Matthew Gamble's Blog
California's New Age Verification Law: Making Kids Less Safe While Breaking Open Source

Matthew Gamble

Earlier this month, PC Gamer reported on a California law that's been flying under the radar: Assembly Bill 1043, the "Digital Age Assurance Act." Signed by Governor Newsom in October 2025, it goes into effect January 1, 2027. The bill requires all operating system providers to collect age information at account setup and provide that data as a "signal" to applications and websites.

The headlines focused on the obvious absurdity: Linux distributions would need to comply. My first reaction was the same. It's open source. Make the lawmakers submit their patches upstream. I'm sure Linus Torvalds would have some choice words for that pull request.

But once you get past the initial laugh, this law is genuinely dangerous. Not in the "regulations are annoying" sense. In the "this will actually harm children" sense.

What the Law Actually Says

Let's start with what AB1043 doesn't apply to. The bill defines "operating system provider" as someone who "develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device." It only applies to operating systems that work with "covered application stores."

So no, your WiFi router isn't covered. Neither are traffic lights, elevator controllers, or your microwave. This applies to operating systems on general purpose computers, phones, and game consoles that have associated app stores.

The law requires operating system providers to:

  1. Collect the user's birth date or age at account setup
  2. Provide a "signal" via API indicating which age bracket the user falls into (under 13, 13-15, 16-17, or 18+)
  3. Make this signal available to developers who request it

Developers who receive this signal are "deemed to have actual knowledge" of the user's age range. They must use it to comply with "applicable law" but are prohibited from sharing it with third parties.

Sounds reasonable on paper. The stated goal is to let parents set up restricted accounts for their children, with the OS telling apps "this is a minor, act accordingly."

Here's the thing: that's a feature parents would actually want. It probably has market value. Apple, Google, and Microsoft already offer exactly this functionality. Parental controls exist. Family account systems exist. Age-restricted app installations exist. The market solved this problem years ago because parents were willing to pay for devices that offered it.

But California couldn't leave well enough alone. They had to mandate it. And in doing so, they created something far worse than the problem they were trying to solve.

The Signal Becomes a Target

Here's the core problem: the age signal must be made available to both apps and websites.

Think about what that means. If you dutifully enter accurate ages for everyone in your household, any app or website can query the OS and find out: "This user is under 13."

Any groomer with a website can now identify which of their visitors are children.

Congratulations, California. You just painted a target on every kid's back.

Any parent with half a brain will figure this out. And to protect their children, they'll do the only sensible thing: mark their kids as adults. Now you have minors surfing the internet with an official OS-level flag declaring they're 18+ and it's perfectly fine to show them whatever content they want.

Meanwhile, apps and websites that should be implementing real age verification will just rely on this signal instead. Porn sites can point to the OS and say "well, the operating system told us they were an adult." The signal becomes a liability shield, not a protection mechanism. In places where there's a legitimate argument for restricting minors' access, the signal makes it easier to circumvent.

So let's tally up the outcomes:

  • Groomers can identify children more easily
  • Parents who understand the risk will falsely mark kids as adults
  • Kids will access adult content with a system-provided stamp of approval
  • Sites that should verify ages will rely on the easily-gamed OS signal instead

The net effect is more children getting groomed and more children accessing inappropriate content. The exact opposite of the stated purpose.

I'm not keen to have children avoid blisters by cutting off their feet. But that's apparently California's approach to child safety.

The California Pattern

This isn't an isolated incident. There's an obvious pattern with California lawmakers: they pass laws to regulate things they have zero clue about, add them to their achievement pages, cheer for themselves, and declare, "There! I've made the world a better place."

They never bother to study the subject. They never consult with people who actually understand the technology. They just legislate based on vibes and press releases.

A few examples:

Microstamping requirements for handguns. California requires new handgun models to imprint a unique code on bullet casings when fired. Sounds clever! Except the technology doesn't reliably exist at scale, criminals can defeat it with a file in thirty seconds, and casings can be picked up from any gun range and scattered at a crime scene. The result? Gun manufacturers simply stopped submitting new models for California approval. The state's "roster" of approved handguns has been shrinking for over a decade. Older models with known issues can't be retired because there's nothing legal to replace them with. The law didn't reduce gun violence by a single incident. It just froze the market in amber while legislators patted themselves on the back.

3D printer "gun detection." California has pushed for 3D printers to include algorithms that recognize and refuse to print gun parts. Picture the embedded processor in a consumer 3D printer. It's running a stepper motor controller and a heating element. Now picture it running real-time computer vision AI to identify every possible firearm component ever designed, in any orientation, at any scale, in any colour. The idea is so technically illiterate it's almost impressive. It's security theatre for people who've never touched the technology they're regulating.

And now, operating system age verification. Do we really expect Red Hat to collect birth dates for every sysadmin who installs RHEL? The thought of legally-mandated age verification for every VM in a cloud fleet is genuinely hilarious. "Sorry, can't deploy to production until we verify the Kubernetes admin account is over 18."

At this rate, California should just go back to the Stone Age. Modern technology is simply not compatible with legislators who are more interested in virtue signaling than solving actual problems, or even bothering to spend five minutes understanding what they're regulating.

The Enforcement Fantasy

Setting aside whether this law is a good idea (it catastrophically isn't), how would California even enforce it?

If you download Linux Mint, there's no transaction. No money changes hands. No account is created. California can't exactly intercept ISO downloads at the state border. Even if Linux Mint added some age verification prompt to comply, there's no reason anyone would choose that version. You'd just download the regular one. Or a fork. Or an older release. Or build it from source.

And that raises an interesting question: would California outlaw downloading non-compliant distributions? Older versions that predate the law? When there's no exchange of money, no commercial transaction, just freely distributed software, a law like this starts looking a lot like suppression of free speech. "You cannot distribute this software to California residents without modifying its source code to include state-mandated data collection" is quite a sentence for a state that prides itself on being progressive.

The more likely outcome is exactly what commenters on Reddit predicted: Linux distributions will slap a disclaimer on their websites saying "not for use in California" and absolutely nothing will change. The law will be completely unenforceable against the open source ecosystem while simultaneously making it quasi-illegal.

Meanwhile, Microsoft, Google, and Apple already have this functionality built in. They'll comply with zero effort. Almost like this law was written to benefit them.

The Malicious Compliance Fantasy

I'll admit, part of me wants to see someone take this law to its logical conclusion.

Every California state government system runs on some operating system. The servers. The databases. The web portals. The phones. The WiFi. The building access systems. The traffic lights. The alarm systems. 911 dispatch. The DMV. Payroll. The HVAC. Everything.

Imagine if, on the day this law takes effect, everyone running California's critical infrastructure simply... complied. "We need to implement age verification on this traffic light controller before it can be used. It's an operating system. It's the law. Sorry, we don't make the rules."

Shut down everything. The data centers, the 911 systems, the payroll, the state websites. Everything running any operating system, which is everything. Get the IT vendors to coordinate. Pick a day. Call it an OS Boycott. Don't turn anything back on until the law is repealed.

It would never happen, of course. But it's a satisfying thought experiment in the absurdity of trying to regulate technology you fundamentally don't understand.

Why Canadians Should Care

You might be wondering why I'm writing about California law on a Canadian blog.

Here's why: if California mandates this, we're getting it too.

Microsoft, Apple, and Google aren't going to maintain two versions of their operating systems. They're not going to ship a "California Edition" of Windows with age verification prompts and a "Rest of World Edition" without them. They'll implement the requirements globally because it's simpler, and the rest of us will be stuck with it by proxy.

California has 39 million people and an economy larger than most countries. When they pass technology regulations, the ripple effects are global. CCPA effectively became the privacy baseline for American companies. California emissions standards drove automotive design nationwide. The same pattern will play out here.

So when California passes a law that broadcasts children's ages to every app and website, creates unenforceable mandates for open source software, and makes kids demonstrably less safe while legislators congratulate themselves on "protecting children," Canadians need to pay attention.

Because ready or not, it's probably coming to a Windows update near you.

The Bottom Line

AB1043 will:

  • Expose children's ages to any app or website that asks for the signal
  • Incentivize parents to falsely mark their children as adults
  • Give adult content providers a liability shield to avoid real verification
  • Be completely unenforceable against open source software
  • Create absurd compliance theatre for enterprise environments
  • Do absolutely nothing to actually protect children
  • Probably make kids less safe overall

But hey, some California legislator got to add "protected children online" to their campaign website. That's what really matters, right?

This is what happens when lawmakers regulate technology they've never used, based on problems they don't understand, with solutions designed by staffers who've never talked to anyone in the industry. It's governance by press release. Achievement unlocked. Move on to the next bill.

Meanwhile, actual children are worse off. But at least the law had good intentions.


If you're a Canadian concerned about these kinds of regulatory spillover effects, keep an eye on what's happening in major US states. We may not have a vote, but we'll be living with the consequences.
