Bill text (it’s longer, but the rest is mostly definitions of the terms used here):

1798.501. (a) An operating system provider shall do all of the following:

(1) Provide an accessible interface at account setup that requires an account holder to indicate the birth date, age, or both, of the user of that device for the purpose of providing a signal regarding the user’s age bracket to applications available in a covered application store.

(2) Provide a developer who has requested a signal with respect to a particular user with a digital signal via a reasonably consistent real-time application programming interface that identifies, at a minimum, which of the following categories pertains to the user:

(A) Under 13 years of age.

(B) At least 13 years of age and under 16 years of age.

(C) At least 16 years of age and under 18 years of age.

(D) At least 18 years of age.

(3) Send only the minimum amount of information necessary to comply with this title and shall not share the digital signal information with a third party for a purpose not required by this title.

(b) (1) A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.

(2) (A) A developer that receives a signal pursuant to this title shall be deemed to have actual knowledge of the age range of the user to whom that signal pertains across all platforms of the application and points of access of the application even if the developer willfully disregards the signal.

(B) A developer shall not willfully disregard internal clear and convincing information otherwise available to the developer that indicates that a user’s age is different than the age bracket data indicated by a signal provided by an operating system provider or a covered application store.

(3) (A) Except as provided in subparagraph (B), a developer shall treat a signal received pursuant to this title as the primary indicator of a user’s age range for purposes of determining the user’s age.

(B) If a developer has internal clear and convincing information that a user’s age is different than the age indicated by a signal received pursuant to this title, the developer shall use that information as the primary indicator of the user’s age.

(4) A developer that receives a signal pursuant to this title shall use that signal to comply with applicable law but shall not do either of the following:

(A) Request more information from an operating system provider or a covered application store than the minimum amount of information necessary to comply with this title.

(B) Share the signal with a third party for a purpose not required by this title.

▲

whynotmaybe 3 hours ago | parent | next [-]

How does that apply to windows server with active directory for a school ?

Does that mean that the admin will have to manage dob of every student when creating accounts ?

> A developer shall not willfully disregard internal clear and convincing information otherwise available to the developer that indicates that a user’s age is different than the age bracket data indicated by a signal provided by an operating system provider or a covered application store.

>If a developer has internal clear and convincing information that a user’s age is different than the age indicated by a signal received pursuant to this title, the developer shall use that information as the primary indicator of the user’s age.

So, I have a button "I'm older than 18" on my app but the signal is "under 13", I can decide that the user is older than 18 ?

	▲	cptroot 3 hours ago \| parent [-]
		So because there is no requirement for the age to be accurate, it would be pretty easy to say "all student accounts are the age of the youngest allowed school entrant for that school year", right? That resolves the age issue and also prevents both PII leakage as well as possible school bullying opportunities.

▲

frshgts 8 hours ago | parent | prev | next [-]

The definitions of the terms are completely bananas

The language is so broad it seems to cover all software that exists and is accessible via the internet, and every install of an operating system on any kind of machine

> (c) “Application” means a software application that may be run or directed by a user on a computer, a mobile device, or any other general purpose computing device that can access a covered application store or download an application.

> “Covered application store” means a publicly available internet website, software application, online service, or platform that distributes and facilitates the download of applications from third-party developers to users of a computer, a mobile device, or any other general purpose computing that can access a covered application store or can download an application.

> “Operating system provider” means a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device.

So any piece of software you can download from the internet will be required to check this "signal" made available by the os?

▲

general1465 7 hours ago | parent | next [-]

> “Covered application store” means a publicly available internet website,

Client side JavaScript can be considered an application, and then ad business would need to first verify that I am over 18 in order to allow me to see their ads.

Ultimate ad blocker.

▲

wtallis 4 hours ago | parent | next [-]

A majority of the news articles that won't load when using NoScript give an error message to the effect of "this application requires JavaScript". It would be nice to see all the unjustified overuse of heavy JS application frameworks for what could have been simple web pages lead to some significant negative consequences.

▲

autoexec 4 hours ago | parent | prev [-]

This law means that your operating system has to collect your age and make it avilable to every website/application so ad businesses can just get that data from our OS automatically and go right on serving ads without having to verify anything themselves.

	▲	general1465 3 hours ago \| parent [-]
		Yes, the presence of such mandatory kill switch is what makes it ultimate adblocker.

▲

hnburnsy 7 hours ago | parent | prev | next [-]

So my Garmin watch, my Home Assistant OS, maybe even my Shelly devices?

I want to know who is behind these laws like this one and the 3D printer gun verification, that seem to pop up across state legislatures all at the same time.

	▲	sidewndr46 7 hours ago \| parent [-]
		It sure sounds like my Arduino is subject to this since it can download a sketch and run it when hooked to my PC

▲

frshgts 8 hours ago | parent | prev | next [-]

good to know that `grep` will have to check how old i tell my os i am before it will do anything

▲

7 hours ago | parent | next [-]

[deleted]

▲

davorak 6 hours ago | parent | prev [-]

Which seems like a silly accidental overreach of the law. If that is the way it applies.

The literal reading of the law says this only required when a child is the primary user of the device.

> (b) (1) A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.

but 'user' here is:

> (i) “User” means a child that is the primary user of the device.

So these rules should only apply to accounts/devices where a child is the primary user.

Grep on an adult's machine would not need to check how old you are, at least with a literal reading of the law.

▲

frshgts 6 hours ago | parent [-]

How else but the signal could it determine whether the user is an adult or not?

	▲	davorak 5 hours ago \| parent \| next [-]
		I do not think the law provides guidance here. The signal is only required when children are the primary device/account users. So one model would be any initial account set up is automatically considered the 'account holder' and not a child account. Then it would be prerogative of the 'account holder' to set up child accounts or not. That seems to fit into the spirt and literal parts of the law. So grep/ls/etc are all installed as part of that 'account holder' and do not need to do any age verification. The signal only needs to be checked when the device/account user is a child and when downloading apps. I think an unfortunate consequence here is that the literal definition of the law says package managers probably can not run on children accounts without jumping through a bunch of hoops. Which is bad for children learning code/computers/etc. The first thing I would change about this law would be: > (b) (1) A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched. Any application that does not need to know a users age should not be required request the 'signal'
	▲	singron 3 hours ago \| parent \| prev [-]
		The whole point of the bill is to create a cause of action for the Attorney General to sue companies. In the bill, they say the damages are up to $2,500 per negligently affected child ($7,500 if intentional), so it doesn't matter how many non-children it affects. E.g. if the OS/appstore/accounts/application is in the context of a workplace that only employs adults, none of this matters.

▲

jrmg 8 hours ago | parent | prev [-]

Yes, that’s clearly the intent of the bill (note I’m not commenting on the wisdom of this idea!)

▲

jmholla 8 hours ago | parent | prev [-]

Two important definitions that might surprise people:

(a) (1) “Account holder” means an individual who is at least 18 years of age or a parent or legal guardian of a user who is under 18 years of age in the state.

(a) (2) “Account holder” does not include a parent of an emancipated minor or a parent or legal guardian who is not associated with a user’s device.

(i) “User” means a child that is the primary user of the device.

User is the most surprising here. It really should just be minors, or non-emancipated minors. Further, I think there are interesting ways the definition of account holder and user combined play out in interpreting the rest of the law.