California lawmakers introduced AB 1856 on May 18, 2026, narrowing the state’s age verification law to exempt most Linux distributions after volunteer-run open-source projects warned they’d either ban California users or shut down entirely rather than comply. Assembly Member Buffy Wicks, who authored the original Digital Age Assurance Act requiring every operating system to collect user ages and share that data via real-time API, proposed the amendment after MidnightBSD announced in March it would exclude California residents from desktop use starting January 1, 2027, the day AB 1043 takes effect. The exemption language redefines “operating system provider” to exclude software distributed under licenses permitting copying, redistribution, and modification, likely covering Debian, Fedora, Ubuntu, Arch, and Mint while leaving Windows, macOS, ChromeOS, and proprietary systems subject to age-checking requirements.
The Original Law That Nobody Could Follow
AB 1043, signed by Governor Gavin Newsom in October 2025, required operating systems to verify user age during account setup and transmit age bracket data to app developers through a built-in API. The law targeted Apple, Google, and Microsoft but defined “operating system provider” as anyone who “develops, licenses, or controls the operating system software.” That language inadvertently covered every Linux distribution maintainer: volunteer projects with no budgets, no legal teams, and no infrastructure to implement age verification systems.
The compliance requirements were technically and financially impossible for most open-source projects. Linux distributions like Arch and Gentoo don’t have centralized account systems. Users download ISOs, install locally, and operate without phoning home to verify anything. Creating age-checking infrastructure would require building authentication servers, maintaining real-time APIs, and accepting liability for data protection violations—tasks that require engineering resources and legal budgets volunteer projects don’t possess.
System76 CEO Carl Richell warned in April that Colorado’s parallel age verification law threatened to kill open-source operating systems in that state as well. FreeBSD forum users asked whether the operating system would remain available in California come 2027. MidnightBSD’s geographic exclusion violated the Open Source Definition’s prohibition on discrimination but represented the only legally viable path for a project facing potential fines it couldn’t afford to challenge.
Why the Exemption Still Leaves Problems
AB 1856’s language exempts software distributed under licenses permitting modification and redistribution—standard open-source terms. But edge cases remain unresolved. SteamOS includes Valve’s proprietary Steam client alongside open-source components. Does the proprietary portion make Valve an “operating system provider” subject to age verification despite using Linux as the foundation? The amendment doesn’t clarify.
Commercial Linux distributions that charge for support or enterprise features may face classification questions. Red Hat Enterprise Linux uses open-source code but operates as a commercial product with paid subscriptions. Does the exemption cover RHEL, or does commercialization trigger compliance obligations? The bill text doesn’t specify whether “distributes under license terms that permit modification” applies when those terms also include paid support contracts.
The exemption also creates enforcement asymmetry. Windows, macOS, iOS, and Android must implement age verification. Linux doesn’t. That differential treatment advantages open-source platforms for privacy-conscious users while creating potential pressure for commercial services to restrict access to “approved” operating systems with age-checking built in. Microsoft already demonstrated with Xbox that age verification can lock legitimate adult users out of services when implementation fails or data doesn’t sync properly.
The Unintended Surveillance Architecture
AB 1043’s original requirement wasn’t just age collection during setup—it mandated real-time API access so app developers could query user age on demand. That architecture creates persistent surveillance infrastructure where every application on your computer can ask the operating system “how old is this user” and receive an answer without additional user interaction. The age bracket isn’t the threat. The data pipeline is.
Once operating systems implement APIs exposing user attributes to applications, expanding beyond age becomes trivial. Today it’s four age brackets (under 13, 13-17, 18-20, 21+). Tomorrow it’s location data, payment verification, content rating preferences, or any other attribute regulators decide applications should know about users. Systemd already added birth date fields anticipating these laws, signaling that even Linux infrastructure developers see age verification mandates becoming permanent features of operating system design.
California’s exemption for open-source systems doesn’t dismantle that architecture on proprietary platforms—it just creates a bifurcated ecosystem where some operating systems expose user data to applications by default while others don’t. The privacy-conscious migrate to Linux. The majority remain on Windows and macOS where surveillance infrastructure becomes normalized as a compliance requirement rather than a design flaw.
What the Backtrack Actually Reveals
AB 1856 demonstrates that California lawmakers either didn’t understand how operating systems work when they drafted AB 1043, or understood perfectly well and counted on implementation complexity preventing organized opposition. The original bill passed in October 2025. Open-source community backlash didn’t materialize until February-March 2026 when developers realized the law applied to volunteer projects. The amendment arrived May 2026, seven months before the January 2027 enforcement date.
That timeline suggests reactive damage control rather than thoughtful policy design. If lawmakers had consulted with open-source developers before passing AB 1043, the exemption language would have been included originally. Instead, they wrote a law targeting commercial platforms, inadvertently swept up volunteer projects distributing software for free, faced backlash when MidnightBSD announced it would ban an entire state, then scrambled to fix the problem months later while preserving the surveillance requirements for commercial systems.
The pattern repeats across age verification legislation. Lawmakers want to protect children from online harms. That goal justifies mandating age checks. The technical implementation gets outsourced to technology companies. The unintended consequences (legitimate adults locked out of services, surveillance infrastructure normalized, open-source projects threatened with impossible compliance burdens) surface only after laws pass and enforcement deadlines approach. Then amendments arrive fixing the most visible problems while leaving the underlying surveillance architecture intact.
The Real Question Nobody Answered
AB 1043 requires age verification at the operating system level, not the application level. That design choice means California lawmakers believe the computer itself should know and report user age to every program running on it. Why? If the goal is preventing children from accessing age-restricted content, that happens at the application layer: websites, apps, games, and social media platforms. Those services can implement their own age checks without operating systems becoming surveillance middlemen.
The OS-level requirement only makes sense if the actual goal isn’t protecting children but establishing infrastructure for broader data sharing between applications and operating systems. Once the pipeline exists for age verification, it can carry identity verification, location data, payment credentials, content ratings, or any other attribute regulators decide applications should access. The “protect children” framing gets the surveillance infrastructure built. The scope expansion happens later through amendments that barely get press coverage.
AB 1856 preserves that architecture for proprietary systems while exempting open-source projects that couldn’t implement it anyway. That’s not a victory for privacy. It’s confirmation that California intends to normalize operating system-level data sharing with applications as a permanent feature of commercial computing, with an exemption carved out for volunteer projects too small to fight in court. Linux users get privacy not because lawmakers value it, but because forcing compliance on volunteer projects would have generated politically inconvenient headlines. The surveillance architecture proceeds as planned for everyone else.