Lacuna (n): a blank space or missing element.
California signed AB 1043, also known as the Digital Age Assurance Act, into law in October 2025. The signing past without much fanfare. Then for some reason, blog posts about it have popped up in the last few days.
Accompanying the blogs (to which I suppose I'm adding) has been a flurry of takes, ranging from "this is annoying" to "this is fascism." As usual, the internet has little patience for nuance. But around here, "embrace complexity" is something of a motto. So let's attempt to answer some questions about AB 1043.
- What does the law require?
- Who must follow it?
- Who supports this? Who opposes it?
- How bad is it?
- How bad could it be?
- Can it be fixed?
Before we go any further, let's get this out the the way. I am not a lawyer, and nothing in this article or any of my writing is legal advice.
I will also put my hypothesis right up front here: I don't think the bill's authors are evil so much as ignorant—especially about open source and how software works beyond the most general consumption of "apps" in the modern sense. It was this type of computing for which the bill was written, with no regard at all for open source software.
Age verification is so hot right now, with multiple states passing legislation requiring this or that from developers/app stores/websites, and applications themselves making some questionable decisions all in the name of "protecting the children." I have personally made the choice to move my community off of Discord because of their choices in this matter. So please understand that I am no fan of this effort. I do however have a measure of sympathy for those who are in good faith trying to figure out something that protects kids from the worst that the internet has to offer.
Okay, let's dig in.
What Does the Law Require?
This law, which I'll be referring to as AB 1043 because DAAA is a stupid acronym, includes new requirements for both operating system developers and application developers. For the former, the operating system must allow adult parents to create "child accounts." Setting up these accounts needs to include a way to collect the date of birth or numerical age of the child in question. That information must then be made available via an API as a "signal" of age range. The ranges are:
- Under 13
- 13-16
- 16-18
- 18+
Developers must access this API to collect and process this signal when their application is first downloaded and launched. This signal is meant to be the authoritative indicator of age of the user. The developers are under no obligation to take further action with this information, but they are said to have "actual knowledge" of the user's age range. In other words, if your application is inappropriate for children and you disregard this signal, you're on the hook for fines.
Speaking of fines, they're steep. Any OS maintainer or app developer found in negligent violation is liable for civil fines of up to $2500 per affected user (!). Intentional violations run $7500 per affected user (!!). How you determine negligence or intent is a question for the defense attorneys, I guess. But those numbers will add up quickly.
Also worth noting that the bill requires that only the "minimum amount of information" (i.e. the age bracket) be sent to the application, and the application should not share this information with a third party.
So yes, this law requires quite a lot of changes in existing OS and application code for compliance in the State of California.
Who Must Follow It?
This is a little fuzzy, but the answer appears to be "every OS and application developer who wants Californian users." Much like GDPR, the law "protects" California citizens regardless of where the code is coming from.
So yes, that would include Linux distributions and applications intended for Linux. But that's not all, and this is where the open source lacuna starts to reveal itself. The definition of "covered application store" from which impacted applications are retrieved is:
...A publicly available internet website, software application, online service, or platform that distributes and facilitates the download of applications from third-party developers to users of a computer, a mobile device, or any other general purpose computing that can access a covered application store or can download an application.
That includes things like GitHub and other code forges, to say nothing of package repositories for Linux distributions.
Weirdly, there is a specific carve out for any "online service or platform that distributes extensions, plug-ins, add-ons, or other software applications that run exclusively within a separate host application."
So the Google Chrome webstore is exempt. Pretty ironic, considering how many gross VPNs and other extensions come from that one source alone. It's unclear why this language was added, but it was done so via amendment in the State Assembly.
Who Supports It? Who Opposes it?
AB 1043's author, Buffy Wicks (D-Oakland), says of the bill:
Creating a statutory age assurance framework that balances privacy and usability will give parents greater peace of mind, build trust with children and families, and create consistency for businesses looking to innovate responsibly. AB 1043 provides a scalable path forward — one that encourages the development of safer online experiences while preserving the benefits of digital participation for young users.
A review of Assemblywoman Wicks' record suggests a good-faith policymaker who is not aligned with the current regime in power in Washington. There yet exist people dedicated to public service, and after a little homework, it really seems like Assemblywoman Wicks is one of them. That does not make her infallible, just well-intentioned.
In addition to a unanimous passage in both houses of the California legislature, multiple children's welfare and mental health advocacy groups, as well as California's own civil liberties association were in support.
On the other hand, opposition to the law came from three primary sources: Google, Chamber of Progress, and TechNet. Chamber of Progress is a "center-left industry policy coalition promoting technology’s progressive future." Their CEO Adam Kovacevich, was Google's head lobbyist. TechNet is the tech industry lobbying organization, and they go to bat against all legislation that threatens them.
I tried to find anything resembling a position statement from the Electronic Frontier Foundation on this bill, but could not find anything beyond an offhand mention in a year roundup. If they are opposed, they are not vocally so.
So to recap: the tech industry hates this thing, but civil liberties and mental health advocates do not. Let's afford that these groups probably don't know a lot about open source software. Instead, they are attempting to mitigate the harms of the ghoulish behavior by companies like Meta, X, and Google, along with the moral panic around pornography. It's a gnarly subject, because there is both real cause for concern around the mental health of kids, and FUD about the dangers of the wide-open internet. But there's something there, and polling backs that up. Even teens agree social media should include age verification.
Again, this seems to be like a good faith, albeit myopic, effort to preserve privacy but address real concerns from real people.
Although Govern Gavin Newsom (who sucks) signed the bill, he did so with the addendum of a signing statement. Signing statements are a somewhat common tool and custom of California governors, used to indicate potential enforcement direction by the executive, or even reservations about the bill despite signing. The latter is the case here. Newsom writes:
I am signing Assembly Bill 1043, which would establish a much-needed system of age verification for users of mobile devices and computers. Parents who allow their child to be the main user of a device will be able to configure the device to inform application developers of the child's age. This, in turn, will assist parents in ensuring that their children are downloading and using age-appropriate applications.
Streaming services and video game developers contend that this bill's framework, while well-suited to traditional software applications, does not fit their respective products. Many of these companies have existing age verification systems in place, addressing complexities such as multi-user accounts shared by a family and user profiles utilized across multiple devices. As this bill does not take effect until January 1, 2027, I urge the Legislature to enact legislation in 2026 to address these particular concerns.
Newsom is, of course, in the pocket of big tech. His reservations are about industry in California, not open source. Nevertheless, the urge for amendment/legislation suggests the story of this law is far from over.
And we can make sure that's so. More on that later.
How Bad Is It?
On its face, AB 1043 is at the very least extremely onerous—particularly for application developers. It also places what I would consider an undue burden on open source software and operating systems, given the fractiousness and diversity of the ecosystem.
For commercial software, this is not as large a lift. Apple introduced its Declared Age Range API in iOS/iPadOS/macOS 26. Windows/Android could in theory do the same, although I won't hold my breath for Android, given Google's opposition to the bill.
It is useful to compare this (bizarre) approach to the age verification issue with more mainstream ones like what Utah passed last year. That bill, like other states', requires strong identity verification in app stores. "App stores" are widely-defined (almost identically) in that law as well.
A lot of the "bad" really comes down to enforcement, and it's an open question. In the analysis of the bill as introduced for the last vote, one finds the following fiscal comments:
Actual costs will depend on whether the Attorney General pursues enforcement actions, and, if so, the level of additional staffing DOJ needs to handle the related workload. If DOJ hires staff to handle enforcement actions authorized by this bill, the department would incur significant costs, likely in the low hundreds of thousands of dollars annually at a minimum. If DOJ does not pursue enforcement as authorized by this bill, the department would likely not incur any costs.
Those are some big ifs, especially since the title has no provisions whatsoever for the establishment or funding of a DOJ task force or somesuch to track down these violations, and doing so would be extremely laborious. This wouldn't be the first time a law was passed without an enforcement mechanism, making it effectively toothless. But of course, that could change at any moment, or be weaponized opportunistically by a state Attorney General with a vendetta.
I'm classifying this right now as "a huge pain in the ass." But it isn't the end of privacy or the criminalization of Linux or whatever else it's been made out to be.
It sure as hell isn't fascism. Knock it off with that crap; it's offensive and unhelpful. I have neighbors getting abducted from the streets of my city; we have a police force blinding protesters with excessive force and no consequences. Fascism is here, no doubt. This ain't that.
How Bad Could It Be?
Slippery slope arguments about this bill abound. One popular Mastodon thread connected dots between this legislation and hardware/firmware-level enforcement of age verification. Indeed, most of the arguments against this I've seen take some form of "This is the foot in the door! If you allow this, you allow the next thing." That's a neat argument because it can always be true, but each case requires specific scrutiny. Could California introduce more stringent, hardware-level requirements? Sure; so could any other entity.
But that door was already open; no foot need be inserted to help out. Such a proposal could well have been introduced, but I have my doubts it would have passed unanimously, if at all. The appeal of this measure is its "simplicity," its attempt to respect privacy, and its design to evade constitutional issues introduced in other legislation.
If the California Attorney General decides to go all-in on enforcing this law as written, it will objectively suck for open source; no two ways about it. The amount of coordination, hacks, and new development required for compliance will likely be beyond the capacity of many projects. I literally don't know how you could possibly make GitHub compliant; it's not like Git itself will participate in age verification, so what are you going to do?
Elementary OS developer/maintainer/CEO Danielle Foŕe is working on an implementation of a potential solution. Ubuntu is having a conversation about it. It's going about as you'd expect.
Without clearer guidance from California, I expect the worst fallout to be self-inflicted by open source projects falling to rancor about how to handle this. It's a predictable and regrettable outcome.
Can It Be Fixed?
Maybe! California remains, for all intents and purposes, a representative democracy. We have more direct democracy than most states and nations. Given the Governor's suggestion of amendment, and the time between now and enactment of the law as written, I believe we have a window to urge California lawmakers to propose useful fixes. My proposal:
Exempt anything with a FOSS license from this law. Look, the target of this thing is obviously big tech—that's why they lobbied so hard against it, and why the bulk of the conversation in support was about the harms of their products. This conversation is about parents, kids, and phones. That's the world being imagined here. Our world, the one of terminals and repos and free software, never entered their imagination. Honestly, that's our failure. I had no idea this bill was even being introduced, much less chartered six months ago. Seems like the EFF didn't either.
But we're here now, and the open source community can make itself known. If you are a California resident, you can use this site to identify your state Assemblymember and Senator. Here's a script for an email or phone call you might wish to deliver.
Dear
$representativeI am [calling/writing] with grave concern about AB 1043, the Digital Age Assurance Act, as chartered in October 2025. While it appears to be a good-faith effort to protect children from the dangers of the internet, the law as written would place an undue burden on the vibrant and vital community of open source software developers. Free and open source software, which is provided without warranty and without charge to the user, is at the core of many technologies you use every day, including your web browser and phone operating system. There are even open source operating systems that serve as alternatives to offerings from Apple, Google, and Microsoft. This software is of a different species than the harmful, addictive products from big tech that the Act attempts to address. Open source software is not a threat to children. Indeed, many talented software engineers got their start as children because of the availability of open source software on their computers and through the internet.
Put simply, open source is a driver of innovation and growth.
The nature of these community-driven efforts prevents a reasonable method of meeting the requirements of AB 1043. The onerous fines associated with violation could well bankrupt the small teams or individuals who offer their creations free of charge.
I am therefore asking you to sponsor an amendment to the bill that exempts software and operating systems "released under free and open source licenses" such as those listed here:
https://opensource.org/licenses?categories=popular-strong-community
Exempting free and open source software from the burdens of this title will preserve technological innovation in California while continuing to protect children. Thank you for your time and attention.
Sincerely,
$Your_Name
Will this work? I don't know. But if we don't try, it's a little bit on us if the worst comes to pass.