What “Commercially Reasonable” Actually Means in 2026

Every age compliance statute passed in the last two years uses some variation of the same phrase: commercially reasonable. It appears in AB 1043. It appears in proposed federal legislation. It shows up in regulatory guidance from the FTC, the ICO, and half a dozen state attorneys general.

And yet, until recently, nobody could tell you what it actually meant.

The phrase was designed to be flexible — a standard that could evolve alongside the tools available to companies. That flexibility was a feature when age assurance technology was nascent. In 2026, it’s becoming a trap. Because the tools have arrived, and the definition of “reasonable” is being rewritten in real time.

The statutory baseline

AB 1043 doesn’t prescribe a specific age verification method. Instead, it requires companies to use “commercially reasonable measures” to determine whether a user is a minor before collecting, selling, or sharing their personal information. The statute deliberately avoids mandating ID uploads, biometric scans, or any particular technical approach.

This design choice reflects a regulatory philosophy: legislators understood that prescriptive mandates would become outdated quickly and would disadvantage smaller companies that couldn’t afford enterprise-grade identity verification systems. A “commercially reasonable” standard, by contrast, scales with the market.

The problem is that it also scales against companies. As better tools become available, the floor rises. What was reasonable in 2024 is not necessarily reasonable today.

What has changed

Three developments have materially shifted the “commercially reasonable” bar in the past eighteen months:

Platform-level age signals went mainstream. Apple’s Declared Age Range API and Google’s Play Age Signals are no longer experimental. They’re documented, stable, and available to any developer who requests access. A company that ignores these signals can’t credibly argue it lacked reasonable means to determine a user’s age on mobile.

Third-party age assurance APIs reached production quality. A generation of purpose-built age assurance services now offers sub-second age verdicts across platforms, without requiring PII collection or document uploads. These services are commercially available, competitively priced, and straightforward to integrate. Their existence makes the “it was too hard” defense substantially weaker.

Regulators started issuing specific guidance. The California AG’s office, the FTC, and the UK ICO have all published guidance documents in the last year that reference specific categories of age assurance technology. While none mandate a particular vendor or approach, they collectively signal that regulators expect companies to be using something — not just age gates and checkbox attestations.

The emerging test

Based on published enforcement actions, regulatory guidance, and early litigation, a practical test for “commercially reasonable” is taking shape. It consists of four questions:

1. Did you use available platform signals? If Apple or Google provided an age signal and you didn’t consume it, that’s a gap. Regulators view ignoring available data as a choice, not an oversight.
2. Did you extend coverage to all platforms? Age assurance on iOS but not on the web creates a constructive knowledge liability. A reasonable company applies consistent protections wherever its users are.
3. Did you evaluate commercially available solutions? Companies are expected to survey the market. If a viable, affordable, privacy-preserving solution existed and you didn’t consider it, that looks like willful disregard.
4. Can you produce evidence of your determination? A checkbox age gate with no audit trail is indistinguishable from doing nothing. Regulators expect structured records: what signal was received, what decision was made, and on what basis.

No single question is dispositive. But failing multiple elements makes a “we acted reasonably” defense very difficult to sustain.

What no longer meets the bar

Some practices that were defensible two years ago are now clearly insufficient:

The pattern is clear: passive approaches are out, and mobile-only approaches are under pressure. The only category that remains defensible is active, cross-platform age assurance with auditable output.

Building a defensible position

Companies that want to stay on the right side of “commercially reasonable” should focus on three things:

• Unified coverage. Age assurance must work on every surface your users touch — iOS, Android, and web. A platform-by-platform approach creates gaps that regulators will identify.
• Privacy-preserving methods. Solutions that require ID uploads or biometric data solve one compliance problem while creating others (GDPR, CCPA, BIPA). Signal-based approaches that process data in real time and retain nothing are the cleaner path.
• Audit-ready evidence. Every age determination should produce a structured, timestamped receipt that documents what signals were evaluated and what conclusion was reached. When regulators ask “what did you do?”, the answer shouldn’t be a policy document — it should be a data trail.

This is the design philosophy behind the Arcadia Age API (A3): a single integration that returns age assurance verdicts across all three platforms with sub-second latency, zero PII retention, and cryptographically signed audit receipts. The goal is to make “commercially reasonable” the default, not a research project.

The bar will keep rising

“Commercially reasonable” is not a fixed standard. It’s a ratchet. Every new age assurance API that launches, every regulatory guidance document that references specific technology categories, every enforcement action that faults a company for ignoring available tools — each one turns the ratchet.

Companies that invest in cross-platform age assurance infrastructure now aren’t just meeting today’s bar. They’re building the foundation to meet tomorrow’s. The companies that wait will find that the standard has moved past them — and that regulators have little sympathy for those who had the tools and chose not to use them.