California Governor Gavin Newsom signed AB 1043 on October 13, 2025, creating a first-of-its-kind mandate that forces every operating system provider to build age verification into their software before apps can reach young users. The law, formally titled the Digital Age Assurance Act, applies to any software that controls device functions, a definition broad enough to cover not just Windows, macOS, iOS, and Android but also Linux distributions and Valve’s SteamOS. With a compliance deadline of January 1, 2027, OS makers large and small now face a tight window to redesign account setup flows and build new developer-facing tools.
What AB 1043 Actually Requires
The bill’s statutory text, now codified in Civil Code Title 1.81.9 starting at Section 1798.500, sets two core obligations. First, beginning January 1, 2027, every operating system provider must present users with an interface to input their age, birthdate, or both during account setup. Second, providers must relay that information to app developers as an age-bracket signal through a “reasonably consistent real-time application programming interface.” The intent is to give apps a standardized way to know whether a user is a minor without each app running its own verification check.
The law defines “operating system provider” as any entity that offers software controlling the core functions of a computing device. That language does not carve out open-source projects, hobbyist distributions, or gaming-focused platforms. A volunteer-maintained Linux distribution shipping to California users would, on a plain reading, fall under the same obligations as Apple or Google. The bill text describes age verification with respect to software applications beginning on that 2027 date, leaving little ambiguity about the timeline or the expectation that OS-level signals must be available whenever an app requests them.
Self-Reported Ages Won Over ID Uploads
The version of AB 1043 that reached the governor’s desk reflects a deliberate policy tradeoff. Rather than requiring government ID scans or biometric checks, the law relies on self-reported age brackets. That design choice emerged from a contentious legislative fight in Sacramento, where tech companies backed the self-reporting model while the entertainment industry and the Motion Picture Association pushed for stricter verification methods. The tech coalition’s preferred approach prevailed, as coverage in Politico documented, with lawmakers ultimately siding with arguments that heavier-handed verification would chill access to lawful content and create new privacy risks.
The self-reporting mechanism lowers the privacy risk for users but also raises an obvious question: what stops a 14-year-old from claiming to be 18? The law does not appear to mandate secondary checks beyond the initial declaration, nor does it require providers to cross-reference government databases or payment records. Supporters argue the system still creates friction, gives parents a visible touchpoint during device setup, and shifts legal liability onto OS providers if the signal is absent or broken. Critics in the entertainment sector viewed the approach as too permissive, preferring document-based verification that would be harder to circumvent. The compromise that landed in the final bill text essentially traded enforcement strength for broader political support and faster passage, embedding a lighter-touch model into the statute while leaving room for future legislatures to tighten the standard if circumvention proves rampant.
Why Linux and SteamOS Cannot Dodge This
Most online age-check laws target websites or app stores, which lets smaller platforms argue they fall outside the statute’s scope. AB 1043 operates one layer deeper by placing the obligation on the operating system itself. Canonical, the company behind Ubuntu, ships its OS to users worldwide, including California. Valve distributes SteamOS on its Steam Deck hardware. Neither company currently asks for a birthdate during initial OS setup in the way the law envisions. Building a compliant age-input screen and a real-time API that third-party developers can query represents a nontrivial engineering and legal lift, especially for open-source projects that rely on decentralized contribution models rather than corporate compliance teams.
The practical burden falls unevenly. Apple and Google already collect birthdates through their respective account systems and have the infrastructure to expose an age-bracket API to developers. For a community-driven distribution like Fedora or Arch Linux, there is no centralized account system to retrofit, and many users deliberately choose those systems to avoid cloud-linked identity. The law does not prescribe how the interface must look or where the data must be stored, but it does require the signal to be “reasonably consistent” and available in real time. Meeting that standard without a cloud-backed account service would require architectural decisions that many open-source maintainers have historically resisted on privacy and philosophical grounds. No public statements from the Linux Foundation or Valve regarding their compliance plans were available in the sourcing for this report, leaving open questions about whether smaller or volunteer-run projects will attempt compliance, geo-block California, or seek legislative clarification.
Newsom Frames the Law as Child Protection
The governor’s office cast AB 1043 as part of a broader package aimed at shielding minors from online harm. A press release from Governor Newsom described the bill as establishing required age verifications by operating system and app store providers and stated the signing would “further strengthen California’s leadership in protecting children online.” The framing positions the state as a regulatory pacesetter, much as it has been on vehicle emissions and consumer privacy through earlier landmark statutes, and signals that Sacramento expects industry to adapt its core software layers rather than placing the entire burden on individual apps and websites.
That framing, though, glosses over the tension between the law’s stated goal and its mechanical reach. A child-protection statute that technically covers every Linux installation worldwide, yet relies on self-reported ages with no secondary verification, invites skepticism about whether the mandate will meaningfully reduce minors’ exposure to harmful content. The state’s official portal groups AB 1043 with other child-safety efforts but does not address how enforcement would work against open-source projects headquartered outside California or maintained by distributed volunteer teams with no corporate entity to fine. Civil penalties are available under the statute, but collecting them against loosely organized communities or overseas entities is inherently difficult, raising the possibility that enforcement will focus on major commercial players while leaving edge cases unresolved.
The Compliance Clock and What Comes Next
OS providers now have roughly 14 months before the January 1, 2027, effective date to design, test, and deploy compliant systems. For large companies, that likely means integrating an age prompt into device onboarding, building or extending back-end services to translate raw birthdates into standardized age brackets, and exposing those brackets through a documented API for app developers. They will also need to update developer policies, software development kits, and review processes to ensure that apps actually check the signal and adjust their experiences accordingly when a user is flagged as a minor. Because the law speaks in terms of “reasonably consistent” interfaces and “real-time” access, providers may face disputes over edge cases such as offline devices, shared family hardware, or users who refuse to provide any age data at all.
Smaller OS vendors and open-source communities face a more fundamental design dilemma: whether to build centralized identity layers they have historically avoided, or to attempt localized, device-only implementations that still satisfy the law’s requirement for an app-accessible age signal. Any approach that stores age data locally will have to grapple with multi-user scenarios and parental controls, while cloud-based systems raise privacy and data-security concerns that run against the ethos of many alternative operating systems. Legislators could revisit the statute to clarify how noncommercial projects should comply, but absent new amendments, AB 1043’s broad definition of “operating system provider” leaves little formal room to opt out. As the deadline approaches, OS makers, app developers, and civil-society groups will be watching closely to see whether the law nudges the market toward more uniform, privacy-conscious age signaling, or simply adds another compliance checkbox that determined teens learn to bypass.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
