Age verification (user tracking) from individual websites and apps directly onto Operating System

Slashdot Talk
1

Stand 05/2026

One of day-to-day business our affiliated law group is monitor recent legislative developments. In the United States, Europe, and Asia have begun to shift the burden of age verification from individual websites and apps directly onto Operating System (OS) providers.This include Gnoppix,RedHat Ubuntu and all other Linux Distributions.

While most existing laws target “online platforms” (social media and adult sites), new statutes specifically define OS providers as the primary gateway for age assurance.

1. United States: California’s Digital Age Assurance Act

California is currently the only US state with a law explicitly naming Operating System Providers as regulated entities for age verification.

  • Statute: Digital Age Assurance Act (AB-1043), signed in October 2025.
  • Requirements: OS providers (entities that develop or control software on computers or mobile devices) must provide an accessible interface during account setup that requires holders to indicate their age or birth date.
  • Enforcement: The law becomes operative on January 1, 2027. It requires the OS to provide “age bracket signals” to third-party developers upon request, effectively centralizing age checks at the system level rather than the app level.

2. Europe: Digital Services Act (DSA) & EU Wallet

The European Union’s approach focuses on providing the infrastructure for age verification, which OS distributions (especially mobile ones) are expected to integrate.

  • Framework: The Digital Services Act (DSA) mandates that platforms implement “robust and privacy-preserving” age verification.
  • Implementation: In April 2026, the European Commission finalized a harmonized “blueprint” for age verification.
  • The “Mini Wallet”: By the end of 2026, all EU Member States must offer a Digital Identity Wallet. OS providers are being encouraged to integrate these wallets to allow users to prove they are 18+ (or other age brackets) without sharing their full identity.

3. United Kingdom: Online Safety Act

The UK’s Online Safety Act 2023 places heavy duties on services to prevent children from accessing harmful content. While it primarily targets “user-to-user” services, the regulator (Ofcom) has broad powers to set codes of practice. Current 2026 guidance suggests that mobile OS providers (like Apple and Google) are key partners in implementing these age-gating mechanisms at the device level.

4. Asia: Mandatory Registration & eKYC

Laws in Asia often lean toward Real-Name Registration which inherently includes age checking through government-issued IDs.

  • Malaysia: Starting January 1, 2026, social media platforms must implement age verification via eKYC (electronic Know Your Customer) in line with their Online Safety Act. This effectively forces users to register with official identification.

  • Indonesia: Enacted a ban on social media for children under 16 on March 28, 2026. While the law targets platforms, the enforcement relies on centralized digital ID systems often integrated into mobile device ecosystems.

  • China: The Draft Law on Cybercrime Prevention and Control (2026) consolidates existing “Real-Name” requirements. It mandates that internet service providers—which often include OS-level app stores and cloud services—strengthen user activity tracing and identity management.

  • Thailand: The Digital Identity Push

Thailand is moving toward a highly centralized digital identity system, primarily focused on preventing cybercrime and fraud.

Social Media Mandates: Under a notification effective November 1, 2026, social media platforms must verify the identity of users and advertisers using government-issued IDs or approved eKYC (electronic Know Your Customer) systems.

OS & Hardware Tracking: While the law currently targets “Online Service Providers,” the Electronic Transactions Development Agency (ETDA) roadmap for 2026 includes a “Shared Responsibility” model. This encourages device and OS providers to integrate with the Thai Digital ID (ThaID) system.

Summary Table of Requirements for OS/Distributions

Region Primary Law Role of OS Distribution Status (as of 2026)
USA (CA) AB-1043 Must collect age at setup and signal to apps. Effective Jan 2027
EU DSA / eIDAS 2.0 Integration of EU Digital Identity Wallets. Rollout by end of 2026
Malaysia Online Safety Act Mandatory eKYC for user registration. Effective Jan 2026
China Cybercrime Draft Formalizes real-name management/identity. Draft (Active 2026)

Given your work with Linux distributions, these laws are particularly relevant if you distribute “pre-configured” OS images that include account-creation flows or integrated app stores, as they may eventually fall under these broad definitions of “Operating System Providers.”