US state laws push age checks into the operating system

New US state laws are forcing operating system vendors to implement age verification systems, creating significant compliance challenges for open-source software providers while raising serious privacy concerns.

The Legislative Push

California's Assembly Bill No. 1043, approved last October, takes effect January 1, 2027. The law requires operating system providers to implement an accessible interface during account setup that collects users' birth dates or ages. The OS must then share this information with app stores in a manner that avoids anti-competitive practices.

Colorado's Senate Bill 26-051 goes further, mandating that OS vendors collect age brackets and notify app stores when users are underage. The penalties are steep: $2,500 for negligent violations and $7,500 for intentional ones. New York's Senate Bill S8102A extends requirements even further, demanding age verification from all internet-enabled device manufacturers and requiring sharing of age data with websites, online services, and mobile applications.

Why This Matters for FOSS

While commercial operating systems like Windows and macOS already require online accounts and payment methods, these requirements pose unique challenges for free and open-source software. Many FOSS distributions don't have centralized account systems, app stores, or even user account management in the traditional sense.

Some projects are already taking drastic measures. FreeBSD distribution MidnightBSD has added a clause to its license banning California residents from using the desktop version starting January 1, 2027. The DB48X scientific calculator app has implemented similar geographic restrictions, blocking California users next year and Colorado users in 2028.

Industry Response

Major FOSS vendors are scrambling to understand their obligations. Canonical's VP of Engineering, Jon Seager, confirmed the company's legal team is examining the implications. The Fedora Project and Linux Mint forums are actively discussing potential responses, though concrete solutions remain elusive.

Even projects with minimal user data collection are affected. The FreeDOS Project, which doesn't maintain user accounts or include web browsers, finds itself discussing compliance despite having limited ability to implement age verification mechanisms.

Broader Implications

This isn't just a US issue. The European Union has guidelines for protecting minors that could have similar wide-ranging effects. The laws raise fundamental questions about privacy, data collection, and the role of operating systems in enforcing age restrictions.

System76 CEO Carl Richell has published one of the more nuanced analyses, arguing that the bills are poorly specified and won't achieve their intended goals since children will easily circumvent the verification systems. His company is evaluating its response while advocating for clearer, more practical legislation.

The Privacy Paradox

The irony isn't lost on industry observers: these laws mandate exactly the kind of data collection that privacy advocates have long warned against. Users must now provide sensitive personal information to their operating systems, which will then share it with third parties.

As one industry veteran noted, watching commercial operating systems throw errors when payment methods can't be provided highlights the absurdity of the situation. The laws create a world where even basic OS functionality depends on sharing personal data with corporate entities.

Looking Forward

With implementation deadlines approaching, FOSS communities face difficult choices. Some may choose geographic restrictions, others might implement minimal compliance mechanisms, and some could potentially abandon certain markets entirely.

The situation underscores a growing tension between regulatory intentions and technical realities. As governments push for greater online safety measures, they're forcing fundamental changes to how software operates and what data it collects. For the FOSS world, which has long prided itself on user privacy and minimal data collection, these laws represent a significant philosophical and practical challenge.

The coming months will reveal how the open-source community adapts to this new regulatory landscape, and whether these age verification requirements actually achieve their stated goals of protecting minors online.