So a FOSS app running a device local diffusion model specifically for porn would be free of age checks. From a technical perspective that's not all that different from, say, an ansible playbook or bash script or whatever to download a model from HF and configure a local inference stack yet I feel like it must be an unintended loophole.
(5)(a) "COVERED APPLICATION" MEANS A CONSUMER SOFTWARE APPLICATION THAT IS ACCESSED THROUGH A COVERED APPLICATION STORE AND THAT MAY BE RUN OR DIRECTED BY A USER ON A DEVICE.
(b) "COVERED APPLICATION" DOES NOT INCLUDE:
(I) A SOFTWARE APPLICATION THAT DOES NOT PROCESS USERS' PERSONAL DATA; OR
(II) AN APPLICATION FROM A FREE, PUBLICLY AVAILABLE CODE REPOSITORY.
On the one hand, I'm absolutely against blanket age verification laws like this one, think there are better ways to solve the stated problem, and believe that the current crop of legislation is being pushed by bad actors for nefarious purposes by means of pandering to public mania.
On the other hand, I do appreciate that a possible unintended consequence of the out provided by (5)(b)(I) could be that PII (along with user generated content in general) becomes similarly radioactive to if the US had passed a GDPR equivalent. Either that or it's used as a justification for every single online service to require government ID in order to interact with it "because liability". Unfortunately I assume the latter is somewhat more likely at this point.
Also is it defined precisely what it means to "process users' personal data"?
> there are better ways to solve the stated problem
Call your representatives. There is overwhelming demand for age gating social media (based on, honestly, good evidence). This will be implemented based on who calls in. If the status quo of technical people being hopelessly nihilistic continues, it will be written in the stupidest ways possible.
TL;DR We need age verification laws to prevent minors from accessing the addictive stream of toxic sludge rather than outlawing its manufacture and distribution.
It's always written in the most midwit way possible, then, once predicted failure happens it's patched up to be slightly better. That's the default assumption for most of the things.
Can't say I agree. Notice that the proposed legislation isn't specific to social media. Rather it's explicitly advanced in support of Colorado's data privacy laws as they apply to minors.
There's evidence of lots of different issues, a few age related but most not. Adults certainly aren't immune to adversarial algorithms and dark patterns and the practical need for privacy isn't limited to children. It's more that we only seem to be able to achieve broad consensus to add additional regulations where it concerns children.
That wording could be interesting, because it's ambiguous if free is applicable to the repository or the project. Presumably, the latter. This means you could absolutely do source-open but not open-source and still get around it.
Well it says code repository not artifact repository. But it doesn't prohibit obfuscation or transpilation and more generally doesn't appear to specify anything beyond "free and publicly available". I really get the feeling that the people who wrote the law don't have a clear idea of what they're trying to say here and that any court decision is going to be a roll of the dice.
"It's only for porn sites" to "its only for social media" to "its doesn't include open source projects" to "its only when you need an internet connection".
That's how politics works actually. Something has to be done but also not upset X, Y, Z because they will be loud. It's quite okay situation when it happens I think.
Yeah. I think a lot of us just look at computers and operating systems differently than these legislators. But we need to more effectively communicate our needs and side effects of their policies. And elect younger folk sheesh.
As someone working on an open source project in CO, this is a welcome fit of common sense. How do these laws typically work in other jurisdictions, do they block non-conforming sites? Or does it open you up to lawsuits?
Edit: It looks like these laws will be enforced by app stores primarily, because they have more significant liability. I'm guessing they won't take the effort to provide exemptions to jurisdictions with the open source carveout unless it is common.
Of course you do. And farmers like subsidies for corn. That's a general idea for them too. And of course you're going to say the public benefits from open source projects and the farmer will say starving no good. Middle class see, middle class do but think they no do.
What for? That's kind of strange. Maybe if its a critical project, but for random projects that aren't like apache web server, nginx, or Linux Kernel, I don't care, heck I would argue if its a very very small change, and it has been scrutinized I don't care who it came from.
(b) "COVERED APPLICATION" DOES NOT INCLUDE:
(I) A SOFTWARE APPLICATION THAT DOES NOT PROCESS USERS' PERSONAL DATA; OR
(II) AN APPLICATION FROM A FREE, PUBLICLY AVAILABLE CODE REPOSITORY.
On the other hand, I do appreciate that a possible unintended consequence of the out provided by (5)(b)(I) could be that PII (along with user generated content in general) becomes similarly radioactive to if the US had passed a GDPR equivalent. Either that or it's used as a justification for every single online service to require government ID in order to interact with it "because liability". Unfortunately I assume the latter is somewhat more likely at this point.
Also is it defined precisely what it means to "process users' personal data"?
Call your representatives. There is overwhelming demand for age gating social media (based on, honestly, good evidence). This will be implemented based on who calls in. If the status quo of technical people being hopelessly nihilistic continues, it will be written in the stupidest ways possible.
Nah. Can’t stop the money. Let make brain destroying scams and ad spam legal as long as you’re over 18.
Can't say I agree. Notice that the proposed legislation isn't specific to social media. Rather it's explicitly advanced in support of Colorado's data privacy laws as they apply to minors.
There's evidence of lots of different issues, a few age related but most not. Adults certainly aren't immune to adversarial algorithms and dark patterns and the practical need for privacy isn't limited to children. It's more that we only seem to be able to achieve broad consensus to add additional regulations where it concerns children.
"It's only for porn sites" to "its only for social media" to "its doesn't include open source projects" to "its only when you need an internet connection".
A colleague is hosting a virtual session on these and other similar bills around the world in two days https://maintainermonth.github.com/schedule/2026-05-22-age-a...
Or, now slightly out of date, read https://github.blog/news-insights/policy-news-and-insights/w... Added: I had not scrolled far enough on the front page, https://news.ycombinator.com/item?id=48214215 is on this blog.
Edit: It looks like these laws will be enforced by app stores primarily, because they have more significant liability. I'm guessing they won't take the effort to provide exemptions to jurisdictions with the open source carveout unless it is common.
Annoyed by the age gating, or feel it to be commercially burdensome? Open your source, and poof, no more mandate!
Just trying to build and maintain a cool thing, and share it with the world? Never mind the compliance burden.