California’s Operating System Age Gate Goes Live in Ten Months
AB 1043 requires Windows, macOS, and Linux to collect user age during setup and transmit signals to every app—no ID required, but enforcement on open-source remains unclear.
California’s Digital Age Assurance Act takes effect January 1, 2027, mandating that all operating systems—from Windows and macOS to Linux distributions—collect age data during account setup and transmit age bracket signals to application developers via API. The law, signed by Governor Gavin Newsom in October 2025, marks the first time a U.S. jurisdiction has regulated age verification at the operating system level rather than targeting individual platforms or websites.
How the System Works
Operating system providers must add an interface during account setup requiring users to indicate their birth date or age, then transmit digital age bracket signals—under 13, 13-15, 16-17, or 18+—to app developers via real-time API, according to Alston & Bird. The law explicitly states that operating system providers need not collect government IDs or photos to verify age—users simply self-report.
Application developers must request age signals when apps are downloaded and launched, and once received, developers are deemed to have actual knowledge of users’ age ranges, triggering obligations under other laws including COPPA, CCPA, and California’s Age-Appropriate Design Code Act. Violations carry civil penalties up to $2,500 per affected child for negligent violations or $7,500 for intentional violations, enforced exclusively by the California Attorney General.
For devices where account setup was completed before January 1, 2027, operating system providers must provide an accessible interface enabling account holders to indicate user age by July 1, 2027, reports Hunton Andrews Kurth.
Windows Ready, Linux Unclear
Windows already requires users to enter their date of birth during Microsoft Account setup, notes PC Gamer. Apple and Google operate similar systems for iCloud and Google accounts. But the requirement that all operating system providers must comply has drawn ire from Linux communities.
The law defines an operating system provider as any person or entity that develops, licenses, or controls operating system software on computers, mobile devices, or general-purpose computing devices. This explicitly includes open-source distributions like Ubuntu, Fedora, and Linux Mint—entities typically without centralized commercial gatekeepers.
Linux Mint community members questioned enforcement feasibility. “This is basically impossible for California to enforce,” one user wrote on the Linux Mint subreddit, adding that even if distributions add Age Verification to comply, “there’s no reason anyone would choose that version”. The law provides no mechanism for compelling compliance from international volunteer-maintained projects or users who compile Operating Systems from source code.
An operating system provider is defined as any person or entity that develops, licenses, or controls operating system software on a computer, mobile device, or any other general-purpose computing device, which theoretically encompasses hundreds of Linux distributions, BSD variants, and niche operating systems with unclear legal entities.
Industry Support, Privacy Concerns
Major tech players including Google, Meta, Snap, and OpenAI supported the bill after months of negotiation, viewing device-level verification as preferable to more invasive ID-based systems, according to a Medium analysis. The California model shifts compliance obligations to app developers while dispensing with rigid age verification and parental consent frameworks, garnering support from Big Tech companies that opposed earlier initiatives in Utah and Texas.
The Motion Picture Association—representing Netflix, Disney, and Universal—formally requested a veto, citing concerns about conflicts with existing parental control systems and multi-profile account structures. Streaming services already use profile-based age controls; the device-level signal creates friction when multiple family members share devices.
“Age-verification measures censor the internet and burden access to online speech. They undermine the fundamental speech rights of adults and young people alike, create new barriers to internet access, and put at risk all internet users’ Privacy, anonymity, and security.”
— Electronic Frontier Foundation, 2025 Year in Review
The Electronic Frontier Foundation opposes age verification mandates, arguing they censor the internet, burden online speech, undermine rights of adults and young people, create access barriers, and risk users’ privacy, anonymity, and security, according to their 2025 review. Device-level and app-store age verification laws seriously impact users from accessing information, blocking not only adult content but every bit of content provided by every application.
Privacy advocates note AB 1043 correctly prioritizes privacy by using self-declared age signals rather than verification, separating identity from compliance status and ensuring user data never leaves local systems in identifiable form, per Reason Foundation analysis.
Compared to Other State Laws
Texas and Utah laws focus solely on mobile devices, while AB 1043 covers smartphones, tablets, and computers. Unlike those states, California does not require parental consent for minors to download apps. Utah’s law, effective May 6, 2026, requires app stores to verify age using “commercially reasonable methods,” while Texas’s law, effective January 1, 2026, similarly requires “commercially reasonable verification”—language that incentivizes ID collection.
| State | Scope | Verification Method | Effective Date |
|---|---|---|---|
| California | All computing devices | Self-reported age signal | Jan 1, 2027 |
| Texas | Mobile devices only | Commercially reasonable verification | Jan 1, 2026 |
| Utah | Mobile devices only | Commercially reasonable methods | May 6, 2026 |
| Louisiana | Mobile devices only | Commercially reasonable verification | July 1, 2026 |
Colorado has introduced similar legislation. SB26-051, Age Attestation on Computing Devices, would require operating systems including Windows and Linux to force age verification at the system level, according to The WinePress. The bill is scheduled for committee review on February 24, 2026.
Implementation Challenges
The Act creates unique challenges for developers maintaining user profiles across devices. Developers may receive conflicting age signals when users indicate different age ranges on multiple devices, and the Act is silent on how to resolve those inconsistencies, notes Alston & Bird.
Governor Newsom’s signing message acknowledged concerns that the framework may not fit applications supporting user profiles across multiple devices, urging the legislature to enact amendments in 2026. Assemblymember Buffy Wicks, the bill’s sponsor, has signaled openness to working with streaming providers on modifications.
The law includes good faith compliance protections. Operating system providers or app stores that make good faith efforts to comply, considering available technology and reasonable technical limitations, shall not be liable for erroneous age signals or developer conduct, according to the bill text. No such shield exists for application developers.
- Legislative amendments: Potential 2026 modifications addressing multi-device profiles and streaming service concerns before the January 2027 deadline.
- Open-source response: Whether major Linux distributions implement age collection mechanisms or challenge enforcement against volunteer-maintained projects.
- Colorado precedent: If SB26-051 passes committee review, it signals broader adoption of OS-level age requirements beyond California.
- Constitutional challenges: Federal courts have blocked portions of California’s social media age laws; similar challenges to AB 1043 could reshape implementation before 2027.
- API standardization: No industry standard exists for age signal APIs. Microsoft, Apple, and Google must coordinate technical specifications by mid-2026 for July compliance deadlines.