As of today, about half of all U.S. states have some form of age verification law around. Nine of those were passed in 2025 alone, covering everything from adult content sites to social media platforms to app stores.
Right now, California’s Digital Age Assurance Act (AB 1043) is all the rage right now, which targets not only websites and apps but also operating systems. Come January 1, 2027, every OS provider must collect a user’s age at account setup and provide that data to app developers via a real-time API.
Colorado is also working on a near-identical bill, which we covered earlier.
The EFF’s year-end review put it more bluntly: 2025 was “the year states chose surveillance over safety.” The foundation’s concern, which I concur with, is, where does this stop? Self-reported birthday today, government ID tomorrow? There appears to be no limit to these laws’ overreach.
The OS angle is huge, and worth picking a fight with, but I haven’t seen any coverage over how this goes after developers too.
I think this is an attack on ALL open-source.
These bills are written by people who are clearly or maliciously tech illiterate and don’t understand either the terminology or the practical impacts. And of course it’s wrapped in ‘what about the children?!’
They include definitions like (paraphrasing; not quoting a specific bill, but New York, Colorado and California do this):
And then require both developers and operating system providers to handshake this age verification data or face financial ruin. I think the original intent or appearance of intent is that the store developer needs to do the handshake. I’m not a lawyer, but I can’t imagine these definitions aren’t vague enough that they can’t be weaponized against basically anything software.
I have a github account, and have contributed to “applications”. As I read them, these bills pose a serious threat to me if I continue to do so, as that makes me a “developer” and would need to ensure the things I contribute to are doing age verification – which I don’t want to do.
I think that even outside the surveillance aspect, the chilling effect of devs not publishing applications is the end-goal. Gatekeeping software to the big publishers who have both the capacity to follow the law and the lawyers/pockets to handle a suit. These laws are going to be like the DMCA 1201 language (which had much much more prose wrapped around it and was at least attempting to limit scope), which HAS been weaponized against solo devs trying to make the world better.
I fully expect some suit against multiple github repo owners on Jan 2, 2027.
I have a script on my Github that process an exported Wordpress backup to Markdown files. Am I supposed to age gate this once these rules take effect? How would I even do that? Even if there was some sort of Python library to age gate the script, easy to use, drop it in, its a script, literally anyone could comment it out or delete it.