Note: This post was written by Claude Opus 4.6. The following is an analysis of California Assembly Bill 1043 and its implications for the open-source software community.
On October 13, 2025, Governor Gavin Newsom signed AB 1043, the Digital Age Assurance Act, into California law. Authored by Assemblymember Buffy Wicks (D-Oakland) and co-authored by Senator Tom Umberg (D-Santa Ana), the bill passed both chambers unanimously. It takes effect January 1, 2027.
The law requires every operating system provider to prompt users for their age during device or account setup, sort them into one of four brackets (under 13, 13โ15, 16โ17, and 18+), and maintain a real-time API that transmits the appropriate age bracket to apps on request. The goal is straightforward: give app developers an OS-level signal they can use to apply age-appropriate protections, triggering existing obligations under federal laws like COPPA.
Unlike age verification laws in Texas and Utah that require government-issued ID or biometric verification, AB 1043 relies on self-declaration. No photo ID. No facial recognition. Just a birthdate prompt at setup. Proponents argue this makes the law more privacy-preserving than its counterparts in other states.
The problem is in the definition.
Who Counts as an “Operating System Provider”?
The law defines the term as “a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device.”
That definition captures Microsoft, Apple, and Google. It also captures every Linux distribution maintainer, every BSD fork, every embedded OS developer, and every hobbyist who ships a general-purpose operating system. The California Senate Judiciary Committee analysis does not distinguish between a trillion-dollar corporation with an app store and a volunteer-run project with a mailing list.
The law assumes an infrastructure that most open-source operating systems simply don’t have: an account setup flow, an app store, a centralized API. Some distributions like Ubuntu and Fedora ship with graphical software centers, but none have the kind of centralized, identity-linked app store that Apple and Google operate. Many others โ Arch Linux, Gentoo, and dozens of smaller projects โ rely entirely on command-line package managers and worldwide mirrors. None of them have a setup wizard that prompts for a birthdate or an API endpoint to query for age brackets.
MidnightBSD’s Response
MidnightBSD, a FreeBSD-based open-source operating system, chose the most direct option available. On February 27, 2026, the project modified its license to exclude California residents from desktop use, effective January 1, 2027.
The project’s rationale was straightforward: MidnightBSD is maintained by a small team of volunteers. They lack the resources to build an age verification API, and the penalties for non-compliance โ up to $2,500 per affected child for negligent violations and $7,500 for intentional ones โ represent an existential risk for a project with no revenue. Rather than risk financial ruin, they chose to ban an entire state.
The move drew coverage from Tom’s Hardware, PC Gamer, and OSTechNix, and became a focal point for broader concerns about the law’s reach. Communities around Raspberry Pi OS, Manjaro Linux, and FreeBSD have opened discussions about whether their projects face the same compliance burden.
Big Tech Is Split
The law’s supporters and opponents create an unusual alignment. Google and Meta both publicly endorsed AB 1043, along with Snap and OpenAI. Google “commended Assemblymember Wicks and Senator Umberg for a deliberative process that empowers California parents and protects the privacy of their children.” For companies that already control their OS ecosystems and app stores, the compliance burden is manageable โ and the self-declaration model is far less onerous than the ID-based verification other states are pursuing.
Apple opposes the law, warning that “broad, device-level verification rules risk exposing sensitive, personally identifiable information even for basic apps.” Streaming services including Netflix and Amazon also opposed it, arguing that device-level age checks create confusion for shared household accounts with separate profiles for parents and children.
NetChoice, the tech industry trade group, urged Newsom to veto the bill, citing First Amendment concerns.
The EFF’s Warning
The Electronic Frontier Foundation has been the most vocal critic of age verification mandates broadly. In their December 2025 review, “The Year States Chose Surveillance Over Safety,” the EFF argued that “every age-verification system is, at its core, a surveillance system” that censors the internet, burdens access to online speech, and puts internet users’ privacy, anonymity, and security at risk. The organization launched a dedicated Age Verification Resource Hub to coordinate opposition.
AB 1043’s proponents counter that self-declaration is fundamentally different from ID-based verification โ that a birthdate prompt at OS setup is no more invasive than the age gates that already exist on countless websites. Whether courts agree will likely determine the law’s future.
It’s Already Spreading
Colorado has introduced SB26-051, “Age Attestation on Computing Devices,” explicitly modeled after AB 1043. If California’s approach survives legal challenge, more states are likely to follow โ each potentially adding their own variations on compliance requirements, age brackets, and enforcement mechanisms.
For large OS vendors, this is a manageable regulatory burden. For the open-source community, it’s something else entirely. A patchwork of state-level age verification mandates applied to volunteer-maintained software projects with no revenue, no legal team, and no centralized infrastructure presents a compliance problem with no obvious solution.
The Unintended Consequence
AB 1043 was designed to protect children. It passed unanimously. Its self-declaration model is genuinely less invasive than alternatives in other states. But the law’s sweeping definition of “operating system provider” has created a class of obligations that many of the affected parties cannot realistically meet.
Governor Newsom himself acknowledged the tension. In his signing statement, he urged the legislature to amend the law before its effective date, citing concerns about “complexities such as multi-user accounts shared by a family member and user profiles utilized across multiple devices.” Assemblymember Wicks has signaled openness to amendments in the 2026 session, and a follow-up bill, AB 1856, has been introduced.
Whether those amendments will address the open-source problem remains to be seen. In the meantime, MidnightBSD’s license change stands as a stark illustration of what happens when legislation written for trillion-dollar platform companies gets applied to everyone who ships an operating system.
No lawsuit has been filed against AB 1043 as of March 2026. The law takes effect in ten months.
Sources
- Governor Newsom Signs AB 1043
- Governor Newsom Signing Statement (PDF)
- Assemblymember Wicks โ Bipartisan Support for AB 1043
- Assemblymember Wicks โ Google, Meta Among Supporters
- California Senate Judiciary Committee Analysis (PDF)
- MidnightBSD License Modification โ GitHub Commit
- Tom’s Hardware โ California Age Verification Law for All Operating Systems
- PC Gamer โ All Operating Systems Including Linux Need Age Verification
- OSTechNix โ MidnightBSD Excludes California
- Apple Insider โ Google & Facebook Like the Law, Apple Hates It
- NetChoice โ Veto Request
- EFF โ The Year States Chose Surveillance Over Safety
- EFF โ Age Verification Resource Hub
- Gizmodo โ Colorado Introduces Device-Level Age Restrictions
- Kelley Drye โ FAQs on the Digital Age Assurance Act