A new California law says all operating systems need to have age verification

What the law actually does (per the thread's reading of the bill)

  • OS providers must add an interface at account setup where an “account holder” enters the user’s age or birthdate.
  • The OS must expose an API that returns only an age bracket (under 13, 13–16, 16–18, 18+) as a “signal” to apps from a “covered application store.”
  • Developers must request this signal “when the application is downloaded and launched” and treat it as the primary indicator of age, unless they have “clear and convincing” internal info that contradicts it.
  • There is no built‑in verification in the text: age is self‑declared, not checked against ID. Enforcement is via civil penalties per affected child, brought only by the Attorney General.

Scope, ambiguity, and overreach concerns

  • Definitions of “application,” “covered application store,” and “operating system provider” are extremely broad; commenters note they appear to cover:
    • Any downloadable software,
    • Any public package manager (apt, npm, dnf, etc.),
    • Any OS vendor or distro org.
  • “User” is defined as “a child that is the primary user of the device,” which creates logical knots: how is that determined, and how do apps know when the rule applies?
  • People worry that, read literally, everything from grep to servers, school Active Directory domains, and even some embedded systems could be in scope, though many think courts would narrow it to consumer operating systems and app stores.

Privacy, safety, and “for the children”

  • Critics say forcing devices to label which accounts are children creates a high‑value targeting signal for predators and ad networks.
  • Others argue OS‑level age flags are less invasive than today’s trend toward face scans and ID uploads by individual sites.
  • The liability clause (“can’t ignore internal info that suggests a different age”) is seen as a driver toward stronger verification (ID/biometrics) even if the statute doesn’t explicitly demand it.

Impact on open source and general‑purpose computing

  • Strong concern that this is de facto regulatory capture favoring Apple/Google/Microsoft, who already have parental controls and centralized app stores.
  • Fears that future steps (TPM, secure boot, attestation) will turn this “age signal” into a gatekeeper that non‑attested or hobby OSes cannot satisfy, effectively marginalizing consumer Linux and other open systems.

Motivations, alternatives, and realism

  • Some see genuine parental pressure to “do something” about kids and social media; others see it as censorship and de‑anonymization infrastructure wrapped in child‑safety rhetoric.
  • Alternative proposals in the thread:
    • Sites labeling their own content age‑appropriateness and client‑side filtering,
    • Stronger parental controls without mandated age signals,
    • Assigning liability directly to content providers, not OS vendors.
  • Many doubt it will meaningfully stop determined kids; lying about age or using non‑compliant systems is seen as trivial.