California is considering an amendment to its Digital Age Assurance Act that would exempt open source operating systems like Linux from mandatory age verification requirements, potentially reducing compliance burdens for open source developers while still aiming to protect minors online.
California's Digital Age Assurance Act (AB 1043), signed into law by Governor Gavin Newsom in October 2025, established comprehensive age verification requirements for operating system providers, covered app stores, and application developers. The legislation, authored by Assemblymember Buffy Wicks (D-Oakland) and Senator Tom Umberg (D-Santa Ana), mandates that operating system providers must implement "an accessible interface at account setup" for users to indicate their birth date or age. The law aims to protect children from online risks including cyberbullying, sextortion, and mental health harms, with an effective date of January 1, 2027.
Following enactment, concerns emerged regarding the potential impact on open source software development and distribution. In response, Assemblymember Wicks introduced AB 1856 in February 2026 as an amendment to the original legislation. The most recent version of this amendment, published on May 18, 2026, includes significant language creating a carve-out for open source projects:
"(2) 'Operating system provider' does not mean a person or entity that distributes an operating system or application under license terms that permit a recipient to copy, redistribute, and modify the software."
This proposed exemption would effectively relieve open source operating systems like Linux and FreeBSD from implementing age verification requirements during installation and launch. The exemption is designed to accommodate the collaborative nature of open source development, where software is distributed under licenses that typically permit unlimited copying, redistribution, and modification.
The implications of this exemption extend to various stakeholders in the open source ecosystem. For community-driven projects like Linux distributions, this could eliminate the need to develop and maintain age verification systems that might conflict with the open source philosophy of accessibility and freedom. However, questions remain about how this exemption would apply to hybrid models, such as companies like Valve that distribute proprietary software alongside open source components in their Linux-based SteamOS.
The legislative response reflects recognition of the unique characteristics of open source software development. Carl Richell, founder and CEO of Linux laptop maker System76, noted that Colorado's similar age verification legislation already includes exemptions for open source operating systems, applications, code repositories, and containers, suggesting a growing trend toward accommodating open source models in regulatory frameworks.
The broader context of age verification legislation reveals a complex regulatory landscape. At least 25 states have already enacted age verification laws, with West Virginia's law scheduled to take effect in the near future and Colorado's bill awaiting gubernatorial approval. This patchwork of state requirements creates compliance challenges for software providers operating across multiple jurisdictions.
Critics of AB 1043, including the Electronic Frontier Foundation, have raised concerns about outsourcing censorship to app developers and the potential negative impacts on free expression, digital liberties, and privacy. The advocacy group argues that such rules "entrench the dominance of major operating system developers and device makers" while creating barriers for smaller developers and open source projects.
Economic analyses suggest significant potential costs associated with age verification systems. In a paper released earlier this month, George S. Ford, chief economist of the Phoenix Center for Advanced Legal and Economic Public Policy Studies, expressed skepticism about the utility and cost-effectiveness of these laws. Ford noted that "motivated teenagers – who already use VPNs to bypass school filters – can easily circumvent age restrictions" while potentially impinging upon First Amendment rights through undue burdens on speech.
The practical implementation of age verification requirements raises additional concerns about user experience and privacy. Santa Clara University law professor Eric Goldman has examined the impact of age verification on website traffic, noting "balk rates" or refusal rates that can reach as high as 99% for some sites. While courts may not treat high balk rates as constitutionally significant, the centralized authentication required by these laws creates opportunities for concentration in the verification services market.
The Age Verification Providers Association estimated in 2021 that annual revenues from selling age verification services to OECD countries would reach approximately $11.4 billion within 10-15 years, a projection made before the current wave of US state legislation. This commercial potential has led some to warn that "a small number of entities are poised to extract monopoly rents by taking a cut of this government mandated process."
For organizations developing software distributed in California, the potential exemption for open source projects represents an important development. While the final wording of AB 1856 remains subject to legislative approval, the direction suggests a recognition of the need to balance regulatory objectives with the realities of software development models. Compliance professionals should monitor the progress of this amendment and prepare for implementation of the original requirements while noting potential carve-outs for open source components.
The legislative process continues with AB 1856 requiring further approval before it can be enacted. Organizations with interests in the California software market should stay informed about developments in this legislation and consider how potential exemptions might affect their compliance strategies.
Comments
Please log in or register to join the discussion