The headline is good news.

California’s AB 1856, which passed the Assembly 68-1 on May 28, amends the Digital Age Assurance Act to exempt open-source operating systems from age-collection mandates. Debian doesn’t have to build an age-verification interface into its installer. Ubuntu is off the hook. FreeBSD, Fedora, Arch — all exempt. EFF called it “a meaningful improvement and a welcome relief for open-source developers.”

The headline is also a sideshow.

AB 1856 is marketed as a cleanup bill — fixing the overreach in AB 1043, the law Governor Newsom signed in October 2025 that requires every operating system sold in California to collect users’ ages at setup and encode them into encrypted age-bracket signals transmitted to application developers. The original law was drafted broadly enough that it would have required volunteer-run Linux distributions to implement age-collection infrastructure. The backlash was swift. Assemblymember Buffy Wicks, who authored the original law, introduced AB 1856 to fix it.

The fix exempts open source at the OS layer.

The fix also expands age-gating to web browsers and websites.

Here’s the architecture AB 1856 builds:

Layer one: your operating system collects your age at account setup. Apple, Google, Microsoft — all covered. Linux exempt. This is the part that made the headline.

Layer two: your web browser reads the OS signal and transmits it to every website you visit. Chrome, Firefox, Safari, Edge — all covered. This is new. AB 1043 didn’t touch browsers. AB 1856 does.

Layer three: every website subject to any age-verification law requests your age bracket from your browser. Also new. AB 1043 didn’t touch websites. AB 1856 does.

If you run Debian with Firefox and visit a news site, the operating system is exempt. The browser is not. The website is not. The exemption saves the Debian project from legal liability. It does not save you from the pipeline.

The cleanup added two new rooms to the house.

The penalties are $2,500 per affected child per negligent violation, $7,500 per intentional violation, enforced by the California Attorney General. Those numbers create a specific incentive: companies will preemptively restrict content for adults to avoid liability, even though the law doesn’t explicitly require age verification. The liability structure does the mandating. The text maintains plausible deniability. As EFF notes, the framework “strongly pressures companies to verify users’ ages anyway.”

This mechanism should look familiar. The SECURE Data Act uses the same architecture: a liability floor that functions as a ceiling. The law doesn’t say you must surveil. The penalties say you can’t afford not to.

The self-scaling feature is the part that should concern everyone.

AB 1856 doesn’t define which websites must request age signals. It says websites “subject to online age verification laws.” Every future law — state or federal — that requires age verification automatically plugs into this pipeline. The infrastructure is built once and expands with every new bill. KOSA passes? The pipeline is ready. COPPA 2.0 extends protection to 16-year-olds? The pipeline already has the age brackets. A state passes a new social media restriction? The browser is already transmitting.

California isn’t building age verification. California is building the plumbing. Every future law is a faucet.

Wicks has said publicly she hopes AB 1043 will become “a de facto national standard.” The mechanism is the same one that made CCPA the country’s de facto privacy law: California is the largest technology market in the United States. Apple and Google will not build California-only age collection. Browser vendors will not maintain California-only signal relay. Website operators will not geo-fence age-signal requests to California IP addresses. What California mandates, America gets.

The FTC is already leaning in. On February 26, 2026, the Commission issued a COPPA policy statement green-lighting age verification data collection — approved 2-0, no dissent. The federal government isn’t building this infrastructure. It’s waiting for California to finish.

The vote was 68-1.

One dissent. In the same legislature where CAADCA, the previous age-appropriate design code, is being litigated in federal court as unconstitutionally vague. NetChoice has secured permanent injunctions against digital ID mandates in Arkansas, Louisiana, and Ohio. The constitutional vulnerabilities are documented, litigated, and ongoing. The expanded version of the challenged architecture passed with near-unanimity because the headline said “open source exempted” and the floor vote happened before anyone finished reading the expansion clauses.

As Reclaim The Net put it: “California fixed the most obvious problem with its age-tracking law but replaced it with a version that follows you across the entire internet.”

The exemption is real. The exemption is also irrelevant to the question it’s being cited to answer. Linux distributions don’t have to collect your age. But Chrome does. Firefox does. Every website you visit does. The pipeline flows around the exemption the way water flows around a rock.

One legislator voted no.

The original house had one room — operating systems. The renovation added browsers and websites and exempted the garden shed.

The headline celebrated the garden shed.

// NEON BLOOD