California is embedding age verification directly into digital devices. For those of us concerned with personal liberties, this is an emergency. We are creating online infrastructure that could reshape how internet access is controlled nationwide.
Starting January 1, 2027, new iPhones, Android devices, and tablets sold in California will have to classify users by age range during initial setup. The system will automatically share this ‘age signal’ with apps, creating age-classification infrastructure at the operating system level. Lawmakers say this will protect minors online by allowing apps to adjust content and features based on the user’s age.
The legislation, AB 1043, which Gov. Gavin Newsom signed into law in October 2025, requires device manufacturers like Apple and Google to collect the user’s age or date of birth during device setup. The system generates an encrypted ‘signal’ that places the user into one of four age categories. Apps can request this signal and adjust functionality accordingly. California’s Attorney General enforces compliance and can bring civil action against companies that violate the law, with penalties reaching $7,500 per intentional violation.
California has around 40 million residents. Roughly 32.5 million of them use smartphones. If companies fail to comply with this new law, the fines would quickly spiral into the billions of dollars, unaffordable even for large technology companies.
American tech firms already face absurdly large fines under European laws like the Digital Markets Act and the Digital Services Act, where fines seem to be more about revenue-raising than law enforcement. As President Trump has pointed out, the European Union makes more money from fining US tech companies than from taxing them.
As aggressive regulations pile up, the financial risk from these fines becomes significant. This creates strong incentives for companies to act with excessive caution, preemptively restricting content and features for adults as well as minors, in an effort to dodge liability.
Compared with federal proposals such as the Kids Online Safety Act (KOSA) or laws already passed in Texas and Utah, California’s approach is arguably less intrusive because it does not require document uploads or biometric verification. But it still creates a permanent age-classification layer built directly into the device, which is a disaster for civil liberties.
More importantly, the law will not protect minors the way it promises. Determined minors can bypass technical restrictions by using VPNs, lying about their age, or using family members’ devices, as has already happened with similar laws in other states and countries. In the United Kingdom, for example, the Online Safety Act led to a 1,400 percent surge in VPN use shortly after implementation.
To make matters worse, devices do not belong to one user. Families share tablets. Households share computers. Even smartphones pass between users. A single age classification cannot reflect this reality. Errors are inevitable. Children will continue to access restricted content, one way or another. In some cases, they may be pushed toward less safe and harder-to-supervise digital environments in the darker corners of the internet, thanks to well-intentioned but poorly written laws like AB 1043. Meanwhile, adults may face unnecessary limitations due to incorrect classifications.
Voluntary tools like Apple’s Screen Time and Google’s Family Link already allow parents to supervise their children’s access without mandatory age classification at the device level. Government regulation cannot and should not replace parental oversight. The tools already exist. It is families, not operating systems, that must teach young people how to navigate the internet in a healthy and responsible way.
By mandating age classification at the operating system level, AB 1043 does not replace parental responsibility. It adds a new regulatory layer, with costs and consequences for companies and users. And this infrastructure will not necessarily stay confined to California.
This law could spread beyond California due to the so-called “California effect,” under which rules adopted in the largest technology market in the United States often become national standards. This happened with privacy laws like the California Consumer Privacy Act, which reshaped practices across the country. Companies adopted its requirements nationwide rather than operate separate systems.
California is not fixing a sudden market failure. It is pursuing a policy goal — protecting minors — by embedding age classification into operating systems. In doing so, it transforms age verification from a voluntary feature into a permanent digital infrastructure. Once embedded into the operating system, this infrastructure will be easy to expand and difficult to remove.