California’s new law forces operating systems, including community-run Linux distributions, to collect and share user age data, pushing open-source platforms into compliance burdens traditionally faced by Big Tech.
California has passed the Digital Age Assurance Act (Assembly Bill 1043), the first US law to directly regulate operating system behaviour, requiring OS providers to collect users’ age at account creation and share that data with app developers through a real-time API.
Under the statute, users must be placed into four brackets — under 13, 13–15, 16–17, or 18+. When an app requests it, the OS must transmit the relevant bracket. Once received, developers are deemed to have “actual knowledge” of age, exposing them to legal liability.
Enforced by the state Attorney General, penalties reach $2,500 per child for negligent violations and $7,500 for intentional breaches. The law takes effect on January 1, 2027. Governor Gavin Newsom signed it in October 2025.
The definition of “operating system provider” is sweeping. Commercial platforms such as Windows, macOS, Android, and iOS are covered — but so are open-source systems including Ubuntu, Debian, Arch Linux, Gentoo, and SteamOS from Valve.
That inclusion creates friction for decentralised Linux projects, many of which lack central accounts, rely on global mirrors, and operate without legal or compliance teams. Building mandatory age-verification APIs could force account centralisation, raise engineering costs, and deter volunteer maintainers. Some may even consider geo-restrictions for California users.
Although age reporting is self-declared and avoids ID checks, the measure signals a broader shift: open-source operating systems may now face the same regulatory obligations as Big Tech, reshaping how community software handles identity and accountability.
