Codify — Article

California bill requires age verification for items illegal to sell to minors

AB 2358 mandates sellers who do business in California to take ‘reasonable steps’ to verify a purchaser’s age for a defined list of products, shifting verification duties onto retailers and platforms.

The Brief

AB 2358 creates a statutory duty for any person or business doing business in California to take “reasonable steps” to ensure a purchaser or recipient is of legal age before selling or delivering items that state law already bans to minors. The statute covers two enumerated groups of goods and services and ties compliance to specific verification techniques described in the bill.

The bill matters because it converts a criminal-prohibition-for-minors regime into a civil compliance obligation for sellers and platforms. It imposes operational verification choices, limits how age-verification data may be used, creates an affirmative defense for good-faith reliance on age evidence, and exposes noncompliant sellers to civil penalties when prosecuted by a public prosecutor.

At a Glance

What It Does

Establishes a “reasonable steps” standard obligating sellers offering items illegal for minors to buy to verify age at purchase or delivery; the statute lists acceptable verification options and forbids relying on consent obtained from the minor. It restricts retention and reuse of verification data to only what is necessary to comply or demonstrate compliance with the law.

Who It Affects

Brick-and-mortar and online retailers that sell or ship products into California, marketplaces and platforms that facilitate those sales, and out-of-state sellers targeting California customers. Payment processors and account-management systems will be implicated to the extent they implement required checks (for example, nonprepaid credit-card requirements or account designations).

Why It Matters

The measure shifts compliance risk onto sellers and intermediaries and tightens the intersection of commercial checkout flows with California privacy law. Businesses will need technical and operational changes to verification workflows, and compliance teams will have to reconcile age checks with strict state data-retention and disclosure limits.

What This Bill Actually Does

The bill divides covered items into two groups and prescribes what sorts of “reasonable steps” count for each group. One group includes items typically used to deface property, certain fireworks, tanning services using ultraviolet devices, dietary supplements containing ephedrine alkaloids, and body branding.

The other group contains weapons and weapon-like items, ammunition, tobacco and vaping products, electronic cigarettes, and less-lethal weapons. The statute references existing California penal, health and business code sections to define those items.

For items in the first group the statute gives sellers a wider menu of acceptable measures: requiring a buyer to present or input a government-issued ID, requiring an online buyer to use a nonprepaid credit card, configuring account systems to block purchases by accounts designated for minors, and shipping only to an adult recipient. For the second group the acceptable measures are narrower: presenting or inputting a government-issued ID or shipping the item to someone of legal age.

The statute explicitly states that consent obtained from the minor does not count as a “reasonable step.”

The bill places strict limits on what sellers may do with information collected to verify age. It prohibits retaining, using, or disclosing verification data for any purpose other than complying with the statute, demonstrating compliance, complying with California law, or complying with court orders.

The text cross-references multiple California privacy provisions, signaling that businesses must follow existing state limits on retention, disclosure, and handling of personally identifiable information collected during verification.

The statute defines “government-issued identification” broadly: state driver’s licenses and ID cards (including certain non-driver licenses), U.S. and foreign passports, U.S. military IDs with birth date and photo, consular IDs, and federally recognized tribal IDs. The bill also contains a carve-out: entities already regulated by state or federal rules that provide greater protections for personal information or require stronger age verification are treated as satisfying this statute for the regulated subjects.

The text states an operative date of January 1, 2020.

The Five Things You Need to Know

1. The statute creates a civil penalty up to $7,500 per violation, but only when a public prosecutor brings the enforcement action.

2. The bill provides an affirmative defense when a seller reasonably and in good faith relies on bona fide evidence of the purchaser’s age.

3. Reasonable steps listed for the first product group include requiring a nonprepaid credit card for online purchases and configuring account systems to block minor-designated accounts; the second group lacks those two options.

4. Entities that are already subject to state or federal regimes imposing greater age-verification or personal-information protections are treated as in compliance for the regulated subjects.

5. The law limits the use of collected verification information to compliance-related purposes and cross-references multiple California consumer privacy statutes to govern retention and disclosure.

Section-by-Section Breakdown


Subdivision (a)(1)

General duty to take reasonable steps to verify age

This provision imposes the core obligation: any person or business conducting business in California that sells or ships items illegal to sell to minors must take “reasonable steps” to ensure the purchaser is of legal age at sale or delivery. Practically, it makes verification an affirmative, statutory duty regardless of private contract terms or seller disclaimers.

Subdivision (a)(2)

Acceptable verification techniques for the first product group

This section lists examples of “reasonable steps” for the first group of products: requesting or scanning a government-issued ID (subject to strict privacy statutes), requiring a nonprepaid credit card for online purchases, restricting purchases from accounts labeled as minor accounts, or shipping only to an adult recipient. These are framed as nonexclusive examples, but businesses relying on them should document processes and data flows to show compliance while observing the referenced privacy rules.

Subdivision (a)(3)

Acceptable verification techniques for the second product group

For weapons, ammunition, tobacco and vaping products, electronic cigarettes and less-lethal weapons, the bill narrows the acceptable methods to asking for a government-issued ID or shipping to an adult. Notably, the nonprepaid-credit-card and minor-account restrictions are absent here — which will affect online sellers of regulated products who cannot rely on payment-type checks alone.

Subdivision (a)(4)–(6)

Limits on what counts and how verification data may be used

The statute disqualifies consent obtained from the minor as a valid verification method, creates an affirmative defense for “reasonable and good faith” reliance on age evidence, and confines collected verification data to compliance or demonstration-of-compliance purposes. It also requires businesses that collect IDs to follow existing California data-protection laws referenced in the text, making privacy compliance part of the age-verification obligation.

Subdivision (b) and (c)

Enumerated covered items — two separate lists

Subdivision (b) enumerates items such as aerosol paint capable of defacement, etching cream, dangerous fireworks, ultraviolet tanning, certain ephedrine-containing supplements, and body branding. Subdivision (c) enumerates firearms, BB devices, ammunition, tobacco and related paraphernalia, electronic cigarettes, and less-lethal weapons. The split matters because the statute prescribes different verification menus for the two lists.

Subdivision (d)–(g)

Enforcement, exemptions, identity definition, and operative date

The enforcement clause limits civil penalties to actions brought by public prosecutors and sets a maximum penalty of $7,500 per violation. The statute exempts businesses already regulated by stronger state or federal privacy or age-verification rules from additional obligations under this law for the same subjects. The bill defines “government-issued identification” with a list of acceptable forms and states an operative date of January 1, 2020.

Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • Minors and parents: the direct beneficiary is the minor population because the bill tightens commercial access routes by making sellers verify age and forbidding minors’ consent as a verification method.
  • Local prosecutors and public-safety officials: giving public prosecutors a civil enforcement path enables targeted enforcement without clogging criminal dockets, potentially creating a tool to deter unlawful sales to minors.
  • Entities already under stricter regulatory regimes: industries already subject to stronger federal or state rules (for example, federally regulated firearm dealers or tobacco distributors under federal law) gain certainty because compliance with those regimes is deemed compliant with this statute.

Who Bears the Cost

  • Retailers and online marketplaces selling covered goods: they must implement technical and operational changes (ID scanning, checkout flow changes, account flagging, shipping controls) and maintain documentation to demonstrate compliance.
  • Small or out-of-state sellers shipping into California: sellers without existing compliance infrastructure will face new engineering, customer-service, and privacy-consent burdens to avoid penalties for sales into California.
  • Privacy/compliance teams and third-party service providers: privacy officers must reconcile verification data flows with California privacy statutes; vendors offering ID-checking, age-gating, or account-classification services will see new demand but carry integration and liability risks.

Key Issues

The Core Tension

The central tension is between protecting minors by forcing sellers and platforms to verify age and protecting consumer privacy and commercial feasibility; stricter verification reduces access but increases collection and retention of sensitive identity data, forcing businesses to choose between blocking sales, exposing themselves to privacy risks, or investing in systems that both verify age and minimize data footprints.

The bill mixes age-verification policy with California’s detailed privacy architecture by cross-referencing several consumer-data statutes. That linkage protects consumers but complicates implementation: a seller may need to justify short-term retention of ID images for compliance while abiding by rules that generally constrain retention and disclosure.

The statute’s requirement that verification data be used only to comply or demonstrate compliance is sensible but invites tactical questions about standard audit windows, incident response, and lawful disclosure in civil litigation.

Enforcement design raises practicality issues. Civil penalties are available only to public prosecutors, which centralizes enforcement but may create uneven application across jurisdictions depending on local priorities.

The affirmative defense for “reasonable and good faith” reliance is meaningful but fact-intensive—sellers will need documented policies and transaction logs to rely on it. The bill’s exemptions for entities regulated by federal or state regimes create a layering problem: businesses must map which rules are “greater protections” and document that mapping to rely on the exemption.

Finally, the statute sets an operative date of January 1, 2020, which appears to predate the bill’s introduction and creates ambiguity about retroactivity and compliance timelines that implementers will want clarified before operational changes go live.
