Age-assurance laws now reach into open-source apps, not just big platforms


GitHub flagged that the UK Online Safety Act, EU DSA, and a wave of US state laws now reach down through app stores and operating systems to user-generated-content apps — including the indie open-source ones. Teams under 10K MAU are no longer automatically out of scope.

GitHub published a developer-facing primer on age-assurance regulation, and the underlying point is simple: the laws are no longer aimed only at Meta-scale platforms [GitHub Blog].

── What shipped ──

The post catalogues the wave of age-verification rules that have now landed or are about to: the UK Online Safety Act (in force, with phased duties through 2026), the EU Digital Services Act, KOSA-style state laws in Texas, Utah, Louisiana, and Mississippi, and Australia's eSafety amendments. Each takes a slightly different shape — some target adult content, some target social platforms with minor users, some impose duties on operating-system and app-store layers.

What's new is who's in scope. Earlier interpretations exempted small services. Recent rulings — particularly under the UK OSA and the Texas HB1181 line of cases — narrow that exemption. App stores enforcing age gates push the duty downward to apps. A self-hosted UGC project with a few thousand users in the wrong jurisdiction can now be on the hook for age-assurance compliance, even though the developer has no customer-data infrastructure to verify ages with.

── Why it matters ──

Three implications for shipping engineers:

One — "small enough to ignore it" is no longer a safe heuristic. Earlier safe-harbour patterns assumed platforms with under N users were exempt. The newer rules don't always include that escape hatch, especially when the platform exposes user-to-user content.

Two — the compliance surface moves into the build. Age-gating used to be a runtime business problem solved by buying a vendor (Persona, Yoti, Onfido). Now app-store policy and OS-level controls demand it earlier — in onboarding flows, content-rating metadata, and account-creation gates that ship in the binary.

Three — open-source projects are not insulated. GitHub's own framing is the giveaway here. It published this primer because its users, who distribute UGC apps via app stores, are starting to be asked about age-assurance compliance by Apple, Google, and EU regulators downstream.

── Editor's take ──

The interesting move here is how the duty ladders down through app-store enforcement. Regulators don't have to litigate against a 5,000-user open-source social network to get the duty enforced — Apple does it for them, by removing apps that fail the policy review. The chokepoint shifts from "is your service big enough to sue?" to "did your OS distributor accept your app?" That makes age-assurance a de-facto build-time concern, not a runtime one, and it's why a primer about regulation is now appearing on a developer blog rather than a legal one.
