California appears to have understood, perhaps late, a problem the open source community warned about from the start: Debian, Fedora, Ubuntu, Arch Linux or Linux Mint cannot be treated as if they were iOS, Android, Windows or macOS. The new AB 1856 proposal introduces an amendment that would exclude from the definition of “operating system provider” those who distribute software under licences that allow users to copy, redistribute and modify the code. In practice, that wording would leave most Linux distributions and much of the free software world outside the scope of the obligations planned under the Digital Age Assurance Act.
The shift comes after months of criticism of AB 1043, the law passed in 2025 that moved age verification down to the operating system and app store level. The rule, scheduled to take effect on 01/01/2027, requires operating system providers to ask for the age or date of birth of the device’s primary user during account setup and to generate an age-bracket signal that can be accessed by apps and app stores.
The stated intention is to protect minors in digital environments. The problem is that the chosen mechanism turns the operating system into a central layer for age identification. That may make sense for closed commercial platforms with accounts, app stores and centralized control. Applied to free software, however, it raised an almost absurd question: who is supposed to verify age in a Debian ISO downloaded from a mirror server?
The amendment that changes the scope of the law
AB 1856 does not repeal the Digital Age Assurance Act. Instead, it modifies several definitions and obligations to better narrow who the law applies to. The most important change for Linux is in the definition of “operating system provider”. The proposal still defines it as the person or entity that develops, licenses or controls the operating system, but adds that it does not include anyone who distributes an operating system or application under licence terms that allow the recipient to copy, redistribute and modify the software.
That phrase seems written directly with free software in mind. Licences such as GPL, MIT, Apache or BSD are based precisely on those freedoms. The consequence would be significant: community distributions, volunteer-maintained projects and Linux-derived systems would, in principle, be outside the obligation to create age-declaration interfaces and signalling APIs.
The amendment also clarifies that the operating system obligation would only apply if the system has an account setup function for using that operating system on a specific device. That matters because many Linux distributions do not have a centralized account model comparable to Apple, Google or Microsoft. The proposal also extends the flow of signals beyond app stores and developers to browsers and website operators subject to age-verification laws.
| Point of the law | Original AB 1043 | Proposed AB 1856 |
|---|---|---|
| Entry into force | 01/01/2027 | Keeps the framework, with changes |
| Operating system | Had to request age or date of birth during setup | Only if it has an account setup function |
| Free software | Not clearly excluded | Excludes software licensed for copying, redistribution and modification |
| Age signal | For covered apps and app stores | May also reach browsers and websites subject to verification |
| Risk for Linux | High due to broad definition | Lower for open source distributions |
Why Linux did not fit the model
The reaction from the Linux community was so strong because the law started from an idea rooted in modern mobile platforms: an operating system controlled by a company, with an app store, user accounts, common APIs and the ability to impose rules on developers. That model resembles iOS or Android. It does not resemble Debian, Fedora or Arch Linux.
A Linux distribution may be maintained by a global community, a foundation, a company or a mixture of all three. It can be installed without an online account, modified, rebuilt, forked and redistributed. A user can create their own image, remove components or install applications outside any store. Requiring that universe to behave like a closed age-verification platform was technically difficult and legally confusing.
There was also a compliance problem. If a community distribution has no commercial entity in California, does not collect data, does not operate a store and does not control how the system is installed, who gets sanctioned? The project? Its maintainers? A mirror? Someone packaging a derivative? The breadth of AB 1043 turned a law aimed at large platforms into a potential burden for small projects.
The Electronic Frontier Foundation was one of the organizations that criticized the approach. Its position is that mandatory age-verification systems can create unnecessary barriers for adults and young people, affect small and open source developers, and create privacy risks because no verification method is perfect in terms of data protection, universal access and secure handling of sensitive information.
Privacy remains the most sensitive point
Even if the amendment eases the pressure on Linux, the underlying debate does not disappear. California is betting on a model where age becomes a technical signal that travels from the operating system or browser to applications, stores or websites. The law tries to limit the information to the minimum necessary and prohibits sharing the signal for purposes not required by the rule, but the concern remains: an age-classification infrastructure could expand its use over time.
The legislative analysis of AB 1856 recognizes precisely these age-verification dilemmas. Asking for a date of birth is easy to bypass; requiring documents creates privacy risks and excludes those who do not have them; using biometric or behavioural methods involves more data collection and can fail around the most sensitive age thresholds. California is trying to find a middle path, but that path shifts technical responsibility onto operating systems, browsers and platforms.
For large technology companies, compliance will be costly but feasible. For free software, it could be directly incompatible with its nature. That is why the amendment makes sense. It does not solve every privacy problem, but it avoids turning a child-safety law into a requirement for community projects to become identity services.
SteamOS and other hybrid cases may remain in a grey area
The open source exemption does not mean every Linux-based system is automatically outside the law. SteamOS is the clearest example. Although it is based on Linux, it is part of a commercial ecosystem with a store, user account and proprietary client. If a platform distributes applications through a controlled environment and maintains a direct commercial relationship with users and developers, it may sit closer to a covered app store than to a classic community distribution.
That grey area will matter. Android also uses the Linux kernel, but that does not make it resemble a community distribution. ChromeOS, SteamOS or commercial embedded systems may combine open and proprietary layers. The question will not simply be whether Linux is underneath, but who controls the experience, whether there is a store, whether there are accounts, whether applications are distributed to third parties and whether the provider fits the legal definition.
| System or platform | Likely position under the amendment |
|---|---|
| Debian, Fedora, Arch, Ubuntu, Mint | Probably excluded if the open source licence test prevails |
| Small community distributions | More protected by the new wording |
| SteamOS | Possible grey area due to Steam integration |
| Android | Not excluded simply because it uses the Linux kernel; it is a controlled commercial platform |
| iOS, macOS, Windows | Would remain within the framework if they meet the definition |
| Browsers | Gain importance because AB 1856 brings them into the signal flow |
A lesson for lawmakers
The California case leaves a clear lesson: regulating the internet and software requires understanding how software is built. A law designed for Apple, Google or Microsoft can accidentally hit volunteers, foundations and community projects that have no accounts, telemetry or legal infrastructure to comply.
Protecting minors online is a legitimate goal. But if the chosen solution requires every operating system to collect or transmit age signals, the risk is creating a broader identification architecture than intended. On commercial platforms, it may become a new compliance layer. In free software, it could have become a distribution barrier.
AB 1856 appears to recognize that excess. It does not eliminate the privacy debate or settle the question of whether age verification actually works, but it does correct one of the most problematic consequences: treating open source as if it were a closed platform.
For Linux, the amendment is a relief. For the rest of the sector, it is a warning. Digital laws that ignore technical architecture end up needing patches. In this case, the patch had to arrive before the law even came into force.
Frequently asked questions
Has California eliminated its age-verification law?
No. The Digital Age Assurance Act is still scheduled to take effect in 2027. AB 1856 proposes changes and clarifications, including an exemption for software distributed under licences that allow copying, redistribution and modification.
Would Linux be excluded from the obligation?
The proposed wording would probably exclude most open source Linux distributions, but the final approved text and its practical interpretation will still matter.
Why was applying the law to Linux problematic?
Because many distributions do not have centralized accounts, their own app store, telemetry or a single commercial entity capable of verifying ages and offering signalling APIs.
Would SteamOS be exempt?
That is not clear. Although it is based on Linux, it is tied to Steam, a commercial platform with a store and user accounts. It may sit in a more complex position than Debian, Fedora or Arch.
source: tomshardware
