California's Digital Age Assurance Act: Implications for Free and Open Source Software

Tech Essays Reporter

A comprehensive analysis of how California's Digital Age Assurance Act (AB-1043) potentially applies to FOSS distributions, repositories, and developers, examining coverage definitions, statutory exceptions, and practical compliance challenges.

Introduction

The California Digital Age Assurance Act (AB-1043) represents a significant legislative effort to protect minors online, but its broad language creates substantial uncertainty for the Free and Open Source Software (FOSS) ecosystem. This analysis examines how the Act's definitions and requirements might apply to FOSS distributions, package repositories, and developers, highlighting the practical challenges of compliance.

Coverage Analysis

Traditional Distributions as Operating System Providers

The Act defines an "operating system provider" as "a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device" (Section 1798.500(g)).

Traditional FOSS distributions clearly fit within this definition:

  • Development: Distributions create releases, select official packages, set defaults, and publish installation media
  • Control: They maintain package repositories, manage updates, and determine system behavior
  • No commercial requirement: The statute contains no language limiting coverage to commercial entities

This broad definition encompasses community-run, nonprofit, and commercial distributions alike, without discrimination based on business model or distribution method.

Package Repositories as Covered Application Stores

The definition of "covered application store" (Section 1798.500(e)(1)) describes "a publicly available internet website, software application, online service, or platform that distributes and facilitates the download of applications from third-party developers to users."

Package repositories satisfy these criteria:

  • Public availability: Most repositories are openly accessible
  • Distribution platform: They serve as online services distributing software
  • Third-party applications: They host applications from external developers
  • Facilitation of download: Repository metadata and package managers enable installation

The statute's narrow exception for software that "run[s] exclusively within a separate host application" (Section 1798.500(e)(2)) doesn't meaningfully exclude traditional repositories, as they distribute diverse software beyond browser extensions or similar hosted applications.

FOSS Developers as Statutory Developers

The Act defines "developer" as "a person that owns, maintains, or controls an application" (Section 1798.500(f)).

FOSS maintainers clearly qualify under the "maintains" prong:

  • Ongoing maintenance: Reviewing changes, triaging issues, fixing bugs, tagging releases
  • No ownership requirement: The statute doesn't limit "maintains" to exclusive code owners
  • Control considerations: Even without binary distribution, maintainers exercise control through source code governance

However, occasional contributors who submit isolated patches likely fall outside this definition, as "maintains" implies more than sporadic contribution.

Statutory Exceptions and Their Limitations

Several exceptions exist but don't clearly exclude FOSS distributions:

  • Section 1798.504(f): Excludes broadband services, telecommunications services, and physical product delivery
  • Section 1798.504(g): Limits liability for device/application use by non-account holders

These carve-outs address specific commercial contexts rather than the general-purpose software distribution activities of FOSS projects.

Practical Compliance Challenges

Account Setup Interface Requirements

Section 1798.501(a)(1) mandates that operating system providers offer an accessible interface at account setup requiring age indication. This presents multiple challenges:

  • No universal account setup: FOSS systems support diverse account creation methods (pre-installation, during installation, post-installation, command-line)
  • Administrative control: System administrators, not end users, often create accounts
  • Alternative architectures: Some systems may lack traditional user concepts entirely

The statute assumes a singular "account setup" event that doesn't align with FOSS flexibility.

Age Signal Accuracy

Section 1798.500(i) defines the relevant user as "the child who is the primary user of the device," creating potential conflicts:

  • Multi-user systems: Adult administrators may create accounts for child users
  • Application context: Applications receive age signals regardless of which user account runs them
  • Primary user ambiguity: Determining the "primary user" on shared or multi-user systems proves difficult

Conclusion

The Digital Age Assurance Act's broad definitions plausibly encompass FOSS distributions, repositories, and developers. While statutory exceptions exist, they don't clearly exclude ordinary FOSS activities. More critically, the Act's compliance requirements assume centralized control and standardized user interfaces that conflict with FOSS principles of user freedom and system flexibility.

FOSS projects face significant challenges in determining their obligations under this statute and implementing compliant solutions without compromising their core values. The tension between legislative intent to protect minors and FOSS principles of user control and system openness remains unresolved, suggesting potential conflicts between California's regulatory framework and the global FOSS ecosystem.
