 2025 | A | Private | Bank/card data permitted as method |
| North Dakota | Aug 2025 | A | Private | |
| Arizona | Sep 2025 | A | AG + private | $10K/day + $250K if minor accesses |
| Ohio | Sep 2025 | A | AG only | Geofencing + biennial reverification; 45-day cure period |
| Missouri | Nov 2025 | A | AG only | $10K/day under AG rule; HB 1839 statutory codification pending |
| Iowa (pending) | Jul 2026 if signed | A | AG | $1,000 per violation; passed Senate 46-0, House 82-2 |
| Wisconsin (vetoed) | | | | AB 105 vetoed by Gov. Evers April 3, 2026 |

What "covered site" means. Most state AV laws apply to sites where one-third or more of the content is "harmful to minors" (the threshold language borrowed from the federal Miller obscenity standard). Two states deviate: Kansas sets the threshold at 25%, and Wyoming sets no threshold at all — any adult content triggers AV obligations. Sites that are clearly adult-content businesses are unambiguously covered everywhere. Sites that are mixed-content or have adult sections grafted onto general-audience platforms occupy murkier territory and have been the focus of most enforcement-edge litigation.

How to read the enforcement column. AG-only states (Texas, Florida, Ohio, Missouri) concentrate risk in state-AG enforcement priorities — political will and a single decision-maker drive exposure. Private-right-of-action states (Arkansas, Mississippi, Idaho, Wyoming, South Dakota, North Dakota) expose operators to potentially many private suits, including class actions. The states that authorize both AG and private enforcement (Indiana, Tennessee, Virginia, Utah, Georgia, Arizona, Louisiana) present the highest combined exposure surface. Indiana's December 3, 2025 enforcement action against Aylo (parent of Pornhub) was the first post-Paxton AG enforcement and is expected to set precedent on whether geoblocking alone discharges the duty when VPN circumvention is foreseeable.

Treat this table as the starting point, not the entirety of your compliance work. Each state's implementing regulations specify which methods qualify, what data may be retained, and what disclosures must accompany the verification flow. Engage adult-industry counsel licensed in your operating states before launching anywhere with active AG enforcement.

Why state age-verification laws exist and how the wave started

Why are states passing age-verification laws for adult sites?

The Supreme Court settled the constitutional question on June 27, 2025. In Free Speech Coalition, Inc. v. Paxton, 606 U.S. 461 (2025), the Court upheld Texas H.B. 1181 by a 6–3 vote, holding that state age-verification mandates targeting websites with material obscene-as-to-minors are reviewed under intermediate scrutiny rather than strict scrutiny. The practical effect is direct: every preliminary injunction previously entered against a state AV statute has been vacated, and the rate of new state passage has accelerated. State legislatures now operate with confidence that AV laws as currently drafted will survive constitutional challenge.

The wave started with Louisiana in 2022. Louisiana's House Bill 142 (Act 440) took effect January 1, 2023, making it the first U.S. state to impose a verified-age requirement on commercial adult websites with civil liability for non-compliance. The statute was permissive in mechanism — operators could choose from several verification methods, and Louisiana's state-issued digital ID could satisfy it — but it established the template. As of May 25, 2026, 25 states have AV statutes in force and two more (Iowa HF 864 and Missouri HB 1839) are awaiting gubernatorial action.

The underlying political coalition is unusual. Adult-site AV laws have passed in deep-red states (Mississippi, Alabama, Tennessee, Arkansas) and in swing or purple states (Virginia, Montana, North Carolina, Florida, Indiana) with comparable margins. Wisconsin AB 105 was the lone 2026 veto, rejected by Governor Tony Evers on April 3, 2026 on privacy and surveillance grounds. The coalition supporting these laws spans religious conservatives, child-protection advocates, parents' rights groups, and some anti-trafficking organizations. Opposition has come from the adult industry, civil-liberties groups, and privacy advocates worried about government-ID collection for sexual-content access. As a political matter, the coalition in favor is concentrated and motivated; the coalition against is diffuse and split.

What "intermediate scrutiny" means for operators. Under Paxton, a state AV law survives First Amendment review if it (1) furthers the state's compelling interest in shielding minors and (2) does not impose more than an incidental burden on adults' access to protected speech. That standard is meaningfully more permissive than the strict-scrutiny standard the adult industry argued for and that lower courts had previously applied to age-gating regimes. The Court distinguished its 1990s internet cases — Reno v. ACLU (1997) and Ashcroft v. ACLU (2004) — on the ground that they addressed "the internet" as it existed before mobile devices and streaming. Justice Thomas wrote the majority; Justices Kagan, Sotomayor, and Jackson dissented.

The Paxton holding does not generalize to social media. In an August 14, 2025 concurrence to the denial of an emergency stay in NetChoice, LLC v. Fitch (challenging Mississippi's social-media AV law), Justice Kavanaugh wrote that the Mississippi law "is likely unconstitutional" under existing precedent. Operators running general-audience platforms should not assume Paxton extends to their regulatory exposure; AV requirements on speech that is constitutionally protected for both adults and minors remain on different footing.

The practical implication. The state-AV landscape is not a phase that passes; it is the new baseline. Operators should plan for: more states passing similar laws year-over-year, existing laws getting stricter via amendments (Utah's SB 73 added VPN-deemed-location liability and a 2% excise tax in 2026), the verification-vendor market consolidating around providers with NIST IAL2 accreditation, and meaningful traffic loss from AV-state geographies as users either go to compliant alternatives or shift to VPN traffic. The compliance work is real but tractable; the revenue impact is real and not fully avoidable.