To download an app in Texas from now on, you’ll need to show your papers – not at a physical store, but to Google and Apple. The US Supreme Court has refused to block the state law that turns the two app stores into the age gatekeepers of mobile software, a move that reshapes the perimeter of control over digital platforms.

Designed to protect minors, the law forces the stores to verify a user’s age before allowing any app install. Beyond its stated goal, the mechanism clashes head-on with the current architecture of mobile ecosystems: until now, age was managed at the individual app or account level, with fragmented data exposure. Texas now centralizes that function, compelling the global gatekeepers to collect and process personal identity information on a potentially unlimited scale.

This strikes a raw nerve for anyone thinking in terms of data sovereignty. Faced with the obligation, Apple and Google could build the verification infrastructure on external cloud services, with all that entails for personal data flows, GDPR compliance, and exposure to surveillance demands. Or they could push toward on-device verification models, where age is attested without ever leaving the device, perhaps relying on secure enclaves and decentralized authentication. It’s the same choice the Large Language Model world knows well: run inference in the cloud or locally, trading off convenience against control.

The story carries a structural signal. For years, the on-premise AI ecosystem has grown because companies and developers refuse to hand sensitive data management to third parties. If the Texas law inspires copycat regulation in other states or in Europe, it will push the identity layer in the same direction: no longer a service outsourced to big providers, but a function embedded in the device or in self-controlled infrastructure. Those already orchestrating self-hosted machine learning pipelines, with heavy quantization to make models run on modest hardware, might soon need to integrate age-verification modules without ceding data to intermediaries, just to comply with similar laws.

Of course, the Apple-Google duopoly won’t sit idle. The law’s actual implementation could turn into opaque mechanisms valid only for a specific store, adding yet another barrier for alternative stores or sideloading. But that very friction opens space for open architectures: if age verification becomes a legal requirement, systems based on anonymous attestations and zero-knowledge proofs could give users back control of their identity, turning the device into a vault of verifiable credentials rather than a mere terminal for a remote database.

Texas just lit a fuse that goes far beyond child protection. It has placed on the table the question that has haunted the cloud for years: who guards identity, and with what guarantees? The answer, still to be built, could reward those who already refuse to delegate anything that can stay locked inside their own servers or, even better, inside the chips of the device in our pocket.