(b) "COVERED APPLICATION" DOES NOT INCLUDE:
(I) A SOFTWARE APPLICATION THAT DOES NOT PROCESS USERS' PERSONAL DATA; OR
(II) AN APPLICATION FROM A FREE, PUBLICLY AVAILABLE CODE REPOSITORY.
On the other hand, I do appreciate that a possible unintended consequence of the out provided by (5)(b)(I) could be that PII (along with user generated content in general) becomes similarly radioactive to if the US had passed a GDPR equivalent. Either that or it's used as a justification for every single online service to require government ID in order to interact with it "because liability". Unfortunately I assume the latter is somewhat more likely at this point.
Also is it defined precisely what it means to "process users' personal data"?
Call your representatives. There is overwhelming demand for age gating social media (based on, honestly, good evidence). This will be implemented based on who calls in. If the status quo of technical people being hopelessly nihilistic continues, it will be written in the stupidest ways possible.
Nah. Can’t stop the money. Let make brain destroying scams and ad spam legal as long as you’re over 18.
As far as this specific Colorado legislation goes (which is concerned with the ability to comply with their previously passed data privacy law) I think it's not entirely bad but I have two issues with it.
First, it reverses the problem. Services should be sending an age-appropriateness (or even just general content classification) signal to the device for local processing, not the other way around. If you're going to mandate that OS creators do anything it should be to implement a certain baseline level of (interoperable!) functionality as far as parental controls are concerned.
Second, the entire thing should be predicated on some metric such as MAU or revenue or combination thereof not on the exceedingly vague idea of a "free, publicly available code repository".
OK, so say the device receives a signal that say that an app is not appropriate for children under 13. How would the device find out if the user trying to run the app is under 13?
The software on the device can do whatever it would like with the signal it receives, including consulting the user account metadata for declared age if the device owner so desires.
If the app tells the OS the age range it is appropriate for the filtering will only be able to either block or allow the app to run.
If the systems tells the app the age range of the user the app can operate in a mode appropriate for that age range. For example a multiplayer game app can put kids in games that only have other kids playing.
I think it being limited is a feature. This was modeled after the California law, and I think the intent is the same although the changes made after the initial draft make it less clear. The California law is clearly aimed at being a parental control on the child's device, with minimal privacy implications. Hence relying entirely on the age information provided by the parent.
You may choose to sign up to see all the toxic sludge you wish, as is our constitutional rights as Americans.
You say “they signal to the algorithm”, but how? How did they see it in the first place to be able to provide that signal? It was suggested to them.
Often because that kind of content is really sticky for the site. Whether because you like it or it outrages you or scares you it’s manipulative in a way that is symbiotic with the platform’s goals.
It provides perverse incentives for creators and companies.
And again: the only reason the algorithm promotes things is because that person signaled that they were interested in it. They might've gotten it recommended by a friend, acquaintance, whatever, but the point is that if nobody had recommended anything to them the algorithm would have no data.
And again: how do you propose to get this to survive the first amendment? Algorithms are a form of speech under law.
Obviously that's nonsense. Government bodies in the US are permitted to regulate the products traded on the market, at least within reason.
> the only reason the algorithm promotes things is because that person signaled that they were interested in it.
What point do you believe yourself to be making here? The only reason anyone shoots up heroin is because they want to. Or alternatively, someone can want a particular product without appreciating the toxic chemicals it happens to expose him to.
Except that this is case law, not something I'm pulling out of my ass. See Moody v. NetChoice, LLC, 603 U.S. ___ (2024), in which the court ruled that compiling and curating user-generated content into "a distinctive expressive offering" is protected editorial discretion, and that "the First Amendment offers protection when an entity engaging in expressive activity, including compiling and curating others' speech, is directed to accommodate messages it would prefer to exclude." The court did not rule on whether the same First Amendment protection extends to personalized curation decisions made algorithmically solely based on user behavior online without any reference to a site's own standards or guidelines. However, we cannot definitively say that the algorithms Facebook and co. use are not making decisions based on standards or guidelines of some kind, whether those be the community guidelines FB publishes or something else, because we don't know how they work internally, and they very well could be AI-driven with community guidelines in the prompt or something. Or they could be generic off-the-shelf recommender algorithms. Or something totally different. This bit TikTok in Anderson v. TikTok, where the third circuit court ruled that TikTok's "for you" feed was first-party expression and therefore not shielded by section 230, which is itself a massively misunderstood law of it's own.
Literally the only thing I am trying to illustrate is that "ban all the algorithmic feeds" is not as easy as you suggest, and the definitive research proving that they are harmful has yet to actually be found when meta-analysis is conducted[0][1]. The (far more) harmful thing is these platforms extremely lax moderation. Granted, moderation is impossible to truly do competently at scale, but still.
[0]: https://www.techdirt.com/2023/12/18/yet-another-massive-stud... (this one links to 6 other studies)
[1]: https://www.techdirt.com/2026/01/21/two-major-studies-125000...
> is directed to accommodate messages it would prefer to exclude.
That says speech can't be compeled, which is consistent with lots of past case law. That doesn't mean various forms of expression can't be incidentally restricted by regulation that exists for some other legitimate purpose.
Of course the court could decide that algorithmic feeds are a protected form of expression that product regulations can't directly target. But in doing so they would (IIUC) be recognizing them as a form of intentional editorial expression and thus their output would no longer (again IIUC) receive section 230 protection. That would presumably constitute a de facto ban due to the imposed liability.
You can watch a popular video on benign topic A and somehow that leads you to it being more likely to recommend extreme topic Q.
I’ll say it again: no algorithm. recommendations based on anything involving you are algorithmic.
If you follow a friend, and a friend shares a post, that’s not an algorithm picking what you see. It’s just a post like RSS. You can go choose to follow that new person to see more.
If I follow my friend Bob and his friend likes UFO conspiracies that shouldn’t lead to me seeing UFO conspiracy stuff unless Bob promotes it manually.
* The homepage of Reddit * The YouTube homepage * The federated timeline of my Mastodon instance * The algorithmic feed that Bluesky uses (which is more customizable than Facebooks)
I could sit here and go on and on. All of these, in one way or another, are algorithmic, in the strict definition of an algorithm. So, are you also saying that the federated timeline of my Mastodon instance shouldn't exist? I mean, in a sense, that's an "algorithmic feed". How am I supposed to find interesting users who I should follow then? By word of Mouth? Because that's not going to work. By forums or awesome lists? Now you've just created yet another kind of echo chamber because what I find depends on what forums or awesome lists I frequent, and that leads to me only seeing what I want to see. Which... Doesn't really solve the root problem that "banning the algorithm" would try to solve. If anything, it makes it worse. Instead of everyone being able to look at alternate viewpoints/ideas, they are suddenly restricted to only those viewpoints/ideas which they want to see/read/hear/whatever. In something like Email that's fine: I only want to see emails for mailing lists and such I've subscribed to for example. On something that is supposed to be a social network, federated or no, that... Kind of destroys the "social network" part.
Like maybe I'm just misunderstanding what everybody means when they talk about "banning the algorithm" and "getting rid of the toxic sludge" but the law (the first amendment) prohibits viewpoint discrimination. Being "content neutral" isn't possible (everything is biased in some manner). So I guess what trips me up is: how exactly would you word the law and thread the needle fine enough that you would only ban the kind of feeds Facebook uses for example, without also causing a ton of second, third, fourth, and maybe even fifth-order effects far beyond what anybody intended to do? And how do you do that without violating the first amendment in the process? Maybe I'm missing something critical here or something, but from all the studies I've looked at that indicate that screen time and such is not actually as harmful as the narrative would like you to think, this looks to me like a solution in search of a problem, and a solution that would have consequences that people haven't thought about.
Then make a public case for prohibition. Currently, there isn’t support for it. There is for age gating social media the way we do drugs.
Can't say I agree. Notice that the proposed legislation isn't specific to social media. Rather it's explicitly advanced in support of Colorado's data privacy laws as they apply to minors.
There's evidence of lots of different issues, a few age related but most not. Adults certainly aren't immune to adversarial algorithms and dark patterns and the practical need for privacy isn't limited to children. It's more that we only seem to be able to achieve broad consensus to add additional regulations where it concerns children.
My personal burden of evidence for prohibition versus age gating is higher. I don’t know if that’s how others think. But the truth is we are getting age gating one way or another, that battle has already been debated and won, and everyone who called in or responded to polls was almost universally in favor of age gates (in Wyoming, New York and Virginia, the states I’m more familiar with).
As someone that relies on third-party clients to get usable interfaces, if this gets widely adopted it would be great news. It would end the cat-and-mouse game from companies trying to force users onto first-party clients.
It's also naive to believe that a fraction of open source in a companies pipeline would give them a free pass for everything.
(e) AN OPERATING SYSTEM PROVIDER OR DEVELOPER THAT DISTRIBUTES AN OPERATING SYSTEM OR APPLICATION UNDER LICENSE TERMS THAT PERMIT A RECIPIENT TO COPY, REDISTRIBUTE, AND MODIFY THE SOFTWARE WITHOUT ANY PLATFORM-IMPOSED TECHNICAL OR CONTRACTUAL RESTRICTIONS IMPOSED BY THE PROVIDER OR DEVELOPER ON INSTALLING ALL MODIFIED VERSIONS.
Does that mean I need to download the Android apk from a git repository? Would a clever lawyer be able to argue that the release section on GitHub is outside the repository and therefore not fulfilling this clause?
Would F-Droid still not be exempt because it is structured like a store and offers pre-built binaries?
You have to add a couple fields or so to whatever gathers user info at account creation time. Personally I would find that non-trivial because nowadays those are usually GUIs and I haven't done any GUI stuff in ages. People who current write GUI apps for current OSes would have no problem.
Then you need to use that data in a way that lets you provide an API for apps to check the age bracket of the current user.
That part is easy, although some people will no doubt make it way more complicated than it needs to be (probably making it part of systemd or something ridiculous like that).
What I would do is create a file in some standardized location for each age bracket. These files would be protect so that ordinary users cannot open them for reading. When an account is set up, an access control list entry would be added to the appropriate files that allows that user to open the file for reading.
The API for apps to check if the user is in an age range they allow is to simply use the normal file access API to try to open the age bracket files corresponding to the age ranges they are checking for.
Annoyed by the age gating, or feel it to be commercially burdensome? Open your source, and poof, no more mandate!
Just trying to build and maintain a cool thing, and share it with the world? Never mind the compliance burden.
A colleague is hosting a virtual session on these and other similar bills around the world in two days https://maintainermonth.github.com/schedule/2026-05-22-age-a...
Or, now slightly out of date, read https://github.blog/news-insights/policy-news-and-insights/w... Added: I had not scrolled far enough on the front page, https://news.ycombinator.com/item?id=48214215 is on this blog.
Edit: It looks like these laws will be enforced by app stores primarily, because they have more significant liability. I'm guessing they won't take the effort to provide exemptions to jurisdictions with the open source carveout unless it is common.
"It's only for porn sites" to "its only for social media" to "its doesn't include open source projects" to "its only when you need an internet connection".
Whoever is behind this needs to be exposed, tarred, and feathered.
Meta's well know campaign was actually to make the app stores (and maybe OSes) responsible for age verification, not apps.
Google and Apple campaigned to make apps responsible for it.
how/why did children survive all those generations ago where these dangerous things have existed, and all of a sudden, parents are now powerless and unable to parent?
You had to go to a special store where an adult checked your age.
But I guess the better option would be to give parents the propper tools. For example every OS could have the option to set up a child account, that gives the age range to the app store / website the user visits. And the app store owner and website owner (of a certain size? Not sure) have to implement it. Just like store owners can't sell alcohol or porn mags to underage customers.
They didn't survive, they died:
https://www.statista.com/statistics/1041714/united-kingdom-a...
Names matter. We saw ChatControl 1.0 get defeated, it probably didn't hurt that the name implied censorship.
I feel like age verification is important online - a copy of the real world. Check my ID before I go in the pub.
It feels like it's jumped all the way to positive-ID. Not just "of age" but become you are "First Last".
It's possible (right?) to assert age and is-human attributes w/o knowing which specific human at what specific age I am online?