App store age brackets power California age assurance law, but where’s the proof?

Critics argue device-level age signals still rely on unverified self-declared ages

California’s Digital Age Assurance Act may reshape how online services handle age data, but critics argue the law stops short of requiring true age assurance. Scheduled to take effect on January 1, 2027, the law puts the collection of age data on the device provider and app store operator, by requiring operating systems to ask for a date of birth when a user registers a device. The OS then shares a signal with sites and platforms, who are expected to adjust their content and services to be age-appropriate for particular age brackets.

Critics argue the framework still relies heavily on self-declared age information, long viewed as one of the weakest forms of age assurance. It’s not hard to imagine why; a fifteen-year-old user who knows that they’ll have access to porn will happily tell their phone that they’re three years older.

With six months to go before the law takes effect, some parties are issuing guidance, some are bemoaning a perceived loss of privacy and free speech, and some are arguing that AB 1043’s system is not, in fact, age assurance at all.

AB 1043 departs from familiar age check models: IEEE

Standards body IEEE SA has published a piece outlining how California’s Digital Age Assurance Act will affect businesses. “While the law does not mandate government ID uploads or biometric scans,” the standards organization says, “it still carries meaningful compliance implications for companies offering digital services to California residents.”

The framework leverages a device-level “age bracket signal” based on the birthdate collected when a user registers a device. This declared age will be used to curate what’s available on the app store, and can be shared with developers as a secure signal on request to ensure age-appropriate experiences.

“Applications receive only the age range, not a birthdate or identifying documentation. The law emphasizes proportionality, data minimization, and accountability once age information has been collected.”

“For businesses, this represents a notable departure from traditional online age verification methods” – and a potential shift in how businesses establish “actual knowledge” of a user’s age under existing privacy laws.

Definition of ‘actual knowledge’ becomes slippery

According to IEEE, once a business receives an age signal indicating a user is under 18, California law treats that business as having actual knowledge of the user’s age range. The signal is treated as “the primary indicator of a user’s age range for purposes of complying with applicable law, unless a business possesses clear and convincing internal information to the contrary.”

“If an application receives an age bracket signal and ignores it, the law treats that inaction as willful. In practice, this may affect how personal data is collected, how advertising is served, and how default privacy settings are configured.”

Unlike states such as Texas or Utah, which have legislated platform-level age checks or app store checks that require age verification, California’s broad framework seeks to avoid banning whole categories of apps or mandating universal parental approval. “The emphasis is on providing age context so existing laws can be enforced more consistently,” says the IEEE. “This makes AB 1043 relevant not only to social media companies, but also to gaming platforms, productivity tools, streaming services, and other applications that may not traditionally think of themselves as child-directed.”

The IEEE says that, as an alternative to the stricter, platform-level age checks that other states have put in place for restricted content, California’s law could prove to be an attractive model for other countries. “While statutes such as AB 1043 do not prescribe specific technical standards or certification requirements, many organizations look to established frameworks as reference points when interpreting evolving compliance expectations.”

AVPA argues AB 1043 doesn’t mandate age assurance at all

And what does the age assurance sector think of California’s law? Not much.

In a statement, the Age Verification Providers Association says that while the open source exemption is great – “a sensible correction that allows policymakers to focus on the commercial operating systems that are the true target of the law” – the law fails on a fundamental issue, which is that it is “a parental control framework, not an age assurance framework.”

Its argument is rather convincing. AVPA says AB 1043 “does not establish that the person currently accessing a service is the age claimed, does not tell a relying platform anything about the level of age assurance behind the signal it receives, and does not require Apple or Google to independently verify a single age declaration before transmitting an age signal downstream.”

The trade organization points out how easy it is for a 15-year-old to acquire a smartphone today in the U.S. “They can purchase a handset outright with cash from any electronics retailer or carrier store where no age check is required or customary. They can activate it using a prepaid SIM card bought over the counter at a supermarket or pharmacy with no identity check. Next, they can create an Apple ID or Google account by entering a date of birth of their choosing.”

Even though independent age verification never enters the picture, “if a user claims to be over 18, that declaration becomes the foundation of every subsequent age signal generated by the operating system.”

This poses a compliance risk for platforms, which do not receive the same legal protections as Apple and Google under the law. Big Tech gets “substantial liability protection under section 1798.503(b), including for erroneous signals and for certain downstream conduct by platforms that receive them.”

Meanwhile, platforms “are deemed to have actual knowledge based on a signal whose integrity is not guaranteed, yet they remain responsible for complying with COPPA, state privacy laws and a growing range of other age restrictions.”

EFF criticizes expansion of age-bracketing model

The Electronic Frontier Foundation (EFF) has also criticized AB 1043 and a related clean-up bill, AB 1856, arguing the framework threatens privacy, anonymity and free expression.

While EFF welcomed an exemption for open-source operating systems, it warned that expanding the age-bracketing system to browsers and websites could create what it called “a recipe for censorship.”

The group argues that mandated age-gating systems risk undermining privacy and anonymity online, even when they stop short of requiring government ID or biometric checks.

Certification gains yet more importance

The law throws yet another spotlight on the increasing importance of testing and certifications.

“For organizations navigating children’s privacy, advertising restrictions, and data handling obligations,” says IEEE, “aligning with an online age verification certification program early can help clarify expectations and reduce uncertainty as enforcement approaches.” A practical benchmark can show that a company has “taken reasonable steps to align its practices with emerging standards, rather than relying on ad hoc or outdated approaches.”

In preparing for compliance, online businesses serving California should now think beyond single statutes and check boxes, and focus on building sustainable, standards-based practices.

Look to standards for reliable age assurance

“The AVPA supports measures that help parents manage children’s online experiences. Device-level age signals and parental controls can form part of a broader child safety ecosystem and may serve as useful inputs into a platform’s age assurance process. They are not, however, a substitute for independent age assurance for medium and high risk use-cases.

“Where legislators want reliable age determination – not just a declared age passed through a pipeline – they should require publisher-level age assurance conducted against recognised technical standards such as ISO/IEC 27566-1 and IEEE 2089.1.”
