California Digital Age Assurance Act Mandates OS-Level Age Signaling via API
California’s Digital Age Assurance Act (AB 1043) establishes a statewide requirement for operating system providers to collect a user’s age information during OS account setup and expose an age-range signal to application developers through a “reasonably consistent” real-time API when an app is downloaded or launched. The law’s definition of OS provider is broad enough to include major commercial platforms (Windows, macOS, Android, iOS) as well as Linux distributions and Valve’s SteamOS, and it specifies four age brackets: under 13, 13 to under 16, 16 to under 18, and 18+. Developers who request and receive the signal are treated as having “actual knowledge” of the user’s age range, shifting compliance and content-suitability liability toward app providers; enforcement is assigned to the California Attorney General with penalties up to $2,500 per affected child for negligent violations and $7,500 for intentional violations.
Separate reporting highlights broader age/identity verification pressure across consumer platforms, including Discord’s planned move to require age verification in 2026, which has triggered privacy concerns about submitting government IDs or face scans and renewed scrutiny following a prior breach that exposed IDs for roughly 70,000 users. Other items in the set are not about AB 1043 or OS-level age signaling and instead cover general security roundups, interviews, conference write-ups, exam prep material, and unrelated policy or industry commentary; they do not add substantiated details about the California OS age-verification mandate or its implementation requirements.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
California age-verification requirements set to take effect
Starting January 1, 2027, operating system providers covered by California’s law are expected to provide a real-time API returning one of four age brackets for app developers. Developers requesting the signal are treated as having actual knowledge of a user’s age range for compliance purposes.
California enacts Digital Age Assurance Act (AB 1043)
Governor Gavin Newsom signed California’s Digital Age Assurance Act (AB 1043) in October 2025. The law requires operating system providers to collect users’ age information at account setup and later expose age-bracket data to app developers through an API.
Discord breach exposed about 70,000 users’ IDs
Discord previously suffered a data breach that exposed identification documents belonging to about 70,000 users. The incident later became a factor in user concerns about submitting age-verification data to the platform.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
California introduces age verification law for all operating systems, including Linux and SteamOS - user age verified during OS account setup | Tom's Hardware
tomshardware.com
Open sourceLet’s explore the best alternatives to Discord | TechCrunch
techcrunch.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Apple Expands App Store Age Assurance and 18+ Download Restrictions
Apple introduced expanded *age assurance* capabilities for the App Store to support compliance with new or emerging regulations in multiple jurisdictions, including Brazil, Australia, Singapore, Utah, and Louisiana. As of **Feb. 24, 2026**, Apple began blocking downloads of **18+ rated apps** in Brazil, Australia, and Singapore unless the user is confirmed to be an adult, using what Apple describes as “reasonable methods” for age confirmation. Apple also expanded the **Declared Age Range API** (iOS/iPadOS/macOS) and related platform components (including PermissionKit’s *Significant Change API*, a new StoreKit age-rating property type, and App Store Server Notifications) to provide developers with an age category plus signals about the assurance method and whether regulatory requirements apply; in Brazil, certain disclosures (e.g., loot boxes) can drive an app’s rating to **18+**. Broader policy debate continues around online age assurance in the U.S. and internationally, with jurisdictions adopting or considering stricter mandates and platforms preparing new verification requirements. Public skepticism remains elevated due to backlash against age-gating (including reported VPN usage spikes in response to the UK’s requirements) and concerns about data security following breaches at age-verification providers (e.g., **Sumsub** disclosing a previously undetected 2024 compromise). The policy environment is also being shaped by U.S. state laws and litigation, including the Supreme Court’s decision in *Free Speech Coalition v. Paxton* upholding Texas’s age verification law, while proponents argue that privacy-preserving age assurance approaches are becoming more technically mature and scalable.
Mar 26, 2026
Debate Over Kids Online Safety Act and Age-Verification Requirements for Minors
Policymakers in multiple jurisdictions are advancing **child online safety** rules that would restrict minors’ access to social media, “addictive” product features, and certain content (including pornography), increasing pressure on platforms to implement **age assurance/age verification** to determine users’ ages before allowing access. The Lawfare analysis highlights that while protecting children online is a widely shared goal, enforcing age-based restrictions at scale effectively requires collecting and validating age signals for *all* users—raising significant implementation, privacy, and governance challenges as governments consider measures such as the **Kids Online Safety Act (KOSA)**, the **Kids Off Social Media Act**, and the **App Store Accountability Act**.
Jun 23, 2026
Discord Global Age Verification Rollout After Third-Party ID Image Breach
**Discord** announced a phased global rollout requiring users to verify their age using **video selfies or government IDs**, citing growing regulatory pressure for age checks on social platforms and a goal of providing a “teen-appropriate experience by default.” Discord said the verification data will be **deleted immediately after age is confirmed** and claimed it **will not leave the user’s device**; the company also described new defaults that restrict access to age-gated features (e.g., blurring sensitive content and limiting age-restricted channels/commands to verified adults). The rollout is expected to begin in early March, following earlier “teen-by-default” measures introduced in the U.K. and Australia. The policy change triggered backlash in gaming communities due to privacy and breach concerns, amplified by a prior incident in which **roughly 70,000 images of government IDs** were exposed after users had uploaded them for customer service purposes; reporting attributes the exposure to a **third-party service** Discord used to manage data. Discord is attempting to reassure users by pointing to tightened controls and a partnership with *k-ID* for age checks, but critics highlighted perceived ambiguity in how ID scans may be handled (including potential uploads to vendor servers and involvement of additional third parties), and warned that expanding collection of sensitive identity data increases the platform’s attractiveness as a target.
Mar 21, 2026