Utah Legislature Passes Completely Unworkable App Store ‘Age Verification’ Bill
from the bounty-law-but-for-kids dept
It’s not like we need any more of this sort of thing. COPPA (Children’s Online Privacy Protection Act) pretty much deters any app maker or social media service from catering to a very underage crowd. Compliance is difficult, if not impossible. But, all the same, it has deterred plenty of the worst developers in the world from exploiting the pre-teen demographic.
In Utah, that’s not enough. Now, it’s time to “protect” the age 13-18 group from their own actions. The bill [PDF], recently passed by the Utah legislature (and now headed for the governor’s desk), creates a private cause of action for parents of this subgroup of minors should app stores (and the developers of the apps they host) somehow fail to comply with a long list of impossibilities.
What I always find amusing to the point of nausea are things like this: the legislative presumption that it’s somehow possible to “verify” the ages of people who are too young to obtain legal forms of identification. But that’s what’s going on here, as the bill makes amply clear:
requires app store providers to:
● verify a user’s age category;
● obtain parental consent for minor accounts;
● notify users and parents of significant changes;
● share age category and consent data with developers; and
● protect age verification data
Some of this makes sense. Conscientious parents would appreciate any minor-affecting changes to terms of use agreements or further insight into how user data is collected/used. But it’s the first bullet point that’s a problem. You can’t verify “age category” without government documents that attest to a person’s age. And short of having every user upload a PDF of birth certificates, there’s no way to do this in a way that satisfies this bill’s vague demands for “verification.”
What this law is really about is giving parents leverage to sue app stores after their kid racks up $400 in Roblox purchases. That’s it. It serves no greater purpose than to alleviate parents of parental responsibility. While it does say things that sound like the sort of thing that should be said to the most exploitative of minor-targeting apps, most of this has already been said elsewhere in other laws.
There are some upsides, but they’re (excuse the pun) pretty minor when compared to the entirety of the bill. First, there’s a safe harbor provision for “compliant developers.” That this compliance will be defined by the same legislators that proposed this hot garbage isn’t exactly comforting, though.
Second, it does at least ensure the government doesn’t leave “compliance” completely up to the imaginations of app stores and developers. It does instruct the Division of Consumer Production to “establish standards for age verification methods.” That puts part of the compliance burden back on the government, where it definitely belongs. How can anyone “comply” when there are no specifications for “compliance?” Letting this law go into force before this guidance is in place is what’s commonly known as entrapment.
Back to the bad news:
…creates a private right of action for parents of harmed minors
This is all the bill does. In practice, that would mean awards of $1,000 per violation to any successful suing parent, along with legal fees. The bill does not allow the state to pursue legal action against app stores and developers. And if that last sentence sounds like adequate news, if not actual good news, it isn’t. It’s a dodge.
This makes it a “bounty” law. By doing so, it ensures the bill will have a much higher chance of surviving a legal challenge if it’s signed into law. This is the same playbook the Utah government used to keep its porn site age verification law from being blocked by federal courts. The argument — as weak as it is — appears to be working, so far. That argument is: if only private citizens can sue, it’s not really the government doing the enforcing of the law. And if the government isn’t enforcing it, suing the government doesn’t work because… well, it’s just private citizens taking private companies to court.
It’s bullshit. But it’s bullshit that works. And that sucks because the law, as written, is a vague, unworkable mess that requires minors to verify their age with documents they can’t possibly possess. And app stores shouldn’t be held responsible for purchases/contracts deployed by apps they host just because some kid has spent hundreds of their parents’ dollars on virtual goods. On top of that, app stores and developers have no way of knowing who’s using the devices accessing these apps. Plenty of minors use their parents’ devices to play games or access content. If the account has already been flagged (through whatever process) as belonging to an adult, app stores and developers aren’t going to restrict access and/or block purchases because they have no reason to believe a minor is utilizing that device or account.
This is stupid, performative crap that basically says parents who don’t pay attention to what their kids are doing can leverage their own negligence to extract money from tech companies. And all with the state’s blessing, even if the state is doing everything it can to pretend that passing laws that enable private legal actions is somehow not actually government imposition.
Filed Under: age verification, app stores, bounty law, utah
Comments on “Utah Legislature Passes Completely Unworkable App Store ‘Age Verification’ Bill”
If they’re serious about protecting the children of Utah, they could start actually doing some work investigating the many, MANY abuse cases being covered up by the Church of Latter Day Saints because everyone knows damn well religious institutions do more to harm children than any app.
It’s funny how the ‘If you did nothing wrong, you have nothing to hide’ ‘Blue lives matter’ and ‘Think of the children’ types always seem to side with their cult of choice and screech persecution when they’re investigates for the actual crimes they commit against them.
Re:
It’s probably just easier and cheaper to Geofence Utah and stop the app stores working there than to try to implement this.
Re: Re:
Except that many children know better than their parents how to install a VPN or using Tor.
You know, the kind of 14y “hacker” kids that are doing dodgy things on their bedroom at 3am, like watching a 10 minutes tutorial on YouTube about how to install Signal or Ad-blockers on their phone.
Utah please, protect the kids, damnit, and let them play MMORPG and watch porn like we used to at their age.
We seriously need a new constitutional amendment banning bounty laws. This shit is super way past getting out of hand. If the government isn’t allowed to do it, then it shouldn’t be allowed to bribe private citizens to do it on their behalf.
Re:
It’ll never happen so long as they can use it to circumvent the first amendment and stifle free speech that way. There’s just no winning against these stupid loopholes.
Re: Re:
They’ll just find a new one, as conservatives have always done.
Re: Re:
There are ways to win against the loopholes, don’t give up!
Re:
It should just take SCOTUS ruling in a case that bounty laws being passed by legislatures and enforced by courts that allow the lawsuits by private parties are in fact by those very deeds the government enforcing the laws. If the government can’t be sued because it’s not enforcing the law, then you can’t be sued in court using the law.
But of course the current SCOTUS isn’t capable of rendering good decisions except by accident or when good decisions happen to benefit wealthy and/or conservative groups.
Re: Re:
Didn’t we just go through this yesterday? (https://www.techdirt.com/2025/03/11/judge-uses-dds-failure-to-make-him-worship-satan-to-school-florida-on-social-media-moral-panics/ Judge Uses D&D’s Failure To Make Him Worship Satan…):
That bit about ‘everyone knows’, or ‘experts say’, or worse yet ‘scientific studies show’, that’s all hogwash as Judge Walker immediately recognized, and blatantly put Golumbiewski under the bus with a firm foot on the throttle.
But the real trouble I have here is that the State is essentially deputizing citizens to form a posse (a posse of one is doable) and go out and make like the sheriff. So here’s the rub; in every state’s Constitution, as they follow the country’s Constitution, no person shall be allowed to act as a deputy without direct authorization, and only upon taking an oath to both carry out his/her duties, and to take no other action than what was specified in that special deputization.
So, we have a law that criminalizes some action. We have ‘special’ deputies enforcing said law. And the law provides no method of levying a fine or jail time, only that a private party may be entitled to receive funds directly from the defendant(s). That last part sounds like a civil action to me, doesn’t it to you?
So why does Utah need a specific law to outline this objective? People can already sue one another as they might wish in a civil action, for any imaginable reason, no matter how outlandish. And the answer is, if the State attempts to enforce such a law, they’ll get shut down in a hot hurry; and they know it. Whereupon letting the citizenry know in a very public manner (big headlines) that they can make accusations and the State will cheer them on for doing so, that’s a matter of both gaining points with their base voters, and (so far) an end run around the federal courts. Or so they think.
My argument here has not yet been brought to bear in a federal court. But I’d lay long odds that a decent lawyer could make this stick – either a citizen is already entitled to bring suit over a civil matter, or they are acting as deputies of the state to enforce a criminal law. Can’t have it both ways. The fact that the State gets “nothing” out it is not a get-out-of-jail-free card, they put it writing, in bold print even.
And while it has been alluded to in these comments, let me point out that if one looks at points #4 and #5 – share data, and protect data – one can see why I’m at a loss for words, and can only shake my head.
Re: Re: Re:
People cannot actually sue each other for “any imaginable reason”. One of the major cornerstones of tort law is that the aggrieved party must suffer some kind of harm, and the value which is being sued for is supposed to be the amount necessary to “correct” the harm. If you destroy my fence, I can sue you for the amount it would require to replace it.
Bounty laws pervert this basic concept by creating a cause of action out of legislative thin air. Now instead of measuring how much harm one party has suffered at the hands of another, law has declared that anyone can be aggrieved by the wrong-doer, and the amount by which they are supposedly aggrieved is decided by statute.
Re: Re: Re:2
FYI, people can sue each other for “any imaginable reason”, or there wouldn’t be all these cases resulting in the Streisand Effect.
How does a minor spend $400 online without their parents enabling that in the first place?
You can’t take age verification information and protect said information. You can’t prove anything without retaining it and you can’t retain it without getting hacked or having it accessible to multiple people and systems.
'Put this target on your back. Now don't get shot, as that'll be YOUR fault.'
requires app store providers to:
– verify a user’s age category;
– obtain parental consent for minor accounts;
– notify users and parents of significant changes;
– share age category and consent data with developers; and
– protect age verification data
You know what the best way to keep private data relating to minors secure is? Not collecting it in the first place. The state is basically demanding that any app developer or store that offers service in utah create a treasure-trove of personal data on minors and then with a handwave telling those same companies to ‘protect’ it, a task doomed to failure given no security is perfect and a lot of people/groups are likely to be trying to grab such a juicy target.
Were I an app dev or in charge of running an app store I’d add in a ‘No minors may ever use this app, parental consent or not’ clause specific to utah users so that it’s clear that any minor caught using it is only doing so by violating the TOS and lying about their age, and if that’s not enough legal cover just geo-fence the entirety of utah to prevent anyone from the state from accessing the app/store with a message to users listing the contact details of who to blame.
And all this because parents are too lazy to do their gorram jobs and politicians are either too gutless to tell them to do so or are exploiting parental laziness by giving them someone to blame that isn’t themselves.
So..
Basically, now app stores are adults only…
Since minors generally won’t be able to verify their ages, app store are pretty much compelled not sell to minors, under any circumstance.
Hate to say it, but you do have one flaw in your argument here .
That’s not exactly true…
You do mention birth certificates.. so you didn’t completely blow it.
Minors can get passports too.
But the big one who’s omission I find baffling…
DRIVER’S LICENSE
That’s available at 16…
Re: Correction
FYI, Alaska, Arkansas, Idaho, Iowa, Kansas, Michigan, Montana, North Dakota, and South Dakota all allow teenagers under the age of fifteen to hold learner’s permits, and many more allow learner’s permits to drivers under the age of sixteen, and given how often kids will drive independently on a learner’s permit, hoping they don’t get pulled over…
Re: Re:
The problem there is that generally learner’s permits arn’t recognized as a government Id.
Re: Re: Re:
I don’t think AC was making the case they are, only that they’re available at younger ages than you claimed.
I like the last two bullet points.. As soon as a someone ages into a new category, you have to effectively give their date of birth to all app-developers but keep their (age-verification) data private!
/S
The more I think about these age verification laws, the more I think they are for advertisers. Here is a group of users that developers and ad companies are VERIFIED teenagers.
Birthday certificate
How is a birth certificate considered a legal proof of age on a website? It doesn’t have a photo on it, so anyone can upload anyone else’s birth certificate.
Sure, that might be against the rules of the website, but so what? This proof is to protect the website from getting sued, so it’s not like the website owners are going to complain.