California age verification law

California's age-verification posture is shaped by two distinct statutes that interact: the California Consumer Privacy Act (CCPA, 2018), which governs how personal information is handled during and after verification, and the California Age-Appropriate Design Code Act (AB-2273, 2022), which requires platforms likely to be accessed by children to estimate user age with a reasonable level of certainty and configure default privacy settings accordingly. Neither statute imposes a single uniform verification mechanism — both leave the implementation to the operator subject to the law's risk-based framework.

AB-2273's reasonable-age-estimation requirement is the more directly age-verification-shaped of the two. The act's framework is risk-based: services with higher-risk data practices (precise geolocation, behavioural advertising, dark-pattern designs targeting children) face a stronger obligation to estimate user age with confidence. The most common implementation is a verification flow at signup that establishes the user's age tier; document capture + liveness produces a high-confidence age signal, while transactional-data signals produce a lower-confidence signal that still satisfies the act for lower-risk services.

Enforcement context as of mid-2026: the U.S. District Court for the Northern District of California and the Ninth Circuit have partially enjoined AB-2273's enforcement on First Amendment grounds. Operators serving California users should track the current case status via their counsel before relying on AB-2273-specific configurations; CCPA's data-handling obligations are unaffected by the AB-2273 litigation and apply regardless of the outcome.

Who must comply: CCPA applies to businesses meeting the act's revenue, data-volume, or revenue-from-personal-data thresholds that handle California residents' personal information. AB-2273 applies to businesses providing online services, products, or features likely to be accessed by children — the act's scope-of-coverage triggers turn on the likely-to-be-accessed-by-children analysis the operator's compliance team conducts. Penalties: CCPA carries civil penalties of up to $2,500 per violation ($7,500 for intentional violations); AB-2273 (where enforceable) carries civil penalties of up to $2,500 per affected child for negligent violations and up to $7,500 per affected child for intentional violations.

How Stile satisfies the verification side: Stile's age-verification flow produces a signed eligibility signal backed by document capture, liveness, and face match — high-confidence age estimation that satisfies AB-2273's reasonable-certainty standard for high-risk services. Released attributes are minimised by default (only the age-tier eligibility, not the underlying birth date) which aligns with CCPA's data-minimisation principle. Source-document retention is per the operator's configured retention policy — see the security page for the per-account retention configuration. Operators can pair Stile's verification with their downstream privacy-defaults logic to land both halves of the AB-2273 compliance requirement.

Age verification — the underlying age-tier resolution flow. Identity verification — full identity-attribute case. Digital ID verification — mDL deep dive. California has shipped a CA DMV Wallet mDL credential; mDL acceptance for age verification is per-operator-policy. Age-restricted commerce and High-risk retail both ship per-state rulesets covering California.