The California OS-level Age Confirmation Law

Plenty of warnings and hype about how this law, and its likely clones in other states, are going to impinge on our privacy and subject us to intrusive surveillance — here for one example:

I wish the people making these arguments would provide better examples of what could happen, what they think could happen, etc. It’s not that I’m inclined to be dismissive of the concern, but my own mind isn’t leaping to a situation where I’d be furious or significantly frustrated.

The law requires the person using the device to attach proof of their age, and then the OS makes that (the age? the details of the proof of age? I’m unclear on that…) available to any app that asks for it.

Nearly everyone speaks of this law as it applies to phones, but I gather that it will apply to laptops and servers and other computers and other digital devices that can network.

I could get worked up about the Principle of the Thing if I put my mind to it, but could someone conjure up a good nightmare scenario or two so I have something else to worry about?

ISTM it’s “thin edge of wedge” hysteria. Once your device knows who you are, then anything it transmits anywhere can theoretically be tracked back to the real you.

Internet / www anonymity would be well and truly officially dead. Unlike the current situation where it’s practically dead and has been for a couple decades, but most people haven’t noticed yet.

Easy; it screws up and just plain locks you out regardless of your age.

Also, it’s a given that whatever “proof of age” you are required to provide will both be for sale and handed over to the government. If they say otherwise, they’re just lying.

It has been said here many times in the past that edge cases make for bad law.

It is hard to argue when children are a part of the mix. We want to protect them and understandably so.

I just do not think these laws will succeed in doing that and are instead a means for more data collection.

I grew up well before the internet and I had no problem finding porn when I was a young teen (and to be clear, I wasn’t even trying…always some kid with a magazine to show).

Parents need to be the police for their children. They need to pay attention to them and be careful of what they are viewing on the internet and teach them to be careful and make good decisions. Lots do. Even then I doubt parents (or anyone) can stop it (there is always that other kid who can show you all the things).

These laws are very easily sidestepped and will achieve nothing except grabbing ever more data from you.

This.

One possible good consequence of this law though: Children will learn how to disable or confuse the age verification system, thus incentivizing them to learn how the O.S. operates. I know my generation (Late X, born in 1978) would’ve found a way around in seconds, but the current generations are far less computer-wise. This will counteract that.

Straight dope:

https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260AB1043

Just a quick glance, I think this is preempted in part by COPPA and violates the dormant commerce clause. The red flag here is that there is no jurisdictional element limiting the reach of California’s law to goods and services in-state. That doesn’t necessarily mean it’s invalid, but it makes me suspicious. For example, state-specific vehicle emissions laws were upheld because they are, critically, limited to vehicles sold or registered in-state.

Imagine this scenario:

M (Washington state) is an operating system provider. M does not require individuals to provide age information to create (local) accounts in its operating systems. M does not allow third party developers to receive user age data upon request. In fact, federal law (COPPA) prohibits M from collecting or disseminating user data of children under 13 without express parental consent.
U (Georgia) is a 12-year-old who buys an M operating system from a Georgia retailer, in cash.
C (California) is a data scraper that runs an online white pages site.

C requests U’s age from M. M refuses. C complains to California. California sues M for not requiring account holders to verify ages, and for not providing age signals upon request.

For children under 13, COPPA requires express parental consent before M can disseminate the very data California wants it to disseminate to developers automatically upon request, so federal law preempts state law in those cases. Specifically, the age bracket is “information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier,” 16 CFR 312.2 “personal information” (11), and by making the age bracket data requestable via a developer API, M would necessarily have to combine the age bracket data with an identifier for U. For children under 13 who reside outside of California, COPPA requires parental consent to collect data, but California would require M to allow any account holder to provide said data; this is because “account holder” is only limited to parents for children in the state of California, and can be any adult otherwise.

For dormant commerce clause analysis, absent Congressional action, a state may not effectively control out-of-state transactions or impose regulatory requirements untethered to in-state interests. Courts balance the burden on interstate commerce against the local benefits of the regulation. These facts are designed to show a statutory violation with minimal in-state benefits, yet significant burdens on interstate commerce. M would have to redesign its products globally, possibly notwithstanding contradictory requirements from other states. M would have to set up real-time age signal request capabilities and store global user data, again, possibly in violation of the laws of other jurisdictions. Meanwhile, under these facts, there is no in-state transaction, no in-state child, no in-state interest… except California’s interest in letting data scrapers like C obtain the age of out-of-state children like B.

~Max

It’s incredibly dumb. By identifying who is an adult, you also inherently identify who is a child, and thus you’ve now made your children easier to target with whatever this bad stuff is that you want to protect them from.

Verification requires checking some sort of ID, which will be linked to the user in some way. And these companies that handle this stuff get hacked all the time. Discord had one they were using that just got hacked.

And, of course, who buys the computer? Not the kids. Parents can easily just set it up for themselves and let the kids use them, bypassing this nonsense, or let them know that the device is for a kid and make them an easier target.

In fact they had two different ones that got hacked, in short succession.

The text is short and not very precise. The gist is:

  1. When you create a user account, the OS needs to ask for the age or DOB.
  2. App stores need to use this information to comply with other laws (e.g. California Age-Appropriate Design Code Act).
  3. Civil penalties are up to $2500 / $7500 per child for unintentional/intentional violations.

#3 is the one that bothers me. It’s one thing to force OS vendors and app stores to put an unverified age verification mechanism in place. It’s another to have such high penalties for individuals.

For personal devices, this won’t have much impact; people will comply or not and CA won’t know either way. However, this can make things very complicated for businesses or institutions that have shared devices / shared accounts: An intern that uses a shared computer in the lab, someone in the field uses a work tablet to enter an order, a library card catalogue that can get to Windows app store, etc. Again, CA generally won’t know, but companies will need to put processes in place to prevent this.

Finally it is odd that it is a violation to indicate an age bracket that is younger than the user. This implies that you can’t play it safe and set shared devices to age 13.

The parent or legal guardian is the one that is supposed to be entering the age verification information. I don’t think there is a strong case that the child is disseminating the age.

(a) (1) “Account holder” means an individual who is at least 18 years of age or a parent or legal guardian of a user who is under 18 years of age in the state.

It is clear that app stores are required to do the age verifications, but it is not clear if other apps are allowed to do age verification. It seems they are, but with restrictions on how they can use the information.

The government already has that information. The county I was born in issued my birth certificate, the state I live in my driver license, the federal government my passport and social security number, and so on. My address? On file at the county courthouse. Voter registration? The same. The list goes on, but what it comes down to is that this stuff is already not secret.

Two things I think that are being overlooked about this particular law (although I could be reading it wrong).

  1. There is no verification requirement. Whatever the “account holder” puts into the age setting in the OS is considered to be truth. The only exception is if the third-party app has other information that indicates the age is false. Then they are required to use the information they already have.
  2. There are no penalties for individual users. They are only for OS developers that violate the law.

I’m still not convinced this is either a good idea, or that it is constitutional, but as written the primary complaints regarding data privacy seem to be of a slippery-slope type not anything specific to this law.

What they are trying to do is make it so that when a parent provides a device to a child (phone, laptop, whatever) they (the parent) can set the age in the OS and that information will be provided to all third-party apps. This gets around the very common issue of trying to manage parental control settings on myriad apps, all of which work differently and any one of which might have been disabled or bypassed without parental knowledge.

Again, I don’t think it will work, but I understand the sentiment and would be in favor of companies attempting to come up with a scheme like this (as an option!) without government intervention. It would be great if Apple, for example, provided a more global “age lock down” setting that I could trust would enable certain controls (no chatting with unknown users, for example) in all apps.

That wasn’t my reading, but maybe I misunderstood. The fines apply to a person only. OS vendors that make a good faith attempt have no liability.

That can’t be correct, because the title doesn’t have any language that an end-user could violate.

The only “shall” statements apply to “operating system provider” and “developer”. There is no language that says what an end-user is required to do, so there is nothing for them to violate.

This is the text I am referring to. Doesn’t this apply to end users?

1798.503. (a) A person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) per affected child for each negligent violation or not more than seven thousand five hundred dollars ($7,500) per affected child for each intentional violation, which shall be assessed and recovered only in a civil action brought in the name of the people of the State of California by the Attorney General.

How could it? What language in the title requires an end-user to do anything?

These are the “shall” statements in the title:

If you are not an operating system provider or a developer (or covered application store, which is defined but then only referred to in passing) then there is no liability here.

ETA: I know “proof by AI” isn’t really accepted here, but all of the summaries and specific queries I’ve generated confirm that there are no penalties for individual users.

I guess I’m missing your point. There’s a ‘shall’ in 1798.503.

Sorry, my point is just that the statute defines who it applies to. That is done in the definition section and then in the “shall” statements of the text of the statute. Then it defines penalties for violations. I can see how the word “person” might be confusing in 1798.503, but that only applies to persons that meet the definition of “operating system provider” or “developer” as defined in the statute itself.

If you can find any reference that claims the penalties apply to end users who enter a false DOB or age I’d be happy to retract the claim, but I’m pretty sure it doesn’t.

ETA: I’d be far more sanguine about this law if it explicitly required (or at least allowed) OS providers to allow account holders to skip the age entry if they want to. That would at least protect adult users that don’t want to deal with this while requiring the OS providers to give the option for parents to lock down a device with age bracket information about the user account.

Ok I get your point, thanks. The fines are more reasonable then if they apply to the OS or app store and not people.

Collecting from the child is defined to include prompting a child for information or even passively tracking the child’s IP, etc. See the 2018 VTech Settlement. Brand new FCC regulations permit temporary storage of personal information for age verification purposes, but not if retained indefinitely as California would require.

I guess you could write software to ask a parent or guardian to complete the process before asking the user’s age, so that a child is not even prompted to enter personal information. But even so, when the company discloses the child’s age bracket via an API, it almost certainly will have to include some kind of unique identifier in the signal sent to the developer, which is personal information under federal law.

~Max

I also wonder, for example, if you want to build a car and embed a microprocessor to do some mundane thing like regulate air intake, I guess you now need to design that component to:

  • require user accounts
  • require age verification
  • require network access
  • require app stores
  • build a backend to store age bracket data and provide it to literally any other computer program upon request

~Max