alt Hacker NewsJust a reminder of what liability the CA age verification law imposes upon developers and providers.
It's not enough to adhere to the OS age signal:
> (3) (A) Except as provided in subparagraph (B), a developer shall treat a signal received pursuant to this title as the primary indicator of a user’s age range for purposes of determining the user’s age.
> (B) If a developer has internal clear and convincing information that a user’s age is different than the age indicated by a signal received pursuant to this title, the developer shall use that information as the primary indicator of the user’s age.
Developers are still burdened with additional liability if they have reason to believe users are underage, even if their age flag says otherwise.
The only way to mitigate this liability is to confirm your users are of age with facial and ID scans, as it is implemented across platforms already. Not doing so opens you up to liability if someone ever writes "im 12 lol" on your app/platform.
Replies
I read it the exact opposite way: you are forbidden from using facial and ID scans solely for age verification (as the OS-provided signal shall be the primary indicator of age), but if you already need to obtain the user's age for other reasons using more reliable means (say, a banking KYC law requiring ID scans) you are not required to discard this more reliable source in favor of the OS-provided signal.
If you aren't already scanning ID or similar then you don't have clear and convincing reasoning to believe the user is underage.
This section targets spyware companies like Facebook, who already know damn well if the user is underage and this section forbids them from pretending they don't know.
It doesn't say you have to go and become Facebook.
How does a website know if the age signal from a client is authentic? That seems unworkable.
How do you know all this before any court decided upon it?
> if they have reason to believe users are underage
The law requires "clear and convincing information", not merely "reason to believe". And since the law requires developers to rely on the provide age signal as the primary indicator of the user's age, developers are not incentivized to create a system that uses sophisticated data mining to derive an estimated age. If someone posts a comment on a YouTube video saying "I'm twelve years old and what is this?", that would absolutely not require YouTube to immediately start treating that account as an under-13 account.