System76's CEO Carl Richell met with Colorado Senator Matt Ball, the co-author of the Colorado OS age attestation bill, who suggested excluding open-source software from the bill. The conversation marks a potential win for free and open-source software advocates facing an unprecedented regulatory challenge: operating system-level age verification mandates spreading across America.
Colorado's Senate Bill 26-051, titled "A Bill for an Act Concerning age attestation for users of computing devices," requires OS vendors to collect and store age brackets for users, and tell app stores if they're underage, with penalties of up to $2,500 for negligent violations or $7,500 for intentional ones. System76, the Denver-based Linux hardware company, has a direct stake here because its Pop!_OS operating system and associated software infrastructure are open-source projects that could theoretically fall under age verification mandates.
The Colorado bill is not an isolated case. California's AB 1043 requires every operating system provider (Windows, macOS, iOS, Android, Linux) to collect user age at account setup and broadcast an age bracket signal to app developers via API. Louisiana HB 570 takes effect July 1, 2026; Illinois SB 3977 takes effect January 1, 2027; Texas SB 2420 applies specifically to mobile devices; and Utah SB 142 has various parts in force at different times.
The appeal of operating system-level age verification is obvious to policymakers: it creates a single point where age checks can be enforced, rather than requiring every website and app to implement its own system. Yet the approach creates practical problems that Richell and other technologists have highlighted. Richell noted that a parent who creates a non-admin account and sets the age for a child account could see the child install a virtual machine, create an account on that virtual machine, and set the age to 18 or over; or the child could simply reinstall the OS and not tell their parents.
The bills are written broadly enough to potentially cover any software platform where users interact, including open-source communication tools and code repositories, meaning a solo developer maintaining a chat application used by a few thousand people would face the same compliance obligations as Meta. If passed, it would be the first state-level acknowledgment that broadly written child safety laws threaten volunteer software projects that lack resources to comply.
Richell's argument carries weight beyond system design. System76 stated: "We are a part of this world and we believe in the rule of law. We still hope these laws will be recognized for the folly they are and removed from the books or found unconstitutional." That language reflects a genuine dilemma: companies and projects can comply with state mandates, yet still harbour doubts about whether the laws will survive constitutional scrutiny or achieve their stated aims.
The conversation in Denver is encouraging for advocates, but fragile. The legislative process is unpredictable, amendments can be stripped at any stage, and opposition from child safety advocacy groups could complicate efforts to exclude open-source software. Utah, Texas, Louisiana, and several other states have already passed or are considering age verification laws, and none currently include open-source exemptions. Even if Colorado creates a model and other states adopt it, if a federal bill passes without an open-source carve-out, state-level exemptions become irrelevant.
The tension at the heart of this debate is real. The political appeal of protecting children online is clear, yet the harder question is whether operating system-level age attestation can deliver meaningful protection without reshaping digital identity systems in ways that raise new constitutional and privacy concerns. Reasonable people disagree about whether the laws will work. What is clear is that they will work differently for a volunteer-run Linux distribution than for Microsoft or Apple, and that asymmetry matters.