California's New Age Verification Law Puts Linux, SteamOS, and Every Major OS on Notice

California’s New Age Verification Law Puts Linux, SteamOS, and Every Major OS on Notice

California’s New Age Verification Law Puts Linux, SteamOS, and Every Major OS on Notice

March 2, 2026 — California has enacted a sweeping new digital age verification law that will affect virtually every operating system on the market — including Microsoft Windows, Apple macOS, Google Android, Apple iOS, Valve’s SteamOS, and a wide range of Linux distributions.

The state’s Digital Age Assurance Act (AB 1043), signed into law by Governor Gavin Newsom on October 13, 2025, takes effect on January 1, 2027.

What the Law Requires

Under AB 1043, any entity that “develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device” is classified as an operating system provider (OSP) and must:

Collect age information from users at the point of account creation.
Maintain a standardized, real-time API that categorizes users into one of four age brackets:
- Under 13
- 13 to under 16
- 16 to under 18
- 18 and over
Transmit the appropriate age signal to app developers when a user downloads or launches an application.

Once a developer receives that signal, they are legally “deemed to have actual knowledge” of the user’s age range — shifting the burden of age-appropriate content compliance from platforms onto app developers.

No Photo ID Required

Importantly, AB 1043 does not require users to upload government-issued identification or submit to facial recognition scans. Users simply self-report their age at account setup. This approach sets California’s law apart from similar legislation in Texas and Utah, which mandate “commercially reasonable” age verification methods, including ID checks.

Assemblymember Buffy Wicks, who authored the bill, said in a press release that this design “avoids constitutional concerns by focusing strictly on age assurance, not content moderation.”

Broad Scope, Stiff Penalties

The law passed both chambers of the California State Legislature unanimously — 76–0 in the Assembly and 38–0 in the Senate — reflecting broad bipartisan support.

Penalties for non-compliance are significant:

Up to $2,500 per affected minor for negligent violations
Up to $7,500 per affected minor for intentional violations

Enforcement is overseen by the California Attorney General.

Newsom Signed — But Has Reservations

Despite signing the bill, Governor Newsom accompanied his signature with a statement urging lawmakers to revisit the law before its 2027 implementation date. He cited concerns raised by streaming services and game developers about practical complexities — specifically, how to handle family-shared accounts and user profiles that span multiple devices. Whether amendments will be passed before January 2027 remains an open question.

The Linux Problem

Perhaps the most contentious aspect of AB 1043 is its potential impact on the open-source Linux ecosystem. The law’s broad definition of “operating system provider” theoretically captures major Linux distributions such as Ubuntu, Debian, Arch, and Gentoo — yet these projects operate in fundamentally different ways from commercial OS vendors.

Unlike Windows or macOS, most Linux distributions:

Have no unified account system during installation
Are distributed via global mirrors that any user worldwide can download freely
Allow users to modify the source code at will
Are maintained by small communities with limited legal and engineering resources

Enforcing the law against such distributed, decentralized projects presents obvious practical challenges. For smaller distributions, a likely real-world outcome may simply be the addition of a disclaimer noting that the software is not compliant with California law — an imperfect but pragmatic response to an enforcement gap.

Valve’s SteamOS — a commercial, Debian-based Linux distribution developed by a well-funded company — is a different case. As a managed platform with an integrated storefront and account system, Valve is more realistically positioned to implement the required API.

A Shifting Liability Model

AB 1043 represents a notable shift in how California approaches online child safety. Rather than requiring every app or website to independently verify user ages, the law pushes that infrastructure down to the operating system layer — centralizing age assurance at the point where users first interact with their devices. Once developers receive the age signal from the OS, they bear legal responsibility for what content minors can access.

Supporters argue this approach is more privacy-preserving and consistent than the patchwork of individual platform-level age checks in use today. Critics worry about the technical burden it places on a diverse ecosystem of OS providers — particularly those in the open-source community — and whether self-reported age data provides meaningful protection at all.

What Happens Next

With the January 1, 2027 deadline roughly ten months away, major OS vendors will need to begin planning compliance strategies now. The coming year is likely to bring lobbying from the tech industry, potential amendment proposals, and possibly legal challenges. For the open-source Linux community, the picture remains murky — and the practical outcome may vary widely depending on a distribution’s size, commercial backing, and willingness to engage with California regulators.

Sources: California Legislative Information (AB 1043 full text); Tom’s Hardware; Troutman Pepper Privacy + Cyber + AI analysis; Tech Newsday.

California's New Age Verification Law Puts Linux, SteamOS, and Every Major OS on Notice