Key point: California’s new Digital Age Assurance Act will likely create significant compliance challenges for many businesses.

On October 13, 2025, California Governor Gavin Newsom signed AB 1043 — the Digital Age Assurance Act — into law. In doing so, California joins Louisiana, Texas, and Utah, in passing laws this year requiring app developers to receive age bracket signals. While California’s law is more operational in nature, and in key respects narrower than the content-focused nature of the laws passed by Louisiana, Texas, and Utah, when AB 1043 goes into effect on January 1, 2027, the law will likely require companies to consider unique implementation strategies and may frustrate approaches to creating a uniform age-assurance compliance program. Further, the law will likely affect almost every app developer operating in California, including many that have never dealt with age verification requirements.

In the below article, we provide background and a summary of the law, discuss how it compares with other similar-in-kind laws, and outline some implications businesses will need to consider.

I. Background

AB 1043 is authored by Assemblymember Buffy Wicks. Wicks is no stranger to children’s data privacy issues, having carried 2022’s California Age-Appropriate Design Code Act (AB 2273) although that law is currently enjoined.

The bill received unanimous, bipartisan support in both chambers. It passed the Assembly 76-0 in June and passed the Senate 38-0 in September. Although Governor Newsom signed the bill into law, he issued a signing statement urging the legislature to amend the law prior to its January 1, 2027 effective date to address concerns from streaming services and video game developers of the impact of the law on their existing age verification systems, including the “complexities such as multi-user accounts shared by a family member and user profiles utilized across multiple devices.”

As noted, California is the fourth state to enact an age signal bracket law this year, joining Louisiana (HB 570), Texas (SB 2420), and Utah (SB 142). We wrote about the other three laws in our article analyzing the children’s data privacy laws and regulations enacted in 2025. Texas and Louisiana’s laws go into effect January 1, 2026, and Utah’s law will go into effect May 6, 2026.

These laws are not without controversy. For example, recent lawsuits have been filed by an industry association and a student advocacy organization claiming that Texas’ law is unconstitutional under the First Amendment. The lawsuits allege the law’s parental consent requirements unconstitutionally restrict speech.

II. Bill Summary

The law primarily creates obligations on operating system providers and app developers to create an age signaling framework that makes it possible for parents to set parameters on their children’s online activities. As explained in the Assembly Floor Analysis:

California has enacted or proposed several laws to better protect minors in digital spaces, but enforcement and implementation remain stymied by a basic infrastructure gap: there is no standardized, privacy-preserving method for determining whether a user is a child. AB 1043, the Digital Age Assurance Act, seeks to fill that gap by establishing a secure signaling framework at the device and app store level. This framework allows developers to receive a tamper-resistant digital signal reflecting a user’s age bracket — without requiring the collection of personal data or documents — and to treat that signal as the authoritative indicator of a user’s age for compliance purposes under California law.

     A. Operating System Provider Obligations

Operating system providers (OSPs) have two obligations:collect user ages and distribute user age signal information.

OSP is defined as “a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device.” Examples of OSPs are Microsoft Windows, Google Android OS, and Apple iOS. Arguably OSPs live a “layer” above app stores in computing infrastructure terms, in which case app stores’ age-signals are a subset of those mandated to be shared by OSPs.

OSPs must provide an accessible interface at account set up that requires an account holder “to indicate the birthdate, age, or both, of the user of that device for the purpose of providing a signal regarding the user’s age bracket to applications available in a covered application store.” The law defines “user” as a child under 18 that is the primary user of the device. The law defines “account holder” as “an individual who is at least 18 years of age or a parent or legal guardian of a user who is under 18 years of age.” Piecing this together, for individuals under 18 years of age, a parent or legal guardian must provide the age information.

OSPs also must provide “a reasonably consistent real-time” application programming interface (API) to app developers that identifies the user’s age bracket, i.e., under 13; 13 to 15; 16 to 17; and at least 18. The law defines this age bracket data as a “signal.”

     B. App Store Obligations

The law defines a covered application store as “a publicly available internet website, software application, online service, or platform that distributes and facilitates the download of applications from third-party developers to users of a computer, a mobile device, or any other general purpose computing that can access a covered application store or can download an application” but does not specify requirements on app stores. While the law refers to developers being required to request age signals from OSPs and app stores, the law does not require app stores to collect age information or distribute age signals to developers. In this respect, the law seems to include app stores as a permissive source of a legally compliant age signal, cognizant that laws from other states will require app stores to develop mechanisms to share age signals with developers.

C.  App Developer Obligations

The law defines developer as a “person that owns, maintains, or controls an application.” The law defines “application” as “a software application that may be run or directed by a user on a computer, a mobile device, or any other general purpose computing device that can access a covered application store or download an application.”

Developers are required to request age signals from an OSP or app store when the application is downloaded and launched.

A developer that receives an age signal is deemed to have actual knowledge of the user’s age range even if the developer willfully disregards the signal. The developer must treat the age signal as the primary indicator of the user’s age range unless the developer has internal “clear and convincing information” indicating a different age.

Finally, the law states that developers must use age signals “to comply with applicable law.” While the law does not specify which law(s) are in scope, the bill analysis refers to section 1798.120 of the California Consumer Privacy Act (CCPA), which states that “a business shall not sell or share the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers at least 13 years of age and less than 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale or sharing of the consumer’s personal information. A business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age.” The bill analysis explains that an “age assurance signal sent to online businesses could provide that actual knowledge.”

     D. Enforcement

The law is enforceable by the attorney general, who can seek injunctive relief and monetary fines of $2,500 for negligent violations and $7,500 for intentional violations.

III. Implications and Analysis

California’s new law creates far-reaching implications for businesses that extend well beyond the obvious requirement to integrate age signals. Although not enforceable for a year, AB 1043’s unique technical implications may trigger unintended commercial and compliance consequences as organizations work to adapt their comprehensive data protection programs to refine scalable age-assurance controls responsive to these new laws.

The age-verification regimes adopted in Louisiana, Texas, and Utah target specific content categories. They focus on the role of app stores to proactively verify age and prevent minors from accessing applications without parental oversight and consent. These laws require app stores to associate minors’ accounts with the account of a parent or guardian and obtain parental/guardian consent prior to allowing minors to download any application, purchase any application, or make a purchase with any application.

California’s law takes a markedly different approach. Rather than targeting specific content, AB 1043 establishes a device-level framework that applies to all applications. The goal is to provide age information that can support compliance with existing laws (i.e., CCPA and COPPA) rather than creating new access restrictions. Unlike the other states’ laws, AB 1043 creates a more fundamental, device-level infrastructure and places the collection burden on OSPs rather than app stores.

A weather app, productivity tool, or news application faces the same signal reception obligation as a social media platform. The difference is what obligations are triggered once the signal is received. While developers must request and receive signals, they are not required to actively verify ages or implement parental consent mechanisms unless other laws require it. The signal itself, however, creates “actual knowledge” that triggers obligations under those other laws. For example, CCPA regulations clarify that “personal information of consumers that the business has actual knowledge are less than 16 years of age” must be classified as sensitive personal information. Therefore, the collection of age signal information indicating that a business collects information of consumers under 16 years of age could trigger additional CCPA requirements.

To limit liability, developers that do not already restrict the use of their apps to individuals over a certain age, may begin imposing age limits de novo. To the extent such age limits exist or are imposed, armed with reliable age-signals, some developers may begin actively blocking new and deleting discovered child or teen accounts. Similarly, where companies are not intentionally targeting or designed to maintain relationships with minors, they may curtail and restrict user experiences for minor users where the alternative is to manage a complex process of parental verifications, manage age-appropriate experiences, and safeguard sensitive personal data of minors. Alternatively, app developers with commercial incentives and operational infrastructure to court and maintain relationships with younger individuals will need to review and document their compliance safeguards to ensure that their user interface, data collection and user functionalities are parentally permissioned, and age appropriate.

While companies must begin their respective compliance journeys soon, maintaining strategic and operational flexibility in the short term will be key as additional states may join California, Louisiana, Texas and Utah to legislate in this space and OSPs and app stores will continue to publish and revise technical guidance for app developers.