A new amendment (AB 1856) would exempt open‑source operating systems—such as Debian, Ubuntu, Fedora and Arch—from California’s upcoming age‑verification law, after industry backlash over the original bill’s requirement that OSes collect users’ birth dates at setup.
California moves to exempt Linux from its upcoming age‑verification law
)
Image credit: Getty Images
The California State Assembly is preparing an amendment—AB 1856—that would carve out a broad exemption for open‑source operating systems from the Digital Age Assurance Act (DAAA). If passed, distributions like Debian, Ubuntu, Fedora, Arch Linux and Linux Mint would no longer be required to collect a user’s age during device‑setup and broadcast an “age‑bracket signal” to apps.
What the original law demanded
AB 1043, signed in late 2025, shifted age‑verification responsibility from individual websites to the operating‑system layer. The statute defined four brackets—under 13, 13‑15, 16‑17 and 18+—and required every OS to:
- Prompt the user for a birth date or equivalent proof of age during the first‑boot experience.
- Store the resulting bracket in a system‑wide flag.
- Expose that flag to any installed application or app store via a documented API.
The intent was to give minors a uniform gate‑keeping mechanism while relieving content providers of the compliance burden. In practice, the law would have forced Linux distributions—most of which lack a central account system, telemetry, or even a single corporate owner—to implement a privacy‑sensitive data collection flow.
Why the Linux community pushed back
- License mismatch – The amendment language in AB 1856 reads: “Operating system provider does not mean a person or entity that distributes an operating system or application under license terms that permit a recipient to copy, redistribute, and modify the software.*” This mirrors the GPL, MIT, and Apache licenses that dominate the Linux ecosystem, effectively shielding them from the DAAA.
- Enforcement infeasibility – Open‑source projects can be forked indefinitely. A regulator could not realistically compel every fork to embed age‑verification code without violating the very freedoms the licenses protect.
- Privacy concerns – The Electronic Frontier Foundation warned that a mandatory age‑bracket signal could become a de‑facto identifier, enabling cross‑service tracking far beyond the original scope of the law.
- Operational impact – Most desktop Linux installers already ask for language, timezone and keyboard layout. Adding a mandatory age prompt would complicate automated image builds, container deployments, and headless IoT devices that rely on minimal install scripts.
The amendment’s technical scope
AB 1856 does not repeal AB 1043; it narrows the definition of operating‑system provider to exclude software distributed under copy‑modify‑redistribute licenses. The bill still applies to:
- Proprietary mobile platforms such as Apple iOS and Google Android.
- Hybrid systems that bundle a Linux kernel with a closed‑source app store—e.g., SteamOS (Valve’s gaming platform) because the distribution includes the proprietary Steam client.
- Enterprise‑focused Linux variants that are shipped under commercial contracts with restrictive licensing (e.g., Red Hat Enterprise Linux when delivered as a subscription service).
The amendment also clarifies that “operating‑system provider” refers to the entity that controls the distribution channel, not the upstream kernel maintainers. This nuance preserves the regulator’s ability to target commercial Linux distributions that sell pre‑installed hardware with a locked‑down software stack.
Market implications
| Segment | Expected impact | Reasoning |
|---|---|---|
| Consumer Linux desktops | Minimal – users continue to receive a privacy‑first install experience. | Exemption removes the compliance cost of adding age prompts. |
| Linux‑based IoT devices | Positive – manufacturers can keep firmware images small and avoid extra UI steps. | Age‑verification would have required additional storage and UI code, raising bill of materials. |
| Commercial Linux vendors (RHEL, SUSE) | Potentially subject to the original DAAA if they ship with a managed app ecosystem. | Their licensing model does not meet the “copy‑modify‑redistribute” exemption. |
| Gaming platforms (SteamOS, Valve) | Likely still in scope because of the proprietary Steam client. | The law targets OSes that expose a proprietary storefront, not the kernel alone. |
For hardware OEMs that ship Linux‑based laptops or tablets, the amendment removes a compliance deadline that was slated for January 1 2027. Companies can now focus on other regulatory timelines—such as the EU’s Digital Services Act—instead of redesigning their onboarding flows.
What’s next for the bill?
- Committee review – The amendment is slated for a hearing before the Assembly Committee on Privacy and Consumer Protection in early June 2026.
- Stakeholder testimony – Representatives from the Linux Foundation, EFF, and several major distro projects have submitted written comments.
- Potential further tweaks – Lawmakers may add language to address “managed Linux services” (e.g., cloud‑hosted desktop environments) that blur the line between open‑source and SaaS.
If AB 1856 clears the committee, it will move to a third reading in the Assembly before crossing the Senate. Assuming a smooth path, the exemption could be codified well before the original compliance date, giving the open‑source community a clear regulatory horizon.
Key takeaways
- California is amending its age‑verification law to exclude open‑source OSes that allow free copying, modification and redistribution.
- The change protects the majority of Linux distributions from a mandatory age‑prompt at device setup.
- Proprietary platforms and hybrid Linux systems with closed‑source storefronts remain in scope, preserving the regulator’s original intent to protect minors on mainstream consumer devices.
For a deeper dive into the bill’s language, see the official Assembly text here.
Comments
Please log in or register to join the discussion