On October 13th, 2025, Governor Newsom signed the Digital Age Assurance Act (AB 1043) into law. Introduced by co-authors Assembly Member Buffy Wicks and Senator Tom Umberg, the law establishes age-assurance requirements for computer and mobile operating system providers and app stores as well as app developers with an aim to protect children’s online safety. The Digital Age Assurance Act enters into effect on January 1, 2027.
Background of the Digital Age Assurance Act
Addressing concerns of California children being exposed to “cyberbullying, sextortion, mental health struggles and more,” Wicks’s press release accompanying the bill’s introduction framed the bill as “critical step needed for us to require social media and other online companies to implement higher consumer safety standards for products accessed by kids.”
Newsom’s press release echoed these concerns. While granting the benefits of chatbots and social media, Newsom noted that “without real guardrails, technology can also exploit, mislead, and endanger our kids.” The Digital Age Assurance Act follows a line of recent children online safety legislation in California, including measures “to protect children from social media addiction, strong privacy requirements, and transparency measures.”
The law is co-sponsored by Children Now and International Centre for Missing & Exploited Children and supported by groups such as AAPI Equity Alliance, California Parents for Public Virtual Education, Parents Support for Online Learning, and Protect Our Kids. However, certain groups such as Chamber of Progress, Oakland Privacy, Technet registered in opposition, raising privacy and security concerns around sensitive personal information gathering required by stringent age verification measures.
Requirements Under the Digital Age Assurance Act
The Digital Age Assurance Act defines operating system provider as “a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device.” Presumably, this would cover mobile smart phone operating systems and PC operating systems but not operating systems of gaming consoles as those would not be considered general purpose computing devices. The law does not apply to broadband internet access services, telecommunications services, and the delivery or use of physical products.
The law is aimed at adult account holders providing computer and mobile devices to others, including minors. “Account holder” under the law means an individual who is at least 18 years of age or a parent or legal guardian of a user who is under 18 years of age in the state.
Operating system providers are required to provide an interface for account holders to indicate the birth date or age of the user of the device. This birth date or age information is processed into a signal of the device user’s age bracket.
These age brackets match those found under the California Consumer Privacy Act (“CCPA”):
Under 13 years of age.
At least 13 years of age and under 16 years of age.
At least 16 years of age and under 18 years of age.
·At least 18 years of age.
Operating system providers must provide these signals to applications available in a “covered application store,” defined as a publicly available platform “that distributes and facilitates the download of applications from third-party [software application] developers.” Computer and mobile app developers in turn are required to request such signals from the operating system provider or the covered application store when their application is downloaded and launched.
The law does not provide technical requirements for these signals or give an agency authority to promulgate rules pursuant to it. It is not immediately clear how covered application stores may receive and send such age bracket signals. Indeed, streaming services and videogame developers have raised concerns that the bill does not fit their current age assurance methods. Newsom’s signing letter acknowledged the complexities of the existing age verification landscape and urged the California legislature to address the concerns during the 2026 session.
The law places collection and disclosure restrictions on age assurance information, prohibiting operating system providers and app developers from collecting or requesting more information than necessary or sharing the signal with third parties for a purpose not required under the law. Presumably, this would allow sharing the age signal with third party advertisers for opt-out purposes but would prohibit sharing the age signal for those third parties’ marketing and advertising profiling and targeting purposes.
The signal’s receipt is deemed “actual knowledge” of the user’s age and to be the primary indicator of the user’s age range for the purposes of determining the user’s age, unless the developer has “internal clear and convincing information” contradicting the signal.
The law’s protections are in addition to those provided by other laws aimed at minors such as the California Age-Appropriate Design Code Act, the California Consumer Privacy Act, the Protecting Our Kids from Social Media Act, and Children’s Online Privacy Protection Act (COPPA). Because application of these laws is often triggered by knowledge that a user is a minor in a certain age range, the Digital Age Assurance Act would effectively provide actual knowledge of a user’s age range to businesses subject to the Act. This presents particular challenges for app developers who sought to avoid such actual knowledge of the age of their users and have yet to implement requirements under these laws.
Key Takeaways
Under California’s Digital Age Assurance Act --
Mobile and computer operating system providers will need to:
Develop a means to receive age signals from account holders.
Transmit such age signals upon request to app stores and/or app developers.
Determine how knowledge of age may affect their own processing of information of users and laws meant to protect minors triggered by actual knowledge.
App developers that distribute their apps through app marketplaces on computer and mobile devices will need to:
Understand how to request age signals from app stores through which they distribute their apps.
If they already have an internal means to determine age, evaluate what they will do if there is a conflict between age information they have and the age information received from the app store.
Develop ways to comply with the many laws that are triggered by actual knowledge of the user’s age. Such compliance actions may include:
Developing processes to restrict or obtain consent from teens or parents of children for targeted advertising,
Limiting collection and use of data to those that fall under exceptions under these laws,
Directing children or teens to different areas or experiences, and/or
Eliminating certain functionality and features that could be considered sharing of data.
App developers should be prepared to comply with these laws across all states as app stores may choose to implement a proactive age notice system for all users nationally.
Operating system providers and app developers should also be on the lookout for subsequent legislation that may adjust the scope of the Digital Age Assurance Act.
Operating system providers and app developers will also need to develop a strategy for how to resolve potential conflicts with this law and the similar app store accountability laws that have already been enacted in other states like Texas (in effect January 1, 2026), Utah (in effect May 6, 2026), and Louisiana (in effect July 1, 2026), and a similar federal bill is under consideration, the App Store Accountability Act.
Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on global privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law.
Hansenard Piou is an Associate at Hintze Law PLLC with experience in global data protection issues, including kids’ global privacy laws, AADC, privacy impact assessments, GDPR, and privacy statements.