California’s effort to rewrite its first-in-the-nation age-verification law cleared the state Assembly on May 28, 2026, by a lopsided 68-1 vote, handing open-source developers a win they had pushed for since the fall. Assembly Bill 1856 would lift Linux and other freely licensed operating systems out of the law’s compliance net. It would also pull every web browser and website operator into a new age-data collection system for the first time.
Privacy advocates are calling it a mixed verdict. The Electronic Frontier Foundation (EFF), the digital rights group that opposed the original statute, summed the change up as “one step forward, two steps back.”
Why Linux’s Reprieve Came With a Catch
The law being rewritten is the Digital Age Assurance Act, signed by Gov. Gavin Newsom on October 13, 2025, and set to take effect January 1, 2027. It orders every operating system provider in California to collect a user’s age or birth date at device setup, then pass a bracketed signal to app developers that sorts users into four bands: under 13, 13 to 15, 16 to 17, and 18 and older. Volunteer-run Linux projects had no clean way to do any of that.
That mismatch is what the amendment set out to fix. The catch is that the same measure widens the rest of the system rather than trimming it.
- 68-1 – the Assembly vote, recorded May 28, 2026
- Oct. 13, 2025 – the day Gov. Newsom signed the original statute
- $7,500 – maximum civil penalty per affected child for intentional violations
The bill carries an unusual signature. Its author, Assemblymember Buffy Wicks, also wrote the original law, making this a rare case of a California legislator publicly narrowing her own statute months after it was signed.
One Sentence That Pulled Linux Out of Scope
The entire reprieve rests on one line added to the bill on May 18, 2026. It redefines who counts as an “operating system provider.”
The Carve-Out Language
The revised text says the term “does not mean a person or entity that distributes an operating system or application under license terms that permit a recipient to copy, redistribute, and modify the software.” In plain terms, software you are free to copy and change falls outside the rules. That description fits Debian, Fedora, Ubuntu, Arch Linux, Linux Mint, and FreeBSD almost exactly, as set out in the amended definition of operating system provider.
The relief matters because the original draft would have treated those volunteer projects like commercial platforms. Many have no central accounts system, no legal entity, and no funding to build a real-time age-bracketing application programming interface (API), yet faced penalties for failing to ship one. AlmaLinux board chair benny Vasquez wrote in April 2026 that the project chose to watch court cases and upstream developers rather than rewrite its software ahead of any clear mandate.
Who Stays Inside the Net
Commercial platforms get no such exit. Apple’s iOS, Google’s Android, and Microsoft Windows remain fully bound by the law, and each already has compliance tooling in motion.
| Platform type | Examples | Status under the amendment | Compliance tool |
|---|---|---|---|
| Commercial operating system | Apple iOS, Google Android, Microsoft Windows | Covered | Declared Age Range API, Play Age Signals API |
| Open-source operating system | Debian, Ubuntu, Fedora, Arch, FreeBSD | Exempt | None required |
| Hybrid (open-source plus proprietary store) | SteamOS | Unresolved | Undetermined |
Apple has shipped Apple’s Declared Age Range API documentation and Google has launched its Play Age Signals API in beta to meet the wave of state rules now landing. Neither company can hand that work to a hobbyist maintainer, which is the gap the carve-out acknowledges.
The SteamOS Question the Bill Doesn’t Answer
One platform sits in a grey zone the text never closes: Valve’s SteamOS. Because SteamOS ships with Valve’s proprietary Steam client and storefront by default, Tom’s Hardware noted it looks more like Apple’s App Store or Google Play than a plain Linux distribution. Whether the bundled proprietary software keeps SteamOS inside the law is left open.
The digital rights group flagged the same ambiguity for any open-source system that ships a proprietary app store, and asked the Senate to spell out that the exemption covers open-source applications, not just operating systems. The uncertainty has already changed behavior: MidnightBSD, a BSD variant, briefly added a license clause in February 2026 barring California users outright, then began exploring an age-verification mechanism once the open-source amendment surfaced.
Browsers and Websites Join the Age-Data Pipeline
Here is the second step back. As enacted, the original law moved age signals along one path: from the operating system to app stores to app developers. The amendment opens a second age-data channel, sending age-bracket data straight from browsers to the websites a person visits.
Under the new text, browser providers must request age signals from operating system providers and pass them to website operators on request. Website operators, in turn, must ask for those signals and are treated as having actual knowledge of a visitor’s age bracket. That is a far larger group than the handful of app-store gatekeepers the law first targeted.
Mandated age-gating systems threaten users’ speech, privacy, anonymity, and security.
That warning came from Molly Buckley of the EFF, writing on May 29, 2026. Her reading, laid out in the digital rights analysis of the age-gating expansion, is that the change would make it nearly impossible for ordinary internet users to dodge the gates, and that even without a formal identity-check mandate, the law’s liability structure pressures companies to verify ages anyway.
California Joins a Patchwork Already Built on ID Checks
California is not legislating in a vacuum. By 2026, roughly two dozen states had passed laws demanding government ID, biometric face scans, or third-party verification before users reach large parts of the internet. Several deadlines land within months of each other.
- Utah’s app store age-verification rule for new accounts, May 6, 2026
- Louisiana’s app store requirements, July 1, 2026
- California’s Digital Age Assurance Act, the start of 2027
- Alabama’s App Store Accountability Act, the start of 2027
The privacy worry is not hypothetical. In October 2025, Discord disclosed that attackers breached a third-party vendor handling age-verification appeals and exposed more than 70,000 government IDs. The mechanics behind those signals are documented in the Play Age Signals API rollout for state laws.
Each new collection point, critics say, becomes another target. More browsers and websites requesting age data means more places where sensitive records can leak, which is the core of the objection to widening the regime.
What the Senate Vote Decides for Developers
The measure is not law yet. It passed the Assembly and moved to the Senate Rules Committee, and it still needs a Senate vote and the governor’s signature before the open-source carve-out takes hold. Maintainers of Linux distributions, FreeBSD, and other open-source systems are advised to keep watching the Senate rather than assume the burden is gone, because if senators strip or narrow the carve-out, the compliance question reopens.
The original law’s start date has not moved. If the Senate keeps Wicks’s language intact, Linux maintainers can stand down while browser makers and website operators start building; if it does not, the volunteer projects that thought they were clear go back to a mandate they were never designed to meet.
Frequently Asked Questions
Does California’s age verification law apply to Linux?
Not if the amendment becomes law in its current form. Open-source systems distributed under licenses that let users copy, redistribute, and modify the software fall outside the “operating system provider” definition, which covers the vast majority of Linux distributions. Under the original law, those projects were included and faced a 2027 compliance deadline they had no infrastructure to meet.
What does AB 1856 change for browsers and websites?
It adds browser providers and website operators to the list of entities that must handle age-bracket signals, a group the original law did not cover. Browsers would request age data from the operating system and pass it to websites on request, creating a direct browser-to-website age-data channel that privacy groups say is much harder to avoid.
Is SteamOS covered by the open-source exemption?
That is unresolved in the current text. Valve ships the proprietary Steam client with SteamOS, which may push it closer to a covered app store than to a standalone open-source system. The EFF has asked the Senate to clarify how the exemption treats open-source systems bundled with commercial software.
When does California’s Digital Age Assurance Act take effect?
The Digital Age Assurance Act is scheduled to take effect on January 1, 2027. The amendment now in the Senate would change its scope but not that date.
What penalty does the law carry for violations?
The statute allows civil penalties of up to $7,500 per affected child for intentional violations. That exposure was a central reason volunteer-run open-source projects pushed for an exemption, since they had no realistic way to fund compliance.
Which companies still have to comply?
Commercial platforms remain fully covered, including Apple’s iOS, Google’s Android, and Microsoft Windows. Apple has released its Declared Age Range API and Google has launched its Play Age Signals API to meet the obligations now arriving across multiple states.
