Back to Blog

California's AB 1043 Forces Every OS to Check Your Age — Here's What That Means for Software and AI

AIPolicy

California just handed every major operating system maker a compliance problem. AB 1043 — the Digital Age Assurance Act — was signed by Governor Gavin Newsom on October 13, 2025, and it doesn’t target a single app or website. It targets the OS layer itself. If your software runs on a device in California, this law is already on your radar, and if it isn’t, it should be.

What AB 1043 Actually Requires

The law is simpler than you might expect — and that simplicity is part of what makes it so structurally interesting. OS providers (think Apple, Google, Microsoft, and Linux distributions) must display an interface during device account setup that prompts an account holder to declare the age or birthdate of the device’s user. It doesn’t require a government ID. It doesn’t require biometrics. A parent can enter a child’s age on their behalf. That’s it.

From that declaration, the OS generates an encrypted age-bracket signal — think “under 13,” “13–17,” or “18+” — and makes that signal available to apps and app stores. App developers can query the signal but cannot request additional identifying information, and they’re prohibited from sharing it with third parties for any purpose other than age assurance. The law takes full effect January 1, 2027, with a transition window for apps last updated before that date extending to July 1, 2027.

Noncompliance isn’t theoretical. Penalties run up to $2,500 per affected child for negligent violations and $7,500 per affected child for intentional ones, enforced by the California Attorney General.

How This Reshapes the Software Landscape

The impact fractures across three layers of the stack. At the OS level, Apple, Google, and Microsoft have the engineering resources and the existing account infrastructure to build age-signal APIs. For them, this is a compliance project — significant, but solvable. The harder problem sits with Linux distributions and other open-source operating systems, which don’t have centralized account systems or the commercial incentive to build them. As Biometric Update noted, the requirement “sounds incompatible with many of today’s open source software, including Linux.” Some projects are already considering geo-blocking California users rather than attempting to comply — a blunt outcome nobody intended.

For app developers, compliance means integrating a new OS-level API call and wiring content-restriction logic to the returned age bracket. The law prohibits asking users to reverify their age once the OS signal is available, so developers who currently run their own age gates will need to pivot. It’s not a massive engineering lift for most apps, but it does require a policy decision: what does your app actually do differently for users under 18?

Privacy advocates have flagged that even the self-declared model creates new data flows and new surfaces for error. Apple’s existing stance on on-device privacy suggests it may be one of the more natural fits for a privacy-respecting implementation of the age-signal architecture — but the devil is in how the encrypted signal is stored, transmitted, and audited.

Where AI Enters the Picture

AB 1043 deliberately avoided AI-driven age estimation. No facial analysis, no biometric inference — the framers wanted a lightweight, declarative model that didn’t create new surveillance surfaces. But AI shows up in this law in three ways regardless.

First, enforcement. Identifying whether a developer is misusing age signals, sharing them with unauthorized third parties, or systematically ignoring them will require pattern detection at scale. The California AG’s office isn’t going to audit every app manually; AI-assisted compliance monitoring — the same class of tooling that already flags privacy policy violations — will almost certainly be part of how violations surface.

Second, the gap problem. Self-declared age is only as good as the honesty of the declaration. A teenager whose parent set up the device with an adult age gets an adult signal. AI content moderation systems — already deployed by platforms to catch inappropriate content before it reaches minors — don’t go away under AB 1043; they become a second-layer safety net. The law handles the signal; AI still handles what the signal misses.

Third, open-source compliance tooling. The open-source supply chain is already under pressure from security vulnerabilities and fragmented governance. AB 1043 adds a new compliance surface on top of that. AI-assisted tools that help maintainers audit their distributions for regulatory exposure will help smaller projects understand what they owe.

What to Watch

The law is state-level, but California is large enough that most software makers treat its requirements as de facto national baselines — CCPA proved that. If AB 1043 survives legal challenge (civil liberties groups have already signaled concern) and the 2027 deadline holds, expect other states to follow. Colorado already has had a similar bill in motion and as of the dat of this post, has successfully passed both chambers of the Colorado General Assembly. The bill, identified as SB26-051 (Age Attestation on Computing Devices), is no longer just “in motion”.

The real pressure point isn’t the age-signal API itself — it’s whether the self-declaration model is adequate, or whether political pressure eventually pushes toward harder verification mechanisms where AI and biometrics would become unavoidable.

Build the API integration now. The policy debate will keep running after your deadline.

Further Reading

AI Disclosure

This document is drafted by an AI skill and is provided for informational and governance support purposes only. It does not constitute legal advice or a formal compliance determination. Do not publish or rely on this notice as a substitute for review by qualified legal counsel or a licensed compliance professional with jurisdiction-specific expertise.