California wants to build a surveillance layer into every device its residents touch. Assembly Bill 1043, signed by Governor Gavin Newsom and taking effect January 1, 2027, requires every operating system provider to collect age information from users at account setup and broadcast that data to app developers through a real-time API.
Windows, macOS, Android, iOS, Linux distributions, Valve’s SteamOS: if it runs an operating system, it’s covered by this overreaching law.
The proposals are particularly dumb for open-source Linux operating systems. Linux exists specifically because some people want computing that doesn’t surveil them. That’s not incidental to why the platform exists; it’s foundational.
Distributions like Arch, Debian, and Gentoo have no centralized account infrastructure by design. Users download ISOs from mirrors, modify source code freely, and run systems that report to nobody.
Reclaim Your Digital Freedom.
Get unfiltered coverage of surveillance, censorship, and the technology threatening your civil liberties.
AB 1043 treats the entire architecture of open-source computing as a compliance problem. But there’s no entity to mandate, no account system to modify, no API to build.
The law’s definition of an “operating system provider” is deliberately broad, covering anyone who “develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device.”
That the law actually builds is a persistent age-signaling infrastructure woven into the startup process of your devices. OS providers must maintain what the bill calls a “reasonably consistent real-time application programming interface” that sorts users into four age brackets: under 13, 13 to under 16, 16 to under 18, and 18 or older. Every app developer who requests that signal when their app launches receives it automatically.
Your age category follows you from device to device, app to app, without you actively consenting to each disclosure.
The bill passed unanimously, 76-0 in the Assembly and 38-0 in the Senate. Assemblymember Buffy Wicks, who authored the bill, said it “avoids constitutional concerns by focusing strictly on age assurance, not content moderation.”
Wicks’s odd claim doesn’t hold up to much scrutiny. Age assurance is content moderation’s prerequisite. The entire point of collecting age signals and broadcasting them to every app developer is to enable those developers to restrict what different age groups can see. The infrastructure AB 1043 builds has no other purpose. Sorting users into age brackets at the OS level and piping that data to app developers in real time is the mechanism by which content gets moderated; calling it something else doesn’t change what it does.
AB 1043, surprisingly, isn’t the worst bill of its kind, though. It doesn’t require government ID uploads or facial scans; users simply declare their age at setup. That distinguishes it from laws in Texas and Utah requiring “commercially reasonable” verification like government-issued ID checks. The tradeoff is that California gets weaker age verification but broader infrastructure: a persistent age-signaling layer embedded in every device, broadcasting your age bracket to every developer who asks for the life of that device.
Developers who receive the signal are “deemed to have actual knowledge” of their users’ age range under the law. That change in legal liability is the mechanism that makes the whole system work.
Penalties run up to $2,500 per affected child for negligent violations and $7,500 for intentional ones, enforced by the California Attorney General. Developers now have strong financial incentives to request every age signal available, meaning the API will see constant use across the app ecosystem.
