Age Verification Laws and the Open-Source World

Table of contents:

What the Laws Actually Say

The Open-Source Community in the Crosshairs

Decentralised App Ecosystems: Flathub, Snap Store, AppImages, and Package Managers

A Global Patchwork Taking Shape

Conclusion

There is a quiet legislative revolution unfolding in the world of software, and most of it has slipped past the open-source community almost entirely without warning. From the sun-drenched offices of California's state legislature to the mountain-state capital of Denver, Colorado, a new generation of digital child-safety laws is being written — and whether you run a one-person BSD hobby project, maintain a corporate Ubuntu fleet, or simply distribute AppImages from a personal server, these laws may well apply to you.


What the Laws Actually Say

On 13 October 2025, California Governor Gavin Newsom signed Assembly Bill 1043 — the Digital Age Assurance Act — into law, introducing a device-based age verification system designed to create safer digital environments for children under 18, with the Act taking effect on 1 January 2027.

The core mechanism is elegant in theory, if thorny in practice. Rather than requiring every website or application to run its own identity checks, AB 1043 seeks to fill an infrastructure gap by establishing a secure signalling framework at the device and application store level. This framework allows developers to receive a tamper-resistant digital signal reflecting a user's age bracket — without requiring the collection of personal data or documents — and to treat that signal as the authoritative indicator of a user's age.

The law's broad definition of an "operating system provider" — anyone who "develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device" — pulls in not just Windows, macOS, Android, and iOS, but Linux distributions and Valve's SteamOS. According to the Act, OS providers must maintain a "reasonably consistent real-time application programming interface" that categorises users into four age brackets — under 13, 13 to under 16, 16 to under 18, and 18 or older — and hand that signal to any developer who requests it when their app is downloaded or launched.

Crucially, the law does not require photo ID uploads or facial recognition, with users instead simply self-reporting their age — a detail that has drawn considerable scepticism. Penalties are real, however: a violation of the Act can result in an injunction or a civil penalty of up to $2,500 per affected child for each negligent violation or up to $7,500 per affected child for each intentional violation, with the California Attorney General holding the exclusive authority to bring claims.

California's law takes a markedly different approach from the content-focused laws passed by Louisiana, Texas, and Utah. Unlike those states' laws, AB 1043 creates a more fundamental, device-level infrastructure and places the collection burden on operating system providers rather than app stores. Developers who receive the age signal are deemed to have actual knowledge of users' age range — and this knowledge can trigger additional obligations under other laws, such as CCPA and COPPA, including restrictions on targeted advertising and requirements for enhanced data protection measures.

Colorado is following close behind. Senate Bill 26-051, "Age Attestation on Computing Devices," was introduced by Democratic Senator Matt Ball and Representative Amy Paschal, calling for operating system providers — including Microsoft, Google, Apple, and Canonical — to present an interface during device account setup that asks the account holder to specify the birth date or age of the device's user. That age data is then translated into an identical four-bracket age signal, queryable by applications via an API. The bill passed the Colorado Senate 28–7 on 3 March 2026 and is now heading to the House, with an effective date of 1 January 2028 if signed into law.

The emerging legislative picture is broader still. Comparable bills are being debated in various other US states, including Illinois Senate Bill 3977, Louisiana House Bill 570, Texas SB 2420, and Utah SB 142. Brazil's similar Law Number 15.211/2025, known as the "Brazilian Statute for the Protection of Children and Adolescents Online," was passed in September 2025. This is no longer a California curiosity — it is an accelerating global trend.


The Open-Source Community in the Crosshairs

Here is where things get genuinely complicated for the free and open-source software world, at every level from individual hobbyist to large enterprise.

The definition of "operating system provider" is sweeping. Commercial platforms such as Windows, macOS, Android, and iOS are covered — but so are open-source systems including Ubuntu, Debian, Arch Linux, Gentoo, and SteamOS from Valve. That inclusion creates friction for decentralised Linux projects, many of which lack central accounts, rely on global mirrors, and operate without legal or compliance teams.

For large, commercially-backed distributions, the path — while challenging — at least has a starting point. Ubuntu developer Aaron Rainbolt proposed on the Ubuntu mailing list an optional D-Bus interface (org.freedesktop.AgeVerification1) that can be implemented by arbitrary applications as a distro sees fit, but Canonical responded that the company does not yet have a solution to announce for age declaration in Ubuntu. Fedora Project leader Jef Spaleta has suggested that a solution "might be as simple as extending how we currently map uid to usernames and group membership," though that remains an early-stage idea rather than a shipped implementation.

Corporate users running enterprise Linux fleets face a different kind of headache. Sysadmins managing hundreds or thousands of workstations on Debian, RHEL, SUSE, or CentOS derivatives will need to understand whether their managed accounts trigger compliance obligations — not just for California-based employees, but potentially for any user whose software interacts with a California-based application store or developer ecosystem.

For volunteer-run projects, the situation borders on the impossible. Distros like Arch, Gentoo, and Debian have zero centralised user accounts, no revenue, and no legal counsel. Volunteer maintainers now face fines of up to $7,500 per intentional violation, with no carve-out for projects that lack the resources to build compliance infrastructure. The bill's own legislative committee reportedly flagged this as "overbreadth," noting that even a basic alarm clock or calculator app would fall under its scope, with no clear line between regulated and unregulated software. The bill passed anyway.

Independent hardware vendors are not immune either. System76, the Denver-based company behind Pop!_OS and the COSMIC desktop environment, published a notable statement on the matter. CEO Carl Richell argued that the law is fundamentally ineffective: "A parent that creates a non-admin account on a computer, sets the age for a child account they create, and hands the computer over is in no [way guaranteed to protect that child]" — because, as Richell points out, a determined child can simply reinstall the OS or spin up a virtual machine with a different age. Rather than technical or legal remedies, Richell ultimately advocates for educating children about the digital world they inhabit.

Most strikingly, MidnightBSD — a FreeBSD-derived open-source operating system — took what might be the most dramatic stance of any project so far. MidnightBSD modified its licence to exclude residents of California from using the OS for desktop purposes, effective 1 January 2027, describing this as a temporary measure until a better solution emerges. The irony is not lost on observers: MidnightBSD's very name contains a nod to the BSD lineage that traces directly back to the University of California, Berkeley.

There is, however, a glimmer of hope on the legislative front. System76 CEO Carl Richell met with Colorado Senator Matt Ball, co-author of SB26-051, who suggested excluding open-source software from the bill — and Richell indicated this appears to be a real possibility, with amendments also expected for the California bill. Whether those amendments materialise in time to spare the open-source community from compliance burdens remains to be seen.


Decentralised App Ecosystems: Flathub, Snap Store, AppImages, and Package Managers

If the OS-level obligations are complex, the picture for decentralised application distribution is even murkier.

The laws would apply to all distributions, desktop environments, and application hubs like Flathub and the Snap Store, which will have to comply in some way or another. Flathub, the primary distribution hub for Flatpak applications across virtually every major Linux desktop, operates as a volunteer-supported, community-governed project. The Snap Store is operated by Canonical, giving it at least the backing of a commercial entity — but the scope of what counts as a "covered application store" under California law remains legally untested.

The problem runs deeper still when you consider the statutory language. The statute's definition of "application" covers any software running on "a computer, mobile device, or general-purpose computing device that can access a covered application store or download an application." On any Linux box running a package manager — apt, Flatpak, Snap, you name it — that language plausibly sweeps in every package you can pull down, including command-line tools and core OS components.

This raises a question that nobody in the legislature appears to have considered: what does age verification even mean for a command-line tool? A terminal-based text editor, a network diagnostic utility, a system library — none of these have any meaningful relationship with child safety, yet all could theoretically fall within the scope of AB 1043 as currently written.

AppImages present yet another problem. Unlike Flatpak or Snap packages, AppImages are fully self-contained executable bundles that users download directly from a developer's website or repository — with no centralised store in the middle. There is no platform operator to serve as an age signal intermediary, no account-based infrastructure to query, and no single maintainer accountable for enforcement. The self-contained, decentralised nature that makes AppImages attractive to privacy-conscious users and system administrators is precisely what makes age-signal compliance structurally incompatible with how they work.

Desktop and laptop environments remain far more open than mobile ecosystems. There is no single universal app store that governs all software installation — in stark contrast to the vertically integrated mobile platforms where lawmakers found a convenient compliance point. Legislators appear to have designed these laws with the App Store and Google Play in mind, then applied the language broadly enough to ensnare an entirely different ecosystem that was never consulted.

BSD distributions — including FreeBSD, OpenBSD, NetBSD, DragonFly BSD, and their derivatives — face analogous challenges to their Linux counterparts, with the additional complication that many are used in server, networking, and embedded contexts where a "primary user" age, as the law contemplates, is a conceptually meaningless notion. A firewall appliance running pfSense or OPNsense does not have a human user whose age bracket is relevant to any application download.


A Global Patchwork Taking Shape

The US state-level laws do not exist in isolation. They are one part of a genuinely global regulatory movement, and open-source users and maintainers around the world should be paying attention regardless of where they are based — because the software they use, distribute, or develop may interact with ecosystems subject to these rules.

In the European Union, the Digital Services Act became fully applicable on 17 February 2024, and for services exposing minors to higher risk categories, expectations around mitigation and systemic risk handling are no longer theoretical. The European Commission published a blueprint for an age verification solution on 14 July 2025, allowing users to prove they are over 18 without sharing any other personal information, with a second blueprint published on 10 October 2025 offering onboarding using passports and ID cards. This "mini wallet" approach is designed to be interoperable with the forthcoming EU Digital Identity Wallet, due to roll out across member states by the end of 2026.

In the United Kingdom, the Online Safety Act 2023 became fully live as of 25 July 2025, requiring platforms to implement "highly effective" age assurance for access to adult entertainment, self-harm content, and eating disorder content — with Ofcom able to impose fines up to £18 million or 10% of global annual turnover. Unlike California's self-declaration model, the UK's acceptable verification methods include facial scans, photo ID, and credit card checks, making it a considerably more invasive regime.

Australia implemented its ban on under-16s accessing social media in late 2025, and courts in France have ruled that pornography websites must verify users' ages. Canada published a national standard for age assurance — CAN/DGSI 127:2025 — in August 2025, requiring a Child Rights Impact Assessment before any age assurance technology is deployed. Brazil's statute, mentioned above, explicitly requires age verification technology rather than self-declared ages.

The Electronic Frontier Foundation has warned that through this wave of age verification bills, politicians are burdening internet users and forcing them to sacrifice their anonymity, privacy, and security simply to access lawful speech. The EFF's concern is not an abstract one for the open-source world: anonymous and pseudonymous computing matters for journalists, whistleblowers, abuse survivors, and activists in jurisdictions where digital privacy is genuinely a matter of personal safety.

The open-source community has erupted in criticism over risks such as apps inferring exact birth dates or enabling government surveillance — describing it as a profound and dangerous step toward a society in which anonymity in public life becomes a relic of the past. That sentiment is shared across technical communities on multiple continents, and it is growing louder as the compliance deadlines approach.


Conclusion

Age verification laws like California's AB 1043 and Colorado's SB26-051 were written with the walled gardens of commercial mobile app stores in mind. The open-source world — with its thousands of distributions, decentralised package managers, self-hosted repositories, volunteer maintainers, and privacy-first philosophies — was largely an afterthought, if it was thought about at all. The consequences, however, are very real: existential fines for small projects, structural incompatibility for ecosystems like AppImages, and a chilling effect on the kind of decentralised computing that has always been free software's greatest strength.

The most constructive path forward involves the open-source community doing what it should have done before these bills were passed: engaging directly with lawmakers. System76's meetings with Colorado legislators show that advocacy works, and that legislators can be receptive when presented with the technical realities. In the meantime, everyone from solo BSD hobbyists to enterprise Linux architects should be tracking these laws carefully, consulting legal counsel where necessary, and following organisations such as the EFF and the Software Freedom Conservancy for the latest developments. The legislative clock is ticking, and the open-source world has very little time to spare.


Disclaimer

All product names, operating systems, distribution names, trademarks, and registered trademarks mentioned in this article — including but not limited to Linux, Ubuntu, Debian, Fedora, Arch Linux, Gentoo, openSUSE, Pop!_OS, FreeBSD, OpenBSD, NetBSD, MidnightBSD, SteamOS, Flathub, Snap Store, AppImage, Windows, macOS, Android, iOS, and all associated logos — are the property of their respective owners. The Distrowrite Project makes no claim of affiliation with, endorsement by, or sponsorship from any of the organisations or projects named herein. We have made every reasonable effort to ensure the accuracy and factual integrity of the information presented, drawing exclusively from official legislative sources and reputable published reporting; however, this article does not constitute legal advice, and readers should consult qualified legal professionals regarding their own compliance obligations. The Distrowrite Project does not endorse, promote, or facilitate any activities involving malware, viruses, spyware, ransomware, or any harmful content that may compromise the security, integrity, or availability of networks, devices, or digital infrastructure.


