SB 659 requires any person or business that does business in California and offers products or services that state law prohibits selling to minors to take “reasonable steps” to verify purchasers’ ages at the point of sale or delivery. The bill lists specific verification options (government ID, nonprepaid credit cards for some online sales, account-designation blocks, and shipping only to adults) and bars reliance on a minor’s consent.
The measure creates civil penalties available to public prosecutors and parents or guardians, ties damages to the limited civil case ceiling multiplied by factors depending on culpability, authorizes a $7,500 fine per violation in public-prosecutor actions, and gives courts power to suspend business operations for repeated or deliberate violations. It also limits how businesses may retain or use any age-verification information and exempts entities already subject to stricter state or federal privacy or verification rules.
At a Glance
What It Does
The bill mandates reasonable age-verification steps for sales into California of products/services illegal for minors, enumerates acceptable methods (ID checks, payment method rules, account-designation controls, adult-only shipping), and restricts retention/use of verification data to compliance purposes. It establishes civil penalties, private- and public-enforcement rights, and court-ordered business suspensions for injunction violations.
Who It Affects
Retailers and online businesses that sell regulated items into California (including e-commerce sites, platforms, social media marketplaces, and app stores), payment processors used to enforce card rules, and regulated brick-and-mortar sellers of the enumerated products. The bill excludes online businesses with under $100 million in prior-year gross revenue from the statutory definition of “online business.”
Why It Matters
This bill pushes age verification from a best practice into enforceable legal obligations with significant financial and operational consequences. It forces businesses to choose verification systems that balance privacy law constraints with enforcement risk, and it gives both public prosecutors and parents direct enforcement tools against sellers who allow minors to obtain prohibited items.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
SB 659 compels sellers who do business in California to take ‘‘reasonable steps’’ to ensure buyers are of legal age before completing sales or deliveries of items state law already bans for minors. The statute gives a non-exhaustive list of acceptable verification steps: presenting or scanning government-issued ID, requiring a nonprepaid credit card for online purchases of certain items, restricting purchases through accounts marked as belonging to minors, or shipping only to adults.
For a subset of items the bill treats slightly differently, some verification options (like requiring nonprepaid cards) appear only for the items listed in subdivision (b).
The bill carefully limits how businesses may treat any age-verification data they collect. Firms may only retain, use, or disclose that information to comply with the statute, show they complied with California law, or follow a court order; other uses are prohibited.
The text also makes clear that obtaining consent from a minor cannot substitute for verification and grants an affirmative defense where a seller reasonably and in good faith relied on bona fide evidence of age.Enforcement is twofold. Public prosecutors can seek a flat civil penalty up to $7,500 per violation; parents or guardians (and prosecutors) can bring civil actions where damages are tied to the maximum amount in controversy for a limited civil case under Code of Civil Procedure section 85 and multiplied by factors that vary with culpability (negligent/knowing/intentional).
Courts may further suspend business operations for violations of injunctions—ranging from 10 days to 90 days, up to indefinite suspension where violations are intentional and a receiver must certify future compliance.The statute defines key terms and draws an exemption: businesses already regulated by state or federal laws that offer greater privacy or age-verification protections are treated as complying, and compliance with those laws satisfies this statute with respect to the relevant subjects. The bill also narrows ‘‘online business’’ by excluding entities that had less than $100 million in gross revenue during the preceding calendar year from that definition, which affects which platforms face certain obligations under the statute.
The Five Things You Need to Know
The bill lists specific verification methods sellers must consider, including government-issued ID checks, nonprepaid credit-card requirements for some online sales, account-designation blocks for minor accounts, and adult-only shipping.
Public prosecutors may recover civil penalties up to $7,500 per violation under the statute.
Parents or guardians (and prosecutors) can sue online businesses; damages are tied to the limited civil case ceiling under CCP §85 and multiplied by 1× for negligent, 10× for knowing/willful, and 20× for intentional violations.
Courts may suspend violating businesses’ operations for injunction breaches: 10 days for negligent breaches, 90 days for knowing/willful breaches, and indefinite suspension for intentional breaches until a court-appointed receiver affirms compliance.
The statute limits retention/use of any age-verification data to compliance purposes only and bars using a minor’s consent as a substitute for verification; it also exempts entities already subject to stricter state or federal privacy/verification rules.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Duty to take reasonable steps to verify age
Subdivision (a) establishes the central obligation: any person or business that does business in California and seeks to sell products or services illegal for minors must take ‘‘reasonable steps’’ to verify purchaser age at time of purchase or delivery. It provides an affirmative defense when sellers reasonably and in good faith rely on bona fide evidence of age and restricts the use of verification information to compliance-related purposes. Practically, this creates an operational duty that firms must document and a compliance record to rely on in litigation.
Enumerated verification methods for subdivision (b) items
This paragraph lists acceptable verification options for the items in subdivision (b): government-issued ID checks (with cross-references to California privacy and data-protection statutes), requiring nonprepaid credit cards for online purchases, blocking purchases from accounts designated as minor accounts, and shipping only to adults. Each method carries different implementation costs and privacy trade-offs; the law treats them as nonexclusive examples of ‘‘reasonable’’ measures rather than mandatory, exclusive paths.
Verification methods for subdivision (c) items
For the products in subdivision (c) — primarily firearms, ammunition, tobacco and vape products, and similar items — the bill narrows the enumerated verification options to ID checks and adult-only shipping. Notably, the nonprepaid credit-card requirement appears only in (a)(2), which means online-sales controls differ depending on which product category applies, creating a two-track compliance regime.
Lists of covered products and services
Subdivision (b) lists items (e.g., aerosol paint for vandalism, etching cream, dangerous fireworks, UV tanning, certain ephedrine supplements, body branding) and subdivision (c) lists more strictly regulated items (firearms, BB devices, ammunition, tobacco and e-cigarette products, less-lethal weapons). The separation matters operationally because the bill ties different verification options to each list, so merchants must map their inventory to the correct subdivision and adopt the corresponding verification controls.
Civil penalties and private enforcement
Subdivision (d) creates civil remedies: public prosecutors may obtain penalties up to $7,500 per violation. It also authorizes suits by parents or guardians (and prosecutors) where damages are calculated relative to the limited civil-case ceiling under CCP §85, multiplied depending on culpability — negligent, knowing/willful, or intentional — which can materially increase per-incident exposure for businesses that serve minors.
Injunction enforcement and business suspensions
This provision instructs courts to suspend a business’s operations in California after violations of an injunction enforcing the statute: 10 days for negligent violations, 90 days for knowing/willful violations, and indefinite suspension for intentional violations until a receiver certifies compliance. That creates a high-stakes enforcement tool beyond monetary fines, particularly for repeat or deliberate violators.
Exemptions and definitions (privacy safeguards and online-business threshold)
The statute exempts businesses already subject to stronger state or federal privacy or verification laws, treating compliance with those laws as compliance here for the covered subjects. It defines ‘‘government-issued identification’’ broadly and sets definitions for culpability standards. Important operational definitions include ‘‘online business,’’ which excludes businesses with less than $100 million in prior-year gross revenue — a threshold that narrows the set of platforms subject to some obligations — and the exclusion of minor consent as a valid verification method.
This bill is one of many.
Codify tracks hundreds of bills on Justice across all five countries.
Explore Justice in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Minors and their parents — the bill strengthens practical barriers against minors obtaining regulated products (from fireworks and tanning services to firearms and vaping products), offering parents private enforcement options to hold sellers accountable.
- Public prosecutors and local enforcement agencies — the statute provides clear statutory causes of action, per-violation fines, and court-ordered suspension remedies that expand enforcement leverage.
- Retailers and platforms that adopt robust verification systems — compliant firms gain a defense (good-faith reliance) and reduce litigation risk by documenting adherence to enumerated verification options.
Who Bears the Cost
- Online marketplaces and platforms that sell or facilitate sales of covered items — they must implement, monitor, and audit age-verification controls and may face multiplied damages and business suspensions for enforcement failures.
- Small brick-and-mortar sellers and specialized vendors — even if some small online entities fall outside the ‘‘online business’’ definition, physical retailers will still need to implement ID-check policies and train staff, increasing operating costs and potential transaction friction.
- Payment processors and merchant acquirers — if nonprepaid-card rules are used for online items, payment flows and onboarding rules will change; processors may face increased disputes and compliance burdens related to verification data handling.
Key Issues
The Core Tension
The bill pits two legitimate aims against each other: protecting minors by forcing reliable age verification versus protecting privacy and preserving feasible commerce. Strong verification lowers the risk minors obtain dangerous products but requires collecting sensitive personal data and imposes operational burdens that can exclude smaller sellers or push commerce outside regulated channels; the statute tries to thread that needle with limited retention rules and exemptions, but those mechanisms leave open difficult compliance and enforcement judgments.
The bill bundles child-protection objectives with detailed privacy constraints, but the interaction is messy. Requiring government-issued IDs or nonprepaid cards improves age assurance but forces businesses to choose between collecting sensitive personal data and facing enforcement risk.
The statute limits retention and use of verification data to compliance purposes, yet it also cross-references multiple California privacy statutes; businesses will need clear policies about what records to keep to demonstrate compliance without creating a secondary privacy liability.
Several drafting and enforcement ambiguities could complicate implementation. ‘‘Reasonable steps’’ is intentionally non-exhaustive, which gives flexibility but creates litigation risk about what measures were sufficient in a particular context. The bifurcation between subdivision (b) and (c) — and the narrower menu of verification options for some items — forces merchants to make fine-grained product classifications and apply different online controls across inventory, which is operationally complex for multi-SKU sellers.
The civil-damages scheme uses the limited civil-case ceiling multiplied by factors that escalate dramatically; because that ceiling can change, businesses face variable exposure that is hard to price into compliance costs.
Finally, the bill’s extraterritorial reach (applying to anyone who ‘‘conducts business in California’’ and ‘‘seeks to sell in or into California’’) creates jurisdictional and enforcement questions for out-of-state sellers, intermediaries, and platforms. Paired with the exemption for entities already governed by stricter verification or privacy rules, firms will need to analyze which federal or state regimes qualify as ‘‘greater protection’’ — an interpretive issue likely to produce litigation and guidance needs from regulators.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.