
New US laws require operating systems to verify users’ ages. The problem? The people who wrote them appear to think ‘operating system’ means ‘iPhone’. Here’s what UK businesses need to know.
Something rather strange is happening in American technology legislation, and while it might seem like a distant problem, the ripple effects could reach UK businesses sooner than you’d think.
Several US states have passed or are passing laws that require operating system providers to collect age information from users when they set up an account. The intention is to protect children online by making age verification happen at the operating system level, rather than leaving it to individual apps and websites.
The intention is reasonable. The execution is a masterclass in what happens when laws are written by people who don’t understand the technology they’re trying to regulate.
What These Laws Actually Require
California’s Digital Age Assurance Act (AB 1043), signed into law on 13 October 2025 and taking effect on 1 January 2027, is the flagship example. It requires every “operating system provider” in California to collect age information from users during account setup—specifically, their birth date, age, or both—and make that information available to app developers via a real-time API.
Users would be categorised into four age brackets: under 13, 13–15, 16–17, and 18+. Apps could then query this API to determine what content or features to show each user.
Similar legislation is appearing elsewhere, though at different stages. Colorado’s SB26-051 follows a similar pattern but is still under consideration, with a proposed effective date of January 2028. New York has an active bill that goes further than California by explicitly rejecting self-reported age without supporting evidence—but it hasn’t been enacted yet.
Louisiana’s HB 570, taking effect in July 2026, is related but different: it targets app-store providers rather than operating systems directly, requiring them to request and verify age category using commercially available methods.
Brazil has adopted a broader child-safety framework for digital products and services, which includes requirements for robust age verification and specific duties for both app stores and operating systems to provide age signals. The sanctions regime includes fines of up to around R$50 million, though this is a cap within a larger enforcement framework rather than a simple flat fine.
On the surface, putting age verification at the OS level sounds sensible. Solve the problem once rather than forcing every app to implement it separately.
The problem—particularly with California’s enacted law—is the definition of “operating system provider.”
The Definition Problem
California’s law defines an operating system provider as anyone who “develops, licenses, or controls the operating system software on a computer, a mobile device, or any other general purpose computing device.”
Read that again. Any general purpose computing device.
The legislators clearly had iPhones and Windows laptops in mind—devices with app stores, user accounts, and a single identifiable company in control. But that definition sweeps in vastly more than smartphones and PCs.
It covers Linux. All of it. Every distribution—Ubuntu, Debian, Fedora, Red Hat Enterprise Linux, the lot. It covers FreeBSD. It covers the operating system running on your router. It probably covers your NAS. It technically covers FreeDOS, a hobby operating system that recreates MS-DOS from 1981.
One open-source calculator project has declared itself “probably an operating system under these laws” and has pre-emptively blocked access for users in California and Colorado, stating that it “does not, cannot and will not implement age verification.”
A calculator.
The Server Problem
Here’s where things get murky, and where UK businesses should start paying attention.
Servers are general purpose computing devices. The question is whether laws like California’s—which tie compliance to account setup and app-store style distribution—could be read to reach them.
The law requires age collection at “account setup” via an “accessible interface.” But think about how servers actually work:
Automated provisioning. Cloud instances spin up and create user accounts without any human interaction. A Kubernetes cluster might create and destroy thousands of containers every day, each potentially running its own operating system image. Nobody is sitting at a setup wizard entering their date of birth.
Bulk account creation. A university Linux server might have hundreds of accounts created via scripts or LDAP synchronisation. A hosting provider might create thousands. The concept of an individual person going through an “accessible interface” at account setup doesn’t map to how any of this works.
Headless systems. Many servers have no graphical interface at all. They’re managed entirely via command line or remote administration tools. When someone runs ‘useradd’ on a Debian server, where exactly is the age verification supposed to happen?
Embedded systems. Routers, network attached storage, smart TVs, industrial controllers—many of these run Linux or BSD variants. The definitions are broad enough that it’s unclear whether they’re covered.
The honest answer is that it’s uncertain. The law’s drafters almost certainly had smartphones and app stores in mind—walled gardens with user accounts, payment methods, and a single company clearly in charge. Whether the broad statutory language could be read to reach Linux distributions, server infrastructure, or embedded devices is genuinely unclear. That uncertainty itself is a problem.
The Open Source Crisis
Open source software presents a particular problem. Who exactly is the “operating system provider” for Debian? Or Arch Linux? Or any of the hundreds of community-maintained distributions?
These projects aren’t companies. They’re loose collaborations of volunteers around the world. The Linux kernel is developed by thousands of contributors. A typical distribution assembles components from hundreds of different sources. There’s no single entity that “develops, licenses, or controls” the whole thing.
Even if someone wanted to comply, the requirement for a “real-time API” providing age data implies a backend server holding personal information about every user. This collides directly with the privacy principles that define much of the open source ecosystem. Many open source projects exist precisely because they don’t collect personal data.
GrapheneOS, a privacy-focused mobile operating system, has stated flatly that it will never require personal information for use and will remain available internationally—and if its devices can’t be sold in certain regions, “so be it.” Other projects are likely to take similar positions.
The communities behind Fedora, Linux Mint, and many other distributions are currently trying to figure out what, if anything, they’re supposed to do. Canonical, the company behind Ubuntu, has its lawyers reviewing the situation.
The Irony (California Edition)
Here’s the particularly odd part about California’s law specifically: it doesn’t actually require photo ID, facial recognition, or any robust verification. Users simply provide their birth date or age. It’s self-reported.
So, after all the compliance burden, the API infrastructure, the privacy implications, and the chaos in the open source community, California’s system is based on the honour system. A child can simply claim to be 18.
To be fair, not all jurisdictions are making this mistake. New York’s proposed bill explicitly rejects self-reporting without supporting evidence. Louisiana requires app-store providers to verify age category using commercially available methods. But California—the biggest market, with the law that’s actually been enacted—relies on users telling the truth.
Critics also point out that voluntary parental control tools already exist. Apple’s Screen Time and Google’s Family Link let parents restrict what their children can access. These laws create a permanent regulatory infrastructure that’s easy to expand and hard to roll back—without obviously solving the problem they’re meant to address.
Why UK Businesses Should Care
This is American legislation. Why should a UK business owner pay attention?
If you have US customers. If your business serves customers in California or the other affected states, and those customers access your services via servers or software, you might theoretically be in scope. The extraterritorial reach of these laws is unclear, but the definitions are broad enough to worry about.
If you use US cloud providers. How will Amazon, Microsoft, and Google respond to these requirements? Will changes they make to comply with California law affect the services you use in the UK? When a major platform makes changes for regulatory compliance somewhere, those changes often roll out globally.
If you use open source software. If Linux distributions start restricting access or fragmenting to deal with these laws, that affects every business running Linux servers—which includes most of the internet’s infrastructure.
The UK often follows. The UK’s Online Safety Act already includes age verification requirements for certain types of content. It’s not a huge leap to imagine similar operating-system-level requirements appearing in future UK legislation. Watching how this plays out in the US gives us a preview of debates that may arrive here.
Supply chain effects. If Microsoft builds age verification into Windows for California, will they maintain separate versions? Or will everyone get the same code? When Apple makes changes for regulatory compliance, they typically roll those changes out worldwide. Your UK devices and servers may end up with features designed for Californian compliance whether you want them or not.
What Happens Next
The good news, such as it is, is that even the people who passed California’s law seem to recognise it has problems. Governor Newsom acknowledged the law’s rough edges when signing it and explicitly invited the legislature to amend it before the 2027 deadline. Amendments are expected.
There are signs that open source software may be carved out. The CEO of System76, a Linux computer manufacturer, met with the co-author of Colorado’s bill, who suggested excluding open source software from the requirements.
The real picture is this: California has enacted a very broad device-level age-signal law. Colorado and New York are considering similar models. Louisiana has passed a related app-store law. Brazil has adopted a broader child-safety regime that also touches app stores and operating systems.
The issue isn’t that these laws are imaginary—California’s is very real. The issue is that some of them are drafted broadly enough to create serious uncertainty once you step outside the smartphone-app-store model that legislators clearly had in mind.
For now, UK businesses don’t need to take any immediate action. But it’s worth watching how this develops. The intersection of technology regulation and political pressure to “protect children online” is producing some remarkably broadly drafted legislation, and the knock-on effects have a way of spreading further than anyone intends.
Keeping Up With Regulatory Changes
At Trichromic, we keep an eye on technology regulation that might affect our clients—even when it originates overseas. Part of our job is making sense of these developments and letting you know when something actually matters for your business versus when it’s just noise.
If you have questions about how regulatory changes might affect your IT infrastructure, or you just want someone who can translate tech policy into plain English, give us a call on 020 3327 0310.