302 comments

[ 0.23 ms ] story [ 287 ms ] thread
Has anyone figured out if this will literally impact the entire internet, or will it only impact people in the US or just people hosting servers in California? If hosting in California is it enough to not utilize a hosting providers presence in California, or must everyone migrate to providers that do not have a presence in California?
Does the GDPR only impact people hosting in Europe?
For some websites, yes, but on one hand the EU is a lot bigger, while on the other hand California is home to Google and facebook.
> Existing law, the Parent’s Accountability and Child Protection Act, requires a person or business that conducts business in California and that seeks to sell specified products or services to take reasonable steps to ensure that the purchaser is of legal age at the time of purchase or delivery, including verifying the age of the purchaser.

My understanding is that the bill applies to the same businesses that the mentioned law does. Considering California has 40M people, that's not a cohort businesses can shut off from the internet.

40M is not a lot on a global scale actually. For many websites that target a global audience that would not be a big number to lose out.

Many US websites now block Europeans because they don't want to bother with the GDPR and I would not be surprised if the opposite starts happening too.

California nearly has the GDP of Germany and among the highest GDP per capita figures for any major population (~$85,000 - just below Switzerland). That's the difference.

"For many websites that target a global audience that would not be a big number to lose out."

Now replace that with India, Germany, Japan, France, or Britain; because California is in the same economic tier as those countries.

The GP argues that people are willing to cut off all of Europe. You try to refute their claim by saying that California is smaller than Europe. I don't understand your logic and am not persuaded. Did I miss something?
Indeed, I'm in the EU myself and I've seen several instances of "this site is not available to you due to GDPR".

I'm sure sites that are not specifically targeting the US will consider this too if it becomes too much of a burden.

LOL. California is the 5th largest market in the world. Let sites decide they don't want to be browsed from CA - nothing of value would be lost.
> Considering California has 40M people, that's not a cohort businesses can shut off from the internet.

As someone who lives in a 447-million European Union and who keeps on getting HTTP 451 responses from various US-based services and websites after GDPR has gone into effect, I can't help but chuckle at your comment.

The most common users of "We're sorry but we can't be bothered to figure out how to comply with GDPR" notices I've seen are for smaller US-based media organizations. The newspapers like the Ft. Worth Star Telegram or the St. Louis Post Dispatch (random examples, not sure if they actually block EU traffic) have (probably correctly IMO) concluded that the cost to comply with GDPR is likely to be more the than the revenue that could be gained by allowing the occasional EU reader and so have concluded that the most rational choice of action is to block access from the EU.

This is a very different proposition than saying that Tik Tok, Youtube and Facebook would block CA-based users. In addition to the obvious fact that they all have hundreds or thousands of employees in CA, they would be forgoing one of their most important markets in terms of advertising. Furthermore, a lot of the top creators on these platforms live in greater LA.

It's a non-starter. If you're doing anything social for anything that's not an domestic only market (e.g. VKontakte, WeChat) then you need California.

  > have concluded that the cost to comply with GDPR is likely to be more
  > the than the revenue that could be gained by allowing the occasional EU reader
Why would anybody read the news from a source whose prime motivation is anything other than dissemination of information? Not to excuse the profit motivation, but simply not setting any cookies is as simple a "fix" as is blocking access, unless one were to argue for the marginal cost of serving the occasional additional webpage.
There may very well be 0 web developers on the staffs of these newspapers. They could have bought 3rd party software, or they could have paid a consulting company to build a custom news site. In either case, your simple fix is not so simple. Even knowing that not setting cookies for EU users could be a high bar, and actually implementing is far out of reach. Say they go to the original consultant, who tells them they can pay $xx,000 to have GDPR compliance, or $x,000 to block EU users. Hopefully this starts making more sense.

GDPR looks easy to comply with if you imagine you work for the newspaper. Instead, imagine that you literally are the person who currently works for the newspaper and it will become a bit more clear why they've made the decisions they've made.

I love how easy it is to comply with GDPR. It's like actually sort of a boon to not have to keep stupid amounts of data on my users.

I almost don't mind the idea of just 451'ing California and telling them "Sorry, your politicians are REALLY fucking dumb". It would be waaaaaaaaaaay easier than putting up with this absolute walnut-brained moment.

The craziest thing about the lack of data protection laws in the USA is just how EASY it is to glean WAY TOO MUCH INFO on any American. I need to know two data points about you (say your last name and phone number) and from that it costs me like a few dollars or maybe more for more info (on pipl they jacked up the rates really hard), and I can tell you stuff like "Oh yeah your grandpa died in the holocaust" - All this barely knowing who you are, and getting access to these APIs is like a written test away in many states for a PI license. It's completely fucked.

A popup on the homepage that says "are you over the age of 21?" for every site should work then, right? Or at least if you detect that the traffic is coming from California.
A lot of the time the choice is

A: follow Californian law to get ads and income, even though you're in some other part of the world, or

B: Don't follow Californian law,get no ads, thus no income and no site.

The reason for this is that the companies that can give you ads on your website are mostly in California and needs to follow Californian law. If you want their ads, you'll need to follow Californian law too.

Based on many of the "unknown reach" statements the author identified, it is impossible to say.

One potential outcome, at least for US businesses where their legal teams believe they have some nexus to California, will be either:

1) apply these rules to any incoming California IP address;

or

2) apply these rules to everyone, no matter where they are located.

Naturally, the easier route above is to just do #2, which means these changes could, much like the EU's GDPR resulted in paranoid legal teams adding "cookie banners" everywhere, impact all sites that have any US presence at all.

(1) is tricky.

Laws like this do not apply to IP addresses AFAICT, they apply to people. Someone CA law applies to can access your server using a non-CA IP address and someone not restricted by this law can access your server using a CA address. I'd be surprised if you'd be "off the hook" for a child covered under this law accessing your service via a VPN. And, as a user, I'd be upset if I couldn't access your site using mullvad.

I wonder if banning CA users in your ToS is sufficient for passing the burden of this law down to CA residents?

We may need an `X-Applicable-Laws` HTTP header.
Eh. If this passed, most internet based firms will just bail on California. That legalese will invite thousands of law suites.
Authors will just move content out of jurisdiction and stop caring. It's really hard to imagine that (say) France will extradite someone to California because their website didn't check your ID.

See also: GDPR compliance by US websites.

Well GDPR did succeed in making most US websites badger me about cookies.
AFAIK in all of California there are only two real upstream providers for "residential Internet" and every - single - subscriber must pass through their gates. Think of the airport or a modern busy toll bridge in California.. you will be tagged, watched and recorded.. some people really believe this is the way society ought to be run.

To respond to the question: yes, it will.. it will polarize and strengthen the darknet, first. Your ordinary Calif. consumer will have to buy more things, second. Fines and lengthy, pointless court action, third.

Society needs anonymous dissent. This is basic.
While I do personally believe this, society having anonymous dissent is quite a new concept.
Anonymous pamphlets and the like were a tool in motivating support for the Revolutionary War.
Not that it was "dissent", per se, but The Federalist Papers were published under the pseudonym "Publius", and I'd say there has been a long tradition of anonymous or pseudonymous dissent.
I meant ideas that diverge from the norm. If you fear cancelling, lowering your social credit score, risking employment you probably won't publish ideas that stray.
Depends on how you define new. The Federalist and Anti-Federalist were anonymous. Rosicrucianism And other such philosophies come from anonymous sources (they dissented to the religious norms of their time). Basically since the printing press Western societies have had anonymous dissent.
Not really. Publishing anonymously goes way back. Thomas Paine's Common Sense was published anonymously.
I'm not sure about that, I think the main difference is that in the past the concept of identity was not as rigid and well-documented as it is today. Additionally there were way fewer ways to identify someone, either in real life or through their writing. I don't quite want to say 'security through obscurity', though.
(comment deleted)
> society having anonymous dissent is quite a new concept.

Quite the opposite. Most dissent since the time of print has been anonymous, and plenty before then. Society feeling that every utterance or bit of expression has to be assigned to a specific identity is quite a new concept, especially because it's only begun to become technically feasible.

Needs? As in: twitter and facebook fucked up social structures and we need it?
As in this forum for example.
HN is not anonymous. It's pseudonymous at best.
The two don't oppose each other. Throwaway accounts are plentiful for those who want to use them, people who want to stick with a name can do that, and those who want to use (or otherwise make clear) their real name can do that.
HN doesn't even request a mail. For all intends and purposes it is synonymous with anonymity. Sure, there are platforms that don't even use a user handle. Given, you are free to reveal anything about you.
Now show me how that scales to 8B people ranting away. HN is only decent because of its strict moderation. Twitter and facebook, two examples I didn't name accidentally, don't do that, have a much larger audience, and did sow division, largely because they are anonymous.
The problem with anonymous dissent is that it's cheap and easy to DDOS into irrelevance with the "firehose of falsehood." Just spam the public square with endless amounts of anonymous bullshit and no anonymous comment will be believed. Since it's anonymous there is no way to verify its provenance.

AI is automating this process at scale.

You can do this with non-anonymous discourse too but anonymity just makes it easier.

The future is private forums, channels, Discord/Slack instances, invite-only private networks, etc. The public web and public social media are entering their twilight.

Anonymous dissent does not, of course, require anonymous comment directly on any and all websites. There are many other venues for dissent. Most of those aren't run by or paid by other people.

This bill sucks, but it's no real threat to "anonymous dissent".

https://en.wikipedia.org/wiki/Betteridge%27s_law_of_headline...

The author is right that:

1. Every single website and app regardless of whether it is specifically built for kids or not is covered by this bill, and

2. It is virtually impossible to identify and segment your user base and apply the bill's protections to only those you can 100% confirm are under 18.

So, the likely outcome is that this bill becomes an enhanced CCPA and something businesses have to generally comply with for every user.

Looking at the actual contents of the bill though, my response to that is – great! I do want to be treated like a child online. I want sites to present terms of service in a language I can understand. I want them to set my account's privacy settings to the highest offered by default. I want apps to remove dark patterns that get me to spend money. I don't want them to store my data unless using it to provide a service. I want them to tell me up front if my browsing is being monitored by someone else. I want actual consequences if a company decides to leak all my personal data. (All of these are provisions that will be enforced).

The author is critical of the bill as a whole but I don't see any argument against any of the individual provisions. I also don't get where the "eliminate anonymous web browsing" in the title comes from. If anything it will make it less likely for sites to track you.

The collection of identifying information for every user on your website is antithetical to the goals of CCPA and anyone that values any resemblance of privacy.

Further, business do not want to be in charge of validating PII information, nor do they want to place roadblocks to casual users. The darn cookies and GDPR popups are already annoying enough. Are we trying to make the web unusable?

This is just insanity, and will lead to a bunch of ecommerce businesses and website companies leaving CA. ie, no one will comply unless they have absolutely zero other choices.

Where is the need to do that specified in the actual bill? https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...

the majority of the bill is restrictions on collecting personal information in general

I'm not sure most ecommerce sites would meet the criteria as something marketed and targeted at children

I agree that 'likely visited by children' is nebulous but this seems to be heavily aimed at live streaming/recording services(twitch, tiktok .. etc), large public social forums (discord) and things like youtube kids

It's spelled out everywhere in the bill. They make it so scary to serve content to children (knowingly or not, since it's so vaguely defined) that you'll either have to A) Verify age (which requires identity) or B) Lock it down for everyone.

Making a person/business predict someone's age over the internet is just absurd... and fallible... so you will have verify identity.

Is it correct to say that even my personal blog is covered by this?
Here's who it applies to directly from the bill[1]:

    A business that provides an online service, product, or feature likely to be accessed by children.
Child is being defined as[1]:

    "Child" or "children," unless otherwise specified, means a consumer or consumers who is are under 18 years of age.
Meaning all websites, including your blog. No one will be capable of making a bullet-proof argument their site is unlikely to be accessed by a child.

[1] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...

> "A business that provides an online service, product, or feature likely to be accessed by children"

This seems stupidly vague.

As with many of these types of laws in California, I suspect they are deliberately vague.

If people/businesses have to guess at what's compliant, then they will often choose the most restrictive form of compliance out of an abundance of legal caution.

Possibly even unconstitutionally vague.[0] If a law requires someone to accurately predict the future actions of large numbers of people they've never met, then that seems (to my non-expert understanding) like an unreasonable burden on citizens.

[0] https://en.wikipedia.org/wiki/Vagueness_doctrine

Frankly put, and regardless of your personal views on the subject - if the California Pro-2nd Amendment folks haven't been able to get anywhere with this "Vagueness Doctrine", then neither will website operators.
You should also quote the following section:

  (4) “Likely to be accessed by children” means it is reasonable to expect, based on the following indicators, that the online service, product, or feature would be accessed by children:
    (A) The online service, product, or feature is directed to children as defined by the Children’s Online Privacy Protection Act (15 U.S.C. Sec. 6501 et seq.).
    (B) The online service, product, or feature is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children.
    (C) An online service, product, or feature with advertisements marketed to children.
    (D) An online service, product, or feature that is substantially similar or the same as an online service, product, or feature subject to subparagraph (B).
    (E) An online service, product, or feature that has design elements that are known to be of interest to children, including, but not limited to, games, cartoons, music, and celebrities who appeal to children.
    (F) A significant amount of the audience of the online service, product, or feature is determined, based on internal company research, to be children.
I can't speak for the GP poster, but my own personal blog meets none of these criteria.
I didn't quote it because I provided the direct link to the original bill, and felt it would be too messy to quote directly.

None-the-less, the above applies to all websites unless you want to chance being a test case (and no one does). Child is defined as anyone from 0-18 years old, which is an incredibly broad category.

Ever once talk about music on your blog? Talk about food? Cars? Games? Math? School? Clothing? Programming? TV Shows? Upcoming movies? Flying airplanes?

All of these things are of interest to folks 18 and under too... you don't have to have a blog about Blue's Clues to fall under this deliberately vague, ultra-wide net.

It's very unclear to me which specific paragraph A-E would be triggered by the act of publishing writing about food or music on a personal blog. Perhaps if I kept detailed metrics about my users and discovered a significant number were children, it would be different, but I certainly don't do that. Based on that data, I'm pretty comfortable not changing any piece of my own personal website in response to this legislation.

Don't get me wrong, this looks like a garbage law and I truly hope every California resident is writing or calling their elected representatives to complain about it in specific and excruciating detail, but acting like every nerd's low traffic weblog is putting them at risk of civil action from the State of California strikes me as somewhat hyperbolic and misleading.

C, D, and E are killers.

    (C) An online service, product, or feature with advertisements marketed to children.
Run ads on your site? Dead...

    (D) An online service, product, or feature that is substantially similar or the same as an online service, product, or feature subject to subparagraph (B).
Have some element on you site that is similar to any other site that might target children? Dead...

    (E) An online service, product, or feature that has design elements that are known to be of interest to children, including, but not limited to, games, cartoons, music, and celebrities who appeal to children.
This literally covers anything in the world you might talk about. Remember, "Child" is defined as someone 18 or younger... which is a huge and broad category that encompasses all interests and topics.

Take a look at Michael Dominick's SE blog: https://dominickm.com/

The home page alone violates all of the above.

Lastly, "Business" is not defined here, which is odd since these consumer protection laws always define explicitly who they apply to.

I have extensive experience with P65 and ADA compliance - so vague laws like this one really scare me. The only saving grace here is there is no Citizen Enforcement provision - ie. the AG has to bring suit. Which also means voluntary compliance will be low until the AG makes an example of a few unlucky website operators...

> An online service, product, or feature that has design elements that are known to be of interest to children, including, but not limited to, games, cartoons, music, and celebrities who appeal to children.

So if you write an extremely technical blog that happens to include a cartoon avatar, is your blog directed at children? Example: everything on this blog https://gankra.github.io/blah/deinitialize-me-maybe/

I'm not an content segmentation expert, but this does not look like it's child-related content at all. The legislation clauses may seem fuzzy but if this were my blog I wouldn't be worried.
> does not look like it's child-related content at all

If you're defining "child" to mean 5 year olds, I completely agree. But I'm almost certain that there are 17 year olds out there who are world-class Rust programmers who are reading that blog.

Ever seen a kid post a question to Stack Overflow because they're learning programming and have a question, and they make the mistake of mentioning their age?

"Sorry kid. We're deleting your question and banning you."

Yeah, maybe. I certainly hope that, given how great Gankra's writing is, the business that is running their blog does not end up fined many thousands of dollars due to some stupid California law.
I think it's unclear from the text of this bill whether your own personal blog continues to meet none of these criteria if you become a schoolyard meme and children flock to your site of their own volition.
You're going to fall under (B), if nothing else.

Kids are curious. They go places to see what's there. Kids visit your blog, whether you intend for them to or not. (They may not come back for a second visit, but a number have come for a first...)

It's very unclear to me who, exactly, is going to be able to determine that significant numbers of children are accessing my website if I'm not tracking any sort of analytics beyond hits/day. Even taking into account section (D), it's hard to imagine the California AG, even if acting in bad faith, is going to be able to find a blog that is "substantially similar" to mine which has analytics data pointing to traffic showing those sorts of demographics.

Also, to be clear, I'm not trying to be pedantic or split hairs here, I'm trying to explain my own actual thought process in reading the law and considering my own risk/exposure. As I mentioned in a reply to a sibling comment, this law looks genuinely awful, but I'm not going to lose any sleep over the likelihood of getting sued by the state of California for a personal website where I mainly make a half-assed effort to write about the nerdiest shit possible (i.e. computer programming and board games that are best played with the aid of a spreadsheet).

I’m not personally a business, so a plain reading of the line you posted pretty clearly wouldn’t cover my blog if I had one.
Also of note is "Business" is not defined here, which is odd since these types of laws always do.

Deliberately vague...

Does your personal blog collect information about users? If so, then maybe?
and, do you have settings that limit such collection that you have enabled by default?
Personal information like IP address, that is used to enforce troll bans?
Only if you have a nexus in California.
If you are collecting and storing personal identifying information about users (who may happen to be under 18) then yes.
Any legislation that is known up-front to affect all websites on the Internet associated with any business is, to me, bad legislation. I'm surprised you can support any kind of regulation that is consistent with your #1. Fundamentally any kind of regulation of internet websites ought to be at least partially directed by the counterfactuals. In other words, big sites and small sites are different things, and should be regulated differently in almost all cases. Otherwise you will eventually stop having small sites, since the regulated needed for big sites will be imposed on them too, until it is too burdensome for them to exist. This would effectively kill the Internet/WWW as it is today.
Yeah, I think people underestimate that risk and what it means long-term. Do we want to solidify the web as purely just an access point for one of a dozen huge platforms?

There are several web forums I’ve visited that allow anonymous accounts to be created and allow commenting. They are well-moderated. Some were also very niche and run by like one person. Making a law like this is a one-way street that could potentially destroy that capability, some of the best parts of the web.

This will force you to log into every single web site that has commenting. So much for privacy. Privacy will go out the window. Discussion and commenting will go out the window. This bill is deeply undemocratic and very much against a free and open society.

I hope your comment was just being sarcastic.

> This will force you to log into every single web site that has commenting

Says who? You just made up a random scenario.

That's the sense of the bill, essentially. If sites are required to confirm you aren't children before you're allowed into adult conversations, they have to be able to authenticate and authorize you.
What is the practical implication of this anywhere beside eg 4chan? Almost every place with any quality of discussion requires logging in.

In theory anonymous and instantaneous commenting is an ideal of free speech. In practice it repeatably seems to just become wasteland.

Are you suggesting the lack of it is a preferable alternative?
I'm suggesting that it's utterly irrelevant.
Logging in and verifying age are very different. See the new account creation process for the comment you typed, as an example.
Actually this won't really affect 4chan either; while it's speculated the servers reside in California there's no critical dependency that they actually stay there, and once the physical servers leave all ties are severed with the state and California looses any reasonable way to enforce the new law.

It's kinda the same reason the site is accessible in Germany/UK/whatever despite violating every hate speech law in there jurisdiction

> This will force you to log into every single web site that has commenting.

which website doesn't? I can only imagine the high quality discussions that such a site encourages.

You're literally on one. Do you want to upload your driver's license to Hacker News? Does Hacker News want to be in the business of storing those driver's licenses securely?
I wouldn't use hackernews if they required that. So, maybe they shouldn't store my IP address and location by default.
If this bill passes it will be illegal for Hacker News to not do that.
(comment deleted)
How many different websites is any one person really commenting on these days anyway? It’s not like 1) independent blogs and forums are really a thing any more, 2) the blogs and forums that do barely exist have comments any more, 3) the major news and media companies have comments on their websites any more, or 4) you’d ever want to read them even if they did (let alone post your own!).
(comment deleted)
Can you qualify any part of your statement? I'm trying to understand where you're coming from, but none of it follows at face value.
This fear is completely disconnected from reality.

Privacy already doesn't exist online. And discussion and commenting (anonymous or otherwise) have been absolute net negatives for "free and open" society.

I guess you never consume content that is considered adult. I suspect those who do will feel differently about the issue.
I guess you never consume content that is considered adult.

This law doesn't appear to cover content, just what information you are supposed to collect about your users.

I guess I made a leap in assuming that if a site assumed for data collection purposes, that a person was a minor, they'd have trouble justifying showing adult content to that person. Looking back on the article, I see I read something into it that was not there. Ironically, I posted another comment pointing out that a poster had missed something in the article. Guess I better remove the mote from my eye before I post more such comments!
Does this include collecting or displaying their real name? Is that considered PII as it pertains to this law? I ask because if I run a forum it will be difficult to force people to use fake names unless I generate names for them. Some people would be upset if I force them to use a randomly generated name, though some would be happy to be anonymous.
> I also don't get where the "eliminate anonymous web browsing" in the title comes from. If anything it will make it less likely for sites to track you.

Presumably the author is assuming that websites would prefer to offer no functionality at all to age-unverified visitors than to offer the child experience. In such a world, every website would presumably require you to login (to prove your age) before offering even basic functionality.

With such a system, private/incognito browsing would be obsolete.

Which is a weird thought process. Would a site rather get rid of 99% of its user base overnight (by making them go through identity/age verification) or change some basic privacy policies to be compliant with the law?
I think I’d really enjoy competing with those who force logging in for viewing a website.
In the usual submarine fashion the actual text of the bill includes "privacy, safety, and well-being". So its rather unlikely that political censorship will be enforced via the privacy clause, but everyone wants to "save the children" so there will be massive government censorship via the "safety and well-being" clause.
We had the same complaints when GDPR was starting to gain steam: "Surely websites would rather just 'go Galt' and shut down than lift a finger to comply with any regulation!" In fact, that's a pretty standard (and IMO ridiculous) talking point from all kinds of businesses when it comes to regulation. We'd rather stop making money than comply with new laws!

I mean, 1. if respecting user privacy means you actually have to shut your doors, well... bye. The web is probably a better place without such a site. And, 2. that's almost never the case. As soon as the regulation takes effect, companies all of a sudden find ways to comply and go about their business making money. It's all knee-jerk complaining.

This has been california's strategy for about the past 30 years, trying to write laws so it is too onerous for businesses to only comply with them in CA. It's a violation of the principles of federalism and should be smacked down, and california should be harshly penalized for doing so.
> It's a violation of the principles of federalism and should be smacked down

I see your point, but smacking down a state for having different principles is a violation of the principles of federalism. If federalism means anything, it includes the freedom for a state to make its own experiments in democracy as long as they don't cross enumerated federal powers.

If this bill treats people from different states differently then it is vulnerable to the commerce clause, but that isn't clearly the case.

Right, but a state can't e.g. cut off a river to do something with the water then be like "lmao it's an experiment in democracy, cry about it". The internet is an interstate "thing" where we can't even 100% say who is where so this kind of regulation absolutely violates federalist principles.
> The internet is an interstate "thing" where we can't even 100% say who is where so this kind of regulation absolutely violates federalist principles.

California regulation has affected people outside of the state since long before the internet. If that's enough to toss out federalist principles and to handcuff a state beyond constitutional justification, then federalism is quite weak.

Your argument seems to be that federalism should be ignored here in order to protect the integrity of federalism. I'm not understanding how that works.

BTW, I very much disagree with California's direction here. I moved out of the state after growing up and living there for 37 years because of this kind of policy making. But as a federalist I value their independence more than their correctness.

> It's a violation of the principles of federalism

Quite the opposite. This is exactly the definition of federalism.

This impacts the entire world. Commerce clause is applicable here.
There is a tension between a State government's right to regulate activity within the state, and the Federal government's right to regulate activity between States.

Here the key question regarding interstate commerce should be about who must comply with this law (if it becomes law). California wants it to be "businesses" with a "nexus" in California, but that seems like rather expansive. But finding a more limited way to specify "California businesses" that isn't also de-fanged is very difficult in today's world.

Still, now, suppose that Texas or Florida had conflicting laws? Then what?

reading the bill it seems fairly pro-privacy and generally contains things I'd imagine most folks want like limitations on collection childrens data, notifications if you're use is being monitored and controls over how childrens information is stored
The article makes a decent point: Websites will have an incentive to prove their visitors are not children.

> It is virtually impossible to identify and segment your user base and apply the bill's protections to only those you can 100% confirm are under 18.

Doing this might be(come) possible by completely destroying anonymous web browsing.

How? Idk and it wasn't mentioned, but you could imagine Credit card checking, Electronic IDs, post-ident maybe backed into the browser for a one-click identification.

Though it's all a hypothetical on unwanted side-effects. I don't think it too concerning as people value random websites less than their personal data and I'd expect websites using the "everyone is a child" approach to have the advantage.

It could be done by requiring client side certificates and creating issuing authorities for them.
This is a fascinating idea. The only way to preserve a modicum of privacy would be if the certificates are issued by a privacy-regulated authority, are not directly attached to your identity, and are trivial to renew / replace, but seems doable
Yeah I agree, but doubt the senate's ability to understand the concept, much less draft regulations that enact it.
The how isn’t the point - the point is that the what means the end of anonymous casual web browsing.

No more firing up incognito mode to view some YouTube video you’d rather not feed your algorithm. No more browsing the ‘other side’ on twitter privately. No googling for information about embarrassing rashes without Google and webmd knowing exactly who you are.

This is not cool.

In my humble opinion, children should be prevented from browsing much of the horrific content and/or pornographic content on the internet, and I think it is worth thinking about how to prevent it.
> No more firing up incognito mode to view some YouTube video you’d rather not feed your algorithm. No more browsing the ‘other side’ on twitter privately. No googling for information about embarrassing rashes without Google and webmd knowing exactly who you are.

I agree with you on principal and don’t mean to sound dismissive but they’re all doing this already.

When I’m trying to look at anything on Twitter it shortly launches a full screen thing demanding I login (I refuse to sign up).

YouTube requires sign-in for age restricted content.

Google, most annoyingly, makes me complete several captchas for using incognito+private relay

Instagram won’t open in safari with incognito+private relay; I have a throwaway account for just looking at the odd link someone sends me in a meme group-chat; I have to use another browser.

I often have to replace “www.whatever.reddit” to “old.reddit” on my phone to be able to see an “age restricted” post, most of the time they aren’t anything a kid shouldn’t be see either, not sure how they’re determining that.

It could also be done by requiring you to submit a photograph of yourself and your state-issued ID with intact image metadata. I wonder which would be less expensive to implement, and which would be simpler for a customer base to adopt.
> people value random websites less than their personal data

That's debatable. People would balk at the friction and invasiveness of typing in their cc details on every search result, but an automatic tool integrated into a browser could see wide adoption. Virtually everyone just accepts whatever privacy policy and cookie notice is blocking the content on random websites.

But the result of this is only big companies will be able to comply, in which case you'll be faced with a worse privacy future than if this bill had never passed
That argument is used for every new law that is ever considered. Did GDPR kill startups? Did CCPA? COPPA? They will survive this one as well.
GDPR made the web noticeably worse than Before.
They all certainly made the web a worse experience for those using it. Wether that was avoidable or not is moot compared to what happened in practice.
Well that's because it's the trade off for new regulation; the bar of entry will be raised ever so slightly, and a small percentage of struggling/hobby companies will not be able to compete. Eventually with enough regulation the regulated industry becomes effectively an oligopoly. I mean this bill is being pushed in the home state of Facebook, Apple, and other tech giants where they donate the most money. This is not in spite of them but because of them that a bill like this is being pushed through, and I bet if you checked up on who's donated to 5rights or the bills authors you'd see people bought with big tech money https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...
> ...great! I do want to be treated like a child online. I want sites to present terms of service in a language I can understand. I want ...

That's what you want, but you may not get it.

What you might get instead is:

  - no service unless you "prove" you're over 18
then, to add insult to injury:

  - privacy-invasive age proof
Also, you might instead get:

  - no service at all if you're in CA
Being cynical for a moment, I'd say: you'll never get what you want.
If a service wants to place these restrictions then sure, a competing one will pop up to take its place the next day. I will happily build one myself.
This becomes an issue when ad companies put unverified users on a lower tier.

And, the user experience will be restricted (no commenting, video uploads, and who knows what "safe" means).

It's worth mentioning that there was also a very controversial post on HN about Chinese game companies having to do exactly this. There were discussions about things like using cameras and machine learning to verify someone's age but that also is putting a camera into the room of a child (nothing can go wrong here...). There are people condoning as well as advocating for these systems. But I think we're coming to a turning point in our society where we are going to either abandon privacy all together or shift away from surveillance capitalism. Either option will have dramatic changes on our society.

https://news.ycombinator.com/item?id=28356141

Unfortunately your list of benefits is not in the bill, and the bill uses language like "safety, and well-being" in section 1798.99.29

I suspect this will be used for selective political censorship.

Just want to chime in that ads-based network effects are a huge boon to the economy and ability to be innovating and build business on the internet. It's important to recognize that with "privacy" regulation like this will likely come an unexpected chilling of the online economy. I wouldn't be surprised if regulation like this reduced PPP growth for Americans by around 1-2% on average in the long term.
If the choice were really all ads going away and all ad supported websites going with them, or pervasive tracking, I'd gladly give up the minority of ad supported sites that provide value to rid the Internet of the scourge of the remaining ad supported trash.

The truth is that there is no such dichotomy. Ads do not need tracking/"personalization", and if tracking/data collection were made illegal, there would be no commercial advantage for the scummiest "ad tech" company.

(I'm not commenting on the California legislation, but just generally in response to parent)

>I do want to be treated like a child online.

Many of us don't want to be treated like children, much less have the government mandate that we treat everyone has children. We already have a mechanism for protecting children and filtering what they are exposed to, this mechanism is called parents. If this mechanism is broken, then we should work on ways to fix the mechanism instead of deciding that we will simply treat everyone as children and absolve parents from their parental responsibilities.

> I don't want them to store my data unless using it to provide a service

Isn't providing a server you can access "providing a service"?

(comment deleted)
I wish people would stop asking the government to raise their children. I am a parent. If you are a parent, start acting like one and watch your kids a lot more closely. Or better yet, actually spend time with them and stop using iPads as a baby sitter. I know this is harsh and may get downvoted but pared really need to start taking more responsibility on these matters
The problem is, that in today's world, more and more time has been taken away from people because they have to work much more in order to survive the same way. Putting a kid on an iPad or the TV for an hour while you have a meeting is almost necessary. Not as many people live in a close-knit neighborhood, either, so help is non-existent for many. I know my wife and I struggle to find time to spend with our son since we both have to work. The only good thing for us is we both work from home, so we don't have an additional requirement to commute for several more hours or have to find a sitter or daycare too often. We still sometimes have to hire help to watch him when we both have busy days/weeks.

You folks (not specific to the OP here) have to stop assuming everyone has the same amount of free time as you do, or perhaps some of you folks don't have kids and don't realize just how much time and effort they are!

Yeah but why do kids need to be online at all? For millions of years kids never had computers and they grew up just fine. In fact they grew up with fewer cases of depression etc. I’ve got a kid and I don’t let them online unless I’m there interacting with them, doing stuff together. Maybe I’ll let them watch for 15min for a job well done but not for hours on end
Kids need to be doing what other kids the same age are doing. What that is has obviously changed throughout history with technology etc. Which doesn't mean I think it's perfectly fine to let them spend hours online or doing anything sedentary (even reading books) for extended periods every day, but stopping your kids from taking part in activities all their friends/classmates do isn't likely to be good for them either.
I hear you, when I was a kid I was outside a ton.

Here's what I think, but every parent needs to decide for themselves: like it or not, the Internet is an integral part to socializing today. Not allowing your children to socialize this way will hinder their social development, especially when you have no control over them in 0-18 years from now. They need to be able to learn about how to behave on the 'net from a young age, with good supervision and guidance. Sometimes it's good to prevent a child from doing something harmful, and perhaps limiting their screen time in certain ways is necessary, however an extreme version of what you say (15 minutes) is definitely going to hobble their social lives at some point.

> For millions of years kids never had computers and they grew up just fine. In fact they grew up with fewer cases of depression etc. I’ve got a kid and I don’t let them online unless I’m there interacting with them, doing stuff together. Maybe I’ll let them watch for 15min for a job well done but not for hours on end

For millions of years kids never had running water in the home and they grew up just fine. In fact they grew up with fewer cases of depression etc. I’ve got a kid and I don’t let them use a sink, bathtub, or toilet unless I’m there interacting with them, doing stuff together. Maybe I’ll let them watch for 15min for a job well done but not for hours on end.

(comment deleted)
That sounds like a fairly mainstream opinion, particularly on this website
This site loves authoritarianism. Look at how quickly comments get flagged if they go against popular thing. Heck this comment, if not already shadow banned, will be removed within 3 hours of its posting, provided your comment rises high enough.
You aren't shadowbanned yet at least.

I think shadow bans are applied to accounts rather than comments on this site.

TBH "this site loves authoritarianism" seems a bit over-dramatic. But I guess we'll see what happens...

(comment deleted)
There are parental control options on about every popular platform. There is no water in the “protect the kids” argument here, all that can be done on the client side for parents that want to limit what their kids see.
I’d wager that most support for bills like these doesn’t come from people worrying for their own kids so much as wanting to have control over how other people’s kids are parented.

Charitably, they want to protect neglected kids. Uncharitably, they think they know what’s right for everyone and want to institutionalize it.

But most of supporters probably either have no kids, adult kids, or kids who they think they parent well enough to not be in danger.

I understand your ideals... but in-practice many many children don't have engaged, or even present parents. The older I get the more I believe people conflate having kids as raising kids.

I don't believe we're on a path for this to get better either.

This is why I'm generally in support over codified + regulated child protection acts, especially the online ones.

Am I correct to say that you're literally advocating for a nanny-state then? A state that is charged entirely with taking care of children (and by extension adults)?
You're being hyperbolic.

I said "This is why I'm generally in support over codified + regulated child protection acts, especially the online ones." This is clearly not advocating for a "nanny-state." I'll rephrase in case I was misunderstood: I am generally in support of online child protection acts.

> Am I correct to say

I think it's clear you've already made your mind up by pushing what I said to such extreme examples: "nanny-state," and claiming I'm advocating for the government to fully take care of children/adults.

I really like the idea of significant mandatory family education prior to a marriage license being issued.

We need to move beyond the “it’s a melting pot, everyone has their own way” and realize that people are making babies with little understanding of how to do more than keep them alive.

There is a whole field of early childhood development and another in early childhood education and none of it is taught except to specialists.

edit: I realize this is imperfect but I believe it is better than doing nothing or regulating actual reproduction (however you propose to do that).

No one in the history of the internet has ever gotten downvoted for criticizing modern parenting.

I do not, in any way, support this bill. It's idiotic. I do, however, have some sympathy for parent who are not technically savvy, do not know how to block unpleasant content from the internet, and do not watch their kids all the time. If they did watch their kids all the time they'd be called helicopter parents so there's really no winning.

When my daughter watches stuff online. I watch with her so we can discuss and interact with each other, aka quality time. That’s not helicopter parenting
You're quite right. There's a huge difference between coddling and teaching valuable life skills (like critical thought).
When your daughter is 14 or 15 years old, are you still going to watch all her online stuff with her? Or are you going to give her some privacy? And are you confident she'll be mature enough at 14 to handle all online content?
At a certain point you’ll have to trust your youngster to make their own decisions on online content , mid teens seems like A good time to do that
You watch everything she watches and then discuss everything she watches? Sheesh, if I was your kid I'd find that pretty overbearing. How about letting her have her own headspace?

I'd be more motivated to sneak around my internet activity just so I could watch something embarrassing like Smurf cartoons.

At age 7 you should be watching everything with your kid. If that’s too much then they’re watching too much video content.
You've mentioned two extremes - 7 year olds should be completely supervised, 14/15 year olds can make their own decisions.

Do you think there ages between 7 and 14 when kids should be allowed to watch videos unsupervised and kids should have some form of filtering they don't see inappropriate content? If so, who will provide that filtering? You probably can because you post to HN but not every parent will have that skillset

There is a huge difference between a 7 year old and a 15 year old. Massive difference in maturity
> I do, however, have some sympathy for parent who are not technically savvy, do not know how to block unpleasant content from the internet, and do not watch their kids all the time.

The parent ostensibly purchased that device from a business. That's where you apply the fix, not to the internet in general. This is like trying to put the cat back in the bag by legislative fiat.. I expect the same results.

So you'd be fine with a shop set up next to your kids' school specifically to sell alcohol to them? Because that's essentially how social media works right now.
Unless I'm reading this wrong - this bills attempts to give children privacy from their parents?

"Provide an “obvious signal” if parents can monitor their kids’ activities online. How does this intersect with COPPA?"

Are they saying they are going to warn the kids that their parents can check up on them?

Are they utterly insane, or did I read this wrong?

(comment deleted)
Didn’t Britain recently pass a similar law? What was the name?
It's mentioned in the article, along with why that should not be a model for California.
AFAIK it didn't pass, it was still in the planning phase, and then because of the governmental mess they have, it still yet to pass.
If you're betting on California doing something stupid, you always want to go long.
(comment deleted)
This seems universally good. If you can’t determine that your user is an adult, don’t collect or store personal information on them beyond what is necessary to provide the service.
As universally good as GDPR maybe, where the actual results will be largely worse for everyone.
If you mean the cookie banners, it's the result of GDPR not being enforced strictly enough, so companies can use the banner to pretend they're not breaking the law.
This has been driving me nuts. So what's going on is bad actors just continue to violate the GDPR but throw up cookie banners purely as a formality?

I suppose this raises the question how will California enforce this?

With disparate laws in every legislation, it will I think become increasingly burdensome to own a website. If you can't reliably determine where your user is, you must satisfy all of the laws simultaneously - until even that becomes impossible.
Only if you do business in that jurisdiction.

I'm pretty sure some of the websites I'm running are breaking laws in about fifty countries, but I don't care because I don't live or do business there.

I have a website to host some basic static content and maybe a few pieces of text. I don't feel like this makes my life any more burdensome. Do you maybe mean that it will become increasingly burdensome to own a website that collects analytics on users, or something similar?
An enthusiast web forum that captures IP address, often used for helping to enforce troll bans.
They're also not businesses, usually. I didn't read the entirety of the bill, but does an IP address alone constitute PII here?
Yes, IPs are PII given they can be linked across websites. In addition, many ISPs in the US do dynamic IP assignment but will let you keep your ipv4 for years if you don't go offline for too long (i've gone 24 hours without the router connected to the internet on ATT without losing my IP).

And the 'business' requirement is more about "doing business" in the state and not "the service provider is a legally registered business", so individuals also must comply.

(comment deleted)
> Do you maybe mean that it will become increasingly burdensome to own a website that collects analytics on users, or something similar?

I think you are underestimating the impact. Anything that stores account names or emails (forms, comment sections, commerce sites, ...) is a very broad list.

Even if none of this is true and you ONLY serve static content without analytics delivered to the user you are not guaranteed to be safe. Apache by default logs IP addresses [1].

[1] https://www.ptr.co.uk/blog/which-ip-addresses-have-accessed-...

Does your static webserver log IP addresses of requests? Most do by default.
My static site sits behind cloudflare and logs to /dev/null. It's possible (actually pretty easy) to configure things like this.
It does look like you'd be required to perform a data protection impact assessment every two years and submit a report on it. Likely your report won't be complicated because there will be very little impact, but you'll still have to file the paperwork and maintain records to be able to prove that you did the work and that the required updates were performed on schedule without fail.
At some point it'll be easier to run it as TOR hidden service, on Freenet or I2P and stop caring about the bullshit legislation.
Shortly thereafter (if not before), governments will make it illegal to go online with a device that doesn't do a remote attestation with Secure Boot, and they'll require that the OS has a system like Gatekeeper[0] which checks a centrally-managed blacklist every time you try to run an application.

[0] https://www.howtogeek.com/701176/does-apple-track-every-mac-...

Most of us will have illegal, unregistered phones then, running hacked firmware. Just look at Russia, China or all the illegal satellite dishes on Saudi rooftops.

It's an arms race all the way to the collapse of the system (or revolution). Rinse, repeat.

> Most of us will have illegal, unregistered phones then, running hacked firmware.

How easy is it to hack an iPhone to make it run unsigned code, which reports to a remote server that it is running the latest iOS version (with the correct cryptographic proofs)?

Maybe other phones are more hackable right now, but I'm sure Apple wouldn't mind lobbying for a law that requires phones to meet the same standard as them, and that makes ISPs / mobile networks refuse access to any device whose Secure Boot implementation has been circumvented by "independent researchers".

Five years from now, the only people inconvenienced by such a draconian law will be 1) those whose phones run on completely Free Software, and 2) those who illegally import devices that use unpublished zero-days in order to commit highly profitable crimes online. Both groups will probably end up paying thousands of dollars per device, but governments will not care about the desires of either of them.

The technocrat champions of wrapping the Internet up in the nanny state and its regulatory requirements, will inevitably be the ones lamenting the burden in 10-15 years as the Internet (as we used to know it) is fully choked off. To be clear, the Internet barely exists as it is, the Western Europeans (along with China and Russia) are way out in front when it comes to destroying it - however the US, starting primarily from California, will mimic their authoritarian spirit as always.

But but but, we gotta protect the children.

But but but, we gotta stop people from saying bad things that could hurt the feelings. Free speech bad. Must regulate speech.

Cycle forward a decade: the government is going too far! This is outrageous! Too much surveillance! Muh privacy. Who gave them all of this power?!?

Yeah, gee, who indeed.

My gut reaction is that this should be up to each country to enforce in its borders. If someone in CountryA wants to send a request to my web server in CountryB, in some sense that’s similar to someone buying something in CountryB and bringing it into CountryA. That’s obviously up to CountryA’s customs authority to enforce, not whatever shop in CountryB the item was purchased from.

But at the same time I’m very much not into great firewalls.

I've never heard someone argue that a packet crossing a border is considered an "import" but it makes a lot of sense to me!
Have you built a website lately? Forget an alt tag on some graphic on your homepage that has nothing to do with your content like to some stock photos. You're going to get an accessibility lawsuit threat. Page could be simple one pager of your restaurant with all the important content in text like location and hours but forget one alt tag on a photo of you restaurant.

Not to mention all the patent trolls. Have login functionality, there's another lawsuit threat you're going to have to settle for $10k.

(comment deleted)
This reminds me of a conversation I had with an owner of a bbq restaurant who said he was struggling to meet new laws required stainless steel tables for food preparation, which was going to cost him $25,000 to install. This legislation, according to him, was heavily pushed by McDonalds corporation with the intention of driving out small business competition.

Whether this is accurate or not, I think it's clear the deluge of privacy legislation will have the opposite of the intended effect in terms of empowering the facebooks, googles, etc who can afford an army of lawyers, privacy engineers, privacy ops people, etc.

I have a solution for my websites: I don't track people. They are just platforms for text and links. The desire to do tons of invasive tracking is what got us into this situation in the first place, and states like California (and the EU for that matter) want to throw the baby out with the bathwater. There's a lot of bathwater, so I can't say I blame them.
This is all great. I havn't read the entire thing but it's basically saying that if your website is likely to be visited by a child, you have to provide the highest level of privacy.

> require a business that provides an online service, product, or feature likely to be accessed by children to comply with specified requirements, including configuring a requirement to configure all default privacy settings offered by the online service, product, or feature to the settings that offer a high level of privacy

I'll take that as an adult. I hate having to go through the settings of a newly installed application to disable all privacy violating settings.

Also, if someone can point it out, where does it say that it'll require every website to authenticate the users age?

(comment deleted)
Here is the text of the bill: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...

Section 1-5: (5) Children should be afforded protections not only by online products and services specifically directed at them, but by all online products and services they are likely to access. In order to help support the design of online products, services, and features, businesses should take into account the unique needs of different age ranges, including the following developmental stages: 0 to 5 years of age or “preliterate and early literacy”; 6 to 9 years of age or “core primary school years”; 10 to 12 years of age or “transition years”; 13 to 15 years of age or “early teens”; and 16 to 17 years of age or “approaching adulthood”. adulthood.”

I don't know if I fully agree with it being required on every website but the arguments claiming that typically seem to say: Who gets to define "likely access"? If a website link gets posted on a kids forum or social media does that not mean the site will likely be accessed by children?

The bill (now) has a section defining "likely to be accessed by children" that provides 5 ways for that to be satisfied: 1) it is directed at children as defined by some other law (which I haven't looked up but I believe is why YouTube now asks you constantly if your content is directed at children and then limits certain player features if it is), 2) someone does research showing it to be true (which is probably the most important one as it isn't clear how this state gets tripped in a way which notifies the business), 3) there are ads on the site clearly marketing towards children (which might be weird if you are an ad marketplace), 4) your website is similar in scope to a website someone already did the research for (in #2) to show that it is being used by children, or 5) if the company internally keeps statistics and realizes "oh no it is being accessed by children" (which to me is an argument to not keep statistics).

I don't like this bill and think it is at best an example of the politicians' syllogism and at worst a trash fire of regulatory inefficiency, but it would be good to analyze and complain about the actual indicators mentioned in the bill now that they exist as otherwise the people working on this bill can (and in my experience will) discount your complaint as "we already fixed that".

It amazes me how often the HN crowd calls for the government to regulate the Internet and then every time that a law is proposed to pass regulation on the internet it is universally derided.

But still somehow, there is this feeling that giving the government more power is good.

"They are not blocking/regulating the right websites [i.e., the websites I do not like]."
Maybe the HN crowd isn't homogenous.
The HN crowd is quite homogenous about wanting the government to regulate technology companies in the abstract.

When the government actually does get involved it’s a different thing.

Umm wait lol this blog is from June. This bill passed yesterday. It's the law now.
Not to be pedantic, but it still needs to be rubber stamped by Newsom. I am sorry did I say rubber stampted? I meant signed with a significant amount of internal deliberation of the effect of this bill on wellbeing of California as a state.
Newsom vetoed 66 bills last year, 56 of which had passed the legislature with "veto-proof" majorities.
Thanks for the clarification jeffbee. My sarcasm was unwarranted. I just dislike our governor, even though he does, sometimes, make the call that is more aligned with my values.
(comment deleted)
tl;dr making it harder to exploit your users can lower the (already absurdly high) profits

Of course because this doesn't profit companies like Google or Facebook, they'll do anything they can to promote voices opposed to it. And because they control what most people are shown as "the Internet", they might succeed.

A properly working, democratic government is the only thing that can protect the society from corporations. If you trust the government less than corporations, it's probably because your government is shit.

Why would a government be non-shit?

Corporations need to make something useful to someone to get their profits and they are also kept in check by their competitors (unless they have a government-granted monopoly, of course).

Governments only need to fool enough voters to get re-elected. That is easily done these days with media, propaganda, and plenty of populism (vote me and I’ll steal from creators and throw some your way). Most governments on the planet are shit, both historically and presently.

The fact that corporation does something useful for _someone_ doesn't mean they don't do it by exploiting everyone else. And in many markets monopolies form naturally, eg due to network effect. Facebook is a good example.
Eagerly awaiting for some examples of corporations exploiting everyone without alternatives. Meanwhile my government is taking 50% of my monthly income giving me in return the shittiest services, services I would gladly buy from the free market instead.

Facebook is indeed an excellent example of an often vilified corporation which is:

1. not a monopoly (plenty of competition around, from twitter to tiktok and even this very site)

2. providing its services to users happy to give their attention and privacy in return

3. easily replaced - my kids don't even use it and escaping it is simply... not using it really

>Meanwhile my government is taking 50% of my monthly income giving me in return the shittiest services, services I would gladly buy from the free market instead.

Good luck buying law enforcement, roads, or healthcare, on a free market.

Once again - consider moving to a country that’s not shit.

> Will California Eliminate Anonymous Web Browsing?

tldr; no.

California is following the WEF Agenda on Digital Identity:

https://www.weforum.org/agenda/digital-identity/

The goal is to de-anonymize all dissent, and unperson anyone who dares criticize the regime. See: Canadian truckers, Australian anti-lockdowns moms, etc.

If you want to protect children from adult content, just require ISPs to block a list of explicit websites unless the service owner opts-in.

The Clinton admin tried an "ID everyone to access the site" law federally back in the 90s as part of Clinton/Gore's attempt to censor the internet and it got knocked down for constitutionality concerns.

Is CA just relying on the crunchy state politics plus the right-biased SCOTUS to pass this with no challenge?

https://en.wikipedia.org/wiki/Child_Online_Protection_Act

Why wouldn't a left-biased SCOTUS also bless things a left-biased legislature wants? I'm inclined to believe that the makeup of the SCOTUS wouldn't make that much difference in a case about this.
Scalia, while genuinely a bad person, would never have gone for this, and he was certainly on the right.
That's almost certainly true of Scalia. He who spearheaded the "federalism revolution" right up until a case about drugs came up, then he did an abrupt 180 on that in Raich.

But it's likely not true of Thomas. Is it true of the rest? Who knows. The liberals might well side with California's liberal government. Hard to say. Even if that would surprise you, Scalia's turn in Raich surprised many. It's hard to predict the SCOTUS' decisions.

You can't really compare the 90s to today. Kids weren't online 24/7 through smartphones. Cyber bullying and sexting were unknowns.
(comment deleted)
The answer to any question posed in a title is no.

Try it sometime. If you see a title question mentally just say “no”.

The reasons for this law of media are manifold but boil down to 1) if there was evidence that the thing would happen they would state it. I.e. this title would read California will eliminate..

2) there is no 2

What’s left is for you the reader to try and figure out why the author is trying to scare people by posing a question even they know can only be answered in the negative.

(comment deleted)
SCOTUS is going to smack down California eventually on the extra-territorial impact of its laws.

There's a case pending about the impact of their recent legislation on humane livestock handling for meat sold in California. Regardless, of how people feel about the livestock issue, single states should not be able create legislation that forces entire national and international industries to re-tool.

If you want to do that you should be a country, not a state.

Nobody is "forcing" anything, here. Obviously.

California has substantial market power. It is entirely within its rights to dictate how things will be done within California. If that means that some companies then feel some financial inventive to do it that way in general because it's easier, then that's just too bad.

Brush up on the history of the Commerce Clause in the Constitution. It's likely that it will be in the news when SCOTUS considers the pork case next year.
Brush up on California's emission standards for cars. And the history of its standards for gasoline. BTW, arguing that the current joke of a SCOTUS might rule against California isn't a real argument.
Be careful what you wish for. Extra-territoriality is a useful concept for Blue states defending themselves from commercial effects of laws passed in Red states too. You can have federalism while being a good neighbor.
Funny how fascists only care about this when it's California doing it, and not Texas.
The fun thing about California laws is that the people that pass them really don't fucking care about dissent to their goals. left or right
As a parent and also a startup guy and big fan of the anonymous web, my preferred solution would be a requirement for major operating system and browser makers to allow me to set an age linked to my child's account that gets sent as an HTTP header on every web request. That way the provider does not have to force adults to login or reveal their identity to access unmoderated content, the provider just needs to be legally required to not serve minors certain content if they see the HTTP header.
This would create an impossible moderation burden on any website with user-posted content.
Any site that is used by children and has user-posted content should spend enough on moderation to keep that user-posted content safe, and they should charge whatever they need to charge to be able to afford the moderation. Children don't need access to unmoderated, advertising supported forums. If I really trusted my teenager to be able to handle unmoderated user-posted content, I, the parent, could remove the age restrictions on their accounts myself.
Every website is used by children. Law of large numbers, Murphy’s law means if any website is accessible online and children have internet access, eventually a child will visit it.

I don’t think we should have books moderate their content for children. The library, parents, teachers and everyone else responsible for children should take the responsibility to restrict these children’s access to material deemed inappropriate. This is how things have worked for countless years, and worked reasonably well. I don’t think controversial shoehorn legislation is going to work any better, but it will come with some downsides.

This is how things have worked for countless years, and worked reasonably well.

Things have never worked that way for any other medium. Mass internet access has only been around 15 to 30 years, depending on how you count it and arguably it has had disastrous impact on the well-being and mental health of children.

Yes, parents shouldn't be leaving their kids alone with the internet, but:

1. Many parents are going to a bad job at monitoring their kid's internet and if we can create rules that will leave their children less messed up, we should do so. We all pay a price when parents raise messed up kids.

2. Even for strict parents and well meaning children, it is so, so much easier to access poisonous things on the internet than on other mediums. It is hard to keep it out 24/7, it needs to be harder to access bad things.

3. As a strict parent, it sucks being stricter than all the other parents, sucks having to battle with kids about why their peers can do something they can't. Without common norms and common rules, their is an incentive for parents to defect by being the "cool" parent. And the reality of life is that no matter what parents do, teenagers are in large part "raised" by their peers. Teenagers view their peers as a source of authority because they have to live with their peers of the rest of their lives, peers represent the new generation. So what indulgent parents allow their children to do matters for my ability to parent my own child.

> Things have never worked that way for any other medium.

they've been working that way for every other medium. Some movies are good for kids, some are full of sex and gore. Parents have the responsibility to keep their kids from watching movies with content they don't want their kids to see. It's the same with TV shows and video games and books and music and plays and puppet shows. All of those mediums exist, and some content will be good for kids and other content is not intended for them. It has always been the job of parents to make sure they aren't sitting in their kids in front of things they don't want them to see/hear.

>Many parents are going to a bad job at monitoring their kid's internet... As a strict parent, it sucks being stricter than all the other parents,

"Being a parent is hard and some people do it better than others" is not a valid reason to censor content for everyone regardless of their age, or for forcing everyone to hand over personal information and identify themselves to access uncensored content.

All of your examples are situations where the law in many countries does require content providers to safeguard children from consuming adult content regardless of the intervention of their parents.
I can't speak to non-US countries, but there is no law in the US that requires a bookstore, a used video game store, or a cable TV provider to prevent children from seeing things their parents don't want them exposed to.

Neither Comcast or HBO are going around checking IDs before airing Game of Thrones. I'm curious about which countries would require such a thing.

V-CHIP and ratings information in broadcasts are required by law. Comcast and HBO refuse to sell their services to minors, and their products all support parental controls. Brick and mortar stores open to children do not display pornography, and those that do, prohibit entry to children. Providing this material to them is a crime. Some places in the US did have laws regarding ESRB ratings on video games until SCOTUS recently overturned them. etc.
> V-CHIP and ratings information in broadcasts are required by law.

Ratings and V-chip use aren't enforced by law however. Ratings are intended to help parents decide what to allow their kids to watch, not to make the choice for adults or require adults to prove they are over a certain age to access content. V-chips give parents a tool to help block some things when and if they decide to, but most people never use it.

> Comcast and HBO refuse to sell their services to minors

ISPs don't sell their services to minors either. Adults sign up for services and it's their job to decide what their own children see on those services.

> Brick and mortar stores open to children do not display pornography

They do in the US. Any child can walk into Barnes & Noble and see porn on the shelves for sale, or open a book and read graphic descriptions of any number of sexual and violent acts. At the Barnes & Noble near me, porn is kept closer to the children's books than bibles are. Actually, any kid can walk into the store and open a bible and read descriptions of sexual and violent acts.

Libraries also do not police what content children can access within their walls.

> Providing this material to them is a crime.

Not at all, as shown above.

> Some places in the US did have laws regarding ESRB ratings on video games until SCOTUS recently overturned them. etc.

Another example of an overbroad and dangerous California law designed to "protect the children" and it's a damn good thing it was struck down by the courts. The government has no business policing what media I can see as an adult or in policing what media I can show to my own children.

> they've been working that way for every other medium. Some movies are good, some are full of sex and gore. Parents have the responsibility to keep their kids from watching movies with content they don't want their kids to see.

Movie theaters and video rental places tend to refuse to serve minors for X or R material, and (if they look quite young) even PG-13 films. Stores may and often do refuse to sell R-rated films to minors. It may require active parental assistance for a minor to see those kinds of things (before the Internet, anyway—which is kinda the point of this whole discussion) and, even if enforcement is imperfect, surely serves to limit how much of that material even a very motivated kid can practically see (again, pre Internet, I mean). Also, kids have to get to those kinds of places, which can be pretty damn hard for them to do without a parent at least knowing they're out doing something, if not specifically what.

Broadcast TV stations risk FCC action if they show anything too outrageous when kids may be around, and have further restrictions even in night-time hours.

These behaviors are due to a combination of actual government regulation, and ongoing or historical credible threats of regulation if these industries didn't police themselves well-enough, which prompted the creation and enforcement of things like the MPAA's rating system (plus some now-defunct frameworks like the Comic Books Code or the Hays Code, both of which were much stricter than anything we'd likely accept these days—but for the "what's historically been within the Overton window of the freedom-loving United States?" perspective, those aren't that old and did co-exist with and apply to modern mass media, so still have some relevance).

The closest analog we have that I can think of is cable TV, since it's in the home and offers a whole lot of content, and even that tends to self-censor to a substantial degree and doesn't offer many of the worst things the Internet does at all—even on premium channels, which are another thing an adult has to actively work to bring into their house, totally separable from the rest of what cable offers.

Libraries are less-restricted and librarians seem to enjoy providing things a bit subversive (which is great) but I bet even lots of librarians would ask to talk to a parent before lending out certain books, let alone R-rated films, to young kids.

Support from outside entities—including, and largely, due to government action or threat of same—for parents to control what their kids see and hear is, as far as I can tell, the norm since fairly early in the days of modern mass media.

It's the Internet's model that's an aberration, requiring parents to take active steps to keep prevent kids from seeing hardcore porn or extreme violence or whatever on the same device they have to use to do homework, rather than having to take active steps to enable seeing those things, as they'd have to in most other contexts. Isn't it? Which doesn't necessarily mean these kinds of measures are a good idea, but I don't think "parents have always had to actively work to keep their kids from being exposed to awful stuff without substantial help from government and the private sector" really holds up, unless I'm missing something.

The Internet's unprecedented in its reach and being something that's basically required in a modern household, and required to allow kids some access to (again, it's not really optional for school anymore), but even other far less necessary media have had effective, if not perfectly iron-clad and universal, age restrictions imposed by businesses and the government. Right?

> Movie theaters and video rental places tend to refuse to serve minors for X or R material, and (if they look quite young) even PG-13 films.

that isn't a law, movie ratings are a voluntary system designed to help parents make smarter choices about what they will allow their kids to see. It is not intended to police the actions of adults so that parents don't have to do their job. That's the extent of "Support from outside entities" that exists in all other mediums (with the exception of FCC regulations on broadcast TV and radio which were themselves commonly seen as a mistake which is why we didn't see them applied to cable TV, satellite TV/radio, or the internet)

> t's the Internet's model that's an aberration, requiring parents to take active steps to keep prevent kids from seeing hardcore porn or extreme violence or whatever on the same device they have to use to do homework, rather than having to take active steps to enable seeing those things, as they'd have to in most other contexts. Isn't it?

Nope. The same TV that shows sesame street shows porn, HBO shows both kid's movies and Game of Thrones, the same theater that shows G rated movies shows R rated movies, the same car radio that plays disney songs plays howard stern. It has always been the job of parents to monitor how children consume media. Always.

> I don't think "parents have always had to actively work to keep their kids from being exposed to awful stuff without substantial help from government and the private sector" really holds up, unless I'm missing something.

Having "help from government and the private sector" isn't the problem. There are lots of things the government and the private sector can do to help parents which would be perfectly acceptable. The rating system on movies is a good example. Requiring adults to scan their faces every time they want to access a website isn't one of them. Requiring adults to scan their IDs to every website they visit isn't either.

> that isn't a law, movie ratings are a voluntary system designed to help parents make smarter choices about what they will allow their kids to see.

As I covered, most (all?) "voluntary" mass media industry regulation schemes have been much more of an outcome of "sort your shit out to our satisfaction or we'll regulate you into the Earth's core" grumbling from government, than actually voluntary.

Part of the trouble here is there's just nothing comparable to the Internet. The default before was "parents will have to work to enable their kids to access questionable material", not "parents will have to work (really, really hard) to keep their kids from accessing questionable material, including possibly by accident, and maybe stuff pushed on them by some god-awful 'algorithm' trying to radicalize them or push them into some other harmful rabbit-hole because it helps with 'engagement' or some other dumb-assed metric".

Again, the closest thing I can think of is cable, and that had a much more limited set of content and kept the adult stuff mostly opt-in (so, again, active effort required to enable it), plus cable TV was never 1% as valuable for getting by in modern society as Internet access is—the easy answer of "just don't pay for cable" doesn't apply to the Internet, and hasn't for more than a decade.

However, even with media that are far easier to keep out of the home, government pushes for regulation, and effective imposition of such regulation—de jure or, in fear of what de jure might look like, de facto—has been the norm. Much of this absolutely applied to what adults could access (see, again, the Hays or CCA regulatory regimes). As for "scanning their face every time they access a website"—in earlier situations in which a kid might access some piece of media a parent hadn't deliberately invited into their home, and in which some business was involved, everyone did get a face-scan, by the flesh-and-blood clerk, and since 1990 or so those situations almost certainly also involve being recorded on multiple CCTV cameras (and these days, having all that uploaded to god-knows-where and maybe even having face recognition applied to it—ugh, the Internet was such a bad idea)

Again, part of the trouble with these analogies is there's nothing comparable to the Internet. How do you have a clerk judge whether a person's face looks old enough, at "web scale" and before your web server sends a 200 response? You can't, really, but that doesn't mean something of that sort isn't typical practically everywhere but the Internet. The closest thing you can realistically do is automate that process, instead, to bring it back into something resembling the past norms.

This is, I repeat, not necessarily a defense of this kind of legislation as a good idea–I just don't think it actually is a deviation from what was the overwhelming norm for how society operated in most of the 20th century. The Internet free-for-all model is what's the odd-man-out.

> Again, part of the trouble with these analogies is there's nothing comparable to the Internet.

I'll agree that the internet comes with it's own set of challenges, however computers enable unique sets of solutions. There is parental control software you can install, logging you can put in place, you can even screen-record and keylog everything that takes place on a device. Access can be restricted with passwords and devices can be set up to automatically disconnect the internet at certain times.

It takes some work to set those kinds of things up, but parenting has always required work. The internet has a ton of free resources to assist parents in that work. Nothing is perfect, but thankfully no kid ever died from seeing a boob either so mostly things tend to work out. My generation was online long before any parental control software or porn filers existed and we survived after all. Parents today have more tools at their disposal than ever.

Sure, and that approach may be the right one in this new world. I do reject the idea that policing kids' Internet usage is anything like what parents have always had to do, though—it's a totally new challenge on top of all the ones that already existed.

Before, the usual way to keep your kids from seeing (very much, anyway—no system is fool-proof) porn or brutal violence or from encountering any excessively-weird or dangerous subcultures was basically do nothing—if you didn't try to bring that stuff into contact with your kids, odds were they'd encounter very little of it, and likely none unless they were themselves trying to find it. The Internet's flipped that around, so the default is all kinds of horrible stuff being not just available, but possibly pushed at people in your household, including kids, unless you actively work to avoid it.

The norm in earlier cases when others have some say in whether your kids can access such material, is that they're either prohibited by law from providing it, or else are following some prodded-into-existence-by-government industry guidelines that largely prevent access to it by kids. Parents didn't need to spend much time or attention policing that kind of thing, previously.

> Internet usage is anything like what parents have always had to do, though—it's a totally new challenge on top of all the ones that already existed.

Not entirely all the ones that have already existed. Parents used to have to worry about what their kids would rent on their own from video rental stores, or who they were communicating with on teen party lines (look it up if that was long before your time) or the local BBS scene, or going back even farther if they were viewing lewd content in penny arcades or by sneaking into drive-in theaters or sideshows.

> Before, the usual way to keep your kids from seeing...porn or brutal violence or from encountering any excessively-weird or dangerous subcultures was basically do nothing

I'm afraid that's never been true. Arguably, it was much harder in past decades to monitor what your kids were doing because children were far more autonomous than they are today where many are tracked by GPS 24/7. If I were a teenager I think it'd be much easier to hide compromising polaroids and skin mags than to try to hide sexting and visits to pornhub from tech savvy parents. Really though the challenge is simply constantly evolving as old media dies off and new forms pop-up.

> The norm in earlier cases when others have some say in whether your kids can access such material, is that they're either prohibited by law from providing it, or else are following some prodded-into-existence-by-government industry guidelines that largely prevent access to it by kids.

I can say from experience that libraries don't care what you're reading and only occasionally care when you try checking the materials out. As a kid I was never told I couldn't purchase any book I brought to the counter in bookstores and many of them were not remotely appropriate for my age by most people's standards.

When video rentals were a thing the clerks would also routinely rent R rated materials to us as small children (although not 100% of the time). Record stores had zero issues selling music with 'scandalous' lyrics to kids even after parental warning stickers became a thing. Actually getting into an R rated movie as a kid was hit and miss if you bought the ticket, but most people I knew would buy tickets for a kid show and just enter the R rated show once inside (now that theaters have assigned seating that might not work as well today). I do think video game stores have been more strict comparatively because of all the attention on them from parents and media, but they've also been the most tame in terms of sexual content for the same reason.

Generally kids have never had much of an issue finding ways to get into trouble and there's nothing more appealing than the forbidden. I think every generation's parents had to stay on their toes and put in genuine effort to restrict what their kids were seeing and doing and usually with only very limited success.

> Many parents are going to a bad job at monitoring their kid's internet and if we can create rules that will leave their children less messed up, we should do so.

Then we should make a law that holds parents responsible for poor decision making. It's not incumbent on anyone else to make the world a "less messed up" place for them, I had zero say in whether you got to have children or not.. you just decided to do it one day.

Further, most of us don't believe that this law as written or any law in general stands a chance at actually addressing your claim. This law does a really good job of protecting entrenched entrants and denying new startups access to the internet by creating unnecessary technical barriers that cost a lot to erect but don't actually protect children.

It's the worst of all outcomes, if you actually care about "messed up" children.

> it is so, so much easier to access poisonous things on the internet than on other mediums

Is "two children talking to each other" a medium or not? If so, I don't think the internet holds a candle to this.

> it sucks being stricter than all the other parents, sucks having to battle with kids about why their peers can do something they can't.

So.. because some parents find it hard to be strict, we have to force all parents to be strict. And if they aren't? Should we take their children away? I mean, if they're too tempted to be "cool" then we shouldn't even allow that to occur under any circumstance, should we?

Technologically, why should that be a big challenge? In the simplest model, the HTML would require a privacy tag/flag that would need to be matched against an incoming HTTPS request's attribute.

If done right, it might actually be seamless, much unlike the GDPR pop-up which needs to be manually cleared.

I would default to calling all content adult-only, to be safe legally. Then, the moderation burden is deciding which ones are child-safe, which is probably a lower hurdle. But still, to be on the safe side legally, I wouldn’t want to mark any user content child-safe. And so we’d end up with the same system we have today.
If a site cannot moderate their content to a level that is appropriate for children, it is not appropriate for children.

Sites for children typically have strict moderation, or more often, do not have user-generated content.

Why would it be impossible? Twitter for years has allowed people to mark content, including their whole account, with a content warning. Current categories are: Nudity, Violence, Sensitive

That puts most of the burden on the poster, and checking the occasional box is not much of a burden. And these days it also acts as a great tagging system for automated ML filters. Combine that with good tools for users to report violations, and the burden seems pretty manageable.

And honestly, it might lower site burdens. If people only see what they want to see, it could reduce user friction and incoming reports.

I would do it the other way around:

Create a standard header with a "Parental Advisory" PG kind of label. Then let the consumer decide what to do with it. The web is "content", and it is up to the parents to decide how to police their kid's content consumption (same as with music, video, etc).

Then we can start talking about Operating Systems, Browsers or Access points features allowing parents to block pages with specific PG ratings.

Hmm, that would work too. Under this kind of system, the laws protecting children wouldn't ban serving possibly-adult content, or require age checking, but would mandate that you must label certain content with the correct and appropriate age label.
No.

Lack of label should be equated to UNRATED, just like for movies. By _default_ the Internet should be for Adults who have their own right to choose what they see or don't see.

Let the OS / browser / etc WHITELIST things based on a claim something is safe for children, or rated in an academic context (E.G. Wikipedia / medical / etc).

Right. I'm just saying that there would have to be laws punishing providers who falsely label porn as PG-13 or something. Or punishing providers who label their open, unmoderated forums as PG when in fact it has lots of obscene content on it.
That's a good solution for data that is being sent to users, but doesn't help when it comes to data being collected by sites and services.
Require sites that collect data to announce an adults-only rating of sorts?
What would be left? They wouldn't be able to access social media or google. That might not sound so bad to me, but I doubt most children or parents would be happy with that. Not if they want some way for kids to have meaningful access to the internet and also prevent companies from collecting their kid's data. Not that California's law would even do that, but it's how they're selling it to people.
Google is wealthy enough to create a G-rated version of its service that doesn't have the privacy issues. Or a startup could tackle the problem.
Every site that complies with COPPA today.
Ooh, that's good. I'd be most helpful if there were standardized content warnings so that parents could select what they're ok with. E.g., here's one list: https://thetvdb.com/taxonomy/movie/22

Also interesting is this site: https://www.doesthedogdie.com/

Maybe this could go beyond parents. There are whole classes of image that I'd like to have to choose to see. E.g., if I'm eating breakfast and scrolling through Twitter, I don't need to see, say, mangled flesh in an accident photo. If there were standardized content tags, then parents could tell browsers to block outright and adults could make it click-to-view.

That would also likely be better from a fingerprinting perspective.
As a non-parent and a tech guy who believes in freedom, my preferred solution is parents doing their jobs properly and restricting their children's access to devices and content that is harmful and not meant for children. If the burden of responsible parenthood is too much for someone to handle, they don't have to have children. It shouldn't be incumbent on the rest of us to childproof the world because parents are unwilling or unable to monitor and control their children.
> As a non-parents and a tech guy who believes in freedom, my preferred solution is parents doing their jobs properly and restricting their children's access to devices and content that is harmful and not meant for children.

As a parent, I wholeheartedly agree. It's not the government's job, or anyone else's job besides mine, to determine what content my children see or do not see.

Doesn't this just end up putting your children in a vulnerable position? You're specifically announcing that they are a child. I mean there have been tons of issues with Reddit's r/teenagers and predators specifically targeting that subreddit (and some laughable/revealing moments when other subs tried to ban underage users from their own subreddits and so blocked anyone participating in r/teenagers).
You have just handed every website operator the capability to home in on your child's birth date. Age, combined with sampling over time, leaks birth date. If you add an X-jurisdiction-advise header (presumably so we can do lookups to figure out what laws are in force that we'd have to respect), you'd leak uour zipcode eventually. Creating a bunch of sites to do marketing shenanigans and demographic analysis via matching your traffic with other fingerprint data leaks, can lead to a reasonable approximation of gender over time.

Congratulations, you've now managed to leak enough datapoints to be deanonymized.

Do not do this.

It is also a super terrible user experience, since now, changing the driver of the web browser requires what amounts to a login.

I repeat, do not go down this road, there are bad things there.

How can it be anonymous if the "major operating system and browser makers" manage an account tied to a paticular person? My OS (linux) never asks me for such, and certainly not my browsers. Safety and anonymity require that corporations and governments be kept as blind as possible.
what is the difference between this and just install "nanny" software to block stuff?
Microsoft would immediately require you to upload your ID. Governments want it because they consist of lawyers and corporations like MS want it for government contracts.

I think a header field that classifies the content could help. The client needs to do the filtering.

I will never use a OS account synced at the OS provider.

(comment deleted)
The more that breaks the internet as we know it, the better.
Have your website block visitors from California. Problem solved.