Etherion Tech

Age Verification Laws Are About to Change How Your Business Manages Devices

If you manage devices for a business, a wave of new legislation is about to make your life more complicated. Starting January 2027, operating systems will be required to collect user age information and expose it to applications through a standardized API.

TL;DR: Age verification laws passed in California and Colorado require operating systems to implement age-verification APIs. For businesses running managed device fleets, this means new compliance considerations, potential MDM policy changes, and questions about how employee privacy intersects with device management. Planning now avoids scrambling later.

This isn't a hypothetical. California's AB 1043 was signed in October 2025. Colorado passed near-identical legislation in March 2026. Illinois and New York have bills in the pipeline. Brazil's version is already live.

What is the Digital Age Assurance Act?

The Digital Age Assurance Act (California AB 1043) is legislation requiring operating system providers to collect a user's age during account setup and make that information available to third-party applications through a real-time API. The stated goal is child safety online, but the implementation requirements apply to every device running an affected operating system, including the ones sitting on your employees' desks.

What This Means for Businesses

For organizations with managed device fleets, the practical implications break down into a few categories.

MDM and Endpoint Management. Once operating systems start shipping with age-verification APIs, your mobile device management platform will need to account for them. Group policies, configuration profiles, and compliance baselines will all need review. The API itself may need to be configured, restricted, or monitored depending on your industry and regulatory environment.

Employee Privacy. Age data collected at the OS level creates a new category of personal information flowing through your infrastructure. If your organization falls under HIPAA, SOX, or state privacy laws, you'll need to understand where that data lives, who can access it, and how it's retained. An age-verification API that third-party apps can query adds another exposure point to your data governance model.

Mixed Operating Systems. Organizations running Windows, macOS, and Linux workstations will likely see different implementations across platforms. Microsoft and Apple will build something polished. Linux distributions are still debating their approach, with responses ranging from minimal local-only solutions to outright refusal. If your environment includes Linux servers or developer workstations, expect inconsistency.

BYOD Complications. Bring-your-own-device policies get messier when the operating system is collecting personal information that your MDM platform can potentially see. The boundary between corporate management and personal privacy, already blurry with BYOD, gets blurrier.

What You Should Be Doing Now

The laws don't take effect until 2027 in most jurisdictions, which means there's time to prepare without rushing.

Start by inventorying which operating systems and versions are deployed across your organization. Understand your current MDM capabilities around OS-level APIs. Have a conversation with your compliance team about how age data fits into your existing data governance framework.

If you're in a regulated industry, this is worth putting on the radar for your next compliance review cycle rather than waiting for the OS updates to ship and reacting.

The Bigger Picture

Whether these laws achieve their stated goal of protecting children is a separate debate. What matters for IT leadership is that they create new infrastructure at the operating system level that will require management, monitoring, and policy decisions. Just as Microsoft 365 migrations create cleanup work that organizations don't anticipate, OS-level compliance requirements will generate follow-on work that's easier to handle with a plan than without one.

If you're thinking about how these changes affect your device management strategy, let's talk.


About the author

Edward B. is an IT infrastructure consultant based in Tulsa, Oklahoma with 10+ years of experience in systems administration, identity and access management, and cloud migration. He holds CompTIA Security+, Network+, A+, ITIL v4, Azure Fundamentals, and Linux Essentials certifications.
