The Compliance Funnel

Have you ever watched a roomful of engineers get angry about a dropdown menu?

I have. Last week I brought up California's Assembly Bill 1043 in the Omarchy community, and the conversation moved fast. Within days of the law making headlines, an open-source scientific calculator had banned California from using it.

That's not a joke. DB48X is a project that rebuilds the legendary HP48 family of calculators. Under AB 1043, signed by Governor Newsom in October 2025, every "operating system provider" must collect a user's age or date of birth during account setup and share that information with applications via API. DB48X might qualify as an operating system. It has no web browser, no app store, and no mechanism to ask anyone for their birthday. So its developers added a legal notice. California residents may no longer use DB48X after January 1, 2027.¹

They weren't alone. MidnightBSD, a FreeBSD distribution born from the University of California, Berkeley's own Unix fork, modified its license to exclude California entirely. The FreeDOS project discussed compliance too, though FreeDOS has no user accounts, no web browser, and no app store. There isn't much it can do.²

Many go in. Few come out.

The Funnel

The thing is, the law was clearly written with Apple, Google, and Microsoft in mind. For them, compliance is straightforward. Windows already requires an online account. Apple already collects your date of birth. These companies built data collection into their onboarding years ago. AB 1043 just gives it a legal mandate.

For the open-source community, it's a different calculation entirely. There are hundreds of Linux distributions. Most are maintained by volunteers with no legal departments, no revenue, and no mechanism for collecting personal data. Fedora's project leader, Jef Spaleta, suggested a pragmatic workaround. A D-Bus service that stores age data in a local file, no telemetry, just a local API that applications can query.³ Ubuntu has its lawyers looking into it. Canonical can afford lawyers. Most projects can't.

And that's the funnel. A law that treats Apple and a teenager maintaining a desktop environment in Brazil as the same category of "operating system provider" doesn't just create headaches. It creates a gravitational pull toward the distributions that can absorb the cost. The ones with legal teams and corporate backing survive the filter. The ones running on volunteer hours and donated server space face an impossible choice. Build compliance infrastructure with no budget, ban California, or ignore the law and hope nobody notices.

It's not just California, either. Colorado has SB26-051. Illinois filed SB 3977 with identical language. New York's version goes further, explicitly forbidding self-reporting and leaving verification methods to the Attorney General. Louisiana and Texas already have their own versions signed into law.⁴

Where the real conversations happen.

What the Community Is Saying

I brought AB 1043 up in the Omarchy community this week. The reactions were immediate.

"If the state wants it, the state should pay for it," one member said. "Most distributions are non-commercial. It's ridiculous to think that Linux distros would have to bear the expense of heavy PCI compliance and data storage. If California wants an ID system, they should develop their own software system and resource for managing the data."

Another followed the logic forward. "Then what? Then they want biometric identification updates. Then they want motion activity updates to prevent other people from using the PC. Then what? Retina scanner at login step hooked up to a state database?"

A third member put it simply. "I think the big names will probably comply, but I really do hope that Linus puts his foot down and says this shall not be in my kernel. A second-best would be it has to be done this specific way so it's easy to patch out."

That last point stuck with me. Over 400 computer scientists signed an open letter in early March warning that age verification mandates "might cause more harm than good," citing censorship, centralized power, and loss of privacy.⁵ Australia's version led to teenagers circumventing restrictions with bogus birthdays and unregulated apps. The UK's led to a 1,400 percent surge in VPN use. The pattern is consistent. The infrastructure gets built. The kids find another door.

The entire verification system.

The Dropdown Menu

Here's the part that makes me sit back. California's age verification law doesn't actually verify age. It asks you to self-report. A dropdown menu. If you lie, you can be fined $2,500. Governor Newsom himself, when signing the bill, said he hoped it would be amended because of how problematic it would be to implement.

So we have a law that mandates compliance infrastructure across every operating system on earth, accepts an honor system as verification, and was acknowledged as problematic by the person who signed it. The burden falls lightest on the companies that already collect your data and heaviest on the communities that made a principle of not collecting it.

Who Pays for the Gate?

Here's what doesn't get discussed enough. The moment you collect someone's date of birth, you become a data custodian. That's not a metaphor. That's a legal obligation. You need secure storage. You need encryption. You need access controls and audit trails. If a single European user touches your software, you're subject to GDPR. If you store payment-adjacent personal data, PCI compliance enters the picture. Breach notification requirements. Data retention policies. The right to be forgotten.

Apple can absorb that. Google has entire departments for it. A volunteer maintaining a Linux distribution from their apartment does not have a compliance department, a legal team, or a budget for data infrastructure. They have a laptop and a Saturday afternoon.

This is the part that needs to be said plainly. If a state mandates an identity verification system, the state should fund it. Build the library. Maintain the infrastructure. Develop an open, interoperable API that any operating system can plug into without becoming a data controller in the process. The state collects and manages the data. The state bears the compliance burden. The state handles the GDPR headaches, the breach notifications, the storage security.

Don't hand that bill to a global community of volunteers who chose, deliberately, to build software that doesn't track you. They didn't opt into becoming custodians of personal data. The state opted them in. The state should pay for what the state requires.

The compliance funnel doesn't just push open-source projects toward corporate structures. It pushes the entire concept of non-commercial software toward a world where building an operating system requires a legal department. And if that's where we're headed, we should at least be honest about what we're choosing.

Footnotes

1. Edser, Andy. 2026. "Resistance to operating system age checks coming from checks notes open source calculator." PC Gamer. ↩

2. Proven, Liam. 2026. "US state laws push age checks into the operating system." The Register. ↩

3. Staff. 2026. "California's OS-based age verification law challenges open-source community." Biometric Update. ↩

4. Dawe, Liam. 2026. "Many more US states are planning or already have operating system age verification laws." GamingOnLinux. ↩

5. Tuccille, J.D. 2026. "Computer scientists caution against internet age-verification mandates." Reason. ↩