Systemd, the init system running on the vast majority of Linux distributions, has an open pull request to add a birthdate field to its user database. On the surface, it is an optional field in a JSON record. Nobody would be required to fill it out. There is no validation. You could enter January 1, 1970, and move on with your life.
But this is not a story about a JSON field. It is a story about what happens when legislation starts reshaping the infrastructure layer of software, and why SaaS businesses need to be paying attention right now.
The Infrastructure Is Being Built
The systemd proposal is one piece of a larger pattern. The freedesktop.org xdg-desktop-portal project is working on age verification APIs. GNOME is deepening its dependency on systemd's userdb for session management and user account data, the same component where this birthDate field would live. Apple and Google are building age signal APIs into their app store platforms to comply with new state laws. The pipeline runs from legislation to operating system to desktop environment to app store to your application.
Today, the field is optional and self-reported. The Reddit and Lemmy threads about this change are full of people pointing out that you can enter a fake birthday, and they are right. But as one commenter put it: "The point is that all apps have to learn to listen to this signal. Once all apps are already expecting an age from the user, the law will just get tightened." The infrastructure comes first. The enforcement follows.
What Changed Legally
Two things happened in 2025 that turned age verification from a niche policy concern into an operational reality for software businesses.
First, the U.S. Supreme Court upheld Texas's age verification law in Free Speech Coalition v. Paxton (June 2025). The Court applied intermediate scrutiny and ruled that states can require websites to verify user ages to prevent minors from accessing content deemed harmful. This effectively displaced two decades of precedent where courts had consistently applied strict scrutiny to strike down similar requirements. The Court distinguished its earlier decisions as products of a different technological era. The constitutional framework that had been protecting online platforms since the late 1990s has fundamentally shifted.
Second, states moved fast. As of early 2026, at least 17 states have enacted laws addressing age verification for social media, adult content, or both. A new category of legislation, the App Store Accountability Acts, emerged in Texas, Utah, Louisiana, and California. These laws do not just target social media platforms or adult content sites. They impose obligations directly on app developers, regardless of whether the app is directed at children.
The App Store Accountability Acts
This is where it gets concrete for SaaS businesses. The App Store Accountability Acts (ASAAs) create a two-tiered compliance structure. App stores must verify user ages at account creation and categorize users into age brackets: child (under 13), younger teenager (13 to 15), older teenager (16 to 17), and adult (18 and over). They must then pass that age category data to developers via API.
Developers, in turn, must assign age ratings to their apps, receive and act on the age signal from the app store, enforce restrictions for minor users, obtain parental consent where required, and delete age verification data after the process is complete. These obligations apply to every app distributed through a covered app store, not just apps with age-restricted content. A B2B project management tool on the App Store is in scope just like a social media platform.
A federal version of the ASAA was introduced in May 2025 and would apply these requirements nationally.
State-by-State Landscape
The current patchwork of state laws creates a compliance maze. The table below covers the most significant enacted laws as of March 2026, focusing on those with direct implications for software businesses.
| State | Law | Effective Date | Scope | Key Requirement | Penalties | Status |
|---|---|---|---|---|---|---|
| Texas | SB 2420 (ASAA) | Jan 1, 2026 | App stores and developers | Age verification at account creation, parental consent for minors, age ratings for all apps | Deceptive trade practice; private right of action | Preliminarily enjoined (Dec 2025) |
| Utah | App Store Accountability Act | May 6, 2026 | App stores and developers | Age verification, parental consent, age ratings | Deceptive trade practice; private right of action ($1,000 per violation) | Enacted; compliance deadline pending |
| Louisiana | HB 570 | Jul 1, 2026 | App stores and developers | Age verification, parental consent, age ratings | Up to $10,000 per violation; 45-day cure period | Enacted |
| California | Digital Age Assurance Act | Jan 1, 2027 | OS providers, app stores, developers | OS-level age signal API; birth date or age at device setup | Up to $2,500 per affected child (negligent); $7,500 (intentional); AG enforcement | Enacted |
| California | SB 976 | Dec 31, 2026 | Social media platforms with "addictive feeds" | Age determination; parental consent for algorithmic feeds for minors | Under rulemaking | Partially enjoined; core provisions in effect |
| New York | SAFE for Kids Act | Tied to AG rulemaking | Social media platforms | Age determination, parental consent for addictive feeds | Up to $5,000 per violation | Enacted; awaiting AG regulations |
| Florida | HB 3 | Jan 1, 2025 | Social media platforms | Age verification; account ban for under 14; parental consent for 14-15 | Up to $50,000 per violation | Preliminary injunction stayed on appeal; currently enforceable |
| Tennessee | Public Chapter 899 | In effect | Social media platforms | Third-party age verification, parental consent | State AG enforcement | In force; appellate proceedings active |
| Virginia | SB 854 | Jan 1, 2026 | Social media platforms | Commercially reasonable age determination; one-hour daily limit for under 16 without parental consent | Up to $7,500 per incident | Enacted |
| Nebraska | LB 383 | Jul 1, 2026 | Social media platforms | Age verification, parental consent for under 18 | Up to $2,500 per violation; private right of action | Enacted |
This is not exhaustive. Over 25 states have enacted some form of age verification law, and roughly 30 additional bills were introduced in the 2025 legislative session alone. The trend is accelerating, not slowing.
Follow the Money
It is worth understanding who is pushing these laws and why. A detailed open-source investigation published on GitHub documented that Meta spent a record $26.3 million on federal lobbying in 2025, deployed over 86 lobbyists across 45 states, and covertly funded a group called the Digital Childhood Alliance (DCA) to advocate for App Store Accountability Acts. Bloomberg confirmed the funding relationship in July 2025.
The structural incentive is notable: the ASAA laws impose compliance requirements on app stores and operating system makers (Apple, Google) while exempting social media platforms. Meta's apps face no new mandates under these laws. A Meta lobbyist reportedly brought the legislative language for Louisiana's HB 570 directly to the bill's sponsor, who confirmed this publicly. This is not conspiracy. It is public record, documented through IRS filings, state lobbying disclosures, and hearing transcripts.
The practical consequence for SaaS businesses is that this legislation is being shaped by large platform companies with the resources to absorb compliance costs, while the burden falls disproportionately on smaller developers who lack dedicated legal teams and vendor integrations.
What This Means for SaaS
If your SaaS has a mobile app distributed through an app store, you are in scope now. The ASAA laws in Texas (currently enjoined), Utah, Louisiana, and California impose direct developer obligations. You will need to assign age ratings, integrate with app store age signal APIs, handle parental consent flows for minor users, enforce access restrictions based on age categories, and delete verification data after use. This applies regardless of your target audience.
If your SaaS is web-only, the impact is less direct but growing. The social media laws primarily target platforms with algorithmic feeds, user-generated content, or explicit material. A pure B2B web application without those features is likely not covered today. But California's SB 976 defines "addictive feeds" broadly, and the federal ASAA bill would apply nationally to any app distributed through a covered store. The definitions are expanding with each legislative session.
Architecture decisions you make now will matter. If you do not have an age-aware user model, you will need one. If your onboarding flow does not account for age verification, it will need to. If your data retention policies do not address age verification data separately, the ASAA laws require you to delete it after the verification process. These are not trivial changes, and retrofitting them into an existing product is significantly more expensive than designing for them from the start.
Approaches to Compliance
The laws generally require "commercially reasonable methods" for age verification, which leaves room for interpretation. The current approaches fall into three categories.
Self-declaration (age gates). The user enters a birth date or confirms they are over a certain age. This is the simplest and cheapest approach, and it is what the systemd change enables at the OS level. For many laws, self-declaration alone may not satisfy the "commercially reasonable" standard, but for the ASAA laws, the app store handles the initial verification and passes the age signal to you.
Document-based verification. The user uploads a government-issued ID, which is verified by a third-party service. This is what many adult content laws require. It is more robust but introduces significant privacy concerns, data breach risk, and friction that can destroy conversion rates. Several states' laws have been challenged specifically because of the privacy implications of this approach.
Age estimation. AI-based facial analysis estimates a user's age from a selfie. This avoids collecting identity documents but raises its own concerns about accuracy, bias, and data processing. It is being used by some platforms but is not yet widely adopted as a primary compliance mechanism.
The EU is taking a fundamentally different approach. Under the eIDAS 2.0 regulation, all EU member states must offer citizens a Digital Identity Wallet by the end of 2026. These wallets support zero-knowledge proofs, meaning a user can prove they are over 18 without revealing their birth date, name, or any other identifying information. The wallet stores data locally on the user's device, with no tracking or profiling by design. Denmark's AltID wallet, set to launch in spring 2026 as one of the first implementations, is designed to support this. It is privacy-preserving age verification without the surveillance infrastructure, and it stands in stark contrast to the US approach of requiring platforms to collect and store identity data.
The Pipeline
Here is why the systemd proposal matters even though it is "just a field." The pipeline looks like this:
Legislation passes. The OS adds a field to store age data. Desktop environments expose that field through APIs. App stores require developers to consume the age signal. Your application needs to handle it. Each step is small. Each step is reasonable on its own. The cumulative effect is an age verification layer baked into the entire software stack, from the kernel to the user interface.
GNOME's growing dependency on systemd's userdb means that the most widely used Linux desktop environment will have direct access to this data. Commercial distributions like Ubuntu, Red Hat, and SteamOS will face pressure to comply. Cloud infrastructure is an open question: as one observer noted, "Just think of all those Azure and AWS VMs needing age verification as they're spooled up, destroyed and recreated every few minutes." The absurdity of applying age verification to server instances highlights how poorly these laws map to the reality of how software is built and deployed.
Jeremy Soller from System76 commented on the systemd PR that his team is in talks with legislators and that open-source operating systems may be exempted entirely. That is encouraging, but it also underscores the point: the legislation is being written right now, and the people building the software stack are already at the table.
What to Do Now
If you are building or maintaining a SaaS product, this is not something to defer until enforcement arrives. The compliance deadlines are in 2026 and 2027. The architectural changes required are not trivial. Here is what is worth doing now.
- Audit your distribution channels. If you have a mobile app in the App Store or Google Play, you are likely in scope for at least one ASAA law. Review the specific obligations for developers in Texas, Utah, Louisiana, and California.
- Add age awareness to your user model. Even if you are not yet required to verify ages, having the data model in place to store age categories, parental consent status, and verification timestamps will make future compliance significantly easier. Design for it now rather than retrofitting later.
- Review your data retention policies. The ASAA laws require that personal data collected for age verification be deleted after the process is complete. If your current infrastructure does not support targeted deletion of specific data categories, that is a gap to close.
- Monitor the litigation. The Texas ASAA is currently enjoined. Several social media laws have been blocked or partially blocked. The legal landscape is shifting rapidly, and a law that is enjoined today may be enforceable tomorrow. Build compliance strategies that can adapt.
- Watch the federal bill. A federal ASAA would preempt the state-by-state patchwork and apply nationally. If it passes, every app developer in the country is in scope.
The EFF titled their 2025 year in review "The Year States Chose Surveillance Over Safety." Whether you agree with that framing or not, the practical reality is the same: age verification is no longer a niche regulatory concern. It is becoming part of the software stack. The businesses that prepare for it now will have an easier time than the ones that scramble when the deadlines arrive.
If you are building a SaaS product and need help assessing how age verification laws affect your architecture, compliance posture, or product roadmap, we work with teams on exactly this kind of problem. Get in touch.
