Comment by davorak
5 days ago
> The point is that you can't just externalize age verification and expect that data to never be sent to facebook
facebook and similar social media companies have a ton of ways to get peoples age and or to narrow it down.
> either way, in the end facebook will know that your child is 6-9.
The main point of the law is not about restricting facebook or similar operator in the laws lanuage from knowing user ages. Though the does say the age bracket can not be used for anything other than to implement the intent of the law.
> The power is then in facebook's hands. Facebook won't see a copy of their government issued ID, but what difference does that make when they've got their age, their selfies, and a list of every friend and family member.
May not matter much for facebook or similar, it matters a bunch for any random website/forum/service you might sign up for where the intent of the service is not about public posting that sort of personal infromation.
> facebook and similar social media companies have a ton of ways to get peoples age and or to narrow it down... May not matter much for facebook or similar, it matters a bunch for any random website/forum/service you might sign up for
You're right about that. There are websites and services that won't have the kind of data needed to identify an individual using the age bracket data, and there are those who could do it anyway or could make some guesses about the ages of users even without having OS gathered age data sent to them. That said, I've seen how bad companies are at making those kinds of assumptions. For example, I've seen youtube's AI age guesser fail completely and mischaracterize viewers ages in both directions.
> Though the does say the age bracket can not be used for anything other than to implement the intent of the law.
I didn't see that anywhere in the text. It does have a section where it says that the age data collected can't be shared with third parties unless they're made a part of the implementation of age-check scheme. There's also this: "All information collected for the purpose of obtaining the verifiable parental consent required under this Section shall not be used for any purpose other than obtaining verifiable parental consent and shall be deleted immediately after an attempt to obtain verifiable parental consent" but it's entirely unclear if age bracket data is considered part of the data collected when "obtaining verifiable parental consent". I suspect that it isn't and this language is intended to protect the data of the adults who will be forced to prove they are the child's parents. In fact they don't define at all what "obtaining verifiable parental consent" should or shouldn't involve.
> I didn't see that anywhere in the text...
You are right it is hard to use it for anything else though given the constraints.
> An operator that receives a signal in accordance with 20this Section shall use that signal to comply with this Section 21but shall not: 22 (1) request more information from an operating system 23 provider or a covered application store than the minimum 24 amount of information necessary to comply with this 25 Section;
You know the age bracket but nothing else and are not allowed to store more data on the topic to figure anything out. So you can not legally figure out someones age by keeping track of when they change age brackets.
> In fact they don't define at all what "obtaining verifiable parental consent" should or shouldn't involve.
It is the "Account holder". The user that set up the account and provide the age is considered the parent or legal guardian.