On October 13, 2025, California Governor Gavin Newsom signed Assembly Bill 1043, the Digital Age Assurance Act (Act), into law. Effective January 1, 2027, the Act introduces a device-based age verification system designed to create safer digital environments for children under 18. The Act underscores a trend of state laws that require age verification or assurance to address growing concerns about the risks children face online, such as exposure to harmful content or predatory data management practices. Under the Act, developers of software applications must confirm the age range of California users. This process may implicate children’s privacy and online safety requirements under other laws, such as the federal Children’s Online Privacy Protection Act (COPPA), California Consumer Privacy Act (CCPA), and currently enjoined California Age-Appropriate Design Code Act (CAADCA).
Who Does the Act Govern?
The Act applies to “operating system providers” that develop, license, or control operating systems software for computing devices and “developers” that own, maintain, or control software applications. The Act requires operating system providers to collect the birth date or age of the primary user of a device through an account holder’s account setup process. Operating system providers need not collect additional information like photos of government IDs to verify the user’s age. Based on this age information, operating system providers must send digital signals via real-time API (age signals) to developers upon request, transmitting the user’s age range bracket – under 13, at least 13 and under 16, at least 16 and under 17, or at least 18. When a user downloads and launches a developer’s application, the developer must request an age signal from the relevant operating system provider or the application store from which the user downloaded the application.
Notably, unlike operating system providers, application stores are not required to collect users’ age or send age signals to developers. But the Act assumes that application stores may have the capability to provide the required age signals to developers. This presumption may stem from the new app store accountability acts (ASAAs) in Louisiana, Texas, and Utah, which require mobile application stores to verify users’ age range and transmit that information to developers upon request. Importantly, while the ASAAs implement an age assurance process for mobile applications, the Act applies more broadly to all software applications, including desktop applications.
What Are the Act’s Implications on Developers?
Currently, developers are responsible for adopting their own age gates and privacy controls. This process often results in disjointed user experiences, costly implementation, and compliance challenges. The Act shifts the age assurance responsibility to providers of operating systems like Windows, macOS, iOS, and Android, reducing friction caused by multiple age gates and giving developers a uniform basis to offer safer digital environments for children. In turn, the Act requires developers to treat age signals from operating system providers or application stores as the primary indicator of a user’s age range absent clear and convincing information indicating the user’s actual age range differs from the signaled one. In addition, developers may not request more information from operating system providers or application stores than necessary for compliance with the Act or share age signals with third parties for purposes unrelated to compliance with the Act.
A violation of the Act can result in an injunction or a civil penalty of up to $2,500 per affected child for each negligent violation or up to $7,500 per affected child for each intentional violation. The Act does not provide a private right of action, and the California Attorney General has the exclusive authority to bring claims against alleged violators.
But the Act’s material implications for developers go beyond the technical handling of age signals or enforcement actions by the California Attorney General under the Act. By collecting age range information, developers are deemed to have actual knowledge of users’ age range. As a result, developers of applications used by children will gain actual knowledge that they are processing children’s personal information. This knowledge can trigger additional obligations under other laws. For example, the CCPA and CAADCA impose restrictions on targeted advertising and requirements for enhanced data protection measures on businesses that knowingly process children’s personal information. Similarly, developers that knowingly collect personal information from users under 13 may be subject to COPPA, including its requirement to obtain verifiable parental consent before collecting personal information from children under 13. The Act also creates unique challenges for developers that maintain user profiles across devices. Developers that offer cross-device profiles may receive conflicting age signals about a user who uses multiple devices and indicates a different age range for each device. The Act is silent on how developers must resolve those inconsistencies.
What Should Developers Do to Prepare for the Act?
Developers should closely monitor potential amendments to the Act, as Governor Newsom recognized in his signing message that the Act may need further refinement. The signing message, while commending the Act as one that “would establish a much-needed system of age verification for users of mobile devices and computers,” references concerns that the Act’s framework may not fit applications that support user profiles utilized across multiple devices. Governor Newsom urged the legislature to enact legislation in 2026 to address these concerns.
Developers may also take the following compliance steps:
- Update onboarding and launch flows to request age signals from operating system providers or application stores.
- Treat age signals as the primary indicator of users’ age range and handle personal information of known children in compliance with laws governing children’s privacy and online safety, such as COPPA, CCPA and CAADCA. Applicable requirements may include obligations to provide parental notice and obtain parental consent, restrictions on targeted advertising, and enhanced mandatory data protection measures.
- Establish decision-making procedures for handling conflicting age signals from different devices, operating systems, or application stores and maintain clear records of those decisions.
Alston & Bird’s Privacy, Cyber & Data Strategy Team will continue to monitor developments in state-level children’s privacy and online safety laws. Please contact us if you have questions about how these laws may affect your organization or need assistance with establishing tailored compliance strategies.
