California has passed a law that sounds reasonable on the surface: require operating systems to ask users for their age, then share that information with app developers to protect children. The problem is that reality—technical, legal, and practical—appears fundamentally misaligned with what the Digital Age Assurance Act (AB 1043) actually does.
California Governor Gavin Newsom signed the Digital Age Assurance Act (AB 1043) into law on 13 October 2025. Operating system providers must provide an accessible interface at account setup requiring account holders to indicate the birth date, age, or both of the device's primary user, to provide a signal regarding the user's age bracket to applications available in covered application stores; operating system providers must also provide, upon a developer's request, a digital signal specifying the user's age bracket, and minimise data sharing to only what is necessary for compliance with the Act. The Act becomes effective on 1 January 2027.
The stakes are substantial. Penalties for noncompliance include up to $2,500 per affected child for negligent violations and up to $7,500 for intentional violations. The law applies to Windows, macOS, Linux, iOS, Android, and arguably anything running code on a computing device. Yet there is a critical problem: lawmakers appear to have legislated without fully understanding the technical and legal terrain they were entering.
The Texas Precedent
A federal court has already rejected a similar approach. On 23 December 2025, the U.S. District Court for the Western District of Texas issued a preliminary injunction blocking SB 2420 from taking effect, finding that the law likely violates the First Amendment and cannot survive constitutional scrutiny. The court's decision found that SB 2420 is a content-based regulation of speech because the law applies differently depending on the type of content an application provides, triggering strict scrutiny, the highest level of judicial review.
The judge's reasoning was cutting: While protecting children from unlawful or obscene content is a legitimate goal, SB 2420 extended far beyond that scope, restricting access to virtually all mobile applications regardless of whether they posed any demonstrated harm. California's law differs in important respects from Texas's, focusing on age signals rather than content blocking, but the constitutional vulnerability remains.
The Linux Problem
For open-source operating systems, AB 1043 presents a different kind of crisis. Enforcement against Linux distributions is likely to be problematic because distros like Arch, Ubuntu, Debian, and Gentoo have no centralised account infrastructure, with users downloading ISOs from mirrors worldwide and able to modify source code freely; these small distros lack legal teams or resources to implement the required API, so a more realistic outcome for non-compliant distros is a disclaimer that the software is not intended for use in California.
The philosophical collision is stark. Under the law's current wording, a Linux distribution downloaded from the internet could technically make the downloader the 'device manufacturer'; in practice, this type of language is rarely enforced, but it highlights how laws written for centralised platforms like iOS and Android struggle to define who is responsible in open computing ecosystems where anyone can install or distribute the operating system.
The Enforcement Fiction
Perhaps most troubling is that the law relies on honesty in an inherently dishonest system. There is no actual age verification; whoever installed the operating system or created the account simply says what age they are. They can lie. They will lie. They're being encouraged to lie for fear of being restricted to a nerfed internet.
This is not a minor flaw. If compliance depends on voluntary truthfulness, the entire regulatory edifice collapses. A teenager facing internet restrictions has clear incentive to claim they are 18 or older. A child creating a virtual machine or reinstalling an operating system faces no meaningful penalty. The law creates compliance theatre rather than actual protection.
California lawmakers sought to protect minors from online harms, a goal that carries real legitimacy. The question is whether a law that creates confusion among tech companies, potential liability for open-source projects, constitutional vulnerability, and unworkable enforcement actually advances that goal. The Texas court's decision suggests it does not—and AB 1043's structural problems suggest California's version may not either.