California May Carve Out Open Source Software from Strict Age Verification Mandates
Table of Contents
A Legislative Pivot for Open Source
California is reconsidering how its aggressive push for online child safety impacts the architecture of the open internet. A proposed amendment to the state’s Digital Age Assurance Act (AB 1043) suggests that open source operating systems—including giants like Linux and FreeBSD—could be exempt from the mandate requiring users to verify their age during account setup.
The original law, signed by Governor Gavin Newsom last October, was designed as a digital shield. Authored by Assemblymember Buffy Wicks and Senator Tom Umberg, AB 1043 seeks to curb the proliferation of cyberbullying and sextortion by forcing operating system providers and app developers to implement accessible interfaces where users must disclose their birth date. The law is currently slated to take effect on January 1, 2027.
However, the rigid nature of the law created an immediate friction point for the open source community. Unlike a centralized corporation like Apple or Google, open source projects often lack a central “account setup” process or a legal entity capable of enforcing government-mandated data collection. The May 18, 2026, version of the proposed amendment AB 1856 addresses this by refining the definition of an “operating system provider.”
Under the new language, the term would not apply to any person or entity distributing software under license terms that allow the recipient to copy, redistribute, and modify the software. In plain English: if the code is open and modifiable, the provider isn’t responsible for the age check.
The Grey Area: Proprietary Wrappers
While the carve-out provides relief for community-driven distros, it creates a complex legal question for companies that blend open source kernels with proprietary layers. Valve, for example, utilizes a Linux-based foundation for its SteamOS, but delivers it alongside the proprietary Steam Client. Whether the “open source” nature of the underlying OS overrides the proprietary nature of the storefront remains an unresolved detail in the current legislative text.
The stakes are high enough that some projects have already reacted with panic. In February, MidnightBSD briefly implemented a license clause that effectively banned residents of California from using the OS to avoid legal liability. While the project later pivoted to explore actual verification mechanisms, the incident highlighted the precarious position of small-scale developers facing state-level mandates.
Privacy Concerns and the ‘Balk Rate’
The Electronic Frontier Foundation (EFF) has remained a vocal critic of AB 1043, arguing that the law essentially outsources censorship to developers. The EFF contends that these mandates not only threaten digital liberties and privacy but ironically strengthen the monopolies of Big Tech. Major players with existing identity infrastructure can easily comply, while independent developers are priced out or legally intimidated.
There is also the technical reality of the “balk rate”—the percentage of users who simply leave a site rather than provide sensitive identification. According to a recent analysis by Santa Clara University law professor Eric Goldman, some sites have seen refusal rates as high as 99 percent. For an open source project, where user adoption depends on low friction and anonymity, a 99 percent balk rate would be a death sentence.
A Growing National Trend
California is not acting in a vacuum. At least 25 states have enacted similar age verification laws, with West Virginia’s latest mandate set to trigger next month. Colorado has followed a similar path to California’s proposed amendment; according to Carl Richell, CEO of Linux laptop manufacturer System76, Colorado’s legislation explicitly includes exemptions for open source operating systems, applications, and code repositories.
Despite the legislative momentum, economists like George S. Ford of the Phoenix Center for Advanced Legal and Economic Public Policy Studies argue that these laws are largely performative. Ford notes that motivated teenagers frequently use VPNs to bypass filters, suggesting that the laws do little to protect minors while significantly burdening the First Amendment rights of adults.
Beyond the legal debate is a burgeoning industry. The Age Verification Providers Association previously estimated that the market for these services in OECD countries could reach $11.4 billion annually. As states mandate these checks, a small handful of authentication firms are poised to become the new gatekeepers of the internet, extracting “monopoly rents” from a government-mandated process.
