California’s Age Verification Law: What Businesses Must Prepare For

California lawmakers are walking back part of a controversial age-verification bill that would have forced Linux distributions to collect users’ birth dates. A new amendment, Assembly Bill 1856, would exempt most open-source operating systems from the Digital Age Assurance Act before it takes effect on January 1, 2027. The change does not repeal the original law. Commercial platforms with proprietary app stores, including SteamOS, may still be on the hook.

Why It Matters

Age verification at the operating system level is a sharp departure from how the internet has handled age gating for the past two decades. Until now, the burden has sat on individual websites and apps to check that visitors are old enough for adult content, alcohol marketing, or financial services. California’s Digital Age Assurance Act, passed as Assembly Bill 1043 in late 2025, shifts that burden down the stack to the OS itself. Every device would ship age data to every app via a standardized signal.

For business owners, that signal becomes a new input. If you run an app, sell through an app store, or operate a content platform that serves users in California, your product will receive an “age bracket signal” from compliant operating systems starting in 2027. The brackets defined in the law are under 13, 13 to 15, 16 to 17, and 18 plus. What you do with that signal, and what the law requires you to do with it, will be a compliance question your developers cannot wave away.

What’s New / How It Works

Assembly Bill 1856, introduced by California Assembly Member Buffy Wicks on February 11, 2026, narrows the definition of “operating system provider” in the original law. The relevant carve-out language is direct:

“Operating system provider” does not mean a person or entity that distributes an operating system or application under license terms that permit a recipient to copy, redistribute, and modify the software.

In plain English: if the OS is free and open source, the maintainer of that OS is not responsible for collecting age data. That covers Debian, Fedora, Ubuntu, Arch Linux, Mint, and similar mainstream distributions. The people who keep those projects running, often unpaid volunteers, will not be conscripted into an age-assurance pipeline they were never built to run.

The amendment landed after months of pushback from the Electronic Frontier Foundation, privacy advocates, and Linux developers, who pointed out that infinitely forkable software cannot be meaningfully forced into centralized identity verification. You can find the current status of the bill in California’s legislative information system.

California’s age verification law was not killed; it was narrowed. If you sell through a commercial app store, the 2027 deadline still has your name on it.

The Numbers

The legislative timeline so far:

  • AB 1043 (original law): passed late 2025, effective January 1, 2027
  • Age brackets defined: under 13, 13 to 15, 16 to 17, and 18 plus
  • AB 1856 (amendment): introduced February 11, 2026 by Assembly Member Buffy Wicks
  • Latest revision date: May 18, 2026
  • Status as of May 19, 2026: read a second time, ordered to third reading
  • Effective date if passed: January 1, 2027, alongside the original law

The carve-out hinges on a single license-language test. To qualify for the exemption, an operating system must be distributed under terms that permit users to:

“copy, redistribute, and modify the software.”

That phrase, lifted verbatim from the proposed amendment, mirrors the language used in standard open-source licenses like the GPL, MIT, and Apache.

What Comes Next

AB 1856 still has to clear committee reviews in June and pass a third reading before it reaches the governor. Even if it passes cleanly, the law that remains will still impose age-assurance duties on commercial operating system vendors. Apple, Google, and Microsoft are the obvious targets. Valve’s SteamOS sits in a gray zone: the base operating system is Linux-derived and open source, but the bundled Steam storefront is proprietary. Whether that hybrid model gets treated like iOS or like Debian is the kind of question lawyers will be working through in 2027.

For businesses, the practical question is what happens to the apps and websites that receive these age signals. The original law does not specify what an app must do with the bracket data, but downstream regulation, advertising rules, and platform policies will likely use the signal as an enforcement input. App stores will probably require apps to acknowledge it. Ad networks will start filtering inventory by it. Content platforms will face pressure to gate based on it.

What This Means for You

If you sell or market anything online to consumers in California, the Digital Age Assurance Act will reach your product eventually, regardless of what AB 1856 does to Linux. The fix is not to ignore the policy fight; it is to make sure your business is ready to receive, store, and act on age signals correctly when devices start sending them in 2027.

Three concrete moves for the next six months:

  1. Audit how customers find and contact you across platforms. AI assistants and app ecosystems are already deciding which businesses to surface based on data signals you may not control. Start with a business listings audit so you know what data the broader ecosystem actually has about you.
  2. Check whether your business is even visible to AI search. Age-signal compliance is going to flow through AI overviews and assistant answers the same way it flows through app stores. If your business is not surfacing in those answers today, regulatory changes will only make the gap wider. Our writeup on why your business is invisible to AI walks through the diagnostic.
  3. Score your AI contactability. When an AI agent or compliant OS tries to verify your business identity, hours, age-appropriate audience, or service area, it needs structured data to read. Run your AI contactability check and fix the gaps before the 2027 enforcement window opens.

If you have not yet claimed your business listing, do that first. Everything else downstream depends on it. For owners who want always-on monitoring rather than quarterly check-ins, our breakdown of Manus Cloud Computer covers how to set up agents that watch your listings, reviews, and online presence for compliance and visibility changes.

The Bigger Picture

California rarely legislates alone. The Digital Age Assurance Act will set a template that other states copy, and the Linux exemption is a useful preview of how the political pressure points work. Open-source software won a carve-out because its maintainers had a clear, principled story: you cannot regulate something that is not centrally controlled. Commercial platforms did not win that carve-out, and businesses that sell on those platforms inherit the rules. The smart play is to assume age signals are coming, get your data house in order, and make sure your business is visible and contactable in the AI-driven discovery layer that will interpret those signals on your behalf.

Frequently Asked Questions

What is California’s Digital Age Assurance Act?
The Digital Age Assurance Act, passed as Assembly Bill 1043 in late 2025, requires operating systems to collect user age information during device setup and expose an age bracket signal to apps and app stores. The brackets are under 13, 13 to 15, 16 to 17, and 18 plus. The law takes effect January 1, 2027. It shifts responsibility for age verification from individual websites and apps down to the operating system level, creating a standardized signal that downstream services can use to gate content, advertising, and features for younger users.

What does AB 1856 change?
Assembly Bill 1856, introduced by Assembly Member Buffy Wicks on February 11, 2026, narrows the definition of operating system provider in the original law. It excludes any OS distributed under a license that permits users to copy, redistribute, and modify the software. That language mirrors standard open-source licenses, which means Debian, Fedora, Ubuntu, Arch Linux, Mint, and similar Linux distributions would be exempt from the collection and reporting requirements. The amendment does not repeal AB 1043. It only changes who has to comply.

Does the law apply to SteamOS?
Possibly. SteamOS is built on Linux and is open source at the base layer, but it ships with Valve’s proprietary Steam storefront and client. That hybrid setup may place SteamOS closer to Apple’s App Store or Google Play from a regulatory standpoint than to a community-run distribution. AB 1856 does not explicitly clarify the answer for hybrid platforms. Until California issues guidance or a court rules on a test case, open-source platforms with proprietary app ecosystems remain in a gray zone and should plan for compliance.

When does the California age verification law take effect?
The Digital Age Assurance Act is scheduled to take effect on January 1, 2027. AB 1856, the open-source amendment, would take effect on the same date if it passes. Businesses operating apps, app stores, or content platforms that serve California users should expect to receive age bracket signals from compliant operating systems starting that day. Use the time between now and the effective date to audit what your platform does with age data and what compliance posture your industry is likely to settle on.

How can my business prepare for age-signal compliance?
Start by mapping every customer touchpoint that involves a mobile or desktop app, an app store listing, or a content gate. Each one is a potential consumer of the OS-level age signal. Talk to your developers about the technical handshake your app will need to perform when it receives age bracket data. Review your data retention policies, since storing collected age information triggers privacy obligations under California law. Audit your business listings and AI contactability so your business surfaces correctly in the discovery layer that filters by age-appropriate audience.

Will other states copy California’s age verification law?
Almost certainly. California consumer protection rules tend to set the national template because most major platforms cannot afford to ship one product in California and another everywhere else. State legislatures in Texas, New York, Utah, and several others have already debated similar age-verification proposals. If California’s framework survives the inevitable First Amendment challenges, expect copycat bills in 2027 and 2028. The Linux exemption introduced by AB 1856 is also likely to be copied by other states facing the same open-source pushback.

What is the Electronic Frontier Foundation’s position on the law?
The Electronic Frontier Foundation has criticized California’s Digital Age Assurance Act as invasive. EFF and other privacy advocates warned that operating-system-level age collection could create infrastructure for broader identity tracking online, even if the immediate purpose is age verification. Once an OS is collecting and sharing age data with apps, the same channel could be repurposed to share other identity attributes. The Linux exemption in AB 1856 partially addresses one concern, but EFF and other groups continue to push back on the broader framework.
