California’s new Digital Age Assurance Act requires operating systems to collect user age during device setup, triggering privacy concerns and technical challenges for open-source OS developers.
California’s Digital Age Assurance Act (AB 1043) is raising concerns across the open-source ecosystem by requiring operating systems to collect user age during device setup. The law, scheduled to take effect on 1 January 2027, mandates that operating systems request a user’s age or date of birth when a device is first configured. The declared age would then be used to filter app-store content and could be shared with developers on request to enable age-appropriate experiences.
Analysts say the OS-level requirement could conflict with the design philosophy of many open-source operating systems, including Linux distributions that prioritise privacy and minimal data collection. Developers are now debating how to comply without undermining those principles.
At Fedora Project, project leader Jef Spaleta suggested a possible workaround.
“this might be as simple as extending how we currently map uid to usernames and group membership and having a new file in /etc/ that keeps up with age.”
He added: “it might be as simple as that and we extend the administrative cli and gui tools to populate that file as part of account creation. That might be simplest and it solves the problem for the full ecosystem of Linux OSes. Then applications just have to start choosing to look at the file.”
Spaleta also suggested the information could be accessed through a D-Bus service.
Meanwhile, developers behind the open-source calculator operating system DB48X have opted against compliance. Their legal notice states: “DB48X is probably an operating system under these laws. However, it does not, cannot and will not implement age verification.”
Developers of the Linux distribution Ubuntu are still evaluating the legal implications and consulting lawyers before deciding their response.
Similar legislation is also emerging elsewhere. Colorado’s SB26-051 proposes comparable requirements that could take effect on 1 January 2028. The bills include civil fines of $2,500 for unintentional breaches and $7,500 for intentional violations, though critics question how enforcement would work for open or custom operating systems.
Critics also note that the law does not clearly specify the strength of verification required. If the system relies only on self-declared data, Spaleta noted that “a simple dropdown interface may suffice,” suggesting the mechanism could effectively function on an honour system.
Privacy advocates, open source developers and researchers warn that OS-level age data requirements could introduce surveillance-like mechanisms into digital infrastructure. They also caution that such legislation may set a precedent for regulating open source operating systems through mandatory system-level compliance mechanisms.
