California Moves to Exempt Linux From OS Age Verification Law

California Assembly Member Buffy Wicks has filed an amendment that pulls Linux distributions, FreeBSD, and most other open source operating systems out from under the state’s January 1, 2027 age verification mandate. The latest version of AB 1856’s amended bill text on the California legislature site, published on May 18, 2026, narrows the law’s “operating system provider” definition so it does not reach anyone shipping software under licenses that permit copying, redistribution, and modification.

Hybrid platforms built on a free base with a proprietary client on top, most prominently Valve’s SteamOS, sit outside the safe harbor. So do the consumer-OS incumbents the original bill was always pointed at, the same ones the Electronic Frontier Foundation accused of being entrenched by it.

The Carve-Out Language in Plain Words

The May 18 amendment leaves the core Digital Age Assurance Act in place. AB 1043 still requires operating system providers, app stores, and developers to collect a user’s age bracket through an accessible signal at account creation and pass that signal downstream to apps and websites. What the amendment changes is who counts as an “operating system provider” in the first place.

The new sentence is short:

‘Operating system provider’ does not mean a person or entity that distributes an operating system or application under license terms that permit a recipient to copy, redistribute, and modify the software.

That language tracks the standard tests for permissive and copyleft open source licenses (GPL, MIT, Apache, BSD). It also widens the recipient list inside the bill. Age signals must now reach browser providers and internet website operators, not just app stores. Liability for developers narrows in the same draft; an application receives age knowledge only when the user reaches the app from the registered device, not across every platform a user might log into.

AB 1856 was read a second time on May 19 and ordered to third reading. The Assembly still has to vote, and the Senate version Tom Umberg co-authored has its own track. If both clear, Governor Gavin Newsom (who signed the original AB 1043 on October 13, 2025) decides what reaches the books before the 2027 effective date.

How System76 and Linux Maintainers Forced the Pivot

Carl Richell, founder of the Denver-based Linux hardware vendor System76, has spent most of 2026 inside two state legislatures arguing the same case. He flagged in March that Colorado’s parallel age-attestation bill, SB26-051, was being amended to exempt open source operating systems, applications, code repositories, and containers. By late April, Colorado’s House committee had moved the amended language forward; by May, California was tracking. We have covered the broader pattern of governments engaging Linux at policy level when France swapped its government workstations to Linux for digital sovereignty.

Pressure was not only commercial. MidnightBSD briefly inserted a clause in February banning California residents from running the operating system, treating compliance as too costly at the project’s hobbyist scale. Several other small distributions began drafting their own age-verification plumbing in panic mode. The Free Software Foundation, Software Freedom Conservancy, and individual maintainers of Debian and Arch flagged that volunteer-run projects had no realistic path to building, deploying, and audit-trailing an age signal.

That coalition is the hidden stakeholder the original bill’s text overlooked. Wicks’ office targeted Apple and Google when she introduced AB 1043 in February. The drafting language swept up every Linux maintainer in the state because it defined the OS by function, not by distribution model. System76’s own write-up of the dual-state campaign credits the maintainer outreach for shifting both drafts.

SteamOS and the Hybrid OS Problem

Valve’s SteamOS sits on an Arch Linux base. The Steam Client, the storefront and DRM (Digital Rights Management, the licensing layer) that turns the device into a Steam Deck or a Steam Frame, is proprietary. Read literally, the amendment’s text exempts the base; whether Valve as the integrator and shipper of the combined product qualifies for the safe harbor is the question its lawyers are now stuck answering.

The same question reaches further than gaming hardware:

• Steam Deck and Steam Frame, where Valve ships SteamOS preinstalled and the user’s first-launch experience routes through Steam.
• Lenovo’s Legion Go S, the first non-Valve handheld with SteamOS preloaded.
• ChromeOS Flex, where Google ships a Linux-derived base with proprietary Google services bolted in.
• Android forks like LineageOS, which are open source but commonly redistributed with proprietary Google Mobile Services packages.

The dominant legal read, shared by several open source attorneys writing on Hackaday and Both.org, is that the proprietary client is the controlling fact: if Valve “develops, licenses, or controls the operating system software” on the device, and the integrated product includes proprietary pieces it controls, the exemption probably does not attach.

Valve has not commented publicly on the amendment. The company faces the same compliance fork that worried MidnightBSD on a much larger scale: build the age-verification interface into the first-launch flow, or geoblock California devices that activate after January 1, 2027. Neither is cheap. Both undercut the device experience the Steam Deck was specifically engineered around.

Who the Amendment Does Not Help

The carve-out is narrow by design. Anyone shipping a proprietary OS or running a closed app marketplace stays under the original law’s full weight. The table below maps the major OS makers against the May 18 text:

The political effect is that the law’s compliance burden lands almost entirely on the same five or six companies the EFF said it would entrench. In a March 12 deeplinks analysis of the original AB 1043, the group argued the law would “outsource censorship to developers” and concentrate computational power “in the hands of the few.” The amendment fixes the open source edge case without disturbing that core dynamic.

Germany’s Sovereign Tech Fund, which we covered when it routed €1.3 million into KDE Plasma to harden the Linux desktop, is funding the alternative the EFF is implicitly pointing toward: well-resourced public-interest Linux desktops sitting outside the consumer duopoly. AB 1856 keeps that lane legally open in California. It does nothing to shrink Apple’s or Google’s actual market share.

The Balk-Rate Math the State Did Not Run

Santa Clara University law professor Eric Goldman published a May 2026 analysis of how often consumers clear age verification walls. His shorthand: balk rates. The data set is sobering for any state betting on age signals as a compliance backstop.

• 1% balk rate for a simple checkbox self-attestation (Carnegie Mellon study).
• 49% balk rate when the gate uses AI facial-age estimation.
• 73 to 77% balk rate for government-ID checks, depending on the privacy assurances offered.
• Over 99% refusal rate on Pornhub once a verification requirement is imposed, paired with an 80% Louisiana traffic drop after the state’s wall went up.

California’s regime sits closer to the checkbox end of that spectrum. Users self-report birth date or age at OS account setup and the device signals the bracket downstream; no ID upload, no facial scan. That is by design, distinguishing the state from the Texas and Utah versions that triggered the Pornhub exits. The trade-off is the obvious one: a system designed to minimize balking is also a system trivial to defeat, which is the basis on which both the EFF and Goldman have testified against the broader category of mandates.

The Age Verification Providers Association’s 2021 market sizing estimated that age-verification services across the 37 OECD countries would clear roughly £9.8 billion in annual revenue within ten to fifteen years. That number predates almost every state law passed since. The contract pipeline now being priced into those projections includes every consumer-OS install in California.

Colorado’s Parallel Track and the States Watching

Colorado’s SB26-051 cleared its House committee with the open source exemption intact in April; Governor Jared Polis has the signed bill pending. West Virginia’s age verification law takes effect in June 2026, and at least 25 state laws of varying scope have been passed nationally. None of the others has yet adopted the operating-system-as-signal-distributor model that AB 1043 pioneered, and most are aimed narrowly at adult content sites or social platforms.

That makes California and Colorado the test bed. If the open source exemption lands as drafted in both states, expect copycat language in the next legislative session in Washington, New York, and Illinois, where similar bills are circulating. If California’s Senate strips the carve-out (a real possibility; the original bill passed 38-0 in the Senate last September with no open source debate on record), Linux maintainers face the same compliance fork MidnightBSD already flinched at.

The amendment’s third reading is the next concrete date. Until that vote lands, every project deciding whether to ship a California-aware age signal is rationally on hold. The May 18 text is the version of the law that lets a developer breathe; the November 2025 version is the one that already had MidnightBSD blocking US state IP ranges.

Frequently Asked Questions

Does the Amendment Mean I Will Not Have to Verify My Age on My Ubuntu Laptop?

Correct, assuming AB 1856 passes in its current form. Ubuntu, Debian, Fedora, Arch, Mint, and other standard Linux distributions distribute their operating systems under licenses that permit copying, redistribution, and modification, which is the exact test the amendment uses. The exemption removes the obligation at the OS layer; individual applications you install may still ask for an age signal under other provisions.

Will SteamOS Qualify for the Open Source Exemption?

Probably not. The platform runs on Arch Linux, which is exempt on its own, but Valve ships the operating system as an integrated product with the proprietary Steam Client embedded. The amendment exempts entities that distribute software under permissive licenses; Valve does not distribute the Steam Client under such terms. Valve has not commented on the May 18 amendment.

When Does the Digital Age Assurance Act Take Effect?

The state’s age verification law becomes operative on January 1, 2027, regardless of whether the amendment passes. AB 1856 changes who must comply, not when.

Who Has to Comply if the Amendment Passes?

Apple, Google, Microsoft, Samsung, and other commercial operating system providers; major app stores; application developers serving California users; browser providers; and internet website operators receiving the age signal. Standard Linux and BSD distributions would be out.

What Happens if I Am a Linux User in California After the Law Takes Effect?

If the amendment passes, nothing changes at the OS level. You would not be prompted for age verification when installing or first-launching Debian, Fedora, or similar distributions. Applications you run on top of Linux may still implement their own age checks depending on their distribution channel.