Age Assurance Laws Could Break Open Source—Here's What Devs Need to Know
New age verification laws in California, Colorado, Illinois, and New York could accidentally regulate GitHub, package managers, and Linux distros as if they were consumer app stores. Here's what's at stake and how developers can push back before it's too late.
TL;DR
- New laws in California, Colorado, Illinois, and New York require operating systems and app stores to collect age data and pass it to apps via real-time APIs
- Broad definitions of "app store" could accidentally capture GitHub, package managers, and open source repositories—treating them like consumer app marketplaces
- Brazil's Digital ECA is already causing some open source projects to restrict access due to legal uncertainty, despite regulators signaling FOSS should be exempt
- Developers can influence these laws now through public comment periods and direct engagement with legislators
The Big Picture
Lawmakers worldwide are racing to protect kids online. The goal is legitimate—grooming, violent content, and cyberbullying are real harms. But the technical implementation is a mess, and open source developers are about to get caught in the crossfire.
The core problem: these laws define "app stores" and "applications" so broadly that they could accidentally regulate GitHub, npm, PyPI, and every Linux distro mirror as if they were the iOS App Store. California's AB 1043 requires operating systems to collect user age at account setup and transmit an "age-range signal" to applications via a real-time API. Colorado's SB 26-051 does the same. Illinois and New York have nearly identical bills in play.
None of these laws were written with open source in mind. They're aimed at TikTok and Instagram—platforms that algorithmically serve content to passive audiences and monetize attention. But the language is vague enough to sweep in collaborative development platforms where the risk profile is fundamentally different. A 15-year-old contributing to a Rust crate on GitHub is not the same as a 15-year-old doomscrolling Reels at 2 AM.
The unintended consequence: volunteer maintainers of Debian mirrors or FreeBSD forks could face compliance requirements designed for billion-dollar corporations. That's not hypothetical. In Brazil, where the Digital ECA took effect in March 2026, some open source projects have already restricted access rather than navigate unclear legal obligations. The law was meant for commercial platforms, but legal ambiguity is forcing defensive moves.
How It Works
"Age assurance" is an umbrella term covering everything from self-reported birthdays to facial recognition scans. The spectrum runs from low-friction ("Are you over 13?") to high-friction (upload your driver's license), and the trade-off is the obvious one: a self-reported age is trivially falsified, while document or biometric checks are harder to game but leave the verifier holding a store of identity data that becomes a breach target. Most of these state bills land somewhere in the middle: they require operating systems to collect age data at account creation and pass an age bracket (e.g., "13-17" or "18+") to apps via an API.
Here's where it gets messy for developers. California's AB 1043 defines an "application store" as any service that "enables users to browse and download applications." That's broad enough to include GitHub, GitLab, package registries, and even static file hosts. The law doesn't distinguish between a curated consumer marketplace (Apple's App Store) and a decentralized repository of source code (GitHub).
Colorado's SB 26-051 initially had similar scope issues, but recent amendments clarified that software installed outside of app stores—including software downloaded from public repositories—is not covered. That's progress, but it required direct engagement from open source developers and organizations testifying at committee hearings. Without that pushback, the default legislative language would have treated every software distribution channel the same way.
The technical implementation also raises questions. Real-time age verification APIs assume a centralized architecture in which the OS vendor controls user accounts and can gate access to third-party apps. That model works for iOS and Android, where every device is tied to a vendor account. It doesn't work for Linux, where users compile from source, install via package managers, or run custom distros maintained by small communities: a local account carries no age attribute, and a distro mirror serves static files over HTTP to clients it cannot identify, so there is no user identity to attach an age signal to and no vendor positioned to send one. Requiring every Arch Linux mirror or Gentoo fork to implement age verification is absurd, but that's what happens when laws are written without understanding how open source operates.
Brazil's Digital ECA illustrates the compliance burden. The law applies to digital services "likely to be accessed by children and adolescents," wording broad enough on its face to cover operating systems and software platforms. The Brazilian National Data Protection Agency (ANPD) has signaled that proprietary systems are the priority, and draft guidance suggests collaborative free software models should be exempt. But "should be" isn't "are," and the legal uncertainty has already driven some projects to block Brazilian users rather than risk enforcement.
What This Changes For Developers
If you maintain an open source project, contribute to a Linux distro, or run a package registry, these laws could force you into a compliance framework designed for commercial platforms. The immediate risk is geographic fragmentation. If California, Colorado, Illinois, and New York all pass slightly different age assurance requirements, and Brazil enforces its own rules, you're looking at a patchwork of conflicting obligations. The easiest response for a volunteer maintainer? Geoblock those states or countries.
That's already happening. Some open source projects have restricted access in Brazil rather than navigate the Digital ECA's ambiguity. If U.S. state laws follow the same pattern—broad definitions, unclear exemptions, high compliance costs—expect more projects to take the same defensive posture. The result: developers in regulated jurisdictions lose access to tools, libraries, and communities that are foundational to learning and building software.
For platforms like GitHub, the stakes are different but equally high. GitHub has successfully lobbied for exemptions in Australia's Social Media Minimum Age law and France's similar proposal, arguing that code collaboration platforms don't present the same risks as algorithmic content feeds. Those exemptions exist because policymakers understood the distinction. But in the U.S., where state-level legislation moves faster and with less technical input, that understanding isn't guaranteed.
The broader risk is precedent. If one state passes a law that treats GitHub like an app store, other states will copy the language. If Brazil's Digital ECA is enforced against open source projects despite regulatory signals to the contrary, other countries will follow. The open source ecosystem thrives on permissionless access and decentralized collaboration. Age assurance laws, if poorly scoped, undermine both.
Try It Yourself
There's no code to run here—this is a policy fight, not a technical one. But you can take action:
- If you're in California, Colorado, Illinois, or New York, contact your state legislators. Tell them you're a developer, explain how open source works, and ask them to exempt collaborative development platforms and non-commercial software distribution from age assurance requirements.
- If you're in Brazil or have users there, participate in the ANPD's public consultation on Digital ECA implementation. Submit comments clarifying how open source projects operate and why they shouldn't face the same obligations as proprietary platforms.
- Join the conversation at GitHub's Maintainer Month livestream on May 22, where panelists from the FreeBSD Foundation and Open Source Initiative will discuss these issues in depth.
- Connect with organizations like the Open Source Initiative, FreeBSD Foundation, and Debian that are actively engaging with policymakers on these laws.
The Bottom Line
Use your voice if you're in a state considering these bills—legislators respond to constituent input, especially when it's technical and specific. Skip the outrage, bring the details. Explain how package managers work, why GitHub isn't TikTok, and what happens when volunteer maintainers face enterprise compliance burdens.
The real risk isn't that these laws will pass; it's that they'll pass with vague language that accidentally regulates the wrong things. The opportunity is that most policymakers, once they understand the distinction between consumer platforms and developer infrastructure, are willing to refine the scope. Colorado's recent amendments show that. Brazil's draft guidance suggests the same. But that only happens if developers show up and explain the problem before the laws are finalized.
If you don't engage now, expect more geoblocking, more legal uncertainty, and more fragmentation of the open source ecosystem. The window is open. Use it.
Source: GitHub Blog