Privacy & Information Security Law Blog

On October 13, 2025, California Governor Gavin Newsom signed into law the Digital Age Assurance Act (AB-1043) (the “Act”), which introduces new requirements for age verification in software applications. The operative date is January 1, 2027.

The Act applies to the following entities:

• Operating System Providers: An operating system provider is a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general-purpose computing device.
• Covered Application Stores: A covered application store is any publicly available internet website, software application, online service, or platform that distributes and facilitates the download of applications from third-party developers to users of a computer, a mobile device, or any other general-purpose computing device that can access a covered application store or can download an application. Covered application stores do not include platforms that distribute extensions, plug-ins, add-ons, or other software applications that run exclusively within a separate host application.
• Application Developers: A developer is a person who owns, maintains, or controls an application. An application means a software application that may be run or directed by a user on a computer, a mobile device, or any other general-purpose computing device that can access a covered application store or download an application.

The Act does not apply to broadband internet access or telecommunications services, or the delivery or use of physical products. There is no liability for actions of persons other than the primary user.

The Act contains key requirements, including:

• Operating System Providers Must Provide an Accessible Interface at Account Setup for Age Verification and Provide Age Bracket Signals Upon Developer’s Request. Operating system providers must provide an accessible interface at account setup requiring account holders to indicate the birth date, age, or both, of the device’s primary user. This is to provide a signal regarding the user’s age bracket to applications available in covered application stores. Operating system providers must also (1) provide, upon a developer’s request, a digital signal specifying the user’s age bracket, (2) minimize data sharing to only what is necessary for compliance with the Act, and (3) not share signal information with a third party for a purpose not required by the Act.
• Operating System Providers and Covered Application Stores Must Comply with Nondiscrimination Provisions. Operating system providers and covered application stores must comply with the Act in a nondiscriminatory manner, including by (1) imposing at least the same restrictions and obligations on their own applications and application distribution as they do on those from third-party applications or application distributors and (2) not using data collected from a third party in the course of compliance with the Act to compete against that third party, give the covered application store’s services preference relative to those of a third party, or to otherwise use the data in an anticompetitive manner.

• Application Developers Must Request an Age Bracket Signal When the Application Is Downloaded and Launched. Application developers must request an age bracket signal with respect to a particular user from operating system providers or covered application stores when the application is downloaded and launched. A developer who receives a signal is deemed to have actual knowledge of the user’s age range, even if the developer willfully disregards the signal. Developers must not willfully disregard clear and convincing information otherwise available that indicates that a user’s age is different than the age bracket data indicated by a signal provided by an operating system provider or a covered application store. Developers must not (1) request more information than necessary for compliance with the Act or (2) share the signal with a third party for a purpose not required by the Act.

The Act provides for key compliance dates as follows:

• For devices where account setup was completed prior to January 1, 2027, operating system providers must, before July 1, 2027, provide an accessible interface enabling the account holder to indicate the user’s birth date, age, or both.
• For applications last updated on or after January 1, 2026, and downloaded to devices before January 1, 2027, where the developer has not requested a signal with respect to the user of the device on which the application was downloaded, developers must, before July 1, 2027, request a signal regarding the user’s age bracket from a covered application store.

Penalties for noncompliance include up to $2,500 per affected child for negligent violations and up to $7,500 for intentional violations. The Act provides for enforcement by the California Attorney General and does not contain a private right of action.