In California, your computer wants to know your age

Once again the protection of minors is being used to introduce new mechanisms of control. California plans to embed age verification directly into operating systems, easing the burden on app operators. The result remains surveillance and censorship.

Even the Linux penguin Tux will soon want to know your age. Photo: SOPA Images/Contributor

Sacramento. The US state of California intends to introduce another layer of monitoring into every device used within its territory. The law, known as Assembly Bill 1043, was recently signed by Governor Gavin Newsom. It will enter into force on 1 January 2027 and from that point will require every operating system provider to collect users’ age information when accounts are created. The data must then be made available to app developers through a real-time API.

An API – an Application Programming Interface – acts as a bridge or rulebook that allows different software applications to communicate and exchange data. It automates processes, simplifies system integration and enables developers to access functions provided by other services. In practice, this would embed age verification directly into devices. The law applies to Windows, macOS, Android, iOS, Linux distributions and Valve’s SteamOS. Every operating system falls under the scope of the legislation.

Problems for Linux

The idea behind the law is particularly problematic for open-source Linux operating systems. Linux was created for users who prefer computer technology that does not monitor them. That is precisely why the platform exists. The difference is fundamental. Distributions such as Arch, Debian and Gentoo do not rely on any central account infrastructure and have no single provider behind them. Users download ISO images – complete system snapshots – from mirror servers that distribute the files. They are free to modify the source code and run the systems on their own devices without oversight from any central authority. Assembly Bill 1043 nevertheless shifts responsibility onto the operators of operating systems.

According to the specialised outlet Linux News, the Californian law applies to all operating systems, including Linux. OS providers must record users’ age and pass age categories on to apps. For open-source projects such as Linux distributions, implementation is controversial because enforcement would be difficult. Nevertheless, violations could result in fines of up to 7,500 US dollars. The issue has already sparked debate within many distributions over how to deal with the law.

At the very least, individual distributions will face additional development work to integrate the required query into their installation process. Some see the simplest solution in adding a disclaimer prohibiting the use of the distribution in California. Yet that approach would only work until other states or countries adopt similar age-verification rules. Ultimately, critics argue, the law represents another attempt to introduce a surveillance mechanism under the banner of protecting minors.

Who counts as a provider?

Independent systems have long irritated both commercial providers and government authorities. Assembly Bill 1043 effectively treats the entire architecture of open-source computing as a compliance problem. Yet there is no central authority that could enforce such requirements, no universal account system that could simply be modified and no single API that could easily be implemented.

For that reason the law defines the term ‘operating system provider’ extremely broadly. It includes anyone who ‘develops, licenses or controls operating system software on a computer, mobile device or other general-purpose computing device’.

Child protection or citizen control?

The law therefore creates a permanent age-signalling infrastructure embedded in the start-up process of devices. Operating system providers must maintain a ‘reasonably consistent real-time application programming interface’ that classifies users into four age groups: under 13, 13 to under 16, 16 to under 18 and 18 or older. The categories correspond to US youth protection rules. Any app developer requesting the signal when launching an application will receive it automatically. Every app installed on the system can therefore be configured according to the user’s age category. Once selected, the age category follows the user from device to device and from app to app, without requiring explicit consent each time the information is disclosed.

No concerns?

Assemblywoman Buffy Wicks, who authored the law, said it ‘avoids constitutional concerns by focusing solely on age assurance rather than content moderation’. That unusual claim is unlikely to withstand scrutiny. Age assurance is precisely the prerequisite for content moderation. The entire point of collecting age data and transmitting it to app providers is to determine – or restrict – what different age groups are able to see.

The infrastructure created by AB 1043 is designed exactly for that purpose. Classifying users into age categories at operating system level and transmitting the information to app providers in real time is the mechanism through which content is moderated. Calling it something else does not change what it is: censorship.

However, even critics acknowledge that AB 1043 is not the most intrusive law of its kind. It does not require users to upload identity documents or biometric data. Instead, they simply state their age when setting up the device. That distinguishes it from laws in states such as Texas and Utah, which require ‘commercially reasonable’ verification methods such as government ID checks.

The downside in California is a weaker form of age verification – but one embedded in a far broader infrastructure. The result is a persistent age-signalling mechanism built into every device, transmitting the user’s age category to every programme and its operator whenever the signal is requested.

Operators of applications, including social networks, that receive the signal are legally deemed to have ‘actual knowledge’ of the age group of their users. This effectively reverses the usual burden of liability. That is precisely the mechanism that makes the system function. The penalties are severe: up to 2,500 US dollars per affected child for negligent violations and up to 7,500 dollars for intentional ones. Operators of apps, social networks and games therefore have strong financial incentives to request the available age signal, ensuring that the API will be used constantly throughout the entire app ecosystem.