You’ve probably heard by now that California just passed a law requiring operating system distributors to verify the age of its users.
But first, I recommend reading the law here. It’s honestly not that long, but you don’t have to if you want to keep reading this article.
I find it interesting this law is making headlines now, of all times, since the law was published on October 13th 2025 and is going into effect in a year from now, on January 1st 2027. That’s usually a red flag.
The news coverage is coming amidst the legitimate controversy of the Discord age verification requirements, and the news is trying to capitalize on these privacy concern sentiments by catastrophizing on old and almost inconsequential news, such as this California law.
I read the law, and here’s the deal:
- It targets distributors and app developers. Using OSes without age indication is legal for Californians. Linux’s Open-Source nature makes this easy.
- OSes need to ask for the user’s age bracket, not the specific age. There is only 4 brackets, including one “18+.”
- Apps need to have a way to read that age bracket during installation and startup.
- It’s all local, there is no requirement to run any specific software, or to send any data to the government.
- There is no verification required (despite being called verification). It uses a trust system, same as Steam, for instance.
- Apps can’t share how they read the user’s age bracket with third-party apps.
- It only targets OSes used directly by users who can install apps. So, for instance, Minix on Intel CPUs isn’t targeted.
It could literally be implemented as a user environment variable $AGE_BRACKET=4on Linux and fulfill all the requirements. The law speaks of a “signal,” but it doesn’t have to be an actual POSIX signal. It’s a generic OS-agnostic term for “mechanism to share information.”
Regardless, programs could decide not to read it, they’re not forced to act on it. The operating system only needs to make this information accessible.
The law doesn’t say anything about users lying, this hypothetical variable could be overridden by users very easily, or disabled in the account install script.
One Note on Enforceability#
People have been skeptical on how this would be implemented in the Linux world, since Linux is decentralized and open-source.
Firstly, the law does not target users, so users modifying or making their own Linux OS aren’t targeted by the law.
Secondly, the distribution of Linux distros isn’t always decentralized. For instance, Ubuntu is distributed by Canonical Ltd., OpenSUSE by SUSE S.A., RHEL by Red Hat Inc., Debian by the Debian Project, POP!_OS by System76 Inc. (located in California), etc.
These entities can each be individually monitored and targeted by the California Attorney General, except for decentralized organizations like the Debian Project or the Fedora Project because they have no independent legal identity. I am not a lawyer, so I will not elaborate on the details, but there is precedence in targeting decentralized organizations.
Thirdly, the law also targets app developers. They must “request a signal,” meaning they must ask the OS for age-verification. But if the signal is implemented as an environment variable, that information would already be available at runtime, so the developers likely wouldn’t have to do anything.
Applications developers are just like OS distributors; they can be individuals, centralized or decentralized organizations. All can potentially be fined. But realistically, since the law requirements are so low, since regulators and AGs have finite resources, and since many small and hobby programs are distributed, likely very few if no small developer will be sued. Those sorts of laws are in place to fight against large entities like Apple or Google.
Update: The Slippery Slope#
The common held belief is that while this specific law isn’t intrusive, the Californian government will expand age verification at the ID-level, creating a severe privacy issue.
I believe this is a slippery slope fallacy.
While the current situation with this California law is clearly trivial, it is easy to catastrophize and assume government will expand the law. But, at this time, there seems to be no concrete evidence that California is planning on requiring ID or government servers approval. This kind of “are you 18” checkbox has existed for decades and in the vast majority of cases has remained as such, without growing into privacy concerns.
This California law enforces nearly no scaffolding for more serious age verification. If this law was to require data sent to government servers, it could become a privacy nightmare, even if they’d promise to respect privacy, but that’s not what’s happening.
There are actual privacy issues happening right now, like Palantir, for-profit communication monopolies, Discord age verification, the UK Child Safety Law, etc. We have enough real problems. Let’s not waste energy on made up ones like this California law.
Conclusion#
That seems a lot less scary and absurd, doesn’t it? Essentially, this is a nothing burger. Maybe Californians will have to check a box in a year, but that’s about it.
Then, why all the fuss in Linux circles about this half-a-year-old law? Because it generates clicks for Tom’s Hardware, Yahoo, Shacknews and every other news source, and because of our human nature to seek out patterns and catastrophize.
This is a very different situation to the Discord ID situation which is a legitimate concern.
I hope this was a good lesson in always reaching for primary sources and to actually read new laws that might really affect you.