US State Laws Mandate Age Verification in Operating Systems

The push for digital age verification is expanding beyond websites and apps, with several U.S. states now proposing laws that would require operating system providers to collect and confirm user ages. This shift aims to create a foundational layer of protection for minors but introduces significant technical and privacy challenges, particularly for open-source software communities. While commercial platforms may adapt, these mandates could reshape how free and open-source operating systems (FOSS) are distributed and used.

California’s Assembly Bill 1043, approved last October, sets the stage. Starting in 2027, it would require OS vendors to implement an accessible interface during account setup that collects a user’s birth date or age. This information must then be shared with app stores in a manner deemed non-anti-competitive. The bill represents a direct move to embed age checks at the device level, shifting responsibility from individual applications to the core system software.

Colorado and New York are advancing similar legislation. Colorado’s Senate Bill 26-051 mandates that OS vendors store user age brackets and notify app stores if an account holder is underage, with app developers required to check this status. Penalties for non-compliance range from $2,500 for negligence to $7,500 for intentional violations. New York’s Senate Bill S8102A goes further, requiring manufacturers of internet-enabled devices to conduct age assurance and provide that data to virtually all online services and applications, not just app stores.

For major commercial operating systems like those from Microsoft and Apple, these laws may align with existing practices. Modern versions often require online accounts, and Apple typically encourages adding a payment method. The new rules essentially formalize and expand data collection that is already commonplace, albeit under the banner of child protection.

The situation is markedly different for FOSS projects. Many open-source operating systems are built by decentralized communities, not corporations, and lack the infrastructure or legal teams to implement such mandates easily. Some are already taking preemptive measures. The MidnightBSD distribution, for instance, has added a license clause prohibiting desktop use by California residents starting in 2027. Similarly, the DB48X scientific calculator app plans to ban users in California next year and in Colorado by 2028.

These developments have sparked widespread concern within open-source circles. Discussions are underway in the Fedora Project, Linux Mint forums, and even the FreeDOS Project, though the latter notes its lack of user accounts or app stores limits what it can do. Canonical, the company behind Ubuntu, has its legal team reviewing the implications. System76 CEO Carl Richell has published a detailed critique, arguing the bills are poorly specified, overly broad, and ultimately ineffective since tech-savvy minors could easily bypass such checks.

This regulatory trend isn’t confined to the United States. The European Union also has guidelines for protecting minors online that could lead to similar requirements, potentially creating a complex global patchwork of compliance rules. Observers note that more nuanced approaches, like those seen in Norway, might offer better models for balancing safety with practical implementation and user rights.

As debates continue, the core tension remains between the goal of shielding young users and the realities of software development, especially in the FOSS world. These laws could inadvertently restrict access to open-source tools or push projects to exclude users from certain regions, fundamentally altering the inclusive ethos that has long defined the community.

(Source: The Register)