The California OS-level Age Confirmation Law

Great Debates
1

Plenty of warnings and hype about how this law, and its likely clones in other states, are going to impinge on our privacy and subject us to intrusive surveillance — here for one example:

I wish the people making these arguments would provide better examples of what could happen, what they think could happen, etc. It’s not that I’m inclined to be dismissive of the concern, but my own mind isn’t leaping to a situation where I’d be furious or significantly frustrated.

The law requires the person using the device to attach proof of their age, and then the OS makes that (the age? the details of the proof of age? I’m unclear on that…) available to any app that asks for it.

Nearly everyone speaks of this law as it applies to phones, but I gather that it will apply to laptops and servers and other computers and other digital devices that can network.

I could get worked up about the Principle of the Thing if I put my mind to it, but could someone conjure up a good nightmare scenario or two so I have something else to worry about?

2

ISTM it’s “thin edge of wedge” hysteria. Once your device knows who you are, then anything it transmits anywhere can theoretically be tracked back to the real you.

Internet / www anonymity would be well and truly officially dead. Unlike the current situation where it’s practically dead and has been for a couple decades, but most people haven’t noticed yet.

3

Easy; it screws up and just plain locks you out regardless of your age.

Also, it’s a given that whatever “proof of age” you are required to provide will both be for sale and handed over to the government. If they say otherwise, they’re just lying.

4

It has been said here many times in the past that edge cases make for bad law.

It is hard to argue when children are a part of the mix. We want to protect them and understandably so.

I just do not think these laws will succeed in doing that and are instead a means for more data collection.

I grew up well before the internet and I had no problem finding porn when I was a young teen (and to be clear, I wasn’t even trying…always some kid with a magazine to show).

Parents need to be the police for their children. They need to pay attention to them and be careful of what they are viewing on the internet and teach them to be careful and make good decisions. Lots do. Even then I doubt parents (or anyone) can stop it (there is always that other kid who can show you all the things).

These laws are very easily sidestepped and will achieve nothing except grabbing ever more data from you.

5

This.

One possible good consequence of this law though: Childern will learn how to disable or confuse the age verification system, thus incentivizing them to learn how the O.S. operates, I know my generation (Late X, born in 1978) would’ve found a way around in seconds, but the current generations are far less computer-wise. This will counteract that.

6

Straight dope:

https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260AB1043

Just a quick glance, I think this is preempted in part by COPPA and violates the dormant commerce clause. The red flag here is that there is no jurisdictional element limiting the reach of California’s law to goods and services in-state. That doesn’t necessarily mean it’s invalid, but it makes me suspicious. For example, state-specific vehicle emissions laws were upheld because they are, critically, limited to vehicles sold or registered in-state.

Imagine this scenario:

M (Washington state) is an operating system provider. M does not require individuals to provide age information to create (local) accounts in its operating systems. M does not allow third party developers to recieve user age data upon request. In fact, federal law (COPPA) prohibits M from collecting or disseminating user data of children under 13 without express parental consent.
U (Georgia) is a 12-year-old who buys an M operating system from a Georgia retailer, in cash.
C (California) is a data scraper that runs an online white pages site.

C requests U’s age from M. M refuses. C complains to California. California sues M for not requiring account holders to verify ages, and for not providing age signals upon request.

For children under 13, COPPA requires express parental consent before M can disseminating the very data California wants it to disemminate to developers automatically upon request, so federal law preempts state law in those cases. Specifically, the age bracket is “information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier,” 16 CFR 312.2 “personal information” (11), and by making the age bracket data requestable via a developer API, M would necessarily have to combine the age bracket data with an identifier for U. For children under 13 who reside outside of California, COPPA requires parental consent to collect data, but California would require M to allow any account holder to provide said data; this is because “account holder” is only limited to parents for children in the state of California, and can be any adult otherwise.

For dormant commerce clause analysis, absent Congressional action, a state may not effectively control out-of-state transactions or impose regulatory requirements untethered to in-state interests. Courts balance the burden on interstate commerce against the local benefits of the regulation. These facts are designed to show a statutory violation with minimal in-state benefits, yet significant burdens on interstate commerce. M would have to redesign its products globally, possibly notwithstanding contradictory requirements from other states. M would have to set up real-time age signal request capabilities and store global user data, again, possibly in violation of the laws of other jurisdictions. Meanwhile, under these facts, there is no in-state transaction, no in-state child, no in-state interest… except California’s interest in letting data scrapers like C obtain the age of out-of-state children like B.

~Max

7

It’s incredibly dumb. By identifying who is an adult, you also inherently identify who is a child, and thus you’ve now made your children easier to target with whatever this bad stuff is that you want to protect them from.

Verification requires checking some sort of ID, which will be linked to the user in some way. And these companies that handle this stuff get hacked all the time. Discord had one they were using that just got hacked.

And, of course, who buys the computer? Not the kids. Parents can easily just set it up for themselves and let the kids use them, bypassing this nonsense, or let them know that the device is for a kid and make them an easier target.

8

In fact they had two different ones that got hacked, in short succession.

9

The text is short and not very precise. The gist is:

  1. When you create a user account, the OS needs to ask for the age or DOB.
  2. App stores need to use this information to comply with other laws (e.g. California Age-Appropriate Design Code Act).
  3. Civil penalties are up to $2500 / $7500 per child for unintentional/intentional violations.

#3 is the one that bothers me. It’s one thing to force OS vendors and app stores to put an unverified age verification mechanism in place. It’s another to have such high penalties for individuals.

For personal devices, this won’t have much impact; people will comply or not and CA won’t know either way. However, this can make things very complicated for businesses or institutions that have shared devices / shared accounts: An intern that uses a shared computer in the lab, someone in the field uses a work tablet to enter an order, a library card catalogue that can get to Windows app store, etc. Again, CA generally won’t know, but companies will need to put processes in place to prevent this.

Finally it is odd that it is a violation to indicate an age bracket that is younger than the user. This implies that you can’t play it safe and set shared devices to age 13.

The parent or legal guardian is the one that is supposed to be entering the age verification information. I don’t think there is a strong case that the child is disseminating the age.

(a) (1) “Account holder” means an individual who is at least 18 years of age or a parent or legal guardian of a user who is under 18 years of age in the state.

It is clear that app stores are required to do the age verifications, but it is not clear if other apps are allowed to do age verification. It seems they are, but with restrictions on how they can use the information.

10

The government already has that information. The county I was born in issued my birth certificate, the state I live in my driver license, the federal government my passport and social security number, and so on. My address? On file at the county courthouse. Voter registration? The same. The list goes on, but what it comes down to is that this stuff is already not secret.