This is my reading of the law. The adult enters the child’s age or DOB when creating the account. The child does not share any data.
The signal is only to be provided to app stores, not just any old app. On mobile this is easy because there are already special permissions to be an app store. I don’t know about Windows and I don’t think so for Linux.
No, it says general compute only, so not embedded systems.
This is all based on my reading, which may have mistakes (like the one earlier that @Jas09 found).
It seems like the intention is to add an unverified age-verification at the OS level similar to what liquor companies have for their websites. I’m sure it will be as effective as those are.
But as @LSLGuy said way up-thread, everyone already knows the user’s age bracket.
Embedded systems can be made of general purpose computers. Think of the Arduino R3, which is actually used by children in an educational setting. The hardware itself is sufficient for general purpose computing. You could, and people have, run an operating system on it. The law requires operating system providers to provide an interface to collect age information to provide a signal to applications in an app store. No app store? Barring the good faith safe harbor, that provider appears to violate the law…
Gaming consoles are also embedded systems, as are exercise bikes, smart displays, smartphones, dumbphones, PDAs, smart TVs, smartwatches, etc. Clearly the statute covers at least some of these, so an embedded system can be a general purpose computing device under the statute.
As defined, though, an app store is “a publicly available website, software application, or platform that distributes and facilitates the download of third-party applications to users of computers or mobile devices.”
You want to know a user’s age? Throw in some third party freeware on your website or application.
I also fail to see how you don’t need verification if they get in trouble if the signal is fraudulent. How else can they make sure that you didn’t put in the wrong birthdate?
I do know all but the biggest Linux distros have refused to implement. I also know about this fun little website:
Note, this is not what we would usually consider an OS, but it fits the definition given. It’s obviously a humorous take, but it makes a point.
For those who might need help understanding the tech jargon:
I do believe, as someone else here said, that the privacy arguments here are mostly a slippery slope. App makers have had age verification for years, and they’re all “big tech”; I suppose someone could have gone all this time without a YouTube or Facebook account, but that’s a pretty small percentage of the population.
Other security concerns that should be considered are probably a side-effect, though. Always ask – why does this bill exist? Not, why does it purport to exist, but how did the text come to be up for debate in a legislature?
A well-researched Reddit post lays some of this out. The short of it is that Meta is funding this. A little late, maybe, since they just lost a lawsuit for making an addictive product, but they’re pushing legislation that mostly impacts their competitors Apple, Google, and Microsoft. (Meta does have an OS for their VR devices that already does age verification). Those other companies will have to pay to modify their products AND adopt the liability for violating other child protection laws.
Does that make this bad? I don’t really know. I hate Meta, but I also hate those other 3 companies so… maybe it’s a wash? The reddit post goes into some details of the EU approach to this, and while the author thinks that the EU approach is better, he acknowledges some problems with it (I’m a little more on the fence about which one is worse than he is).
I note that the constitutional white paper which preceded this law does not really address the preemption or dormant commerce clause concerns I raised above, but mostly limits itself to the First Amendment:
I agree that the First Amendment (as incorporated by the Fourteenth) is not implicated by this law.
ETA:
Requiring an operating system sold or used in a state to transmit the owner’s age-range based upon the device’s registration data is a minimal burden that neither interferes with interstate commerce (i.e., it does not violate the dormant commerce clause despite potentially broad extraterritorial effect outside of the enacting state), (see Nat’l Pork Producers Council v. Ross, 598 U.S. 356 (2023) (upholding California statute requiring all pork sold in state to meet animal-welfare requirements)) …
The statute as ultimately passed by California is not limited in application to operating systems sold or used in-state. If it were, I would concede the dormant commerce clause issue.
An air intake system is an embedded device and not general compute, same for exercise bikes, dishwashers, and displays. Smartphones are, PDAs might be, etc.
A general compute device has a meaning here as does what is an app store and what is not.
Is there still ambiguous cases? Likely. The text just isn’t that long to be unambiguous.
TBH it’s not clear to me how an internet-based app store is supposed to get the age bracket from the OS. The browser isn’t obligated to pass it through. Seems like a gap.
For app-based app stores, the user would have to grant the app store permission before it could query the age bracket.
If I understand your point, this is covered in 1798.503. (b). The OS and app stores just need to query the age bracket. They are not liable beyond that.
The law would have been more practical if it defaulted to the lowest age bracket for systems that don’t comply unless the company already has this info (e.g. steam). Then there would be no need to implement backwards compatibility.
This is a case of something that is conceptually very simple, but is a mess in reality. The devil is in the details.
A browser capable of downloading applications over the internet is a covered application store:
“Covered application store” means a publicly available internet website, software application, online service, or platform that distributes and facilitates the download of applications from third-party developers to users of a computer, a mobile device, or any other general purpose computing that can access a covered application store or can download an application.
“Covered application store” means a … software application … that distributes and facilitates the download of applications from third-party developers to users of a … general purpose computing that can … download an application.
Developers must request a signal from the operating system provider or a covered application store when downloaded and launched. Operating system providers are required to respect these requests; however, covered application stores are not obligated to respect these requests.
Inexplicably, covered application stores are not required to send age bracket signals to developers upon request. Therefore, because all covered application stores are also applications controlled by developers, all covered application stores are prohibited from sharing signals:
(4) A developer that receives a signal pursuant to this title … shall not … Share the signal with a third party for a purpose not required by this title.
The result is that developers with their own application stores can circumvent the requirements of the act by only requesting a signal from the store, and ignoring the request.
Some general computing devices are embedded systems, such as smartphones, smart televisions, smart watches, most modern dumbphones, and game consoles.
Most embedded systems are not general computing devices, but contain general purpose computing devices. For example, modern electronic control units rely on programmable, general-purpose microprocessors to regulate air intake. It’s been that way since Bendix filed its patent in 1978, which was granted in 1981 as No. 4,255,789 (“Microprocessor-based electronic engine control system”). The general-purpose programmability was essential because it allowed car manufacturers to use off-the-shelf ECUs instead of redesigning control circuits for every car. Multi-function printers are also in this category. Arduino R3 boards are in this category, for another example. Arcade games also fit here.
Some embedded systems are not general computing devices, nor contain general computing devices. These are mostly systems with discrete components, FGPAs, and ASICs.
Not being an engineer, I struggle to accept the central premise: “no age verification system can operate without creating a surveillance mechanism.” In the context of physical interaction, historically, we do a pretty good job of sorting little kids (e.g. under 13) from adults, at point of entry and point of sale. Teenagers are more iffy. Business owners probably prefer not to keep a record of who they sell to.
Today, of course, if you walk into a retail store, chances are 50-50 that the retailer or an affiliate builds a permanent profile on you (cameras, payment systems, loyalty programs). But that has nothing to do with age verification.
I think this age-verifications mania is less about age verification than ease of control and quality of data collection. The data you give usually includes DOB plus other personally identifiable items like full name, address, etc. All these make it easier for the data collection and aggregation bullies to associate your data with other data, drawing a more accurate (and obtrusive) portrait of you and your surroundings. This makes it more valuable to data brokers.
Facebook/Meta, Peter Thiel, Open AI are all examples I’ve heard given of the people and groups behind it. They all have in common that they want to control people, and they want to harvest data.
I really don’t believe that “protecting the children” is anywhere on the list of actual reasons for these laws. That’s just the excuse.
Sorry took me some time. You were right about this. I took person to mean human, but after searching I learned that CA law does not make this distinction.
An embedded system is a computing system focused on a narrow set of tasks (like washing dishes). It’s “embedded” and not visible to the user.
A general compute system is a computer system that can run a wide-range, un-scoped set of tasks. It’s “general” and visible.
It’s not about the technology, but about the scope of the system. An Arduino has a microprocessor that can run lots of programs. On your desk it might be general compute. But once you constrain it to a task and stick it inside a product, it’s an embedded system. This law doesn’t require it to now have a user account and age verification.
I’m happy to be corrected on this, but my assumption was that once the developer knows the age bracket, they have obligations from other laws. The point of this law is to ensure app stores have this info so that they are about to implement the filtering required.
As I said, this is an assumption. I didn’t go looking for these other laws.