The California bill isn't just about adding OS signals, it is about a larger addition to an ecosystem of age verification; and we're all getting tripped up on the tip of the iceberg and no one seems to be talking about the rest of the bill.
I just read the CA bill and I think it is far worse than people have realized. Part of the problem is the ambiguity of the language used which makes it unclear at times if something if covered/required by the bill or not. The bigger issue is, as so often the case, lawmakers are ignorant of what they are passing laws on and haven't gathered adequate feedback before voting into law.
Claiming that restricting use by people of CA or CO violates the GPL and isn't FOSS is short sighted thinking. The entire purpose of these age brackets is to deny the use of certain software to certain people based on their age. That doesn't violate the GPL and FOSS principles? The OS developers get to blithely push the FOSS violation problem to the app and app store developers.
Section 1798.500 defines pkg, apt, pacman, ports, snap, flatpak, and any GUI front end to these as a “Covered application store”. That means each of these tools needs to implement age verification using these new "signals" and must deny the installation of FOSS software when prohibited by age restrictions. What this means is that everyone one of these "stores" must implement a system to check age bracket of user against age restrictions of software packages. How do you add this capability to these "stores" without violating the GPL and FOSS principles my dear principled OS developer?
Section 1798.501 is what everyone is all fussed about and requires an OS to implement an age bracket "signal". It isn't clear if an OS must ask for both age and DOB or can choose to use either. I would suggest that an OS take only age and do not increment this age estimation annually. A random age between 30 and 100 should be the default value if none is provided when the account is created. The user can manually set their age at any time to reflect their new age bracket. This prevents the data stored by the OS from leaking DOB. This section also clarifies that age verification must be done both during install by the "store" (eg. sudo pkg install foo) and by the app at time of launching (eg. ./foo).
Section 1798.502 is very, very nasty and and don't think anyone has really thought this through. My read of the bill is that System76 and every other OS and "store" developer has until 1 July 2027 to add age verification to every OS and "store" that they have ever released since the dawn of time (possibly escapable using the good faith liability exception). Software developers the world over have until 1 July 2027 to add this "signals" age verification to every piece of software released or updated in 2026 if covered by CA Title 1.81 (specifically 1.81.47). The writers of the bill ignorantly thought that all software is distributed via a central store like the Apple store so the wording of the bill requires that you, dear covered app developer, update every instance of your software (if covered by CA Title 1.81) updated in 2026 to add age verification on every distro out there that includes your software. If someone grabbed a copy from your website using wget you still have to update that software or be liable (because they assumed that all software comes from a small number of centralized "stores" they don't give you any mercy).
Section 1798.503 thankfully gives the OS and the "store" an out for good faith implementations. The developer gets no good faith escape from liability. This might allow OS and "store" developers to not have to update EOL releases.
I live one state up from California so we are accustomed to seeing "CA" versions of things, especially when it comes to small engines. My Honda generator says "Not for sale in California" on the box. At one time there were CA compliant cars and 49 state cars, I think they're all the same now due to stricter federal mandates. I suggest we redefine FOSS and create a GPLv4 that clarifies that any features added for the end purposes of denying certain peoples from using the software are themselves a violation of FOSS principles and provide a field within the GPLv4 license to list jurisdictions in which the software cannot be used due to legal requirements which violate FOSS principles. Developers could also release a CA version and an everyone else version. I think that would be covered under the "good faith" clause. You would also need to officially EOL all prior OS releases that are not viable to update with these "signals".
