Age Verification Laws Are Coming for Your Developer Tools: What's Actually Required Before 2027
California AB 1043 and Texas SB 2420 extend age verification mandates to OS providers and app developers. Here's what these laws actually require and who they catch.
Age verification laws aren't just targeting adult sites and social media anymore. California's AB 1043 mandates age-tracking APIs at the operating system level, sweeping in Linux distributions like Ubuntu, Debian, and SteamOS. Texas SB 2420 is already live. Discord just botched its first major rollout. Here's what developers need to understand before the 2027 deadlines arrive.
Key takeaways
- California AB 1043 requires OS providers, including volunteer-run Linux distributions, to build age-bracket APIs by January 1, 2027. App developers must request the age signal at install and launch.
- Texas SB 2420 is already live as of January 1, 2026, requiring age categorization and parental affiliation for minors in app stores.
- Receiving an age signal creates "actual knowledge" of a user's age, triggering COPPA and CCPA obligations you can't undo.
- Discord's botched UK pilot, a vendor breach that exposed 70,000 government IDs, and a dropped partnership with Persona show how badly implementation can go wrong.
- Whether package registries like npm fall under these laws is unresolved. The 2027 deadline is the hard line for California compliance.
Table of Contents
- Key takeaways
- The Discord Mess That Started the Conversation
- The Regulatory Wave: What Laws Are Actually Live
- Where Developer Tools Fit Under California AB 1043
- What Developers Actually Have to Do
- The Privacy Counterargument
- What to Watch Before 2027
- Key Terms
- FAQ
- Evidence & Methodology
- Related Resources
- Changelog
The Discord Mess That Started the Conversation
Discord's botched UK age verification pilot in early 2026 is the clearest illustration of how badly this can go when a platform picks the wrong vendor. It's also a reminder that this story is squarely a developer problem, not just a social media one.
In late February 2026, Discord ended its partnership with Persona after the UK pilot sparked public backlash. Discord's CTO said Persona "did not meet" their new standard, which requires fully on-device facial age estimation rather than server-side ID processing. That standard shift came partly from a prior incident: in October 2025, a breach at a different Discord age-check vendor exposed roughly 70,000 government IDs. Persona confirmed it deleted all UK pilot data after the breakup.
Discord delayed its global rollout to H2 2026, missing an earlier March target. Persona, for its part, is backed by Palantir co-founder Peter Thiel, which added a surveillance-economy angle to the controversy.
Why does this matter to developers? Discord is where developers live. The platform hosts hundreds of thousands of developer communities, open-source project servers, and technical forums. When Discord's compliance decision goes wrong, the collateral damage lands on people building software, not just teenagers posting selfies.
The Regulatory Wave: What Laws Are Actually Live
Four major regulatory regimes are in force or taking effect this year. The US state laws are the most operationally disruptive for anyone building apps or maintaining platforms.
| Jurisdiction | Law | Status | Key Requirement |
|---|---|---|---|
| UK | Online Safety Act | Live (2025) | "Highly effective age assurance" for platforms that don't prohibit self-harm, eating disorders, and pornographic content |
| Australia | Under-16 Social Media Ban | Live (Nov 2025) | Platforms must ban users under 16; fines up to AUD $49.5M (~$32M USD) |
| Texas | SB 2420, App Store Accountability Act | Live (Jan 1, 2026) | Age brackets required in app stores; parental affiliation required for minors |
| California | AB 1043, Digital Age Assurance Act | Jan 1, 2027 | OS-level age APIs; app developers must request age signal on install and launch |
The UK's Online Safety Act requires highly effective age assurance on platforms that don't prohibit "primary priority content", a category that covers self-harm content, eating disorder content, and pornographic content. Australia's under-16 ban covers 10 major social platforms, from Instagram to Reddit to Twitch.
Texas and California are the US-specific pressure points. The Computer & Communications Industry Association (CCIA) filed suit in October 2025 challenging Texas SB 2420 as unconstitutional, but the law is in effect while that case works through the courts. TechRadar framed 2025 as "the year major age verification laws moved from statute to enforcement". That framing holds up.
Where Developer Tools Fit Under California AB 1043
Most coverage of AB 1043 focuses on app stores and social media. The open-source angle has gotten almost no attention, and it's the part with the most uncomfortable implications.
AB 1043, signed by Governor Newsom on October 13, 2025, defines "operating system provider" broadly. According to the official bill text, the law takes effect January 1, 2027. According to analysis from Open Source For You, the definition covers Windows, macOS, Android, iOS, and open-source systems including Ubuntu, Debian, Arch Linux, Gentoo, and SteamOS.
That's not a typo. Volunteer-run Linux distributions serving California users are in scope.
Under AB 1043, OS providers must collect the user's age at account setup and make it available to apps via a real-time API. The law uses four brackets: under 13, 13-15, 16-17, and 18 and above. When an app requests the signal, the OS returns the bracket, not raw personal data.
App developers on the receiving end must request that signal when their app is downloaded and launched by a California user. That's the explicit requirement in AB 1043 as summarized by Alston & Bird.
Here's where Linux maintainers face a uniquely bad situation. Arch Linux, Gentoo, and Debian don't have central accounts. They don't have compliance teams. They don't have engineering resources to build and maintain a real-time age API. The Open Source For You analysis notes that some projects may simply choose to geo-restrict California users rather than build the required infrastructure. That's a real outcome.
What Developers Actually Have to Do
If you distribute through a covered app store in California or Texas, age signal handling is now part of your reality. The signal doesn't require you to collect IDs, but receiving it triggers legal obligations you need to plan for.
According to Alston & Bird's analysis of AB 1043, once your app receives an age signal from the OS, you're deemed to have "actual knowledge" of that user's age. That triggers COPPA and CCPA obligations, potentially including parental consent requirements for users under 13, additional data restrictions for users under 16, and deletion obligations if you receive a signal indicating a child.
AB 1043 is explicit that OS providers don't need to collect government ID photos, only a self-declared birth date or age at account setup. That distinguishes it from the kind of surveillance-heavy implementation Discord was attempting with Persona.
The penalties aren't trivial. Violations under AB 1043 run $2,500 per child for negligent violations and $7,500 per child for intentional violations, enforced by the California Attorney General.
Texas SB 2420 runs on the same four age brackets. It also requires that minors' accounts be affiliated with a verified parent or guardian.
Here's a quick read of who falls under what:
| If you... | What applies |
|---|---|
| Distribute through Apple App Store or Google Play to California users | Must handle AB 1043 age signals by Jan 1, 2027 |
| Maintain a Linux distribution accessible to California users | "Operating system provider" under AB 1043; must build age-tracking API |
| Run a developer community platform accessible to UK users | UK Online Safety Act applies; age assurance required |
| Distribute through Texas app stores | Texas SB 2420 in effect now |
| Publish packages via npm or similar repositories | Scope unresolved (see What to Watch) |
The developer community platform question deserves a separate note. Discord is the extreme example. But any platform that hosts communities, manages user accounts, and doesn't actively ban the UK's "primary priority content" categories faces UK OSA compliance pressure. Incorporation location doesn't matter.
The Privacy Counterargument
The EFF's position is worth understanding, because it's not just civil-liberties hand-wringing. It's a prediction about what these systems produce, and the breach at Discord's earlier age-check vendor is already partial evidence.
The EFF argues that age verification laws are censorship laws that disproportionately hurt marginalized communities and the groups that serve them. They launched an Age Verification Resource Hub in December 2025 to track these laws.
The Wikimedia Foundation took a similar position. They rejected calls to implement age verification, citing data minimisation and privacy concerns.
The specific problem with third-party age verification vendors is what happened with Discord: a breach exposed 70,000 government IDs. That's not an edge case. It's what happens when you build infrastructure to collect sensitive government documents and hand them to a vendor. Persona confirmed it deleted all UK pilot data. But the breach at Discord's prior vendor is a structural warning about the entire model.
AB 1043's self-declared-birth-date approach is a better design on the privacy axis, but it also provides weaker assurance. Whether regulators will eventually push for stronger verification, and what that means for the privacy calculus, isn't settled.
What to Watch Before 2027
Three things could change the picture significantly in the next year.
The Texas lawsuit. The CCIA's challenge to Texas SB 2420 argues the law is unconstitutional. If it succeeds, it creates precedent that could affect California AB 1043 enforcement. If it fails, it confirms that app store accountability acts survive constitutional scrutiny.
The npm question. npm's privacy policy currently states it deletes data from users under 16 if discovered but doesn't verify age before users sign up. Whether decentralized package repositories like npm qualify as "covered application stores" under AB 1043 is unresolved. No authoritative source has addressed this question yet. It matters because developers interact with npm, pip, and similar registries in ways that look nothing like app store transactions. The law's definitions may not care about the practical difference.
What Discord does next. Discord's delayed rollout remains on track for H2 2026, and the company now plans on-device facial age estimation instead of server-side ID verification. The behavioral profiling pathway (using account signals for users who don't want to do facial estimation) is also part of the plan. How Discord implements this will probably be the most visible developer-community case study before CA AB 1043 takes effect.
The EU. The European Commission is pushing forward with age-verification app testing. It's not yet a mandate, but 2025 established a pattern where "testing" becomes enforcement within 18 months.
Key dates:
- January 1, 2026: Texas SB 2420 took effect (already live)
- H2 2026: Discord global rollout planned
- January 1, 2027: California AB 1043 takes effect
Key Terms
Digital Age Assurance Act (AB 1043) is California's 2025 law requiring operating system providers to offer age-bracket APIs and requiring app developers to request that signal at app download and launch for California users.
Operating system provider is, under AB 1043, any entity distributing an OS to California users, including open-source Linux distributions like Ubuntu, Debian, Arch Linux, Gentoo, and SteamOS.
Age signal is a bracketed age-category response (under 13 / 13-15 / 16-17 / 18+) transmitted from an OS or app store to a requesting app, without transmitting raw personal data.
Actual knowledge is the legal standard that triggers COPPA and CCPA obligations. Receiving an age signal from an OS constitutes actual knowledge of the user's age under AB 1043.
CCIA is the Computer & Communications Industry Association, a trade group that filed suit in October 2025 challenging Texas SB 2420 as unconstitutional.
FAQ
Does California AB 1043 apply to Linux distributions?
Yes. AB 1043 defines "operating system provider" broadly enough to cover open-source distributions, including Ubuntu, Debian, Arch Linux, Gentoo, and SteamOS. Open Source For You's March 2026 analysis confirmed this interpretation. The practical challenge for volunteer-run projects is severe. They lack central accounts, compliance teams, and the engineering capacity to maintain a real-time age API. Geo-restriction of California users is a likely outcome for smaller distributions.
What's the difference between California AB 1043 and Texas SB 2420?
They operate at different layers of the stack. California AB 1043 works at the operating system level. OS providers must build age-bracket APIs, and app developers must request age signals at install and launch. Texas SB 2420 operates at the app store level, requiring age categorization and parental affiliation for minors' accounts. Both use the same four age brackets (under 13, 13-15, 16-17, 18+). Texas is already in effect. California takes effect January 1, 2027.
Do I have to verify ages with a government ID under AB 1043?
No. AB 1043 explicitly does not require OS providers to collect government ID photos. Alston & Bird's analysis confirms the law requires only self-declared birth date or age at account setup. The Discord/Persona situation involved a vendor model that collected government IDs; that was a choice Discord made, not a requirement under California law.
What does receiving an age signal actually obligate me to do?
Receiving an age signal creates "actual knowledge" of the user's age under AB 1043. That triggers existing obligations under COPPA and CCPA. For users under 13, COPPA's parental consent requirements apply. For users under 16, CCPA's additional protections kick in. You're not required to act on the signal itself, but you can't claim ignorance of a user's age category once you've received it.
Does AB 1043 apply if my app isn't targeted at children?
Yes, for the age signal request requirement. AB 1043 requires app developers distributing through covered app stores in California to request the age signal at download and launch, regardless of whether the app is marketed to children. What you do after receiving the signal depends on your app's content and existing data obligations.
Evidence & Methodology
This article draws on 10 sources across four tiers.
Primary sources: the California Legislature's official AB 1043 bill text, the npm official privacy policy, and Discord's official blog post on the Persona split.
Law firm analysis: Alston & Bird on CA AB 1043, Covington's Inside Privacy on the state legislative roundup, and CMS Law on the UK Online Safety Act.
Journalism: Ars Technica on the Discord/Persona split, TechRadar on 2025 in review.
The EFF is used as an explicit advocacy voice on counterarguments, not as neutral analysis. One open question (whether npm qualifies as a "covered application store" under AB 1043) has no authoritative answer yet and is flagged as such in the text.
Related Resources
- Discord Age Verification and the Persona Breach: What Actually Happened (forthcoming)
- COPPA 2.0 for Developers: What Changed and What You Actually Need to Do (forthcoming)
Changelog
| Date | Change |
|---|---|
| 2026-03-06 | Initial publication |



