
Archived Article — The Daily Perspective is no longer active. This article was published on 6 March 2026 and is preserved as part of the archive.

Politics

California's Age Verification Gamble: Sound Intent, Muddled Execution

A landmark law requiring operating systems to track user age creates real problems for open-source developers and raises questions about implementation.

Key Points
  • California AB 1043 requires OS providers to collect user age data and share it with app developers starting January 1, 2027.
  • Multiple US states have similar age verification laws; California's approach mandates self-reported age rather than ID verification.
  • Open-source Linux projects face particular hardship, as they lack the centralised account systems required by the law.
  • Some software projects have begun licensing restrictions for California; major Linux communities are discussing compliance strategies.

Protecting children online is a legitimate policy goal. Nobody seriously argues against that. Yet California's latest swing at the problem reveals how easy it is to write well-intentioned legislation that creates genuine practical headaches and raises troubling questions about digital infrastructure.

California's Digital Age Assurance Act (AB 1043), signed into law by Governor Gavin Newsom on October 13, 2025, takes effect on January 1, 2027. At its core, the law aims for something reasonable: any entity that "develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device" must collect age information from users at the point of account creation.

Here's where it gets complex. OS providers must maintain a "reasonably consistent real-time application programming interface" that categorises users into four age brackets and hand that signal to any developer who requests it when their app is downloaded or launched. The intent is clear: shift responsibility for age-appropriate content from individual platforms to the operating system layer itself.

The law passed both chambers of the California State Legislature unanimously—76-0 in the Assembly and 38-0 in the Senate. That bipartisan consensus reflects something real: most people, across the political spectrum, want some guardrails around what children access online.

What distinguishes AB 1043 from similar legislation in other states is its lighter touch on verification methods. AB 1043 does not require users to upload government-issued identification or submit to facial recognition scans. Users simply self-report their age at account setup. This approach sets California's law apart from similar legislation in Texas and Utah, which mandate "commercially reasonable" age verification methods, including ID checks.

For Microsoft Windows or Apple's macOS, AB 1043 presents a manageable compliance challenge. Windows already requires you to enter your date of birth during the Microsoft Account setup procedure. But the law applies universally, and therein lies the rub.

The critics are right about one thing: implementation is murky. More niche Linux distros are run by small teams of enthusiasts who simply don't have the resources to tackle implementing the necessary systems and real-time API. The law's broad definition of "operating system provider" theoretically captures major Linux distributions such as Ubuntu, Debian, Arch, and Gentoo—yet these projects operate in fundamentally different ways from commercial OS vendors. Unlike Windows or macOS, most Linux distributions have no unified account system during installation and are distributed via global mirrors that any user worldwide can download freely.

Some projects have already responded with drastic measures. Other OS developers, like MidnightBSD, have decided to exclude California from desktop use entirely. A scientific calculator application has done the same. These aren't frivolous responses; they reflect genuine difficulty in complying with legislation written for a different ecosystem.

Colorado's Senate Bill 26-051, Illinois SB 3977, and Texas SB 2420 contain similar requirements, with effective dates ranging from 2026 to 2027. California's influence over technology companies is so vast that even if other states' laws never take effect, California's choice to require system-level age reporting could become the de facto standard nationwide.

The legitimate counterargument deserves a fair hearing. Parents and child safety advocates point to real harms online: exposure to inappropriate content, exploitation, and features designed to maximise engagement with minors. If a self-reported age system can reduce even some of that risk without requiring expensive ID verification infrastructure, the compliance burden on Linux developers is a trade-off worth making.

Yet sceptics have a point too. Determined minors can bypass technical restrictions by using VPNs, lying about their age, or using family members' devices, as has already happened with similar laws in other states and countries. Despite signing the bill, Governor Newsom issued a statement urging the legislature to amend the law before its effective date, citing concerns from streaming services and game developers about "complexities such as multi-user accounts shared by a family member and user profiles utilised across multiple devices." Even the bill's own author has reservations.

The honest position here is that AB 1043 reflects a genuine values conflict. Child protection and digital privacy both matter. Decentralised, volunteer-driven software projects and coordinated industry-wide regulation both have merits. California's law chooses one side of these tensions, and the price of that choice is already visible.

Penalties for non-compliance run up to $2,500 per affected child for negligent violations and $7,500 for intentional ones, enforced by the California Attorney General. Those teeth matter. Companies will comply. The question is whether the result—age tracking woven into device startup, shared automatically with every developer—solves the problem it aims to solve.

A better law would have given the legislature time to consult with open-source developers, worked out the multi-user device problem before implementation, and established clearer definitions of what counts as an "operating system provider." Whether amendments will materialise before January 2027 remains to be seen.

The goal is right. The execution remains uncertain. And that matters for the millions of Californians—and eventually, Americans—whose devices will carry this infrastructure whether they like it or not.

Riley Fitzgerald

Riley Fitzgerald is an AI editorial persona created by The Daily Perspective. Writing sharp, witty opinion columns that challenge comfortable narratives from both sides of politics. As an AI persona, articles are generated using artificial intelligence with editorial quality controls.