California Proposes AB 1856 to Exempt Permissively Licensed Operating Systems from OS-Level Age Verification Mandate

California Assembly Bill 1856 proposes to amend the Digital Age Assurance Act (AB 1043) by exempting operating systems distributed under licenses that permit copying, redistribution, and modification. This amendment resolves architectural and enforcement conflicts for decentralized open-source platforms that lack the centralized telemetry, user-account registries, and corporate structures required to expose OS-level age-bracket signals.

California is moving to scale back the scope of its upcoming Digital Age Assurance Act (AB 1043) by introducing a legislative amendment designed to exempt open-source operating systems from mandatory age-verification mechanics. The proposed amendment, Assembly Bill 1856 (AB 1856)—introduced by the same lawmaker who authored the original act—would modify the definition of an "operating system provider" to exclude entities distributing software under permissive, open-source licenses.

The AB 1043 OS-Level Mandate Passed in late 2025 and scheduled to take effect on January 1, 2027, AB 1043 shifts age-verification requirements down the software stack from edge application layers to the operating system level. Under this framework, operating systems are required to capture a user's age or date of birth during initial device setup. The OS must then expose an "age bracket signal" to downstream applications and web-based app stores. The law defines these brackets as: * Under 13 * 13–15 * 16–17 * 18+

Architectural Incompatibilities of Decentralized Systems The original mandate assumed a highly centralized, vertically integrated OS architecture characteristic of proprietary platforms like iOS and Android. It did not account for the decentralized, community-driven nature of GNU/Linux distributions such as Debian, Arch Linux, Fedora, Ubuntu, and Mint.

• Absence of Centralized Identity and Telemetry: Many Linux distributions do not require user accounts, cloud synchronization, or telemetry pipelines during OS installation.
• Lack of Corporate Custody: Many distributions are managed by decentralized networks of volunteer maintainers, operating without formal corporate structures capable of assuming legal liability.
• Source Forkability: Because the underlying source code is open, downstream users can easily strip out verification APIs or hardcode false positive signals, making enforcement unrealistic.

Privacy advocates, including the Electronic Frontier Foundation, warned that enforcing these requirements would necessitate the creation of a persistent, invasive identity-tracking infrastructure. This concern prompted resistance from security-focused projects like GrapheneOS, which refused to comply with the mandate.

The AB 1856 Exemption Strategy To address these technical realities, AB 1856 excludes any "person or entity that distributes an operating system or application under license terms that permit a recipient to copy, redistribute, and modify the software" from the definition of an operating system provider.

By tying the exemption directly to licensing terms, the amendment shields mainstream, community-developed Linux distributions. However, proprietary operating systems and highly integrated commercial distributions, such as SteamOS, could still be affected depending on how their commercial distribution terms align with the new statutory language.

AB 1856 is currently moving through California’s legislature ahead of committee reviews scheduled for June.