California's AB 1043 takes effect January 2027. If your app serves California users, you'll need to request OS-level age signals from Apple/Google and treat them as "actual knowledge" of a user's age. Penalties are $7,500 per affected child for intentional violations.
We started building A3 (https://www.a3api.io) after realizing the law has a gap nobody was talking about: browsers have no OS age signal. If you have a web app, the law creates compliance obligations but the platform provides no mechanism. And on native, you're left stitching together Apple's Declared Age Range API and Google's Play Age Signals yourself — two different APIs, two different response formats, two different integration paths.
The standard industry answer is ID uploads and selfie scans. We didn't want to build that. Those approaches tank conversion rates, create PII liability, and feel disproportionate to the problem. So we went a different direction: passive behavioral signal fusion.
The idea is that children and adults interact with devices differently in measurable ways — motor control, scroll patterns, typing rhythm, form completion speed. Our browser SDK (<5 KB) collects these signals from standard DOM events, computes aggregate scores on-device, and sends only anonymized ratios and averages. No raw coordinates, no keystroke logs, no text content ever leaves the browser. The API processes everything in memory and discards it immediately.
On native, we normalize the Apple/Google OS signals into a single response. On the web, the behavioral signals become the primary assessment. Either way you get the same response format: a verdict, age bracket, confidence score, evidence tags, and an HMAC-SHA256 signed receipt for your audit trail.
To be upfront about limitations: behavioral signals are probabilistic, not deterministic. A confident 12-year-old and a hasty adult can look similar in a short session. We mitigate this with five signal categories (behavioral metrics, input complexity, device context, contextual signals, account longevity) that are weighted and cross-validated, and we apply coverage penalties when fewer categories are present. But this is age estimation, not identity verification — it's designed for the "commercially reasonable" standard the statute actually requires, not the false certainty that ID checks imply.
The stack is NestJS on AWS Lambda, with client SDKs for React/Vue/vanilla JS, SwiftUI, and Jetpack Compose. There's a free tier (100 checks/month) if you want to kick the tires, and a playground at https://www.a3api.io/playground.
If you maintain an open source project, we have a program that gives you Pro-tier access (50k checks/month) for free — the only requirement is a "Powered by A3" in your age gate UI or README. Details at https://www.a3api.io/open-source.
Docs: https://www.a3api.io/docs
Happy to answer questions about the signal fusion approach, the legal nuances, or where we think this falls short.
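The post says each response carries an HMAC-SHA256 signed receipt for the audit trail. The sketch below is an added example, not A3's code or its documented receipt format: it shows how a stored receipt could be checked before it is relied on as evidence. The field names, the key-sorted JSON canonicalization, the shared key, and the sample values are all assumptions constructed for illustration.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

// Assumed layout: flat signed fields plus a hex HMAC-SHA256 "signature"
// computed over their canonical form. Hypothetical, not A3's format.
function canonicalize(fields) {
  // Sort keys so signer and verifier serialize the same bytes.
  return JSON.stringify(Object.keys(fields).sort().map((k) => [k, fields[k]]));
}

function signReceipt(fields, key) {
  const signature = createHmac('sha256', key).update(canonicalize(fields)).digest('hex');
  return { ...fields, signature };
}

function verifyReceipt(receipt, key, { maxAgeMs, now = Date.now() } = {}) {
  const { signature, ...fields } = receipt;
  // Reject anything that is not exactly 32 bytes of lowercase hex up front;
  // timingSafeEqual throws on buffers of unequal length.
  if (typeof signature !== 'string' || !/^[0-9a-f]{64}$/.test(signature)) {
    return { ok: false, reason: 'malformed-signature' };
  }
  const expected = createHmac('sha256', key).update(canonicalize(fields)).digest();
  // Constant-time comparison avoids leaking how many leading bytes matched.
  if (!timingSafeEqual(expected, Buffer.from(signature, 'hex'))) {
    return { ok: false, reason: 'bad-signature' };
  }
  if (maxAgeMs !== undefined) {
    const issued = Date.parse(fields.issuedAt);
    // An unparseable timestamp is treated as stale, never as fresh.
    if (!Number.isFinite(issued) || now - issued > maxAgeMs) {
      return { ok: false, reason: 'stale' };
    }
  }
  return { ok: true, reason: null };
}

// Constructed sample data; the key and every value here are made up.
const KEY = 'constructed-demo-key';
const SAMPLE = signReceipt({
  verdict: 'likely_adult',
  ageBracket: '18+',
  confidence: 0.82,
  evidence: ['behavioral_metrics', 'device_context'],
  issuedAt: '2027-01-15T12:00:00Z',
}, KEY);
```

Because the MAC covers every field, editing the verdict, bracket, or confidence in a stored record makes verification fail, which is the property an audit trail depends on.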