Learn more about the latest security and privacy threats
Back

Nebraska's social media age verification law blocked days before it took effect

Michelangelo Frigo Michelangelo Frigo (Co-Founder at Zyphe) Published July 2, 2026 Reviewed by Charlene Wang
Editorial illustration for the article "Nebraska's social media age verification law blocked days before it took effect".

A federal judge blocked Nebraska's social media age verification law on First Amendment grounds, days before its July 2026 start. What it means for compliance.

Table of contents

A federal judge blocked the core of Nebraska's social media age verification law on 27 June 2026, days before it was due to take effect. In NetChoice v. Hilgers, Judge John Gerrard enjoined the age check and parental consent duties as likely to violate the First Amendment, while leaving the parental monitoring log in force.

  • Judge Gerrard preliminarily enjoined LB 383 sections 28(1)(a) and 28(2), the age verification and express parental consent requirements, on 27 June 2026.
  • The court held LB 383 is "facially content-based," applied strict scrutiny, and found "the law is not narrowly tailored."
  • The parental oversight log and the rest of LB 383 may still be enforced by the Nebraska Attorney General.
  • The ruling splits from the Supreme Court's 2025 Paxton decision, which upheld adult-content age checks under a lower standard.
  • This is a preliminary injunction, not a final judgment; an appeal to the Eighth Circuit is likely.

What did the court actually block?

The US District Court for the District of Nebraska enjoined the two provisions that force platforms to gate accounts. On 27 June 2026, Senior Judge John Gerrard granted NetChoice's motion in part, barring the Attorney General from enforcing the social media age verification and parental consent duties that were set to start on 1 July 2026. Everything else in the statute survives.

LB 383, the Parental Rights in Social Media Act, required a "social media company" to "use a reasonable age verification method to verify the age of an individual seeking to become an account holder," and to obtain "express parental consent" before a minor could open an account. A minor is anyone the platform reasonably believes is under eighteen and resident in Nebraska. Those are the two clauses now frozen. On the constitutional question, Judge Gerrard wrote that "the law is not narrowly tailored" (order at 19).

ItemDetail
CaseNetChoice v. Hilgers, No. 4:26-CV-3149 (D. Neb.)
RulingPreliminary injunction granted in part, 27 June 2026
Provisions enjoinedLB 383 section 28(1)(a) age verification, section 28(2) parental consent
Left in forceParental activity log and remaining sections
Original start date1 July 2026
EnforcerNebraska Attorney General

The distinction matters. The court did not strike down parental oversight as a concept. It struck down the gate that would have required every prospective user, adult and minor, to prove their age before speaking on a covered platform. That gate, not the monitoring dashboard, is what burdened protected speech for every user. The court's separate finding that the law is content-based is what pushed that burden into strict scrutiny.

Why did the judge apply strict scrutiny?

The court applied strict scrutiny because it found LB 383 is content-based, the most demanding constitutional test. A law is content-based when whether it applies turns on what a platform lets people say rather than on some neutral feature. Judge Gerrard found LB 383 met that description because its exemptions carved out platforms by the type of content they carry, so it fails unless narrowly tailored to a compelling interest.

Nebraska argued the statute was content-neutral and should face only intermediate scrutiny, the standard the Supreme Court used to uphold Texas's adult-content law in Free Speech Coalition v. Paxton in June 2025. The court rejected that comparison. The order found social media carries what earlier precedent calls "the very stuff of the First Amendment," politics, religion and art, not just material a state may keep from minors. Because LB 383 was "facially content-based" (order at 16), reached protected speech and was underinclusive, it could not clear the bar. The mental-health evidence, the court found, did not match a statute that captured many benign platforms and exempted others with the same features.

FactorFSC v. Paxton (2025)NetChoice v. Hilgers (2026)
Speech reachedAdult content sitesAll covered social media
Scrutiny appliedIntermediateStrict
OutcomeStatute upheldProvisions enjoined
CourtUS Supreme CourtD. Neb., preliminary
StatusFinalInterlocutory, appealable

This is why the same broad idea, verify age before access, can pass in one setting and fail in another. Paxton concerned speech states may lawfully keep from children. A social media age verification mandate reaches lawful speech for everyone, which is why it drew the tougher standard.

What does this mean for your age assurance obligations?

For any platform serving Nebraska users, the immediate obligation is narrow and specific. You are not required to run social media age verification or collect parental consent under LB 383 sections 28(1)(a) and 28(2) while the injunction stands. You still must honour the parental activity log and the other provisions the court left untouched, so do not switch off compliance work wholesale.

The wider mapping is where the real work sits, because a single injunction does not lift duties elsewhere. The table below shows how the main regimes interact with this ruling, and how much of your programme actually changes.

Regime or dutyWhat it requiresChanged by this ruling?
LB 383 s.28(1)(a), s.28(2)Age check and parental consent to open an accountEnjoined in Nebraska while the injunction stands
LB 383 s.29 and remaining sectionsParental activity log and handling of age dataIn force
Other state age-assurance and app-store lawsVary by state, with separate effective datesUnaffected
UK Online Safety Act, EU age verificationAge assurance for in-scope servicesUnaffected
GDPR and US state privacy lawsPurpose limitation, data minimisation, deletionUnaffected
COPPADuties for users under thirteenUnaffected

The signal is that only two specific duties pause, and only in Nebraska. Where you still collect age or identity signals, data-protection rules bite hard, and LB 383 itself at section 29 constrains how age data may be handled. None of the privacy or child-safety duties above is suspended by this ruling.

The practical lesson is to decouple the legal trigger from the technical method. Whether a given age check is lawful is a fast-moving constitutional question. How you perform it, and how much personal data you retain if you do, is squarely within your control and is where liability accumulates when a vendor is breached.

What is still uncertain about social media age verification law?

The biggest uncertainty is that this is a preliminary ruling, not a final one. The injunction rests on NetChoice's likelihood of success, so the merits are not settled and Nebraska can appeal to the Eighth Circuit. A higher court could restore the provisions, and the standard, strict versus intermediate scrutiny, is exactly what is contested.

There is also a live split among courts. The order notes that the Sixth Circuit and courts in Utah have subjected similar laws to First Amendment scrutiny, while the Ninth Circuit and a Fifth Circuit panel went the other way. That divergence invites Supreme Court review and leaves multi-state platforms guessing which rule applies where.

Operationally, the risks are concrete. Build age verification to meet one state, and a neighbouring court may bless or bar the same design. Turn systems off, and a reversal could leave you non-compliant within weeks. The parental log survived here, so any platform reading the ruling as a green light to drop all child-safety features is misreading it. The safest posture treats age assurance capability as something you can switch on per jurisdiction, not a single global toggle, and minimises the identity data you hold in the meantime.

How does this fit the wider age verification patchwork?

This ruling is one data point in a rapidly diverging map of social media age verification law. Multiple US states set effective dates around 1 July 2026, courts are reaching opposite conclusions, and Europe is moving on a parallel track through the EU Digital Identity Wallet and national schemes. A compliance team cannot assume the Nebraska outcome travels.

The through-line across all of them is that age checks increasingly demand an identity signal, which turns every covered platform into a collector of sensitive data. The privacy critique that runs through these cases, that forcing users to hand over a government identity document to speak chills lawful expression, is the same risk that makes centralised identity stores a target. Data-minimising age assurance, which proves a single attribute such as "over 18" without disclosing or storing the underlying document, addresses that privacy harm even where it cannot resolve the separate constitutional question about which speech a state may gate. See our related coverage of the EUDI wallet biometric portrait change and Germany's Digital Identities Act for how Europe is trying to square that circle.

How should compliance teams respond?

Start by scoping exactly which of your services meet each state's definition and which provisions are enjoined versus in force, because the Nebraska injunction is partial and specific. Keep the parental log and other surviving duties running. Map your age assurance obligations across every jurisdiction you serve, and record the acceptable methods and retention limits for each. Then audit what identity data any age check collects and stores, and cut retention to the legal minimum so a vendor breach cannot become a mass exposure. Build the capability to enable or disable age verification per jurisdiction, given how fast the courts are moving. See how it works for the data-minimising pattern, and our analysis of whether KYC data is safe after recent identity-vendor breaches.

Zyphe was built for exactly this problem. Our decentralised network shards personal data across more than 60,000 nodes with no central honeypot and a customer-held key, so an age or identity proof can be verified without any single store holding a complete record. If you want to offer age assurance that minimises the data you retain, book a demo.

The bottom line

The Nebraska ruling shows how unsettled social media age verification law has become. A court can bless age checks for adult content and bar them for general speech in the same year, and the split among circuits means the rule you build to today may not survive tomorrow. For teams running age assurance, the durable move is to treat the legal trigger as jurisdiction-specific and volatile, and to minimise the identity data any check retains, so a shifting constitutional line never becomes a data-breach headline.

Cited sources

Michelangelo Frigo Michelangelo Frigo (Co-Founder at Zyphe) Michelangelo Frigo is a privacy and identity infrastructure expert and co-founder of Zyphe.

Frequently Asked Questions

No. Judge Gerrard granted a preliminary injunction in part. He enjoined the age verification and parental consent provisions in LB 383 sections 28(1)(a) and 28(2), but left the parental activity log and the remaining sections in force. The case now proceeds toward a final judgment, and the ruling can be appealed.

The 2025 Paxton decision concerned adult content, speech that states may lawfully keep from minors, and the Court applied intermediate scrutiny. LB 383 reached all speech on covered social media, including politics and religion. The Nebraska court found the law content-based, applied strict scrutiny, and held it was not narrowly tailored.

While the injunction stands, platforms are not required to perform the LB 383 age check or collect parental consent under the enjoined provisions. Other duties the court left in place, and obligations under other states' laws and privacy regimes, continue to apply. The position could change if an appellate court restores the provisions.

Any age check that captures a government identity document or biometric creates a store of sensitive data that can be breached, misused or over-retained. Data-protection rules require purpose limitation and deletion of what you no longer need. Minimising the identity data an age check retains reduces both regulatory and breach exposure.

Not directly. The decision interprets the US First Amendment and binds only the parties in Nebraska. The EU is advancing age verification through the Digital Identity Wallet, and the UK enforces the Online Safety Act. Platforms operating across regions must map each regime separately rather than assume one outcome applies everywhere.

See privacy-first KYC in action

Verify identity without storing a single document. Reusable credentials, an exportable audit trail, and a 15-minute integration.

Book a demo