California Open Source Carve-Out Spares Linux, Snags SteamOS

California’s age verification law was written broadly enough to demand a birthday prompt from any Linux user installing Ubuntu. As of last week, that may no longer be true.

An amendment to Assembly Bill 1856, published May 18, rewrites the definition of “operating system provider” so it excludes anyone distributing software under licenses that let users copy, redistribute, and modify it. If the amendment survives committee in June, Debian, Fedora, Arch, and the dozens of distributions built on them will sit outside the Digital Age Assurance Act’s scope when it takes effect January 1, 2027.

What the May 18 Amendment Adds

AB 1856 is sponsored by the same lawmaker who wrote the underlying statute. Assemblymember Buffy Wicks, the Oakland Democrat who chairs the Assembly Appropriations Committee, introduced it in February. A third version was published on May 18 and advanced to a second reading the next day.

The added definitional language sits inside the original act’s section on operating system providers. It says the term “does not mean a person or entity that distributes an operating system or application under license terms that permit a recipient to copy, redistribute, and modify the software.” That phrasing tracks the Open Source Initiative’s long-standing test for what counts as free software, which means courts already have decades of case law to lean on if it gets challenged.

In practice, the open source carve-out captures the major desktop Linux distributions, the BSD family, and most Android forks that ship without proprietary Google services. It does not capture every Linux derivative, and that gap is where the story gets interesting.

Why the Original Law Pulled in Linux

Governor Gavin Newsom signed the Digital Age Assurance Act text on the California legislature site in October 2025. The statute defines an operating system provider as anyone who “develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device.” That sweep was wide enough to land on every Linux distribution downloaded by a California IP.

The core requirement is a birthday prompt at account setup. Whatever the user enters gets bucketed and exposed to app developers through a real-time application programming interface (API, software that lets one program ask another for data). Developers never see the actual birth date. They see one of four age brackets the operating system reports back.

1. Under 13 years of age
2. At least 13 and under 16
3. At least 16 and under 18
4. 18 or older

Penalties scale per minor affected. A negligent violation costs up to $2,500 per affected child. An intentional violation runs to $7,500. With roughly 8 million Californians under 18, the math for a distribution that misses compliance is unforgiving, which is why community-led projects with no legal team or revenue stream pushed back hardest after the original signing.

Newsom himself flagged the problem when he signed. In an accompanying statement he asked the legislature to amend the act before its effective date, citing complications around multi-user family accounts and profiles shared across devices. AB 1856 is one of the answers to that ask.

The SteamOS Gap the Carve-Out Leaves Open

The amended text protects software distributed under permissive licenses. Valve’s SteamOS is built on Arch Linux, which qualifies on its own. But Valve ships SteamOS with the proprietary Steam Client preinstalled, and that client is not redistributable under terms the user can modify. Lawyers parsing the bill expect Valve will remain on the hook.

The same logic shadows the Steam Deck, the Steam Frame, and the newer Lenovo Legion Go S, all three of which ship with Valve’s platform preconfigured for retail purchase. If AB 1856 passes as written, those devices will need an age prompt the first time a California buyer powers them on, while a Steam Deck flashed with vanilla Arch by an enthusiast will not.

ChromeOS sits in a similar gray zone. The underlying ChromiumOS is open source, but the build Google ships on retail Chromebooks bundles closed components. Most Android forks loaded with Google Mobile Services, the closed bundle that includes Play Store and Maps, fall on the wrong side of the same line.

This is the second-order story behind the headline. The carve-out is real relief for community distributions and for hardware vendors like System76 that sell preloaded Pop!_OS. It is not relief for the commercial Linux derivative most Californians actually own. Valve’s hardware-survey numbers put SteamOS at roughly 2% of Steam users as of April, and the company has been promoting it aggressively as a Windows handheld alternative.

Wicks’s office has not publicly addressed the SteamOS question. Neither has Valve. Privately, several developer mailing lists have flagged the same ambiguity, and at least one Steam Deck modder community is already drafting documentation for users who plan to swap the proprietary client at first boot. That is the kind of workaround the original law was supposed to make unnecessary.

Colorado’s Parallel Path and the System76 Lobby

Carl Richell, founder and chief executive of Denver-based Linux hardware maker System76, has been working a different state capitol. Colorado’s age attestation bill, SB51, was redrafted in April after Richell met with co-author Senator Matt Ball. The revised version exempts open source operating systems, applications, code repositories such as GitHub and GitLab, and containerized formats like Docker and Podman.

That is a broader carve-out than California’s. SB51’s exemption explicitly covers code-hosting infrastructure, which Wicks’s amendment does not address. The Colorado bill cleared committee in late April and is currently awaiting the governor’s signature.

Colorado matters because it is the first state bill to treat the open source software supply chain as a category requiring its own statutory shield. At least 25 state age verification statutes are already enacted in some form, and a West Virginia version takes effect next month. The next wave, including pending bills in Illinois and New York, will choose between the California model, which protects only the operating system itself, and the Colorado model, which protects the development infrastructure around it.

Richell told a Denver Linux user group earlier this year that the bills in their original forms would have forced small distributions to choose between geo-blocking California and shutting down entirely. That second outcome is not hypothetical. One BSD project already chose the first.

MidnightBSD’s Geo-Ban and the Cost of Compliance

MidnightBSD, a niche FreeBSD-derived operating system maintained by a small group of volunteers, added a license clause this February barring California residents from using the project for desktop installations. The clause was extended in March to cover Brazil, where a separate age law takes effect this month, and it is queued up for Colorado, Illinois, and New York if those states finalize their bills without the kind of carve-out Richell is pushing.

The project’s developers then started exploring a system-level verification mechanism, codenamed aged with a companion tool called agectl. The framework lets installed apps ask the operating system whether the current user falls in one of the AB 1043 brackets, without exposing the underlying birth date. It is the same architecture the major commercial providers plan to build, engineered by a team of volunteers.

The reason a tiny project felt forced to build what Microsoft is also building is the penalty schedule. The Electronic Frontier Foundation argued in a March deeplinks post on the act’s effect on open platforms that the structure does the opposite of what it claims.

The act harms users’ and developers’ right to free expression, their digital liberties, privacy, and ability to create and use open platforms. It also, perversely, entrenches the dominance of major operating system developers and device makers.

That framing, from the EFF in March, treated the original act as a transfer of leverage to incumbents who can absorb compliance cost. The May 18 amendment partially answers the critique. It does not answer it for SteamOS, ChromeOS, or any Android fork that bundles closed code.

The Constitutional Frame After Paxton

The legal scaffolding underneath every state age verification law shifted last June. The Supreme Court’s 6-to-3 decision in Free Speech Coalition v. Paxton upheld a Texas statute that required pornography sites to verify visitors’ ages. Justice Clarence Thomas wrote that adults “have no First Amendment right to avoid age verification” in that context, and he applied intermediate scrutiny rather than the strict scrutiny that had struck down past attempts.

• 99% of Pornhub visitors in age-verified states refused to verify, per data shared with researcher Eric Goldman
• 80% drop in Pornhub’s Louisiana traffic after that state’s wall went live
• 25-plus state age verification statutes already enacted, with West Virginia’s effective next month
• $11.4 billion projected annual OECD age verification market within 10 to 15 years, per a 2021 Age Verification Providers Association estimate

The Balk-Rate Problem

Eric Goldman, a Santa Clara University law professor who has written against age verification mandates for years, published a blog post Monday on how often consumers walk away from credential checks. He calls the rate the balk rate. For pornography sites the figure runs between 80% and 99%. For mainstream social platforms it would almost certainly run lower, but no platform that has tested age gating publicly has reported numbers below double digits. Goldman’s argument is that courts after Paxton may not treat high balk rates as constitutionally significant, even when credential checks measurably suppress lawful adult traffic.

The VPN Workaround

George Ford, chief economist at the Phoenix Center for Advanced Legal and Economic Public Policy Studies, posted an SSRN paper on the unintended consequences of age verification laws this month built on Google Trends data for “VPN” and “free porn” queries across all 50 states from January 2022 through September 2025. His finding: VPN searches spike inside states the week verification takes effect, while motivated minors who already use VPNs to defeat school filters carry straight through. The intended targets bypass the gate. The adults who do not run a VPN absorb the cost.

Who Collects the Toll

Goldman’s structural point is the one most often missed in coverage. Centralized age authentication is not free, and the credential issuers are positioned to extract what he calls “monopoly rents” on a government mandate. The Age Verification Providers Association’s own modeling, published in its 2021 estimate of the global age verification opportunity, pegged the OECD market at roughly £9.8 billion ($11.4 billion at 2021 rates) annually within 10 to 15 years. That estimate predated the US state wave entirely.

If AB 1856 clears its June committee read and reaches the governor’s desk in the same shape it left the Assembly, the open source exemption becomes law alongside the underlying act on the first day of 2027. If the SteamOS ambiguity gets read against Valve when enforcement starts, the first test case will be a Steam Deck that did not ask for a birthday.