US age verification policy

California Retreats From Extending Age-Verification to Browsers, But the Device-Level Mandate Still Arrives in January

AB 1856's amendment drops a plan to pull browsers and websites into age-gating, easing EFF's objections ahead of AB 1043's 2027 rollout.

California's Age-Signal Law, By the Numbers People of Internet Research · US Jan 1, 2027 Effective date A.B. 1043's device-level age-signa… 4 Age brackets required Under 13, 13–15, 16–17, and 18-plu… $7,500 Max penalty, intentional violation Per affected child, for intentiona… $2,500 Max penalty, negligent violation Per affected child, for negligent … peopleofinternet.com
California's Age-Signal Law, By the Nu… People of Internet Research · US Jan 1, 2027 Effective date 4 Age brackets required $7,500 Max penalty, intentional viol… $2,500 Max penalty, negligent violat… peopleofinternet.com

Key Takeaways

A Retreat, Not a Repeal

On July 15, 2026, the California legislature amended A.B. 1856 to strip out language that would have expanded the state's age-assurance regime to web browsers and websites, and to exempt open-source operating systems from its device-level signaling mandate. The Electronic Frontier Foundation, which had opposed the bill's expansion, formally withdrew that opposition the same day, thanking the bill's author "for listening to concerns" from the open-source community and digital rights advocates.

That is a real, if narrow, win for proportionate policymaking. But it should not be read as California backing away from age verification. A.B. 1043, the underlying Digital Age Assurance Act that A.B. 1856 amends, still takes effect January 1, 2027, requiring operating system providers to collect a user's birth date or age at device setup and pass an age-bracket signal — under 13, 13 to 15, 16 to 17, or 18 and over — to app stores and, per the statutory text, to application developers who request it.

The Case for Age Signals

Proponents of A.B. 1043, led by Assemblymember Buffy Wicks (D-Oakland), have a genuine grievance to address: parents and regulators have spent years watching platforms treat age-appropriate design as optional, while COPPA-era self-certification ("are you over 13?" checkboxes) has become a running joke rather than a safeguard. An operating-system-level signal is, in principle, less invasive than app-by-app ID checks — it centralizes one disclosure instead of scattering government-ID uploads across hundreds of services. If the choice is between a single OS-level age bracket and a proliferation of per-app verification systems each holding their own copy of a user's identity documents, the OS model is the more privacy-protective architecture. That is a fair point, and it is why some age-verification skeptics have been more receptive to A.B. 1043 than to app-store or website-level mandates elsewhere.

Why Scope Mattered So Much Here

The version of A.B. 1856 that existed before this month's amendment would have undone that relative restraint. By requiring "browser providers" and "internet website operators" to also request and honor age signals, the bill would have converted a narrow OS-to-app-store handshake into a general-purpose internet age-gating layer — the exact expansion EFF warned, in its May 2026 post, would make it "nearly impossible for regular internet users to avoid AB 1043's age gates" simply by opening a browser. That is the difference between an OS declaring an age bracket to a handful of app stores and every website a user visits being entitled to demand the same signal — a shift from a bounded compliance surface to an unbounded one, with all the tracking, chilling-effect, and security risks that follow from turning ordinary web browsing into an age-gated activity.

The open-source carve-out mattered for a related but distinct reason. As drafted, the bill's definition of "operating system provider" would have swept in Linux distributions with no central authority capable of collecting a birth date at setup, no app store to report to, and no realistic way to comply without either abandoning the license terms that make open-source software open or exposing maintainers to per-child civil penalties of up to $7,500 for an "intentional" violation and $2,500 for a "negligent" one, per the statute. Exempting software "distributed under license terms that permit a recipient to copy, redistribute, and modify" the code removes that threat without weakening the law's application to the commercial platforms — Apple, Google, Microsoft — it was actually built to reach, as Phoronix reported in tracking the amendment's drafting.

What January 2027 Still Requires

None of this touches the core mandate. Come January 1, 2027, iOS and Android device setup will ask for a birthdate, that data will generate an age-bracket signal, and app developers will be expected to treat that signal as the "primary indicator" of a user's age absent "clear and convincing" evidence otherwise. EFF's institutional position on that core mandate has not moved: the organization still maintains that "no one should have to provide or verify their age to access the internet," and that linking device-level age data to app-level behavior creates exactly the kind of identity-linkage infrastructure that, once built for children, tends to get repurposed for everyone.

The Sequencing Lesson

The more durable lesson from this episode is procedural. A.B. 1043 passed in October 2025 with broad, bipartisan, industry-backed support, in part because its OS-signal architecture looked modest next to app-store or ID-upload alternatives. A.B. 1856 then nearly re-expanded that modest law into a browser-wide mandate before it had even taken effect — scope creep arriving via amendment rather than fresh legislative debate. That the legislature caught it this time, under public pressure from open-source developers and civil liberties groups, is reassuring. It is not a substitute for scrutinizing the base law itself, which still deserves the skepticism EFF continues to apply to it, before enforcement begins in six months.

Sources & Citations

  1. EFF: California Steps Back From Dangerous Expansion of its Age-Gating Law (July 15, 2026)
  2. Bill Text — AB-1856, California Legislature
  3. Bill Text — AB-1043 (Digital Age Assurance Act), California Legislature
  4. EFF: One Step Forward, Two Steps Back on AB 1856 (May 2026)
  5. Phoronix: California's Age Verification Bill May End Up Exempting Most Linux Distributions