Colorado’s SB26-051 applies its age-attestation requirements to operating-system providers and application stores that distribute third-party software “on a commercial basis.” That five-word qualifier is doing all the work. The bill does not contain an explicit “open-source” exemption category. Instead, non-commercial repositories and community-maintained app stores fall outside the statute’s scope by virtue of not operating commercially. The distinction matters because the penalty for getting it wrong is up to $7,500 per affected minor for intentional violations, enforced by the Colorado Attorney General.
What SB26-051 actually requires
The bill mandates that covered OS providers and application stores collect an age signal from users before granting access to applications. According to the bill summary, age brackets are defined as under 13, 13-15, 16-17, and 18+. The mechanism relies on self-declared birth date or age, not government-verified ID. The requirement is mandatory: the bill requires covered providers to present an age-collection interface at account setup, and the OS routes that signal to application stores that request it.
Civil penalties scale with intent: up to $2,500 per affected minor for negligent violations, up to $7,500 for intentional ones. The Attorney General’s office handles enforcement.
The bill has passed both chambers of the Colorado legislature and awaits the governor’s action.
The “commercial basis” language is the entire exemption
Here is where the statutory text gets slippery. SB26-051 defines “covered application store” by whether it distributes third-party applications on a commercial basis. Non-commercial open-source repositories, volunteer-run package indexes, and community distributions that don’t charge for access or sell advertising appear to fall outside this definition.
The bill also lists explicit exemptions: enterprise software, internal business communication apps, and technical support applications. Open-source software is not among the named exemptions. It is excluded by omission, not by design.
This interpretive gap is where the risk lives for projects that sit between “hobbyist” and “commercial”: F-Droid (which is volunteer-run but accepts donations), community Linux repositories (many of which are maintained by organizations with paid staff), and self-hosted federated services that an individual operates but that the public can access.
California did it differently, and the contrast is sharp
Colorado is not the first state to push age-attestation into the OS layer. California’s Digital Age Assurance Act (AB 1043) takes effect January 1, 2027, a full year before Colorado’s January 1, 2028 start date. California’s version has no “commercial basis” qualifier. If you distribute an OS or app store in California, the age-signal obligation applies regardless of your revenue model.
The open-source community’s response to California’s law has been fragmented. Fedora proposed an /etc age-file workaround, essentially a local configuration file that stores the user’s declared age and surfaces it to requesting applications. The calculator project DB48X publicly refused to implement compliance. Ubuntu’s position has not been formally stated, but OpenSourceForU’s March 2026 report notes that major Linux distributions are still evaluating their exposure.
| | Colorado SB26-051 | California AB 1043 |
|---|---|---|
| Effective date | January 1, 2028 | January 1, 2027 |
| Commercial qualifier | Yes (“on a commercial basis”) | No |
| Age verification method | Self-declared age signal | Not yet specified in full |
| Explicit open-source exemption | No (implicit via commercial qualifier) | No |
| Max penalty (intentional) | $7,500 per affected minor | TBD |
The federated-software problem
Mastodon, Lemmy, and Matrix homeservers present a category error for legislation written with app stores in mind. A single Mastodon instance run by one person on a $5/month VPS is a software distribution point in the functional sense: it serves a web application to users who create accounts. But it is not an “application store,” and its operator is not a commercial entity.
Under Colorado’s framework, the question is whether a self-hosted Mastodon instance distributes third-party applications “on a commercial basis.” Almost certainly not. Under California’s framework, the question does not even get asked, which is the problem.
The same logic applies to community-operated Linux repositories, F-Droid’s catalog of free Android applications, and self-hosted Nextcloud instances that offer app installations to users. Each of these is a distribution channel for software. None of them is a commercial app store. Whether a state regulator agrees depends on how “commercial basis” is interpreted, and that interpretation has not been tested.
What maintainers should do now
The practical steps are straightforward, if annoying.
First, audit your distribution model. If you operate a package repository, app catalog, or software distribution service and you accept payment, sell advertising, or have corporate backing, you may fall inside Colorado’s “commercial basis” scope regardless of your license. If you are purely volunteer-run with no revenue, document that.
Second, track the governor’s signature. If Polis signs SB26-051, the compliance clock starts ticking toward January 2028. If he vetoes, the bill dies and the open-source community in Colorado gets a reprieve.
Third, read the amendment text. The bill summary on the legislature’s site does not include the full text of all amendments, which may narrow or broaden the “commercial basis” definition. Those amendments are where any explicit safe harbor for open-source distributions would appear.
Fourth, plan for California first. AB 1043 takes effect a year earlier and has no commercial qualifier. If your project distributes software to California users and has not evaluated its compliance posture, that is the deadline that matters sooner.
The open-source community has been through regulatory ambiguity before: export controls on encryption, GDPR’s territorial reach, and the ongoing confusion around “selling data” in state privacy laws. Each time, the projects that documented their posture early fared better than the ones that waited for enforcement letters. SB26-051 is another entry in that pattern, with the added wrinkle that the exemption it offers is implicit, fragile, and untested.
Frequently Asked Questions
Do projects under fiscal sponsors like Software Freedom Conservancy fall inside the commercial-basis scope?
The statute doesn’t address fiscal sponsorship. A project that distributes software for free but routes donations through an organization with paid staff and revenue could be argued either way. The same ambiguity extends to Linux Foundation package repositories and Apache Software Foundation distributions, both of which operate package indexes through entities with employees and balance sheets.
Was the legislative vote close enough that a Polis veto would stick?
The House passed SB26-051 40-23, a comfortable margin but short of a two-thirds veto-proof threshold on its own. The Senate concurred 33-0, unanimous and well above the override bar. Governor Polis, a Democrat and former tech entrepreneur, has not signaled a position. If he vetoed, the Senate’s unanimous vote makes a legislative override politically plausible.
Which specific amendments could change the commercial-basis interpretation?
Amendments L.004 through L.008 were adopted during the legislative process, but their full text is not reflected in the public bill summary on the legislature’s site. Those amendments could narrow or broaden the definition of ‘commercial basis,’ add explicit safe harbors for non-profit distributors, or adjust the penalty structure. The amendment text linked from the official bill page is the authoritative source, not the summary.
What is the liability ceiling if an AG treats donation-funded distribution as commercial?
Penalties accrue per affected minor, not per violation. A repository serving 10,000 Colorado minors without an age signal would face up to $75 million in intentional-violation penalties ($7,500 each). Enforcement comes from the Attorney General directly, with no private right of action and no statutory minimum threshold defining what activity counts as ‘commercial.’ The first enforcement action would set the working definition.