California Governor Gavin Newsom signed AB 1043, known as the Digital Age Assurance Act (DAAA), into law in October 2025. The DAAA was part of a raft of privacy bills passed during the 2025 legislative session, and will have a major effect on how app developers and operating systems treat the personal information of minors.
The DAAA forces operating-system providers to collect information about users’ ages, create a signal based on their “age bracket,” and then share that signal with app developers whenever a user downloads their app.
The law will take effect on January 1, 2027. In the case of user accounts that were already set up or apps that were already downloaded before that date, the operating system or app developer has until July 1, 2027 to get caught up.
Here’s how it’s going to work.
Whenever a user sets up a new account on a device, the operating system provider will be required to collect information about their age. If the user is under the age of 18, an adult must be the “account holder” and indicate the user’s age.
The bill does not appear to require any kind of verification of users’ ages.
Users will be divided into four age brackets:
The operating system must create a signal that indicates in which of these age brackets the user belongs. Any time a user downloads and launches an app from the device’s app store, the app developer must request the age signal.
Any app developer who receives a signal indicating a user’s age bracket will be deemed to have “actual knowledge” of the user’s age (more on that below).
Children’s data privacy is a high-priority among lawmakers and regulators. The California Consumer Privacy Act (CCPA) and most other state privacy laws place restrictions on how children’s data is processed. Under the CCPA, for example, businesses may not sell the data of consumers under the age of 16, or use it for targeted advertising, without their consent.
However, most of these rules only apply if a business has “actual knowledge” of the person’s age or willfully disregards it. This gives businesses a lot of leeway in the form of deniability. If they’re not specifically tracking consumers’ age and their business isn’t child-oriented, then for the most part they don’t have to worry about those rules.
The DAAA upends that status quo. It states that an app developer (and presumably the operating system provider as well) who receives an age-bracket signal will be deemed to have actual knowledge of the person’s age, and thus cannot claim ignorance. This brings children’s data rules to the forefront for a lot of businesses. They may have to choose between limiting how they use the data of minors or simply denying them the ability to download the app.
It should also be said that Texas, Louisiana, and Utah, have passed similar laws. These laws, which require age verification in order to set up an app store account, appear to be aimed at giving parents control over app downloads and purchases. However, the result may be the same; businesses would have actual knowledge of users’ ages (this would be important in Texas, which requires parental consent to process the personal data of children under 13).
This framework could quickly expand to other states once the technological framework has been established. It could also move beyond app stores at some point and apply to all websites. A previous version of the DAAA had just that in mind, though the language was trimmed out. If the system proves effective and popular in the app stores, legislators may revisit the issue and decide it should apply to the broader web. In that case, we could see a significant shift in how young people access the internet.
Rules protecting children’s data are nothing new, but laws like the DAAA are going to start making them unavoidable. With privacy enforcement ramping up sharply, businesses have to start taking this issue seriously. That’s going to mean having separate privacy configurations for each of the age brackets identified above. With TrueVault’s consent management platform, you can create custom consent profiles for specific states and age ranges.
TrueVault helps businesses of all sizes get privacy compliant in as little as a few days, and stay that way for years to come. Using our guided workflows and automated integrations, you can quickly create a consent banner, publish privacy notices, be prepared to handle consumer requests, and more. Anyone can do it—no legal background required. As new state laws are passed or old laws are amended, those changes are incorporated into your privacy dashboard at no extra cost!
Contact our team today to learn how TrueVault can help support your business’s compliance.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.
