California’s Age Verification Law Forces Tech to Choose Between Privacy and Compliance
AB 1043 mandates OS-level age checking starting January 2027, creating enforcement nightmares for Linux distros while Big Tech quietly supported the compromise.
California’s Digital Age Assurance Act requires every operating system provider—from Windows to obscure Linux distributions—to collect age data at account setup and transmit it to app developers via real-time API, with enforcement beginning January 1, 2027.
The law, signed by Governor Gavin Newsom in October 2025, applies to anyone who “develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device,” according to Tom’s Hardware. OS providers must maintain a “reasonably consistent real-time application programming interface” that categorizes users into four age brackets—under 13, 13 to under 16, 16 to under 18, and 18 or older—and hand that signal to any developer who requests it when their app is downloaded or launched.
The approach differs markedly from Texas, Louisiana, and Utah laws that California joined as the fourth state to enact age signal legislation in 2025. Unlike those states which require “commercially reasonable” verification methods such as government-issued ID checks, AB 1043 does not require photo ID uploads or facial recognition, with users instead simply self-reporting their age. Kelley Drye notes that this compromise approach was reported to garner support from Big Tech companies that had opposed the earlier initiatives in Utah and Texas.
The Liability Shift That Changes Everything
The law’s most consequential feature isn’t the age collection mechanism—it’s what happens afterward. Developers who receive the signal are “deemed to have actual knowledge” of their users’ age range under the law, which shifts legal liability for age-appropriate content decisions onto them. According to Alston & Bird, this knowledge can trigger additional obligations under other laws. For example, the CCPA and CAADCA impose restrictions on targeted advertising and requirements for enhanced data protection measures on businesses that knowingly process children’s personal information. Similarly, developers that knowingly collect personal information from users under 13 may be subject to COPPA, including its requirement to obtain verifiable parental consent.
The Act shifts the age assurance responsibility to providers of Operating Systems like Windows, MacOS, iOS, and Android, reducing friction caused by multiple age gates and giving developers a uniform basis to offer safer digital environments for children. However, the law places collection and disclosure restrictions on age assurance information, prohibiting operating system providers and app developers from collecting or requesting more information than necessary or sharing the signal with third parties for a purpose not required under the law.
Linux’s Existential Threat
The law’s sweeping definition creates an enforcement paradox for open-source operating systems. Enforcement against Linux distributions is likely to be problematic. Distros like Arch, Ubuntu, Debian, and Gentoo have no centralized account infrastructure, with users downloading ISOs from mirrors worldwide, and can modify source code freely. These small distros lack legal teams or resources to implement the required API, so a more realistic outcome for non-compliant distros is a disclaimer that the software is not intended for use in California.
Boing Boing reports that the OSI, FSF, Software Freedom Conservancy, and Linux Foundation all sat out the legislative process—no testimony, no public analysis, no formal opposition on the record. That silence may prove costly. Several Linux operating system distributions, such as Ubuntu, do not have a centralized account infrastructure in place, compared to Windows and macOS. Ergo, Linux OS distros are likely to be found non-compliant by default in California.
Constitutional Challenges Loom Despite Big Tech Support
While California’s self-attestation model avoided the facial ID requirements that sparked user revolts against Discord and Roblox, constitutional questions remain. Recent lawsuits have been filed by an industry association and a student advocacy organization claiming that Texas’ law is unconstitutional under the First Amendment. The lawsuits allege the law’s parental consent requirements unconstitutionally restrict speech. According to Troutman Privacy, Texas and Louisiana’s laws go into effect January 1, 2026, and Utah’s law will go into effect May 6, 2026.
The Electronic Frontier Foundation argues that courts have issued preliminary injunctions blocking laws in Arkansas, California, and Texas because they likely violate the First Amendment rights of all internet users. However, Privacy laws that have been upheld under the First Amendment, or cited favorably by courts, include those that regulate biometric data, health data, credit reports, broadband usage data, phone call records, and purely private conversations.
Governor Acknowledges Implementation Gaps
Even Newsom recognized the law’s limitations. Despite signing it, Newsom issued a statement urging the legislature to amend the law before its effective date, citing concerns from streaming services and game developers about “complexities such as multi-user accounts shared by a family member and user profiles utilized across multiple devices.” Kelley Drye reports that Assemblymember Buffy Wicks, the sponsor of AB 1043, has signaled she is open to working with streaming providers on a potential fix in the coming year, according to Politico.
“This avoids constitutional concerns by focusing strictly on age assurance, not content moderation.”
— Assemblymember Buffy Wicks, AB 1043 Author
Indeed, streaming services and videogame developers have raised concerns that the bill does not fit their current age assurance methods. Yet as of this writing, no amendments to AB 1043 have been proposed, so the law will go into effect in its current state, according to Game Rant.
The National Precedent California Sets
California’s regulatory approach typically cascades nationwide, and age verification is no exception. Ondato reports that roughly half of U.S. states now mandate some form of age gating for adult content or social media access, and additional laws are expected to take effect in 2026. 2025 was the year age verification went from a fringe policy experiment to a sweeping reality across the United States. Half of the U.S. now mandates age verification for accessing adult content or social media platforms.
| State | Verification Method | Enforcement Entity | Effective Date |
|---|---|---|---|
| California | Self-reported age signals | Attorney General only | January 1, 2027 |
| Texas | Commercially reasonable verification | AG + Private right of action | January 1, 2026 |
| Utah | Commercially reasonable verification | AG + Private right of action | May 6, 2026 |
| Louisiana | ID verification or transactional data | Attorney General | July 1, 2026 |
The EFF warns that lawmakers in Wisconsin and Michigan have set their targets on virtual private networks, or VPNs—proposing various legislation that would ban the use of VPNs to prevent people from bypassing age verification laws. AI chatbots are next on the list, with several states considering legislation that would require age verification for all users. Behind the reasonable-sounding talking points lies a sprawling surveillance regime that would reshape how people of all ages use the internet.
What to Watch
- Linux ecosystem response: Whether major distributions implement compliance mechanisms, geofence California users, or challenge enforcement. The Free Software Foundation’s continued silence suggests coordinated resistance is unlikely.
- Legislative amendments: The 2026 California legislative session could address streaming service carve-outs and multi-device account handling. Governor Newsom’s signing statement created a roadmap for industry lobbying.
- Cascade effects: Watch whether other states adopt California’s self-attestation model or stick with ID-based verification. The former preserves some privacy; the latter creates centralized identity databases.
- Federal preemption: Congress has repeatedly failed to pass COPPA 2.0 or KOSA. A national standard would eliminate the compliance patchwork, but bipartisan agreement remains elusive amid free speech and privacy debates.
- Supreme Court doctrine: The Texas adult content case upheld age verification for sexually explicit material. Whether that “pornography exception” extends to general social media platforms will determine the constitutional boundaries of age-gating laws.
The law’s January 2027 effective date gives the tech industry 10 months to build infrastructure that doesn’t yet exist in standardized form. For devices where account setup was completed prior to January 1, 2027, operating system providers must, before July 1, 2027, provide an accessible interface enabling the account holder to indicate the user’s birth date, age, or both. That grace period may prove insufficient for the decentralized open-source ecosystem that powers much of the internet’s infrastructure—a reality that California’s legislature appears to have discovered only after the bill became law.