5/20/2026 at 8:52:45 PM
(5)(a) "COVERED APPLICATION" MEANS A CONSUMER SOFTWARE APPLICATION THAT IS ACCESSED THROUGH A COVERED APPLICATION STORE AND THAT MAY BE RUN OR DIRECTED BY A USER ON A DEVICE.(b) "COVERED APPLICATION" DOES NOT INCLUDE:
(I) A SOFTWARE APPLICATION THAT DOES NOT PROCESS USERS' PERSONAL DATA; OR
(II) AN APPLICATION FROM A FREE, PUBLICLY AVAILABLE CODE REPOSITORY.
by floxy
5/21/2026 at 1:10:20 AM
So if your service is proprietary, but your client is open source, it looks like your're free to go.As someone that relies on third-party clients to get usable interfaces, if this gets widely adopted it would be great news. It would end the cat-and-mouse game from companies trying to force users onto first-party clients.
by dlcarrier
5/21/2026 at 4:29:30 AM
But only if the user is not getting the app through an app store but from a "code repository"? I'm not sure if I interpret that correctly, but at first glance it seems confusing and ambiguous.Does that mean I need to download the Android apk from a git repository? Would a clever lawyer be able to argue that the release section on GitHub is outside the repository and therefore not fulfilling this clause?
Would F-Droid still not be exempt because it is structured like a store and offers pre-built binaries?
by gmueckl
5/21/2026 at 4:06:28 AM
Most proprietary services would process user data.It's also naive to believe that a fraction of open source in a companies pipeline would give them a free pass for everything.
by Yokohiii
5/21/2026 at 4:20:57 AM
But the text says "or," not "and." So by my interpretation if you process user data but are available via "free, public" repo, you're not covered. I presume "free" is defined elsewhere in the text, and that it approximates "open-source."by KAMSPioneer
5/21/2026 at 5:06:09 AM
>(3) THIS ARTICLE 30 DOES NOT APPLY TO:(e) AN OPERATING SYSTEM PROVIDER OR DEVELOPER THAT DISTRIBUTES AN OPERATING SYSTEM OR APPLICATION UNDER LICENSE TERMS THAT PERMIT A RECIPIENT TO COPY, REDISTRIBUTE, AND MODIFY THE SOFTWARE WITHOUT ANY PLATFORM-IMPOSED TECHNICAL OR CONTRACTUAL RESTRICTIONS IMPOSED BY THE PROVIDER OR DEVELOPER ON INSTALLING ALL MODIFIED VERSIONS.
by floxy
5/21/2026 at 7:15:47 AM
Aha, thanks! So I think that raises the question of whether e.g. RHEL is affected. Technically it could be argued that they don't add any additional restrictions, but I wonder if Colorado will see it that way.by KAMSPioneer
5/20/2026 at 10:48:18 PM
On the one hand, I'm absolutely against blanket age verification laws like this one, think there are better ways to solve the stated problem, and believe that the current crop of legislation is being pushed by bad actors for nefarious purposes by means of pandering to public mania.On the other hand, I do appreciate that a possible unintended consequence of the out provided by (5)(b)(I) could be that PII (along with user generated content in general) becomes similarly radioactive to if the US had passed a GDPR equivalent. Either that or it's used as a justification for every single online service to require government ID in order to interact with it "because liability". Unfortunately I assume the latter is somewhat more likely at this point.
Also is it defined precisely what it means to "process users' personal data"?
by fc417fc802
5/21/2026 at 1:25:21 PM
Wondering if providing a reference implementation of a safer age verification/gate would be one way to defeat these laws.by rickydroll
5/20/2026 at 11:35:36 PM
> there are better ways to solve the stated problemCall your representatives. There is overwhelming demand for age gating social media (based on, honestly, good evidence). This will be implemented based on who calls in. If the status quo of technical people being hopelessly nihilistic continues, it will be written in the stupidest ways possible.
by JumpCrisscross
5/21/2026 at 12:16:52 AM
> based on, honestly, good evidenceCan't say I agree. Notice that the proposed legislation isn't specific to social media. Rather it's explicitly advanced in support of Colorado's data privacy laws as they apply to minors.
There's evidence of lots of different issues, a few age related but most not. Adults certainly aren't immune to adversarial algorithms and dark patterns and the practical need for privacy isn't limited to children. It's more that we only seem to be able to achieve broad consensus to add additional regulations where it concerns children.
by fc417fc802
5/21/2026 at 12:20:19 AM
It's always written in the most midwit way possible, then, once predicted failure happens it's patched up to be slightly better. That's the default assumption for most of the things.by Muromec
5/21/2026 at 3:30:01 AM
What do you expect? American politics selects for mediocrity. Being a world-class expert on something is a career disadvantage. Most of the electorate wants wants bullshit artists and cartoon characters.by anigbrowl
5/21/2026 at 12:12:44 AM
Of course we could make predatory algorithms illegal. Or just algorithmic timelines/discovery algorithms.Nah. Can’t stop the money. Let make brain destroying scams and ad spam legal as long as you’re over 18.
by MBCook
5/21/2026 at 12:21:21 AM
TL;DR We need age verification laws to prevent minors from accessing the addictive stream of toxic sludge rather than outlawing its manufacture and distribution.by fc417fc802
5/21/2026 at 1:51:43 AM
How exactly would you do this without, you know, violating the first amendment? Algorithmic feeds are nothing without the content. People get toxic sludge because they signal to the algorithm that they like that.by ethin
5/21/2026 at 3:45:16 AM
It’s just the algorithms promoting things I want banned.You may choose to sign up to see all the toxic sludge you wish, as is our constitutional rights as Americans.
You say “they signal to the algorithm”, but how? How did they see it in the first place to be able to provide that signal? It was suggested to them.
Often because that kind of content is really sticky for the site. Whether because you like it or it outrages you or scares you it’s manipulative in a way that is symbiotic with the platform’s goals.
It provides perverse incentives for creators and companies.
by MBCook
5/21/2026 at 4:37:44 AM
> It’s just the algorithms promoting things I want banned.And again: the only reason the algorithm promotes things is because that person signaled that they were interested in it. They might've gotten it recommended by a friend, acquaintance, whatever, but the point is that if nobody had recommended anything to them the algorithm would have no data.
And again: how do you propose to get this to survive the first amendment? Algorithms are a form of speech under law.
by ethin
5/21/2026 at 4:16:52 PM
But that’s not how algorithms work. Start an account. You don’t have friends. It recommends stuff. And it can get weird fast.You can watch a popular video on benign topic A and somehow that leads you to it being more likely to recommend extreme topic Q.
I’ll say it again: no algorithm. recommendations based on anything involving you are algorithmic.
If you follow a friend, and a friend shares a post, that’s not an algorithm picking what you see. It’s just a post like RSS. You can go choose to follow that new person to see more.
If I follow my friend Bob and his friend likes UFO conspiracies that shouldn’t lead to me seeing UFO conspiracy stuff unless Bob promotes it manually.
by MBCook
5/21/2026 at 5:17:13 PM
Okay, so let's say we decide to go through with "banning the algorithm" (whatever that is). Let's say this is actually implemented, as naively as everybody seems to think this issue is. What happens to:* The homepage of Reddit * The YouTube homepage * The federated timeline of my Mastodon instance * The algorithmic feed that Bluesky uses (which is more customizable than Facebooks)
I could sit here and go on and on. All of these, in one way or another, are algorithmic, in the strict definition of an algorithm. So, are you also saying that the federated timeline of my Mastodon instance shouldn't exist? I mean, in a sense, that's an "algorithmic feed". How am I supposed to find interesting users who I should follow then? By word of Mouth? Because that's not going to work. By forums or awesome lists? Now you've just created yet another kind of echo chamber because what I find depends on what forums or awesome lists I frequent, and that leads to me only seeing what I want to see. Which... Doesn't really solve the root problem that "banning the algorithm" would try to solve. If anything, it makes it worse. Instead of everyone being able to look at alternate viewpoints/ideas, they are suddenly restricted to only those viewpoints/ideas which they want to see/read/hear/whatever. In something like Email that's fine: I only want to see emails for mailing lists and such I've subscribed to for example. On something that is supposed to be a social network, federated or no, that... Kind of destroys the "social network" part.
Like maybe I'm just misunderstanding what everybody means when they talk about "banning the algorithm" and "getting rid of the toxic sludge" but the law (the first amendment) prohibits viewpoint discrimination. Being "content neutral" isn't possible (everything is biased in some manner). So I guess what trips me up is: how exactly would you word the law and thread the needle fine enough that you would only ban the kind of feeds Facebook uses for example, without also causing a ton of second, third, fourth, and maybe even fifth-order effects far beyond what anybody intended to do? And how do you do that without violating the first amendment in the process? Maybe I'm missing something critical here or something, but from all the studies I've looked at that indicate that screen time and such is not actually as harmful as the narrative would like you to think, this looks to me like a solution in search of a problem, and a solution that would have consequences that people haven't thought about.
by ethin
5/21/2026 at 6:25:07 AM
By that logic no product regulation could ever exist because it restricts in some way the free expression of any corporation subject to it.Obviously that's nonsense. Government bodies in the US are permitted to regulate the products traded on the market, at least within reason.
> the only reason the algorithm promotes things is because that person signaled that they were interested in it.
What point do you believe yourself to be making here? The only reason anyone shoots up heroin is because they want to. Or alternatively, someone can want a particular product without appreciating the toxic chemicals it happens to expose him to.
by fc417fc802
5/21/2026 at 1:46:40 PM
> By that logic no product regulation could ever exist because it restricts in some way the free expression of any corporation subject to it.Except that this is case law, not something I'm pulling out of my ass. See Moody v. NetChoice, LLC, 603 U.S. ___ (2024), in which the court ruled that compiling and curating user-generated content into "a distinctive expressive offering" is protected editorial discretion, and that "the First Amendment offers protection when an entity engaging in expressive activity, including compiling and curating others' speech, is directed to accommodate messages it would prefer to exclude." The court did not rule on whether the same First Amendment protection extends to personalized curation decisions made algorithmically solely based on user behavior online without any reference to a site's own standards or guidelines. However, we cannot definitively say that the algorithms Facebook and co. use are not making decisions based on standards or guidelines of some kind, whether those be the community guidelines FB publishes or something else, because we don't know how they work internally, and they very well could be AI-driven with community guidelines in the prompt or something. Or they could be generic off-the-shelf recommender algorithms. Or something totally different. This bit TikTok in Anderson v. TikTok, where the third circuit court ruled that TikTok's "for you" feed was first-party expression and therefore not shielded by section 230, which is itself a massively misunderstood law of it's own.
Literally the only thing I am trying to illustrate is that "ban all the algorithmic feeds" is not as easy as you suggest, and the definitive research proving that they are harmful has yet to actually be found when meta-analysis is conducted[0][1]. The (far more) harmful thing is these platforms extremely lax moderation. Granted, moderation is impossible to truly do competently at scale, but still.
[0]: https://www.techdirt.com/2023/12/18/yet-another-massive-stud... (this one links to 6 other studies)
[1]: https://www.techdirt.com/2026/01/21/two-major-studies-125000...
by ethin
5/21/2026 at 7:33:56 PM
I don't think the case law you're citing says what you claim it does.> is directed to accommodate messages it would prefer to exclude.
That says speech can't be compeled, which is consistent with lots of past case law. That doesn't mean various forms of expression can't be incidentally restricted by regulation that exists for some other legitimate purpose.
Of course the court could decide that algorithmic feeds are a protected form of expression that product regulations can't directly target. But in doing so they would (IIUC) be recognizing them as a form of intentional editorial expression and thus their output would no longer (again IIUC) receive section 230 protection. That would presumably constitute a de facto ban due to the imposed liability.
by fc417fc802
5/21/2026 at 2:22:45 AM
Presumably by outlawing the types of algorithms used with the legislation carefully limited to a particular context rather than anything being authored by an individual. Right to express oneself preserved, government regulates a harmful product, business as usual.As far as this specific Colorado legislation goes (which is concerned with the ability to comply with their previously passed data privacy law) I think it's not entirely bad but I have two issues with it.
First, it reverses the problem. Services should be sending an age-appropriateness (or even just general content classification) signal to the device for local processing, not the other way around. If you're going to mandate that OS creators do anything it should be to implement a certain baseline level of (interoperable!) functionality as far as parental controls are concerned.
Second, the entire thing should be predicated on some metric such as MAU or revenue or combination thereof not on the exceedingly vague idea of a "free, publicly available code repository".
by fc417fc802
5/21/2026 at 4:38:30 AM
> First, it reverses the problem. Services should be sending an age-appropriateness (or even just general content classification) signal to the device for local processing, not the other way around.OK, so say the device receives a signal that say that an app is not appropriate for children under 13. How would the device find out if the user trying to run the app is under 13?
by tzs
5/21/2026 at 6:33:57 AM
The question itself (ie if the user is under 13) doesn't matter. Already for the current legislation there's nothing stopping the device owner from intentionally lying about the age. So really this entire exercise is about providing a standardized means of control over filtering, thus my observation that the proposed measure is both backwards and overly limited in scope.The software on the device can do whatever it would like with the signal it receives, including consulting the user account metadata for declared age if the device owner so desires.
by fc417fc802
5/21/2026 at 2:29:19 AM
I definitely agree with those. Age verification laws in general I have lots of beef with because they're so nonsensical.by ethin
5/21/2026 at 1:50:14 AM
No, the mania is based on extremely bad/cherry picked evidence. There are at least 6 studies alone (some including meta-analysis) which has found absolutely no link to prove social media is addictive or harmful to children. If anything, they've found the opposite, and one even suggests that calling it addictive might be causing the very problem we're pretending to solveby ethin
5/20/2026 at 9:52:18 PM
That wording could be interesting, because it's ambiguous if free is applicable to the repository or the project. Presumably, the latter. This means you could absolutely do source-open but not open-source and still get around it.by vegadw
5/20/2026 at 11:06:08 PM
Well it says code repository not artifact repository. But it doesn't prohibit obfuscation or transpilation and more generally doesn't appear to specify anything beyond "free and publicly available". I really get the feeling that the people who wrote the law don't have a clear idea of what they're trying to say here and that any court decision is going to be a roll of the dice.by fc417fc802