Age Verification Has Been Climbing the Tech Stack and It Just Reached Your OS

Governments have been moving age checks up the internet's infrastructure layer by layer for years. Each step came with the same justification and the same promise: this will protect children. Each step also left behind a little more surveillance architecture than the one before it.

The latest step is the most consequential. California has signed a law requiring every operating system to collect your age at device setup and pipe it to app developers on demand, with Colorado drafting a near-identical version. A proposed amendment carves out Linux and other open-source systems, which sounds like progress until you consider that the vast majority of people on earth don't run Linux. For everyone else, the infrastructure is being built into the device itself, and it won't disappear when the political moment passes.

Key Takeaways

• California's Digital Age Assurance Act (AB 1043), signed in October 2025 and effective January 2027, requires every OS to collect user age at setup and pipe it to any app developer who requests it via a real-time API.
• Colorado's SB26-051 mirrors the structure and would take effect January 2028, confirming this is a spreading model rather than a one-state experiment.
• A proposed amendment (AB 1856) would exempt open-source Linux distributions from AB 1043's scope but leave Windows, macOS, Android, and iOS fully subject to the law.
• The verification is entirely self-reported with no identity check, meaning children can bypass it by typing any birth year they want.
• The Electronic Frontier Foundation warns that these laws create a censorship trap, effectively outsourcing content restriction decisions to developers who will over-restrict to avoid liability.

How Age Checks Climbed From Adult Sites to Your Desktop

Age verification as a regulatory tool didn't start with operating systems. It started much further down the stack, with adult content websites facing state-level ID check requirements in the US from around 2022 onward, with the UK pushing its own version shortly after.

Those laws were contentious, often unconstitutional, and routinely blocked by courts. Yet legislators kept writing them, and by the end of 2025, half of US states had already enacted some form of age verification mandate for adult content or social media platforms, with nine state laws taking effect in that year alone.

The next move was to apps and app stores. Meta lobbied hard in Europe for verification to be handled at the operating system or app store level rather than by individual platforms, framing it as shared responsibility and, as usual, shifting the blame away from itself. The argument had a certain surface logic: if the device already knows your age, why make every app ask separately?

However, the main issue is that the surface is as far as most lawmakers are willing to look when enacting these laws, and naturally, California took that logic to its conclusion. Assembly Bill 1043, the Digital Age Assurance Act, was signed by Governor Newsom in October 2025. It doesn't ask social media platforms or adult websites to verify your age. It asks your operating system to do it, at account setup, before you've installed a single app.

That's not a marginal extension of the existing approach but a complete structural shift, and it's the one that's actually hardest to walk back once it's in place. At this pace, using most of 21st-century technologies might soon no longer be possible without completely giving up your digital privacy.

What These Laws Actually Require From Your Device

Under AB 1043, every operating system provider must collect a user's age or date of birth during account creation and then maintain a live API that any eligible app developer can query in real time. The signal they receive places you in one of four brackets: under 13, 13 to 15, 16 to 17, or 18 and older.

The law covers everything: Windows, macOS, Android, iOS, SteamOS, Linux distributions, and any project that qualifies as an OS under California's deliberately broad definition. No photo ID is required at any point. Users simply self-report their birth year, which means a thirteen-year-old can type 1990, and the system has no mechanism to challenge it.

What the law does create, though, is infrastructure. From the moment an OS is set up, it maintains a data pipeline broadcasting your age bracket to every developer who asks, indefinitely.

Colorado's SB26-051, which passed the state Senate 28 to 7 in March 2026 and mirrors the California structure almost exactly, would impose the same requirements effective January 2028. The penalty scale runs from $2,500 per minor for negligent violations to $7,500 per minor for intentional ones, with enforcement via the state attorney general.

Because the age-bracket signal gives developers statutory knowledge of a user's age, receiving a "minor" signal creates liability exposure under other laws like California's Age-Appropriate Design Code. Developers facing that exposure won't make careful distinctions between content that's fine for minors and content that isn't. They'll restrict everything they're uncertain about, and minors have First Amendment rights to access the vast majority of apps and services. Yet, I'd say the most uncomfortable part is that the law creates this dynamic by design and then calls it child protection.

The Linux Carve-Out That Doesn't Fix the Problem

The backlash to AB 1043 from the open-source community was immediate and, by some measures, effective. Developers from Fedora, Ubuntu, and MidnightBSD raised concerns about how a decentralized, volunteer-maintained project could possibly operate a real-time age API. MidnightBSD modified its license to exclude California residents from desktop use entirely.

GrapheneOS publicly refused to comply under any circumstances, stating it would remain usable worldwide without requiring personal information and would accept being banned rather than implementing age checks.

The pressure worked in the narrowest sense. Assembly Bill 1856, introduced by Assembly Member Buffy Wicks on February 11, 2026, the same lawmaker who wrote AB 1043, proposes to amend the original law by excluding any OS distributed under a license permitting users to copy, redistribute, and modify the software. The latest version is dated May 18, 2026, and as of May 19, it was ordered to a third reading.

If it passes, Debian, Fedora, Ubuntu, Arch Linux, and FreeBSD would likely be exempt. And yet, AB 1856 doesn't repeal the Digital Age Assurance Act. It narrows who counts as an "operating system provider." Linux-based platforms tied to proprietary app stores, SteamOS being the clearest example, may still face compliance questions.

Windows, macOS, Android, and iOS remain fully subject to the original law. Those four platforms account for the overwhelming majority of devices in use worldwide. The carve-out spares the developers who revolted loudly enough and leaves everyone else enrolled in the age-bracket API they never asked for.

The Infrastructure Outlasts the Politicians Who Built It

The real problem with these laws isn't that they're ineffective at protecting children, even though they most certainly are. No serious evidence exists that any age verification regime has meaningfully reduced minors' access to restricted content. Kids route around age checks within days, using a parent's device, a borrowed account, and anything else they can think of, including drawn-on mustaches, which, apparently, is enough to fool these systems.

The problem is what these laws build and leave behind: A permanent infrastructure, OS-level API broadcasting your age bracket to any developer who requests it, sitting inside the software that runs your device, waiting to be expanded. 

Laws framed around protecting children have consistently produced censorship infrastructure rather than protection, with developers over-restricting to avoid liability and users losing access to content they have every right to see. The shared-device problem alone illustrates how poorly thought-out the architecture is. In households where multiple people use the same computer, the age signal reflects whoever created the OS account, not whoever is actually at the keyboard.

AB 1043 and SB26-051 have this flaw baked in structurally. There is no account for shared use, no mechanism for correction, and no sunset provision on the data pipeline once it exists. One future amendment to either law, and the bracket API that currently outputs four categories can output something else entirely.

Legislators will move on to the next child safety bill. The API they've mandated into your operating system won't. Every device running Windows, macOS, Android, or iOS will maintain a live age-bracket signal from the moment of setup, available to any developer who requests it, with no expiration date and no mechanism for users to opt out. The question worth asking now, before the infrastructure is fully in place, is who gets to decide what it's used for next. 

And sure, it might seem like nothing right now. After all, it’s not like self-reporting your birth date will change much in your day-to-day experience, at least for now. But this opens doors that surely won’t be left unopened, and before you know it, you won’t be able to pass through your PC's login screen without scanning your government ID or your face. That’s quite a bit worse, isn’t it?