California’s Age Verification Law May Spare Open Source Projects Like Linux
Table of Contents
A Critical Carve-Out for the Open Source Community
For the developers and distributors of open-source operating systems, a looming regulatory deadline in California just became slightly less daunting. A proposed amendment to the Digital Age Assurance Act (AB 1043) suggests that software distributed under licenses that permit copying and modification—essentially the bedrock of the open-source movement—may be exempt from the state’s strict age verification requirements.
The original law, signed by Governor Gavin Newsom last October, targets the systemic way children access the internet. It mandates that operating system providers and app store operators implement an accessible interface during account setup where users must provide their birth date or age. The intent, championed by Assemblymember Buffy Wicks and Senator Tom Umberg, is to curb the prevalence of cyberbullying, sextortion, and other mental health risks facing minors online. However, the practical application of such a rule on a kernel or a community-driven distribution of Linux has always been a technical and philosophical nightmare.
The Technical Friction of Compliance
The challenge for projects like Linux and FreeBSD is structural. Unlike macOS or Windows, which have centralized account creation and corporate telemetry, many Linux distributions are installed via bootable USBs and lack a centralized “account setup” phase that would allow for a government-mandated age check. Implementing such a feature would require a fundamental shift in how these systems are deployed, potentially forcing community developers to build surveillance infrastructure they are ideologically opposed to.
The fallout from the initial legislation was immediate. MidnightBSD, for example, briefly took the drastic step of banning California residents from using the OS entirely via a license clause in February, before pivoting to explore potential verification mechanisms. The proposed language in AB 1856, published in May 2026, seeks to resolve this by clarifying that an “operating system provider” does not include entities distributing software under licenses that allow redistribution and modification.
The Proprietary Gray Area
While the amendment provides a clear path for community distros, it leaves a murky area for hybrid models. The primary question now is whether this exemption extends to companies like Valve. Valve’s SteamOS is based on Linux, but it ships with the proprietary Steam Client and is tightly integrated into a commercial ecosystem. If the law distinguishes between the operating system and the application layer, Valve might find itself in a position where the OS is exempt, but the store—the primary gateway for users—is not.
A Growing National Patchwork
California is not alone in this push. At least 25 states have enacted similar age verification laws, and West Virginia is set to implement its own next month. Interestingly, other states are already adopting the open-source exemption. Carl Richell, CEO of Linux laptop manufacturer System76, noted that Colorado’s recently approved legislation includes specific carve-outs for open-source operating systems, applications, and code repositories.
Despite these exemptions, the Electronic Frontier Foundation (EFF) remains critical of the broader trend. The EFF argues that these mandates effectively outsource censorship to developers and entrench the dominance of Big Tech. Because only giant corporations have the resources to build massive, compliant verification databases, smaller developers are pushed out, or forced to rely on third-party “identity providers.”
The Cost of the ‘Balk Rate’
The economic and social cost of these laws is often measured by the “balk rate”—the percentage of users who abandon a site or service when asked for identification. Eric Goldman, a law professor at Santa Clara University, recently highlighted that for some high-traffic sites, this rate can climb as high as 99%.
Beyond user attrition, there is the issue of the “verification industrial complex.” As the Age Verification Providers Association estimated, the market for these services in OECD countries could reach $11.4 billion annually. By mandating these checks, governments are essentially creating a mandatory subscription fee for internet access, payable to a handful of centralized authentication firms.
