AB 2076 requires persons and businesses selling products or services that state law forbids to minors to take “reasonable steps” to verify a purchaser’s age at the time of purchase or delivery. The statute lists verification methods (government ID checks, nonprepaid credit card, minor-account controls, and shipping to an adult) and limits how verification data may be retained or used.
The bill also bars online marketplaces from offering the listed products to customers located in California, defines “online marketplace” with a $1 billion gross-revenue carve-out, and creates tiered civil penalties—up to $7,500 per violation for sellers and up to $1,500,000 per violation for marketplaces. The measure intertwines age-verification duties with California privacy rules and creates several affirmative defenses and statutory exemptions for entities subject to stricter federal or state regulation.
At a Glance
What It Does
Requires sellers doing business in California to verify purchasers’ ages before selling items that state law prohibits to minors, and prohibits online marketplaces from offering those items to California customers. It prescribes specific verification options, limits retention and use of verification data, and creates civil penalties for violations.
Who It Affects
Online marketplaces that facilitate third-party sales into California, any seller marketing listed items into California, age-verification vendors, and privacy/compliance officers responsible for data handling and information-security practices.
Why It Matters
The bill ties age-verification duties to California privacy law and imposes one of the highest per-violation penalties on marketplaces, creating a de facto compliance floor for platforms and shifting verification burdens onto sellers and platforms operating in or into California.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
AB 2076 makes it unlawful for a person or business that seeks to sell items that state law forbids to minors to do so without taking reasonable steps to ensure the purchaser is of legal age. The statute enumerates what “reasonable steps” look like for different categories of items: requiring buyers to present or scan government-issued ID, mandating nonprepaid credit card payment for online purchases, preventing accounts designated as minor accounts from buying specified items, and shipping only to individuals of legal age.
Consent supplied by a minor is explicitly excluded as a permissible verification method.
A distinct pathway in the bill targets online marketplaces: it bars any online marketplace from offering the covered products to customers located in California. The bill defines “online marketplace” expansively as an electronically accessed, consumer-facing platform that enables third-party sellers to list, sell, pay for, store, ship, or deliver goods, but it exempts platforms that generated less than $1 billion in gross revenue during the preceding calendar year.
The definition expressly includes social media platforms and lists several specific forms of government-issued identification that platforms may accept.The bill imposes strict limits on what platforms and sellers can do with verification information. Any information collected to verify age may be used only to comply with this statute, California law, or to demonstrate compliance in court; otherwise retention, use, or disclosure is prohibited.
The law also provides an affirmative defense for sellers who reasonably and in good faith rely on bona fide evidence of age, and it disallows age verification that rests on consent obtained from a minor.Enforcement is aimed at public prosecutors. A business or person (other than an online marketplace) that violates the statute faces civil penalties of up to $7,500 per violation; an online marketplace faces civil penalties of up to $1,500,000 per violation.
Finally, the bill contains a carve-out: entities already regulated by state or federal laws that provide greater protection of personal information or more stringent age verification are deemed compliant for the covered subjects, though they must still observe other legal privacy obligations.
The Five Things You Need to Know
The bill requires sellers to take “reasonable steps” to verify age and lists acceptable methods including government-issued ID checks, nonprepaid credit card use, minor-account restrictions, and shipping only to adults.
Online marketplaces may not offer the listed products to customers in California; the statute defines marketplaces broadly but exempts platforms with under $1,000,000,000 in prior-year gross revenue.
Collected age-verification information may only be used to comply with this statute, California law, or to prove compliance in court; other retention, use, or disclosure is prohibited.
A seller’s reasonable, good-faith reliance on bona fide evidence of age is an affirmative defense; the statute forbids relying on consent obtained from the minor for verification.
Civil penalties are tiered: up to $7,500 per violation for sellers and up to $1,500,000 per violation for online marketplaces, enforceable by public prosecutors.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Core age-verification duty for sellers
This provision makes sellers who do business in California responsible for ensuring a purchaser is of legal age before selling any product or service that state law forbids to minors. It sets the legal trigger—sale in or into California—and establishes the general obligation to take “reasonable steps” at purchase or delivery. Practically, compliance officers must interpret where the sale occurs (originating seller or destination in California) and document the decision-making process that produced the chosen verification method.
Enumerated ‘reasonable steps’ for different item groups
The statute lists acceptable verification mechanisms: requiring a government-issued ID (with references to multiple privacy statutes governing retention), requiring a nonprepaid credit card for online purchases, using account-level controls that block minor accounts, and shipping only to adults. The bill separates the methods across two item groups (the text labels are inconsistent), which matters because some methods (like nonprepaid card or account flags) appear as options for one group but not the other. Compliance programs should map each product to the correct group and adopt the narrower set of methods when required.
Limits on acceptable verification and affirmative defense
The law excludes consent obtained from a minor as a permissible verification route and grants an affirmative defense to sellers who reasonably and in good faith rely on bona fide evidence of age. It also restricts the use of collected verification information to purposes necessary to comply with or demonstrate compliance with the statute or with court orders. That structure forces businesses to build forward-looking proof trails: retain minimal records required to show compliance while avoiding broader use of personal data that could trigger privacy liabilities.
Marketplace ban on offering listed items to California customers
This short but consequential clause bars online marketplaces from offering any product listed in the statutory prohibited lists to any customer located in California. Unlike the seller-duty provisions, it functions as a categorical marketplace-level prohibition, shifting the gatekeeping role to platforms. Marketplaces must therefore implement geoblocking, listing controls, or seller-facing restrictions to prevent offers to purchasers based in California.
Lists of products the statute covers (two item groups)
The bill enumerates two groups of items that cannot be sold to minors and that trigger verification duties: one group includes aerosol paint, etching cream, dangerous fireworks, tanning in UV devices, certain ephedrine-containing supplements, body branding, and nitrous oxide; the other group covers firearms, BB devices, ammunition, tobacco and related paraphernalia, electronic cigarettes, and less-lethal weapons. Practically this list ties the statute’s age-verification obligations directly to existing state criminal and health code sections, so regulated-product definitions will be controlled by those cross-references.
Civil penalties and enforcement
Enforcement is left to public prosecutors and imposes civil penalties on violators: up to $7,500 per violation for sellers (non-marketplaces) and up to $1,500,000 per violation for online marketplaces. Those figures create a strong enforcement lever and exposure for platforms that fail to block offers to California customers. The per-violation framing raises questions about what constitutes one violation—each sale, listing, or day of noncompliance—which will be a litigation and enforcement battleground.
Exemptions, definitions, and operative date
Entities already subject to state or federal regimes that provide greater privacy protection or stricter age verification are treated as compliant for the subjects covered by those laws; nonetheless, businesses must still follow any other applicable privacy duties. The statute defines government-issued identification (driver’s license, passport, military ID, consular ID, tribal ID), and defines online marketplace while excluding platforms with under $1 billion in prior-year gross revenue. The text sets an operative date (January 1, 2020), which is a drafting artifact that implementers should clarify when applying the statute to current operations.
This bill is one of many.
Codify tracks hundreds of bills on Privacy across all five countries.
Explore Privacy in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Minors and parents — Reduced online access to inhalants like nitrous oxide and other age-restricted products, because platforms must block offers to customers located in California and sellers must verify age.
- Local prosecutors and consumer-protection agencies — A clear statutory hook to bring civil enforcement actions against sellers and marketplaces that fail to implement age verification.
- Privacy-conscious consumers — The statute limits retention and secondary use of age-verification data, reducing the risk that sensitive identity information collected for age checks will be repurposed or monetized.
- Age-verification and compliance-service vendors — Increased demand for verified-ID, age-flagging, and geofencing solutions as sellers and platforms update systems to meet the statute’s enumerated “reasonable steps.”
Who Bears the Cost
- Large online marketplaces (>$1B revenue) — Must implement blocking, listing controls, seller onboarding checks, and compliance monitoring; face steep per-violation penalties and litigation risk.
- Third-party sellers and smaller merchants selling into California — Need to add ID checks, payment restrictions, or shipping controls; compliance work increases operational friction and costs, particularly for sellers who ship interjurisdictionally.
- Privacy and IT teams — Must design systems that collect minimal verification data, implement short retention policies, secure proof-of-compliance, and reconcile these duties with other legal recordkeeping requirements.
- Consumers (adults) — May experience additional friction at checkout (ID scans, nonprepaid-card requirements) and occasional refused sales or delivery delays when platforms or sellers err on the side of blocking.
Key Issues
The Core Tension
The central dilemma is protecting minors from dangerous or age-restricted products while respecting adults’ privacy and limiting burdens on commerce: effective age checks require collecting identity data, but the bill simultaneously constrains retention and use of that data and imposes heavy penalties that incentivize platforms to block broadly, potentially reducing lawful adult access and creating compliance complexity.
The statute blends age-verification mandates with strict limits on the retention and use of identity data. That creates an operational tension: businesses must keep enough evidence to demonstrate compliance in enforcement actions while avoiding retention that would violate the statute’s privacy constraints.
Companies will need granular data-retention policies and secure, auditable processes that reconcile these opposing demands.
The bill’s enforcement structure and penalty scale create significant litigation risk. Large, platform-level penalties are likely to push marketplaces to over-block listings and to shift verification responsibilities to third-party sellers, potentially disrupting legitimate commerce.
The per-violation framing leaves open whether enforcement will target listings, individual sales, days of noncompliance, or a combination—an ambiguity that will shape settlement and litigation strategies. Additionally, the $1 billion revenue carve-out produces a sharp compliance cliff: platforms just below the threshold avoid the marketplace ban, which may distort market structure or encourage revenue reclassification strategies.
Finally, the statutory text contains inconsistent subdivision labels and an operative date that predates introduction, which raises drafting and interpretive questions. Regulators, courts, or implementing agencies will need to resolve these drafting ambiguities—particularly the split of “reasonable steps” between the two product groups—before companies can confidently design compliance programs without risking under- or over-compliance.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.