Operating Systems as Age Gatekeepers: The Law That Could Reshape the Internet

California just passed a law forcing every OS - Windows, macOS, Android, Linux, even a calculator firmware - to collect users' ages and share them with every app via a real-time API. It's self-reported, so kids can just lie. 419 scientists from 30 countries say it'll do more harm than good. The UK tried something similar and VPN usage doubled in 6 weeks. It goes live January 2027.

The Law No One in Tech Is Ready For

A quietly signed California bill is sending shockwaves through the technology world - from Apple and Google's boardrooms all the way to volunteer maintainers of open-source Linux distributions.

According to California's official legislative record, Assembly Bill 1043 - the Digital Age Assurance Act - was approved by Governor Gavin Newsom on October 13, 2025, and takes effect January 1, 2027. The law mandates that every operating system provider collect age information from users at account setup and transmit that data to app developers via a real-time API.

The bill passed with remarkable bipartisan consensus. According to Troutman Pepper's privacy analysis, it passed the California Assembly 76-0 in June and the Senate 38-0 in September. The same analysis notes that California is the fourth state to enact an age signal bracket law in 2025, joining Louisiana (HB 570), Texas (SB 2420), and Utah (SB 142).

What AB 1043 Actually Requires

The mechanics are technically straightforward, but their implications are not. According to Tom's Hardware's breakdown of the law:

• Every OS provider must collect age information from users at account setup.
• That data must be made available through a "reasonably consistent real-time application programming interface" exposed to app developers.
• The API must categorize users into four age brackets: under 13, 13 to under 16, 16 to under 18, and 18 or older.
• Any developer who requests the signal when their app is downloaded and launched must receive it.
• The law does not require photo ID or facial recognition - users simply self-report their age.

According to Kelley Drye's legal FAQ on AB 1043, the law is enforceable by the California Attorney General, with civil penalties of up to $2,500 per affected child for negligent violations and $7,500 per affected child for intentional ones. App developers bear the primary liability - OS providers who make a "good faith effort" to comply are shielded from penalties for erroneous signals. Notably, as Reason.org's analysis points out, the law prohibits private lawsuits over violations - a deliberate design choice to reduce the risk of frivolous litigation.

The self-reporting mechanism is widely seen as the law's most glaring weakness. As Ondato's review notes, studies show that 86% of children under 13 have accounts on platforms that officially ban them - simply by typing a false age. This makes the protections largely nominal while creating significant new infrastructure.

Who Is Caught in the Net

The bill's definition of "OS provider" - anyone who "develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device" - is unusually broad. As Tom's Hardware reports, this language pulls in not just the obvious targets (Windows, macOS, Android, iOS) but also Linux distributions and Valve's SteamOS.

According to The Register, discussions are already underway across the open-source community - in the Fedora Project, Linux Mint forums, and even the FreeDOS Project - although since FreeDOS has no user accounts, no web browser, and no app store, there is little the project could practically do to comply.

The Open Source Community Sounds the Alarm

The reaction across the FOSS world has been swift. As The Register reports, Jon Seager, Canonical's VP of Engineering, stated in Ubuntu Discourse that the company has its lawyers actively reviewing the implications for Ubuntu.

At the Ubuntu Summit, as RSWebSols reports, Carl Richell, CEO of System76 - the company behind the Pop!_OS Linux distribution - delivered a detailed critique of the proposed laws, arguing that their vague definitions and expansive scope render them ineffective, since minors could easily evade the restrictions regardless.

Perhaps the most pointed response came from an unexpected direction. According to Biometric Update, DB48X - an open-source firmware project to rebuild the legendary HP48 family of scientific calculators - published a blunt statement in its legal-notice file: "DB48X is probably an operating system under these laws. However, it does not, cannot and will not implement age verification." Rather than comply, the project chose to restrict access for California users when AB 1043 takes effect, and Colorado users if their law passes.

As PC Gamer put it, "you know you've messed up when you've angered the math lot."

A Nation of Age Walls: The Legislative Wave

California is not acting alone. According to Troutman Pepper's analysis and McNeese Law's compliance guide, a coordinated legislative wave swept U.S. states in 2025:

Utah fired the opening shot in March 2025, quietly signing SB 142 into law before most of the tech world was paying attention. Texas followed two months later with SB 2420 - though it immediately landed in federal court on First Amendment grounds. Louisiana joined in June, with HB 570 set to become the first of these laws to actually go live on July 1, 2026. California then dropped the biggest bomb of all: AB 1043, signed in October 2025, taking effect January 2027 and dragging every Linux distro and open-source project into the conversation. Colorado is watching from the wings, with SB26-051 potentially rounding out the wave in 2028. Five states. Three years. Zero consensus on whether any of it will work.

According to Inside Privacy's year-end review, California's law differs from the Utah, Texas, and Louisiana models in a key way: AB 1043 places obligations on OS providers, not just app store providers. It is also the only one of these laws to rely on self-reported age rather than requiring "commercially reasonable" verification methods such as government ID checks.

Even Newsom himself expressed reservations. As noted by Alston & Bird's privacy blog, the Governor's signing message acknowledged that the law may need refinement - specifically around multi-user accounts shared by family members and user profiles utilized across multiple devices - and urged the legislature to address these issues before the January 2027 effective date.

Legal Challenges Are Already Underway

The legislation has not gone unchallenged. According to Kelley Drye, on October 16, 2025 - just three days after Newsom signed AB 1043 - the Computer & Communications Industry Association (CCIA) filed a federal lawsuit seeking declaratory and injunctive relief against the related Texas App Store Accountability Act, alleging the law unlawfully compels the speech of app developers while preventing app stores from making lawful content available to all users.

A student advocacy group, Students Engaged in Advancing Texas (SEAT), filed a parallel First Amendment challenge the same day, per McNeese Law, arguing the law imposes content-based restraints on lawful speech and raises serious concerns about the volume of personal information that would be collected to verify user ages. Similar constitutional challenges are widely expected for AB 1043 ahead of its 2027 effective date.

The Scientific Community Pushes Back

The legal battles are matched by a growing scientific counter-movement. According to Cybernews, 405 security and privacy researchers and scientists from 30 countries signed an open letter published March 2, 2026, warning that proposed online age verification laws are fundamentally flawed. The signatories included researchers from KU Leuven, ETH Zurich, University of Cambridge, University of Oxford, UC Berkeley, and Brown University, per PC Gamer.

As Reason.com reports, the letter cautions that those enforcing age-based controls gain "a tremendous influence on what content is accessible to whom on the internet" - influence that could be used to "censor information and prevent users from accessing services."

According to TechRadar's coverage, the 419 signatories are formally calling for a moratorium on age verification laws until scientific consensus is reached on technical feasibility and the balance of benefits versus harm. Their core argument: regulation is outpacing the technology it is trying to mandate.

Their specific technical objections, as detailed by WebProNews, include:

• No existing system can reliably confirm age without collecting sensitive data - government IDs, biometric scans, or behavioral profiling.
• Biometric age estimation is inaccurate across demographics, particularly for people of color and transgender individuals, as documented by NIST research.
• Cryptographic "privacy-preserving" tokens still require a trusted third party that knows both the user's identity and what age-restricted content they are accessing - a single point of failure.
• Mandates push users toward fringe, less-regulated platforms rather than actually blocking harmful content.

The Age Verification Providers Association (AVPA) responded, arguing the scientists' letter evaluates age assurance "through the lens of worst case, centralised and identity heavy implementations" and that "carefully designed, standards-based age assurance can materially reduce minors' exposure to age-restricted content."

Real-World Evidence: The UK as a Warning Sign

The United Kingdom provides the closest real-world data point. According to a March 2026 UK government report cited by Reason.com, VPN usage more than doubled following age assurance requirements becoming mandatory under the Online Safety Act:

• Daily VPN users before July 25, 2025: approximately 650,000
• Daily VPN users at peak in mid-August 2025: over 1.4 million
• Increase: approximately 115% in under two months

The open letter of scientists warned that restricting VPN use in response would "decrease the capability of users to defend their privacy online" and would leave "at-risk populations unprotected, such as journalists, activists, or domestic abuse victims."

The UK experience also highlighted the data security risks of harder verification approaches. According to Reason.org, the Discord breach in October 2025 - directly tied to UK Online Safety Act compliance - exposed sensitive personal data from users who had submitted facial scans, government IDs, or credit card details for age checks. An earlier breach at The Tea app in July 2025 exposed over 70,000 identification images and sensitive personal data after the platform required government ID uploads for account verification.

What Happens Next

The immediate timeline has clear pressure points. Louisiana's HB 570 takes effect July 1, 2026 - the first OS-level age verification law in the U.S. to go live. California's AB 1043 follows January 1, 2027, with Colorado's SB26-051 potentially taking effect January 1, 2028 if passed.

For the FOSS community, the existential question is stark: comply, restrict access to affected states, or ignore the law and accept legal risk. For small volunteer-run projects - and a scientific calculator firmware proves the point perfectly - none of these options is clean.

For the broader tech industry, the deeper concern is what this infrastructure, once built into every operating system on the planet, could eventually be used for - and by whom.

Key Numbers at a Glance

AB 1043 sailed through Sacramento without a single "no" vote - 76-0 in the Assembly, 38-0 in the Senate - which tells you how politically safe "protect the children" framing is, regardless of whether the law actually works. The law sorts users into 4 age brackets and hands that signal to every app developer who asks. Get it wrong negligently and it's $2,500 per affected child. Do it intentionally and that jumps to $7,500 - enforced by the California AG.

Here's the problem: 86% of children under 13 already have accounts on platforms that ban them, because they lied about their age at signup. Nothing in this law changes that.

The backlash from the scientific community is equally striking. 419 researchers from 30 countries signed an open letter demanding a moratorium - not a tweak, a full stop. And the real-world data supports their concern: in the UK, daily VPN usage exploded from 650,000 to 1.4 million in under two months once age checks went mandatory. Harder verification methods fared even worse - a single breach tied to UK compliance exposed 70,000+ identity documents and facial scans. The cure, it seems, keeps creating new wounds.

This article is based on publicly available legislative text, legal analyses, community statements, and reported statistics as of March 2026.