← Back to context

Comment by jrmg

1 day ago

The actual bill: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...

Bill text (it’s longer, but the rest is mostly definitions of the terms used here):

1798.501. (a) An operating system provider shall do all of the following:

(1) Provide an accessible interface at account setup that requires an account holder to indicate the birth date, age, or both, of the user of that device for the purpose of providing a signal regarding the user’s age bracket to applications available in a covered application store.

(2) Provide a developer who has requested a signal with respect to a particular user with a digital signal via a reasonably consistent real-time application programming interface that identifies, at a minimum, which of the following categories pertains to the user:

(A) Under 13 years of age.

(B) At least 13 years of age and under 16 years of age.

(C) At least 16 years of age and under 18 years of age.

(D) At least 18 years of age.

(3) Send only the minimum amount of information necessary to comply with this title and shall not share the digital signal information with a third party for a purpose not required by this title.

(b) (1) A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.

(2) (A) A developer that receives a signal pursuant to this title shall be deemed to have actual knowledge of the age range of the user to whom that signal pertains across all platforms of the application and points of access of the application even if the developer willfully disregards the signal.

(B) A developer shall not willfully disregard internal clear and convincing information otherwise available to the developer that indicates that a user’s age is different than the age bracket data indicated by a signal provided by an operating system provider or a covered application store.

(3) (A) Except as provided in subparagraph (B), a developer shall treat a signal received pursuant to this title as the primary indicator of a user’s age range for purposes of determining the user’s age.

(B) If a developer has internal clear and convincing information that a user’s age is different than the age indicated by a signal received pursuant to this title, the developer shall use that information as the primary indicator of the user’s age.

(4) A developer that receives a signal pursuant to this title shall use that signal to comply with applicable law but shall not do either of the following:

(A) Request more information from an operating system provider or a covered application store than the minimum amount of information necessary to comply with this title.

(B) Share the signal with a third party for a purpose not required by this title.

20 comments

jrmg

Reply
frshgts  1 day ago

The definitions of the terms are completely bananas

The language is so broad it seems to cover all software that exists and is accessible via the internet, and every install of an operating system on any kind of machine

> (c) “Application” means a software application that may be run or directed by a user on a computer, a mobile device, or any other general purpose computing device that can access a covered application store or download an application.

> “Covered application store” means a publicly available internet website, software application, online service, or platform that distributes and facilitates the download of applications from third-party developers to users of a computer, a mobile device, or any other general purpose computing that can access a covered application store or can download an application.

> “Operating system provider” means a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device.

So any piece of software you can download from the internet will be required to check this "signal" made available by the os?

  • general1465  1 day ago

    > “Covered application store” means a publicly available internet website,

    Client side JavaScript can be considered an application, and then ad business would need to first verify that I am over 18 in order to allow me to see their ads.

    Ultimate ad blocker.

    • wtallis  1 day ago

      A majority of the news articles that won't load when using NoScript give an error message to the effect of "this application requires JavaScript". It would be nice to see all the unjustified overuse of heavy JS application frameworks for what could have been simple web pages lead to some significant negative consequences.

    • autoexec  1 day ago

      This law means that your operating system has to collect your age and make it avilable to every website/application so ad businesses can just get that data from our OS automatically and go right on serving ads without having to verify anything themselves.

      1 reply →

  • frshgts  1 day ago

    good to know that `grep` will have to check how old i tell my os i am before it will do anything

    • nickjj  15 hours ago

      This reminds me of an org I used to work at where they had CrowdStrike installed on every work laptop.

      I once used curl to download a shell script from GitHub and it caused a defcon 1 event where security reached out to me asking why I downloaded it.

    • davorak  1 day ago

      Which seems like a silly accidental overreach of the law. If that is the way it applies.

      The literal reading of the law says this only required when a child is the primary user of the device.

      > (b) (1) A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.

      but 'user' here is:

      > (i) “User” means a child that is the primary user of the device.

      So these rules should only apply to accounts/devices where a child is the primary user.

      Grep on an adult's machine would not need to check how old you are, at least with a literal reading of the law.

      3 replies →

  • hnburnsy  1 day ago

    So my Garmin watch, my Home Assistant OS, maybe even my Shelly devices?

    I want to know who is behind these laws like this one and the 3D printer gun verification, that seem to pop up across state legislatures all at the same time.

    • sidewndr46  1 day ago

      It sure sounds like my Arduino is subject to this since it can download a sketch and run it when hooked to my PC

  • jrmg  1 day ago

    Yes, that’s clearly the intent of the bill (note I’m not commenting on the wisdom of this idea!)

whynotmaybe  1 day ago

How does that apply to windows server with active directory for a school ?

Does that mean that the admin will have to manage dob of every student when creating accounts ?

> A developer shall not willfully disregard internal clear and convincing information otherwise available to the developer that indicates that a user’s age is different than the age bracket data indicated by a signal provided by an operating system provider or a covered application store.

>If a developer has internal clear and convincing information that a user’s age is different than the age indicated by a signal received pursuant to this title, the developer shall use that information as the primary indicator of the user’s age.

So, I have a button "I'm older than 18" on my app but the signal is "under 13", I can decide that the user is older than 18 ?

  • cptroot  1 day ago

    So because there is no requirement for the age to be accurate, it would be pretty easy to say "all student accounts are the age of the youngest allowed school entrant for that school year", right? That resolves the age issue and also prevents both PII leakage as well as possible school bullying opportunities.

  • jkrejcha  1 day ago

    > Does that mean that the admin will have to manage dob of every student when creating accounts ?

    That already happens to some extent although the mechanism by which this happens might depend on the school district, etc. The `dateOfBirth` LDAP attribute is probably the most obvious method (which admittedly should probably not be used due to the ease in accessing this info in the default configuration) but there are others.

    In secondary school when my account was set up we were told that our initial password (that we had to change on first logon) was our DOB

jmholla  1 day ago

Two important definitions that might surprise people:

(a) (1) “Account holder” means an individual who is at least 18 years of age or a parent or legal guardian of a user who is under 18 years of age in the state.

(a) (2) “Account holder” does not include a parent of an emancipated minor or a parent or legal guardian who is not associated with a user’s device.

(i) “User” means a child that is the primary user of the device.

User is the most surprising here. It really should just be minors, or non-emancipated minors. Further, I think there are interesting ways the definition of account holder and user combined play out in interpreting the rest of the law.

FMecha  17 hours ago

How long until they add a 21+ category to this bill, though? Insofar the use of it would be for gambling and CA doesn't even have mobile sports betting.