California’s Digital Age Assurance Act, AB 1043, would require operating-system providers to generate an “age assurance signal” that apps request when users download or launch software. The measure takes effect January 1, 2027, and applies to general‑purpose internet‑connected devices, including smartphones and laptops. Only the user’s age bracket is shared; no personal data is exposed.
What the law requires
The act defines four age brackets: under 13, 13 to under 16, 16 to under 18, and 18 or older. The signal is designed to protect privacy by sharing only the bracket. Adults or guardians set the age during device setup, and apps request the signal when users install or launch an app or sign up for an account. Regulators expect developers to treat the bracket as the primary indicator for compliance with COPPA and California’s Age‑Appropriate Design Code.
Penalties and enforcement
Violations carry substantial penalties: up to $2,500 per affected child for negligent violations and up to $7,500 per child for intentional violations. For large platforms with millions of users, those fines could add up quickly.
Privacy benefits and architectural tradeoffs
Supporters argue that sharing only an age bracket could reduce the amount of sensitive data circulating online by avoiding birthdates, IDs, or biometrics. Critics warn that the OS layer could become a new chokepoint in enforcement and that centralizing age verification at a single layer of the technology stack concentrates power over access online.
Scope and pushback
AB 1043 applies to companies that develop, license, or control operating systems for general‑purpose devices, including iOS, Android, Windows, macOS, ChromeOS, SteamOS, and Linux distributions. That breadth has drawn pushback from some open‑source developers who argue centralized platforms and decentralized ecosystems may struggle to comply. Linux developers have framed the framework as incompatible with open‑source norms.
“AB 1043 was designed for a world of centralized platforms,” Linux developer Eric Stanek wrote. “Linux is the precise architectural opposite… The entity California needs to compel into compliance does not exist.”
Ubuntu and other Linux communities have begun acknowledging the discussion and directing users to longer answers in community forums. Some developers argue enforcement against decentralized open‑source systems could be difficult or impossible, and some projects may choose to restrict downloads in California rather than implement compliance systems.
Civil-liberties and broader implications
Civil‑liberties advocates warn that once an OS‑level age‑verification layer exists, it could become a regulatory chokepoint. Future laws could expand the signal or require stronger forms of identity verification. The law does not require identity documents or biometric verification; ages can be self‑reported at device setup, and shared devices complicate enforcement when a child uses a parent’s device.
What to watch next
Despite those gaps, AB 1043 signals a broader shift in how governments regulate the internet. Rather than targeting individual apps or sites, lawmakers appear to favor infrastructure‑level rules that can be applied more uniformly. If other states adopt similar frameworks — Colorado is considering one — age verification could become a standard feature built directly into the devices people use to access the internet. For now, the deadline for California’s system remains 2027, and major OS providers have not publicly detailed how they will implement the approach.


