California's new law regarding online service providers has attracted much interest among the Linux community. After open source developer and privacy advocate opposition to an original proposed bill, CA State Legislature is proposing a bill (AB 1856) to amend its Digital Age Assurance Act which would potentially exempt all open-source operating system platforms from age verification mandates that will begin in 2027.
Highlights
| 1 | California's Digital Age Assurance Act (AB 1043) signed in October 2025 requires OS providers to collect user age data at device setup, effective January 1, 2027. |
| 2 | Amendment bill AB 1856 proposes to exclude open-source operating systems distributed under licenses allowing users to copy, redistribute, and modify the software. |
| 3 |
Most mainstream Linux distributions like Ubuntu, Fedora, Debian, Arch, and Rocky Linux would likely qualify for the exemption. |
| 4 | SteamOS sits in a grey area due to its hybrid open-source base combined with a proprietary Steam client layer. |
| 5 | Windows and macOS would still be subject to compliance requirements under the original law. |
| 6 | AB 1856 has passed second reading as of May 19, 2026 and is heading toward a June committee vote. |
The original intent behind the Digital Age Assurance Act was to provide protection to children using the Internet through the creation of "a safer" Internet. However, the resulting proposal of the legislature created a number of legitimate concerns that many open source distributions of Linux could face pressure to implement privacy-invasive age verification mechanisms. The proposed amendment for an exemption of mandatory age verification requirements for open source operating systems followed heavy backlash from both the open source development community and privacy advocacy groups. Currently there are several areas that still need clarification, including how this proposed amendment applies to SteamOS, enterprise open source Linux distributions and ultimately what broader implications it may have.
| Law Effective | Jan 1, 2027 |
| Amendment Bill | AB 1856 |
| Committee Vote | June 2026 |
| Distros Affected | Likely Exempt |
What the Original Law Actually Requires
Before looking at the exemption, it helps to understand what California was trying to enforce in the first place. The original law, Assembly Bill 1043, was signed by Governor Gavin Newsom on October 13, 2025. It formally became known as the Digital Age Assurance Act (DAAA).
The law requires operating system providers to collect age information from users during device account setup and then transmit an age-bracket signal to application developers. Users would be classified into age brackets that include: under 5 years of age, 5 to 9 years of age, 10 to 12 years of age, and under 16 years of age. The idea was to create an age-signaling layer at the OS level so that app stores and platforms could respond accordingly without needing to verify age themselves.
Governor Newsom's own signing statement acknowledged problems with the bill, specifically citing concerns about multi-user accounts shared within families and user profiles used across multiple devices. His signing statement acknowledged implementation concerns that lawmakers later sought to address, which set the stage for the 2026 legislative session amendments we are now seeing.
The law was designed with commercial platforms in mind, think Apple's iOS, Google's Android, and Microsoft Windows. These are closed, centralized systems with mandatory accounts, proprietary app stores, and direct developer relationships. Applying the same requirements to open-source Linux distributions immediately created a structural problem. Linux works completely differently. It can be downloaded from a mirror, forked, modified, and redistributed with no central authority involved at any point.
What AB 1856 Actually Changes
Assembly Bill 1856 does not repeal the Digital Age Assurance Act. That distinction matters. Instead, it narrows the definition of who qualifies as an "operating system provider" under the law. The key language in the amendment reads:
Operating system provider does not mean a person or entity that distributes an operating system or application under license terms that permit a recipient to copy, redistribute, and modify the software.
AB 1856 Amendment Language
AB 1856 was introduced by the same Assemblymember who authored the original law, Buffy Wicks, on February 11, 2026. The open-source exemption language appeared in later revisions after significant backlash from Linux developers and privacy communities. The latest version is dated May 18, 2026, and as of May 19, 2026, the bill was read a second time and ordered to third reading in the California State Legislature.
The amendment also clarifies that an OS provider's obligation applies when there is an account configuration function for using the system on a specific device. This is actually an important technical distinction, as most Linux distributions do not have centralized accounts, mandatory telemetry, or controlled app stores. There is no single entity controlling the end-to-end experience in the way Apple or Google do.
Which Linux Distros Are Safe and Which Are Not
Based on the amendment language, most mainstream Linux distributions would qualify for the exemption because they are distributed under licenses that explicitly allow copying, redistribution, and modification, which is the exact criteria the bill uses. However, the situation is not uniform across all distributions.
| Distribution / OS | License Type | AB 1856 Exemption Status | Notes |
|---|---|---|---|
| Ubuntu | GPL v2 / GPL v3 | Likely Exempt | Fully open source, freely redistributable |
| Fedora Linux 44 | GPL v2 / GPL v3 | Likely Exempt | Sponsored by Red Hat, fully open source |
| Debian | DFSG / GPL | Likely Exempt | Strict free software guidelines |
| Arch Linux | GPL / Mixed | Likely Exempt | No central controlling entity |
| Rocky Linux | GPL v2 | Likely Exempt | Community-driven RHEL rebuild |
| RHEL (Enterprise) | GPL + Subscription | Grey Area | Open source kernel, proprietary support layer. May depend on account requirement interpretation |
| Bazzite Linux | GPL v2 | Likely Exempt | Open-source gaming distro, freely modifiable |
| SteamOS | Open-source base + Proprietary Steam client | Uncertain | Base OS is open, Steam client is closed. Legal interpretation unclear |
| macOS | Proprietary | Likely Affected | Closed, centralized, mandatory Apple ID |
| Windows | Proprietary | Likely Affected | Closed, centralized, Microsoft account integration |
| Android (AOSP) | Apache 2.0 / GPL v2 (Kernel) | Uncertain | AOSP itself is open, but OEM Android builds with Google services may fall under commercial platform rules |
The SteamOS Problem Nobody Is Fully Answering
SteamOS is the one case that creates the most uncertainty. Valve's gaming-focused operating system runs on a Linux base, currently built on Arch Linux, and the core operating system is free and open-source software. However, the Steam client itself, which is deeply integrated into the SteamOS experience and the primary way users interact with the platform, remains fully proprietary.
SteamOS also includes a centralized account system through Steam, a digital storefront, and a structured developer ecosystem. That combination of open-source base with proprietary commercial layer is exactly the kind of hybrid case the amendment language does not clearly address. The bill's exemption wording focuses on the license under which the OS is distributed, but SteamOS's real-world commercial structure looks more like a platform than a traditional Linux distribution.
Valve has not made a public statement on how it intends to approach AB 1043 compliance or whether it believes SteamOS qualifies under the AB 1856 exemption. This remains one of the most significant unanswered questions in this entire discussion, especially given how many Steam Deck users are based in California.
Enterprise Linux and the California Business Angle
For businesses and IT administrators in California running enterprise Linux environments, the exemption is broadly good news, but it introduces some nuance worth thinking through. While distributions like Rocky Linux are completely community-driven and free, Red Hat Enterprise Linux restricts its downstream source code behind a commercial customer portal, which is why its subscription-tied model sits in a legal grey area under the current law.
Whether the law's "account configuration function" clause could be applied to RHEL's subscription model is something that would need legal interpretation. For most sysadmins deploying Rocky Linux or AlmaLinux in their California data centers, the practical risk appears low, but organizations running formal RHEL subscriptions may want to seek guidance before January 2027.
Colorado is also moving in the same direction. Reports indicate that Colorado's own age attestation bill is similarly working toward exempting open-source software, after System76 CEO Carl Richell engaged directly with Colorado Senator Matt Ball in meetings held in March 2026. This suggests a broader recognition across state legislatures that open-source operating systems do not fit the compliance model these laws were built around.
The original law seemed to consider platforms like iOS, Android, Windows, or macOS, which are commercial systems with accounts, stores, common APIs, developer agreements, and the technical ability to enforce compliance requirements. Linux works differently. It can be downloaded from a mirror, modified, recompiled, forked, and redistributed without any central authority involved.
Analysis via Cloud News, May 2026
Why This Is Not Just About Age Verification
Setting aside the technical details for a moment, it is worth looking at the broader picture. The Digital Age Assurance Act was designed, according to its own framing, to address a gap in California's existing legal framework for protecting minors online. Previous California attempts to impose obligations on platforms accessed by children were struck down by federal courts on First Amendment grounds. AB 1043 was specifically drafted to sidestep those constitutional challenges by creating age-signaling infrastructure rather than direct content restrictions.
That approach has raised concerns among privacy advocates. The Electronic Frontier Foundation and similar organizations have highlighted that once OS-level age data collection becomes normalized infrastructure, future laws can build on top of it. What starts as an age bracket signal can become a foundation for identity verification requirements, name-linked accounts, or other forms of persistent user identification tied to device usage.
There is also the technical community reaction to note. A developer named John McCardle created a distribution called "Ageless Linux" in March 2026 specifically as a protest project. The project tracks how Linux distributions respond to age verification mandates and publishes tools to remove any compliance mechanisms that distributions add. It also highlights a massive liability trap. By showing that a simple script changing the OS name-string could legally shift multi-thousand dollar non-compliance penalties onto a hobbyist developer, the project exposes how poorly the law handles individual open-source forks.
Meanwhile, distributions like Zorin OS have also been monitoring the situation closely alongside Ubuntu, Fedora, and Linux Mint, all of which were publicly discussing how to handle compliance pressure earlier in 2026 before the AB 1856 amendment changed the conversation.
Because the legislation and amendment process are still evolving, some legal interpretations around compliance requirements, platform classifications, and open-source exemptions remain unresolved.
What Happens Next
AB 1856 passed its second reading on May 19, 2026 and is now heading to committee review in June. If the bill passes and is signed into law, open-source distributions would be formally excluded from the Digital Age Assurance Act's compliance requirements ahead of the January 1, 2027 effective date.
Commercial platforms, primarily Windows, macOS, iOS, and standard Android builds, would still need to implement age-collection mechanisms at device setup. Whether those platforms challenge the law in court, particularly on First Amendment grounds as some legal analysts have suggested, remains to be seen.
For Linux users concerned about security and privacy, the practical advice right now is straightforward: monitor the AB 1856 committee outcome in June. If the exemption passes, most desktop Linux users in California will have no immediate compliance concern. If it stalls or fails, the January 2027 deadline puts every Linux distribution in a very difficult position with very little time to respond.
