April 23, 2026 · Business Affairs & Labor · 23,302 words · 15 speakers · 139 segments
Okay. We're about to start, guys. Business committee will come to order. Welcome to Thursday, April 23rd, 2026. We have two bills today, and our first bill sponsor, Vice Chair Camacho, is in front of us, and I believe that Rep. Joseph is online. Before we get started with that, let's call the roll.
Ms. Oroja, please call the roll.
Rep. Brooks.
English.
Excused.
Gonzalez.
Kelty.
Here.
Leader.
Present.
Mabry.
He's on the wall today.
Marshall.
Here.
Morrow.
Here.
Richardson.
Here.
Ryden.
Excused.
Zucla.
Here.
Camacho. Here. Madam Chair. Present.
Okay. Bill sponsor for HB 261319 is before us. Rep Camacho. Please take it away.
Thank you Madam Chair and members of the committee. First I want to express my deep gratitude to the stakeholders who have come to the table in good faith with us and shared commitment to getting this right. Thank you to CWA 7790, One Colorado, the Colorado Education Association, Rocky Mountain Equality, Colorado organizations responding to AIDS and HIV, your partnership, your advocacy, and your willingness to engage in thoughtful conversation have made this bill more thoughtful. Through these conversations, it has become clear that while the goal is urgent, the work deserves the time to be done right. We are committed to continuing that collaboration, and we are grateful for everyone's dedication to this effort. And with that in mind, today while we'll be moving to postpone this bill to a later date, this is not a step back from the values behind this bill, it's a step towards getting it right. Because the issues at heart in this legislation are too important to rush. It's too important to get wrong. This bill is about something fundamentally simple and profound and important. The right to be who you are at work without fear. Because no one should have to choose between their paycheck and their identity. No one should have to hide who they are just to feel safe in the workplace. And no one should face retaliation simply for asking to be called by their name, their pronouns or to be recognized for who they truly are. While Carl has long been a leader in non-discrimination protections, we know those protections are not always fully realized in people's day-to-day lives. Too many LGBTQ plus workers still face harassment, unequal treatment, and barriers to being seen and respected for who they are. This bill makes those rights real. It affirms that every worker has the right to be open about their sexual orientation, gender identity, and gender expression without fear of discrimination or retaliation. It ensures that workers are recognized as they identify and their names and pronouns are respected. And that workplace reflects the dignity of every person. Because recognition is not a courtesy, recognition is dignity. And dignity should never be optional in the workplace. This bill also is about the transgender community in Colorado. At a time when trans individuals are facing increasing hostility and erasure across the country, it is critical that Colorado continues to lead with clarity and courage. We are saying clearly and unequivocally, transgender workers belong in our workplaces, they belong in our communities and they deserve to be protected under the law Because when we protect the most vulnerable among us we strengthen the dignity for everyone And we build workplaces where people can show up fully as themselves We build a stronger, more inclusive economy for our entire state. At its core, this bill is about freedom. The freedom to live honestly, the freedom to work without fear, and the freedom to be recognized for who you are. And while we are moving to lay over this bill to a later date, the work is not over. We will continue working with stakeholders and we will continue refining this policy and we will continue fighting to ensure that every worker in Colorado is seen, respected, and protected. Thank you.
Thank you. And let the record reflect that we've been joined by Rep. Raiden and also our bill sponsor, Rep. Joseph, is here. Thank you. Rep. Joseph.
Thank you, Madam Chair. Thank you, members of the committee. I want to start by thanking Communications Workers of America for their leadership on this particular bill. And also, I want to thank Rep. Camacho for championing this bill with me as well. It has been a lot of work that we've put on this bill. And the reason why we're PI-ing today, it's based on stakeholding and communications that we've had. Sometimes we have to lay over bills, PI them, and come back. And that's what we intend to do, is to come back next year with a stronger bill that reflect the desires of all communities. Sometimes the role of this body is not to pass laws. but to name what is happening in our communities, to stand with people who are being targeted and to make it clear where we stand. This bill is about dignity. It is about the fundamental belief that every person, no matter who they are, deserves the right to show up to work as their full, authentic self without fear. But right now, that is not the reality for many LGBTQ plus Coloradans, especially transgender and non-binary individuals. Across the country, we are seeing an unprecedented wave of attacks on the trans community. In the last few years, hundreds of bills have been introduced to restrict basic rights, targeting health care, education, and the simple ability to exist openly in public life. And that climate doesn't stay contained. It follows people in their workplace, into their livelihoods, into the spaces where they should feel most secure. The data is clear. Nearly half of transgender individuals report experiencing discrimination or mistreatment at work. More than one in four have lost a job due to bias. And many report feeling forced to hide who they are just to keep their employment. Think about that. Imagine going to work every day knowing that being honest about who you are could cost you everything you've ever worked for. That is the reality this bill sought to confront. House Bill 261319 said that in Colorado you should not have to choose between your identity and your paycheck as you've heard from Rep Camacho it affirms that employees deserve to be called by their names it affirms that they deserve access to spaces that align with who they are It affirms that they deserve equal benefits equal treatment, and equal protection from retaliation. And just as importantly, it says that when those rights are violated, there has to be accountability. Now we are realistic about the path forward for this field today. But bringing it forward matters because for every person watching and listening to us today who feel unseen or unsafe or unwelcome in their workplace, this is, we see you. For every young person wondering if there is a place for them in this state, this bill say there is. And for every employer, every institution, every community, this is a reminder that inclusion is not optional. It is a responsibility. Colorado has always prided itself on being a place that values fairness, freedom, and opportunity. And even when the path is difficult, even when the votes are not there yet, we have a responsibility to lead, to speak clearly. to stand firmly, and to keep pushing forward. Because the arc of progress does not move on its own, it moves because people are willing to stand up and say, this is who we are, and this is what we value. Today, that is what we're doing. Thank you, members of the committee. Thank you, Madam Chair. Thank you for the opportunity to be here before you today. Thank you, bill sponsors. Vice Chair Camacho.
Thank you, Madam Chair and members of the committee.
While we are not PI-ing this bill today, we are asking that the committee lay it over until May 15, 2026. So I move House Bill 26, 13, 19 to be laid over until May 15, 2026.
Second. Okay, the bill has been moved and seconded. Please call the roll, Ms. Haroja.
Representative Brooks
Yes English Yes Kelsey Yes Leader Yes at the sponsor's request Mabry At the sponsor's request, yes Marshall Yes Morrow Yes Richardson Yes Bryden Yes Sucla Yes Camacho Yes Madam Chair At the sponsor's request, yes it passes 13-0 thank you bill sponsors okay we're going to do a quick transition for myself and Rep. Pasco to present our bill SB 51 Thank you. All right We here to hear Senate Bill 2651 We have our bill sponsors here Who would like to go first? Madam Chair. Thank you, Mr. Vice Chair and members of the committee. Thank you.
It's my pleasure to be here today to present SB 51. What this bill does is it creates a privacy-forward approach to protect kids online. Right now, companies can claim that they have no way of knowing for sure that a user is a minor, so they are free to collect and sell data on all users in defiance of the Colorado Privacy Act, which has strict protections for children. The age signal system created in this bill creates a legally binding method to keep these companies from collecting and selling children's data. It is an age expectation bill, not an age verification bill, and there's a difference. Modeled after the California AB 1043, this bill requires users to enter in their birthday or age or age bracket when setting up the devices. That information is then converted to an age bracket and is communicated to applications. Unlike legislation passed in Utah and Texas, which has faced legal challenges, this bill does not request pictures or photo IDs or government documents. With amendments brought forward today, adults may be able to simply document that they are an adult and opt out of the estatization system entirely. There are no content controls in the bill. It is entirely up to the app developers to determine who can and cannot access the apps. This simply puts in place an age expectation system for these apps to utilize as they see fit. This is a deliberately narrowly scoped bill meant to give parents a tool that doesn't require constant intrusions on the privacy of everyone who uses the Internet. And with that, I'll pass it on to Representative Paschal. I'm honored to be here with her today on this bill.
Representative Paschal. Thank you, Mr. Chair. I am grateful for the many conversations that we've had since this bill passed the Senate with the open source community and other developers and individual citizens from whom you may have received emails. The Strike Below Amendment, which is our first amendment, that we bring forward today will address the concerns they have raised, clarifying that the ecosystem that this bill applies to are hardware devices that have an operating system and an application store associated with it and an account that connects the two together. So that is the ecosystem. And that is the only ecosystem this applies to. It does not include your Roomba. It does not include your Raspberry Pi devices. and you can Google that if you don't know what it is. But those are emails I have received that people were worried it would be their Roomba. So we tried to make this much more clear than it originally was. And on the application side, this poll applies to applications that use personal data, which could be as simple as a login and password. So for instance, it does not include a calculator app, which is not going to collect any personal information. It's not, you know, it's rated G. No one's concerned about who uses it. That's not included. And we have explicitly taken open source systems like Linux and made them completely exempt. along with software sharing sites like GitHub and enterprise business applications. So regarding age verification systems, as my co-prime has told you, this is not age verification, it is age attestation. Right now, there is a company out there currently spending a lot of money across the country pushing for age verification bills. Such bills would require every user to upload personally identifiable information, like pictures of their face or government IDs, in order to use their systems. Their goal is to put the liability for age gating on the application store and not the apps themselves. Our bill, on the other hand, balances the liability between the application store or the OS and the applications. The liability and the responsibility, they're both together, making sure that that's a good system for users. And so we have, I urge an I vote on our bill, we do have a couple of applications that we are bringing forward. At least two, there may be one coming up during committee.
And just for clarity, when you said application, I assume you mean amendment?
Oh, yes. Sorry.
Community members, do we have any questions for our sponsors? Rev. Leader. Thank you, Mr. Chair. I'm looking at the strike below, and I was curious because if you, or Rep. Paschal or Rep. Ricks, If you turn to page 4 of L004, section 30-1023B IV, it reads, except as provided in subsections 3D2 and 3D3 of this section, a developer shall treat an age signal received to the article of the primary indicator of a user's age range. Now please, same page, look down to subsection 3D on the same page, and it contains the subsection I, it contains subsection 2, but there's not a subsection 3D3. So the cross-reference in your strike below points to a subsection that doesn't exist in your strike below. So can you explain how the committee can vote on when there's not that subsection there that contains the cross-reference?
Rep. Yes, that's an error. If you look at the Second Amendment, it fixes the reference. That's what this is? That's what the Second Amendment is for.
Good catch. Thank you. Just for clarity, we're not talking about the Second Amendment?
Not the Second Amendment of the U.S. Constitution. For my colleagues to the right of me.
We were talking about the bill.
Actually, sorry, we're talking about Amendment 5. Yeah. Amendment 5. Yeah, 4 and 5.
So this is L-0-0-5 that it corrects.
Yes.
Can any members, any more questions for our sponsors? Not at all. Red Brooks. Thank you. Sure thank you Can you walk me through just some of the things off the top of my head that come to whether there somebody fudging what their age is
There's really nothing to address that.
What about shared devices? And I don't see anything in here that addresses the ability to change the attestation, re-attestate, right? when people age out of different categories? Can you speak to those concerns?
Representative Paschal. Yes. So it's certainly not Fort Knox. The goal here really is to put the parent in control so the parent can set up the system for their child and to view them as being responsible to do that if they wish to. and that's sort of the trade-off versus you're going to upload like the kid's birth certificate or take a facial scan. That's the trade-off there. In terms of age brackets changing, so you can, there's a couple of different ways you can implement that and we have left it open to the vendors to implement that in software as they wish but typically, so for instance, what you would do is if you collect the birth date, then the operating system can calculate when that changes and send a signal to the application letting it know that the age bracket has changed. And that's pretty straightforward software. I've written it myself. So I know that can be done. If you enter in an age or an age bracket, then that's not going to work. And so then the system would need to have a means for the parent, for instance, to be able to go in and say, I need to update my kid's age bracket. Here's me updating their age or their age bracket now that they want to get into applications of a higher age bracket since they are in that bracket now.
Representative Brooks. Chair, thank you. Not to seem overly obstinate, just garden variety. You kind of laid it out there for me that if you're relying on accountability from parents, then wouldn't basic parental accountability supersede the need? If we have accountability, we don't necessarily have to have anything like this anyway. We kind of need to have parental accountability at some point.
Brett Paschal? Yeah, so where this comes into play, though, is that the laws that we have on the books, like, for instance, the Colorado Privacy Act, applications are required to treat data belonging to children differently than data belonging to an adult. And so if you have an application, how do you know as a parent that an application that you're going to let your kids use does that? But if we send, if you set their age up and it sends an aid signal to that app, then the app is now liable for handling their data as a minor. And they can't say, well, we didn't know, because they do know. And so that's where really the parent doesn't have the tool to be able to do that right now. And so this introduces a tool they can use to do that.
Rob Kelty. Thank you, Mr. Chair. So I'm just trying to wrap my head around this. So if you have an application that's, and I'm assuming this is all just for online applications. But when you're talking about operating systems, You have operating systems like my colleague had mentioned that are shared devices and things like that But if you have an operating system like my father used to have that was way out of date We're talking that his computer, everything was 10 years old. He played solitaire on it, solitaire on it, and by God, you better not touch it. But a lot of individuals, they can't afford new devices. They can't afford to pay for new operating systems. And so they have these old operating systems. How is this going to work if Microsoft or any of these OS providers, they're unable to be able to provide such a check on these operating systems that are so old, 5, 8, 10 years old. And I know a lot of daycare centers I used to support and build machines for daycare centers because they couldn't afford them. So they would have, like, the older machines, things that people got rid of. I would put old OSs on there back there, and it was, like, 98. You know, so it was stuff like that. So what happens with those guys?
Brad Paschal. So we require the operating systems and the applications to make the updates. However, if somebody has an older computer or they just are afraid of updating their operating system, we can't make them do it. So it may be that this doesn't work on their computer if they're operating with old data, unless they update their applications.
But then according to your bill, does that then hold Microsoft accountable then for not being able to provide that to an individual who has an old operating system? What protects them?
Pascal. Okay, well, I'm not a lawyer. But I would say that if you can't, if the user chooses not to update the software, Microsoft can't be held liable.
Rob Kelsey? Okay, I understand that. I understand that, but in here it's saying that they have to be able to provide it. So I guess I'm just, what's the point of the bill then? If it's not required, if they don't have to really do it, if the parents can choose not to have it. I mean, if an operating system or a company wants to provide this for their customers, couldn't they just do it anyways without legislation?
Rep. Haskell?
Oh, Madam Chair.
Thank you. So basically this law is going to take effect January 1st, 2027. Any operating system that is not updated... 28. 28. July 28. July 28. So any operating system that is not updated on or after January 1, 2027 is not held liable for if it's an outdated computer that's 10 years old operating system. Clearly, it won't be able to update because that feature is not already in that system at that point. So they can't be held accountable unless it's something after the date that this bill calls for.
Does that make sense? Last one up, Kelty. Thank you, Mr. Chair. So kind. You're welcome. So then if you have old equipment, and you know how old equipment can, sometimes it doesn't accept newer operating systems. So if I'm rebuilding my system after that date, and it can't take a newer operating system, I just want to make sure that Microsoft or a company is not held liable for something that's unable, a person can't sue them, saying oh you not providing this on my machine because their system can take the new operating system but the new operating system doesn work on their system but then they can offer it so they not being able to use it So I just make sure there no liability there Matt Paschal Thank you, Mr. Chair.
I don't think you can hold somebody liable for something that someone else chooses not to do. I mean, they've provided it, and it may be that the hardware won't take it, so they can't, but as is usual with software, is that you can't apply something retroactively. you can apply something going forward. So if their hardware is so old that it can't update the operating system or they choose not to, the company cannot be held liable for a feature that they did not apply when someone has a system so old that it couldn't be applied. That is currently reality of liability.
Representative Richardson. Thank you, Mr. Chair. Just as I look through this, I mean, the nature of operating systems as they're used globally, what are the impacts or implications if other states put in operating system level requirements in this arena, but they're different or conflict with our states?
Greg Paschal? Sure. So I think with this system where you use this age signal, if another state, for instance, a vendor wants to sell this product and they only want to make one version of it, right? So that's going to be their goal. And if they want to sell that here and they also want to sell it in another state that has like a more, like an age verification system, they don't conflict with each other. And there is language in here essentially that says if you, as an application, believe that you have better information than the age signal, then you can use that better information. So if there was a system that had both an age signal and age verification, and depending on how they implemented age verification, it might be more like Fort Knox in terms of the kid cannot get in, right? They're going to do a facial scan as they log in or whatever. That is more robust information than the age signal. And so there's a superseding of the age signal by a more robust system.
Repsukla, you're about 75% there, so that counts. Thank you, Mr. Chair. So I'm curious, who brought you this bill? Was it a lobbyist?
Who brought you the bill to run this bill? Rep. Pascal. Senator Ball. So it is modeled after a bill that was passed in California, and so that's where he got the bill from.
Rob Leder. I thought you had a big list. Thank you, Mr. Chair. So I'm looking at L004. It's quite extensive. So the legislative declaration added in L-004, Section 1, 1E, states that the bill, or Paschal, whoever, states that the bill enables compliance while minimizing the collection and retention of personal data. That is your language adopted in L-004. So now turn to 630.102.1. It requires operating systems, the OS, providers to obtain the birth date, the age, or age bracket of every user at account set up. So then the last sentence of the subsection says, This is a wonky one. Subsection says, operating systems providers may permit an account holder to select an age bracket without providing a birth date or age, but only when the user is 18 years older. So for every minor, you can read together, so every minor in Colorado, the account holder, typically a parent, must provide to the operating systems provider either the child's birth date or the child's age, but there is no age bracket only option for minors under this text. So the declaration promises minimization, but the operative text mandates collection for minors specifically. So my question is, can you reconcile those two provisions for the committee or for me? Maybe I'm the only one that don't understand it, but how does mandating the collection of birth, date, or age from every minor in Colorado while permitting age bracket only for adults constitute minimization.
Brad Paschal. So it minimizes it in the sense that you don't have to collect a birth date for every human. As the child, the parent also could, if they wanted to, they could set their child up as an adult if they wanted to. So if they don't want to use child protection tools, it's attestation. So we're taking their word for it, if that's how they deem best to go forward.
Any other questions from community members? Seeing none, all right, we'll move into the witness phase. We have 25 witnesses signed up. We will be doing two minutes of testimony per witness with eight minutes. 10-minute panels. Starting with, we give a preference to folks who are in the room, so I'm going to call up Mr. Feistad. Can we go with people who are, I guess, against the bill first, or kind of alternate between against and for? Sure. And with the for. You want to start with the for? No, let's start with against and with the for. Okay. Okay. So this panel will be against the bill. We'll start with Mr. Freisted, John Alwine, Mr. Burnett, Mr. Holland, and Mr. Macklin. Please come forward.
If you give them to Mr. Roja here, that would be fantastic.
Yes, please. We do. You'll just have to bring one chair up so we can have five, and you'll have to share one mic. So if you can do that, that would be fantastic. All right. Starting from my right, sir, please state your name, who you represent, and you have two minutes to give your testimony, so please proceed. Thank you. My name is John Alwine.
Before you begin, there's a small red button. Just make sure it goes green. There we go. Good afternoon. My name is John Allwine. Thank you, Madam Chair Ricks and members of the House and Business Affairs and Labor Committee. I live in Longmont, where I've been employed as a software engineer for the past four years, and I'm here today to oppose SB26-051, age attestation on computing devices My journey with computers started when I was just four years old My father My father had been a professional software engineer all my life And like many boys I wanted to be just like Dad When my dad brought home a new computer one evening I was captivated Back in those days computers had tutorial programs to teach you how to use them Through these programs, I was introduced to the concept of computer networks, and I remember very vividly one morning proclaiming something along the lines of, we now have two computers, we need to set up a network. That proclamation set off a chain of events that has led to me being here today. When I was a preteen, I began to experiment with installing free and open source operating systems such as minimal Linux distributions and what we called the old computer to revitalize it. It is also worth noting these open source projects, which have taught me a great deal about computing, would be the most likely to be intimidated by additional regulations, not the big players. Sorry. During my short time in Colorado, the career I owe my childhood computer usage to has already generated tens of thousands of dollars in state taxes and these would be in jeopardy if such regulations had existed in my childhood. The freedom to compute and connect, having my computer serve me as the user instead of being compelled by the state to produce signals that would restrict my access was essential to my development in our heavily online world. Outside of future technologists being stunted, the signal described in this bill establishes
infrastructure that could be further used to erode our digital privacy. As technology continues to evolve, future lawmakers could be tempted to leverage additional sources other than simple data entry. The reasoning would likely be along the lines that Americans are already subject to identity verification and know your customer laws more than ever, so nobody will mind one more. However, it doesn't make it right to tie additional burdens to something as important as the freedom to compute. Thank you for your testimony. Your time has expired. Sir, if you can say your name, who you represent, and you have two minutes.
Hello. My name is Brian Freestead, Mr. Chair, members of the committee. I think you have the opportunity to be here and testify today. On the matter of the amendment that was introduced today, I don't have access to it, and until the point at which it's approved by both chambers, I'm going to testify on the existing bill.
And if you could just state who you represent, if anyone.
My name is Brian Freestead. I'm a resident of Colorado House District 64, I represent myself. I'm also employed in Longmont, Colorado as a software engineer for a major tech company that specializes in data storage technology and is the primary supplier for companies like Google, Meta, Amazon, and Microsoft. With regards to the subject matter of this bill, I believe it is fair to consider myself an expert. On the matter of SB 26-51, I am opposed to the passing of this legislation. On the printout that you have received, eight primary complaints of this bill are outlined. Today I'll testify on one of them, that this bill does more to harm minors than it does to protect them. On this complaint, the logic is quite simple. We must look at what this bill does to protect minors, then compare that to what it does, which may be detrimental to minors. The bill does not prohibit developers from serving inappropriate content to minors. To achieve that behavior from developers, additional legislation would be required, but we should not take any future legislation for granted. Considering this, it is fair to say that this bill does nothing to protect minors. Instead, this bill does require that an operating system provide an age signal to any application that requests it. Besides the limitation on sharing with third parties, this bill makes no attempt to legislate what an application developer does once they have an age signal. A developer could alter the behavior of their application to monetize the knowledge that their user is a minor. For example, they could offer in-app purchases or other solicitations that children are more likely to act on than adults. Or they could choose to manipulate the randomness of a game to make it more addictive. You may believe this concern is unfounded I would point you towards the recent trial in New Mexico where the state found Meta platforms the owner of Facebook liable for endangering children According to the New Mexico Department of Justice the state brought evidence that demonstrated Meta quote intentionally designed its platforms to addict young people and, contrary to Meta's public commitments, exposed them to dangerous content, end quote. With that, I would bring the testimony back to my original argument that this bill does more to harm minors than it does to protect them. I have established that this bill does nothing to protect minors. In fact, it does the opposite. It forces operating systems to provide an aid signal which will be used by companies to manipulate and monetize minors in that regard for their safety. I urge you to vote against it.
Thank you for your testimony. Your time is quiet, sir. You're up. Please state your name, who you represent, and you have two minutes.
My name is Trevor Brunette. Thank you, Chair. I represent myself, and I live in Longmont, Colorado. I am a senior software engineer in a data storage company and a hobbyist programmer. I am testifying to respectfully oppose Senate Bill 26051. Primarily, I am concerned that this bill does not accomplish what it seeks to. It does not require the system to send the signal to websites and external services used by applications. Most harmful access is primarily done through websites and the Internet. For this reason, I have respectfully urged the committee to vote no on SB 26-051. Thank you, members of the committee, for your time and consideration.
I open the floor to any questions.
Thank you.
Sir, can you state your name and who you represent, if anyone?
Yes. My name is Joshua Holland, and I'm representing myself. I've been working in tech for over a decade and a half, most recently at a social media company. I'd like to start by thanking the committee members and the sponsors. Protecting children in the digital age is a laudable goal, but this technically ill-defined bill does not achieve it, and it does not pave a path toward a system that can. SB 51 promises a privacy-preserving method to expose age information to applications so they can make informed, appropriate decisions to protect younger users. It delivers neither privacy nor protection. The signal is not privacy-preserving. The bill calls this an age bracket signal, but it functionally reveals exact birthdays. An app that a child uses daily will know their exact birth date when they turn 13, 16, and 18. The transition between buckets establishes this fact. Then the bill requires those same developers to try to figure out when a signal is inaccurate, forcing them to try to discover the very information we are trying to keep private. The bill does not ensure appropriate decisions are made for children. Once presented with an age bracket, developers then decide what each age bracket may access, guided by existing law, but much of what is age-appropriate is a moral judgment, not a legal one. This bill outsources moral judgment to corporations, corporations whose financial incentives, like maximizing engagement, don't align with children's well-being. And now they have a standardized, guaranteed signal telling them exactly who their youngest, most vulnerable users are, which they are incentivized to exploit rather than protect. We don't require this level of privacy invasion in other places we need to protect children. and it's not necessary here. Device level and platform level parental controls exist. If these controls don't work, we should mandate that they do. If a platform invites children in, we should require that it give parents real enforceable power over their children's accounts. Any bill that claims to protect children should ask first, does this empower parents or does it displace them? Thank you for your time.
Mr. Macklin, please state your name, who you represent, and you have two minutes. Mr Vice chair members of the committee thank you for the opportunity to present to you today My name is Ben Macklin I a resident of Denver representing myself Other people on the panel have said a lot of what I was going to say better than I was going to say, so I won't repeat it. And I'll just stick to a couple unsaid things. one of my concerns is that even if this isn't verification it's just attestation many other states are enacting verification and other sorts of more strict laws and it's very easy to see how a company like microsoft for example wants to do the easiest thing to comply with all of this and even if our state is more lenient than others in terms of invasion of privacy for verification, soon you won't be able to use your Windows computer without uploading your ID. Not because it's illegal in Colorado, but because it would be illegal in another state, and that's just now what Windows is in the near future. So I think this contributes to that, even if it is trying not to. And I think that's my major concern, and I also urge everyone to not support this bill. Thank you. Thanks, everyone, for your testimony. Committee members, do we have any questions for this panel? Representative English?
No?
You've got to be careful when you raise your hand now. Representative Gonzalez.
Thank you, Mr. Chair. My question is for any of the engineers on the panel. So we heard that this policy was made from California. Do you know of any maybe implications or how, like, that law was implemented and kind of the after effects of kind of the people that were affected in that implementation of California policy or any other states that have policies like this, what's the aftermath, what are the effects, and what are you hearing from people who are affected by that specific policy over there?
Is it Mr. Burnett?
Yes, Chair. So far what we have heard, is this on?
Thank you.
So far we have not heard much from major corporations like Microsoft or Google. However, we have heard from more local, smaller businesses like System 76 that this will impact their business negatively. They are based in Denver, Colorado, I believe, and this will negatively impact them and is probably not a – let me check my notes.
Hold on a second.
um so colorado california's ab 1043 was enacted on october 13th and becomes effective january 1st 2027 and we have still not heard a response from google microsoft or amazon on what they intend to do uh because of this bill but there are still other smaller companies who believe that they wouldn't be negatively impacted by it. Thank you.
Would you like to answer?
In the open source committee, our community, the community is pretty divided. The open source community is global, and there are many operating systems that are refusing to participate in this. I would worry that this could result in mandating that access to such software is banned by nature of not complying with this law.
Thank you, Mr. Holland. Representative Leader. She doesn't have her head up now. Thank you, Mr. Chair. I have two questions. One, and I'm sorry, I don't remember your name. The gentleman in the tie, yellow and orange. That's Mr. Friedrich. Mr. Friesen. Friesen. Freestead? Freestead. Freestead, thank you. Okay, you stated in New Mexico about their trials in regards to their platforms and said that they change them now, then they can make them more addictive based upon the age. How are they making their platforms more addictive? Mr. Freestead?
Yeah, so the state did find them liable for that, and the state levied penalties of $375 million against Meta. and they demonstrated that Meta's development team intentionally engineered systems which were addictive and intentionally exposed miners to harmful content that was more engaging. So there's a few ways that developers can make things more engaging. I have some notes on them here. but at the end of the day it's really all about monetization so monetization they can do targeted ads that advertisers will pay premiums for because they know more about who the user is they can get advertisers to pay more for that they can users of different ages have different tolerances for addictively engaging content like infinitely scrolling like TikTok and YouTube shorts and Instagram reels all have infinitely scrolling things. Actually, it was Facebook who came up with that a long time ago. Let's see what else. So the developers can manipulate the random behavior of games. You know, when you're playing Candy Crush and you lose a level and then the first thing that shows up is they offer you an in-app purchase to buy a new life and try again. Well, what if you knew that the app developer was messing with the randomness of the game to make you more likely to lose, and then they offered you that purchase? That seems a little bit manipulative. Children are also, they have less persuasion literacy. They're more likely to be affected by social pressure. If their friends are buying a skin in Fortnite that is limited time, they might have a fear of missing out, and they might act on that. Or they might be influenced if a character in a game says, I'm going to be really sad if you don't buy these gems. It's going to save my family if you buy these gems. Blurring the line between the game and the advertisement. So those are some common tactics for engagement engineers. Thank you.
Representative Brooks.
Sure, thank you. We always assume good intent, and that's fine. Occasionally, though, I think that I've seen, I think we've probably all seen that occasionally downstream there tends to be some unintended consequences to some of the policies that we pass. So if you could speak to what you might foresee or what you're fearful of as being some of the unintended consequences of a policy like this.
Mr. Allwine, right?
Yes, Mr. Allwine. One of my big concerns was we kept talking about whether Microsoft would be liable or whether Google would be liable. But what if a site doesn't want to be in the business of determining if someone's just in an old operating system or an operating system that's willfully defined the state, or maybe the operating system is somehow misconfigured or experiencing a glitch? They may just take the safe option to just deny service. And at a time when computers are getting more expensive than ever for us consumers due to the explosion of data center build out I really don want to take that risk that someone freedom to compute or freedom to connect could just be turned off by a lazy service provider They wouldn't be in violation of the law by doing that. And in fact, the incentive structure, I don't know what I would do if I was running a site and I had to determine somehow if someone was trying to get me to break the law or someone was just not updating their computer. So I would be very cautious about assuming perfect implementation on service providers, especially when it comes to legacy computers.
Representative Leader. I know. I thought Kelty had her hand up. Thank you, Mr. Chair. So, should have wrote the names down, gentleman on the end. You had said that you suggested this to empower the parents more to help protect the children. One, how do you how can you help protect the children? So how do you see that to empower the parents to be able to protect their children is one part of the question and then do you see any of the responsibility of being the developers? Mr. Macklin. I think she meant me.
So I am pushing for mandating Mr. Holland.
Mr. Holland. I believe we should mandate
outcomes for device-level controls and platform-level controls that parents can control. I did have to cut a little bit of my speech. But device-level parental controls allow parents to decide which platforms their children engage with, and platform-level controls allow them to decide how they engage with that platform. This age signal pushes on developers the choice of what's appropriate for children to kind of lean into what Representative Kelty was saying, asking corporations will preemptively prevent access to information based on, say, a change in government. We've seen Facebook change what's allowed to be talked about on their platform. And so when they have access to an age signal like this, they also get to decide what information children can access, not the parents.
Rob Kelty? Thank you, Mr. Chair. And I don't remember anyone's name, so the gentleman in the yellow and red tie. Mr. Freestead.
Sorry about that.
So I want really actually anyone who wants to answer this. You know, in Colorado, we have overburdened our companies here with regulations upon regulations. Like we mentioned, we're sixth in the nation for overregulating our businesses. We see them shutting down all the time. Can you tell me, from a practical standpoint, what tradeoffs do businesses face when trying to comply with such regulations or requirements like these while maintaining security and user trust? And how do you feel, or anyone can answer this, how do you feel that this is actually enforceable? Okay.
Yeah, there's a few parts to that question. I think I might hone in on the relationship between security and user trust and how corporations will interact with that. Because that's actually really interesting. Because the burden of providing the age signal is falling onto the operating system and it happens, the application gets it at the time when the app is downloaded and installed or first launched. It happens in the background. So there's no pop-up when you open the app that says, what is your age? It happens way earlier when you first pull your phone out of the box The consequence of that is that the age verification or age attestation isn cohesive with the inappropriate content whatever that is. So there's no PR nightmare for all of the app developers. There's a couple of examples in the last year, in the last half year actually with YouTube and Discord where they've announced that they're going to do age verification options at the application level. YouTube said, we're going to use AI to determine what your age is. And if we guess wrong that you're a child, you have to appeal it by uploading a credit card or a government ID. Huge public nightmare for them. Major pushback. Those companies would absolutely love it if the burden fell on the operating systems and nobody had to think about, well, does this application have bad content for my child when they download it? It's just like there's an assumed exposure to bad content when using the device, according to this bill. All right.
We are three minutes over on this panel, so we will just move to our next panel. Witnesses, thank you very much for your testimony. Since we have only one panel of those for the bill, we will continue with against the bill, starting with Alex Martinez, Ryan Ray, Matthew French, Brandon Gidges, and Aaron Zimmerlin. All right, starting to my right, sir, can you please state your name, who you represent, and you have two minutes. It's the little gray button on where, right there.
Hi, my name is Alexander Martinez.
Hold on, Mr. Martinez, try it again.
Okay, hi, my name is Alexander Martinez. I am from Lakewood, and I'm representing myself, basically. I am a cybersecurity major from Red Rocks Community College. So my main concern that hasn't been mentioned already is that this requires some kind of software to be installed. And I have a lot of concerns with that because any software potentially opens up something called an attack surface. An attack surface is basically someone on a website could be like, oh, they're from Colorado. We could potentially use an exploit inside of an age-of-age attestation software to try and get more information than what the attestation software is. No programmer is perfect, as they're only human, so if they develop the software either lazily or incorrectly, it could potentially open up an attack surface, and then a bad actor or a website could exploit that attack surface and get even more information. I have other things to say, but pretty much the previous panel said it for me.
Okay. Mr. Ray, please state your name, who you represent, and you have two minutes.
I'm Ryan Ray. I represent myself. I'm from Longmont. I am a software developer who's been working in the industry for about five years, and I review features like this and design how we would implement them. The bill I had does not have the most recent amendment So what I'm saying might be a little bit out of date But based on the requirements Specifically that any operating system Who allowed harm to come to a minor Would be liable for a fine indicates to me as an implementer that this is enforcement and not that even if this is an enforcement enforcement is strongly recommended i should be protecting against a user who is a minor pretending to be an adult i think that this has potential consequences for our right to repair as consumers, operating systems may be more likely to lock down anything we can do with the system for fear that we will attempt to attack it and override these signals, making them liable for these fines. Particularly, I think the risk is even higher for open source, where it is trivially easy to bypass any sort of restrictions that are put in place if a user wants to. Those are my main concerns.
Thank you, Mr. Ray. I take it Matthew French. How about you, sir? Please state your name, who you represent. You have two minutes.
My name is Brandon Gagas. I'm representing myself. I'm from Westminster. I'm also a software engineer with 10 years experience. And while I agree we should take steps to project children online, this bill is absolutely not the way to do it. It will stifle innovation as the bill puts a huge burden on operating system software developers to implement age-checking software. OS developers could simply declare that their OS shall not be used in Colorado, which could have serious downstream effects. Foreshadowing of what could come happened in Mississippi after enacting their own age attestation law, where the Blue Sky social media site was forced to cut off access to Mississippians. Speaking from my professional experience, engineers like myself rely on certain Linux distributions to perform critical work. Enforcing these distributions to do business elsewhere would be costly for businesses in Colorado, especially for smaller tech businesses. This bill is also overreaching and restrictive. It requires users to share their age just to use the computer, which I think is going too far. It would enable restrictions and censorship of lawful content and as a violation of Colorado's civil liberties. It is noble to want to help to protect children online, but the responsibility of restricting harmful content on devices falls on parents only, not on the state or federal government. This bill also offers minimal protections. How are children protected if they can just falsify their age? While this bill does not require age verification, it does open the door to more invasive methods that would require actual verification of sensitive, personally identifiable information. This is a huge privacy concern to me. Thank you. I urge you to please vote against this.
Thank you very much, Mr. Gidges. Mr. French, you have two minutes. Please state your name, who you represent.
Hello, my name is Matthew French. I'm from Maravetta. I'm representing myself. I'm opposed to this bill basically because it looks to me like whoever wrote the model bill ignored 50 years of convergent evolution and consensus that led to the concepts that underlie how we manage everything about this. These definitions basically don't know what they're talking about, and they line up with versions of this bill in other places, including the versions of this bill that require verification of identity. They weren't written just for this bill. And the bill isn't particularly coherent as a result. It doesn't know what a user is. It says in page 4, line 21, I'm using the pre-amended version. I don't know what got added today. That a user is a minor, and that it is the primary person that uses a device. Page 3, line 20 says that apparently a user may be an adult, because there's a category for it. In page 5, line 1, where it talks about the user of the device in the singular, and then it implies that the signal applies to a particular user. And then in page 5, line 12, it implies that in order to run the application, must have a user about whom to inquire. This is the grade of legislation that we have all the way through. Instead of relying upon extant conventions in the field, Somebody who didn't know what was happening wrote new ones, and they have holes all over the place. They don't agree with themselves. It's bad.
Thank you for your time. Thank you, Mr. French. Your time has expired. So last witness on this panel is Mr. Zimmerlin.
Hi, my name is Aaron Zimmerlin, and I'm here today independently as a Colorado tech professional with over 20 years' experience. I'm in opposition to this bill, and I'd like to speak to you today about justice. I was going to speak about some more things, but I only have two minutes. We're all thinking about this bill today out of concern for Colorado's children, and we don't want them to have to seek justice rather than prevent the unjust things from happening to them. This is admirable, but I do not believe this bill accomplishes that and actually does the opposite. Among age attestation possibly being the weakest safeguard from access that's possible, the tech community have done extensive investigations since the similar bill was passed in California. There's been much discussion of the intent of such a thing and investigation by journalists and tech professionals alike into who might be backing such an effort. And these groups have arrived at a seemingly confusing conclusion. Meta, the company behind Facebook and Instagram, has its fingerprints and money all over the California bill. One of the largest companies on the Internet ought to know that aid attestation is a particularly weak measure at best and that moving that from the Internet onto an operating system won't protect much of anybody. This brings us to the primary justice issue. Companies like Meta and Alphabet are finally being held responsible for the damage they're doing to youth. You may have read about one of the cases in California where they were penalized $6 million for the impact they had on a young woman's mental health. They can't do anything about the damage they've already done, but they can prevent it from impacting them into the future, which is exactly what this bill does. By making it the operating system manufacturer's responsibility to track age, they effectively insulate themselves from the consequences of serving damaging content to youth by being able to say, we asked the responsible party and they said this person was an adult. With one swoop of the pen, we will undercut all the efforts to make them take responsibility for the harmful misinformation they serve our kids from a younger and younger age. Thank
you. Thank you, Mr. Zimmerman. Committee members, do we have any questions for this panel Rep Leader Take it back Go ahead Rep Leader Thank you Mr Chair So this question is for anyone Since it's such a bad bill, what would be your decision to protect our children? Who would like to take that one? Yes, sir. I see predators. So I think the main thing that I would like to see from this bill is that it emphasizes that the operating systems are responsible for forwarding the attestation from the users, essentially saying that – first off, saying this is what the user said. This is not necessarily that we're enforcing it, but the user wants you to know that they are in this age bracket. They expect you to comply like that. And then the other thing that I think would benefit is the option to opt out where users can send a signal that says, I could be any of the age brackets. I want you to just treat me like I'm the youngest one. And that would potentially allow people like the gentleman from the other panel who is concerned that this could be used to track the age of children over their progression to say, we don't want any of this. Also, it would help adults like me who potentially would want to be excluded from some of these addictive behaviors where, for things like infinite scrolling, if this is harmful to our children psychologically, I'd like to be able to opt out too. Mr. Zimmerman. So we have to hold the companies that are serving this content responsible for these things. So social media is a goldmine for these companies, and they have, as New Mexico said, they are making these things more and more addictive, and they're not really filtering who gets that content. In fact, when they're targeting children, they know they're targeting children because they have built algorithms that within a very fine degree determine someone's age, their sexual orientation, their political stances. They know these things and they're serving this harmful data anyway, this harmful content. We have to hold them responsible. We have to put the problem where it is. If there's enough of an incentive for them not to serve that kind of addicting content to people, they won't do it. But right now, they make a huge amount of money doing it, and that goes directly into the pockets of some not very nice people. Meta, in fact, fought a law in Brazil that would have held them responsible at a very low level for the content they serve and made a lot of the same arguments that they then rehashed into the California bill. to not be held responsible for that content. They say, other people are putting it up. We're just serving it. But how that information is served with their algorithms, how those determinations are made about what a user is and what is best to serve it is all in service of their bottom line. And there is very little incentive. The 300 and some odd million decision in New Mexico and the 6 million decision in California are not going to impact these multi-billion dollar companies even a little bit. Thank you. Thank you, Mr. Chair. So I guess anyone who's on the board that actually writes code and designs their own app software, can you tell me if by this bill would it then cause you to change your code design to comply? and the reason I ask that is I know that under the First Amendment co design is considered a form of art and it is protected by the First Amendment So I just want to verify if it does actually cause you to change your code design, your art, to comply. Who would like to take that one? Anyone? Mr. Martinez. Mr. Martinez. Okay. I don't quite write code. I'm familiar enough with it. But yeah, this would probably have someone change their code on a level. Either websites, and obviously operating systems would require to install software that you... I don't think you would be allowed to remove that software under this bill, and that's a concern. There's already a ton of bloatware on software, And so I think that, in a sense, yes, does change your code as it requires you to put yet another piece of software on the code, which could either be in the form of a script or something else like that. Representative Richardson. Thank you, Mr. Chair. I'm not quite sure who this would be for, but I think anybody developing in the portion of the bill that talks to enforcement and penalties, It begins with a person that violates the article. My read of the bill, and I'm curious about yours, is that person an application developer using the signal? Is it the operating system developer, distributor that causes the signal to go forward? And then it's at the top of page five on the amendment that we have. I don't have the original bill in front of me, sorry. But the other part is the fines are levied or against. There's got to be a violation. And then for each minor that's harmed, either through negligence or intentional violation, it just seems like could you talk to the burden of first having to defend what, you know, you could negligently do something and there be no harm. or how do you if you're going to go to court over this it seems like there's two pieces that have to be worked. One, was there a violation of the article either through negligence or intentionally and then was a minor harmed and then what does harm mean? Representative Rich, is there a question there? What does that penalty paragraph mean to you as developers or people that might fall under this bill? Would anyone like to take that one? Mr. French? I think it's a little sneakier than that in that it has a chilling effect on a lot of, well, especially old software in particular. and it... I'm sorry. I'm trying to read as I talk. It talks about technical limitations, but it doesn't talk about social limitations, which are the problem for free software. The problem with free software is you have to be able to tinker with your system. To tinker with your system, you need basically total power over it because you're developing every piece of it. Each piece is developed by a separate project that is made up of individuals And these projects may be located in different places And so as somebody developing this you have to be able to take it apart and put it back together And it can defend any of these values if you can do that. So that's one of the big chilling effects. And it doesn't require any penalty. It just requires people to look and see liability in a country they don't understand and go, nope. And the other thing is that for historical software, you have the exemptions that apply to this old stuff in the applicability limitations, is it? I'm sorry. I'm having to lag. Yeah, okay. So the limitations only apply to developers. And operating system providers are defined as anybody who licenses something. So for old software, most of this is gray market. A lot of it's either pirated or in some cases people have held on to these downloads and And then finally gotten permission from these companies to use them 10, 20 years in the future. And so these companies, even though they're not supporting them anymore, as long as they license it, they become liable for any of these violations. And because it's not making them any money, they'll look at it. Their lawyers will look at it and say, you know what? These nerds, tell them to lose our software. We don't want the liability. You don't want to worry about it. and your IRIX machine can go catch fire in a dump somewhere. Yeah, this whole thing is chilling. It doesn't require any of the stated liability to do that. All right, thank you very much. There are 30 seconds left for this panel, so Mr. Zimmerlin, do your best. In the chance that we're talking about individual developers, I think it presumes also U.S. residency, which is largely not true. A lot of the garbage that is targeting children is coming out of other countries. And so how do we control that here in the state of Colorado? I don't have a good answer for you. But I don't think for individual developers inside Colorado, yeah, this is scary. For everybody else, these fines are inadequate. All right. Thanks, everyone, for your testimony. We're going to move you to our next set of witnesses, and these are remote witnesses. This is going to be a mixed panel of against and amend, and we are going to call Antonio Merzin, Melissa Paddock, Michael Neal, Nancy Rumpfeld, and Corey Blair. All right, let's, I see Ms. Merzon on, so why don't we start with you. Ms. Merzon, please unmute. Tell us your name, who you represent, and you have two minutes. Thank you to the chair and the committee. I'm Antonia Merzon, the senior policy advisor for Blue Rising and an attorney. While this bill is described as improving online safety for kids, the bill in its current form will end up having the opposite effect. Here's the problem. Self-attestation is an honor system that can be easily manipulated. Anyone can simply enter a fake age. As we've all seen with this system on social media platforms, both minors and adults routinely input false ages. Kids so they can gain access to adult content and features, predatory adults so they can pretend to be kids in order to sexually exploit children. The most dangerous part of this bill is that it directs platforms to use this age signal as the primary indicator of a user's age, even though it's based on information that everyone in this room knows is likely to be false. The only way the bill allows platforms to override the age signal is if they have clear and convincing evidence a user is a different age. That standard's so high a bar that it effectively directs covered applications to only use the age signal and to ignore any internal data it may have indicating a user's true age. A social media platform, for example, may know a user is a kid because of the content they look at and the friends they communicate with. But the bill says if there's any conflicting information, like a kid looking at adult content sometimes, which we all know they do, the platform can ignore what it knows because it's not clear and convincing and go with the false age signal. The group the system benefits is the covered applications, as we heard from the last panel, who get to avoid responsibility for knowing the age of their users when they treat kids as adults. California should not be our guide on this. In that state, several kid-online safety laws require full-fledged age verification that have been signed into law. So when California passed their version of this last year, it was an add-on in an environment where age verification was already the law. If this bill passes, SB 51 and self-attestation will be the only law in Colorado regarding platform requirements for identifying minor users. Thank you, Ms. Morizan. I appreciate it. Unfortunately, your time has expired. The other person registered in an amend position is Melissa Paddock. Melissa Paddock, are you on the line? Yes, I am. Thank you very much. Please state your name. Tell us who you represent. You have two minutes. Yes, thank you, Chair and Vice Chair and members of the committee. My name is Melissa Patak. I'm here on behalf of the Motion Picture Association. Our member companies are the leading producers and distributors of motion pictures, television and streaming companies. They include Amazon Studios, Netflix, Paramount, NBC Universal, Sony Pictures, Walt Disney Studios and Warner Brothers. We we share the committee and the authors concerns about support and support the goal of providing children with a safe, age appropriate online experience. We believe we have something to contribute to this discussion based on our efforts, our member company's efforts over many, many years, almost 50 years in providing parents with information about proper information about the motion pictures they want to share with their children through our trusted classification and rating system. You know it as G, PG, PG-13, R, and NC-17. We understand that amendments we have provided regarding a family account are under consideration to be added to the bill. We appreciate that consideration. We'd like the opportunity to review that language, make sure it works within the context of the whole bill. This will allow those streaming services that have a primary account user, but then also have sub accounts within that app, and allow the primary user to designate age bracket and appropriate content within those sub accounts. This amendment will allow the companies to continue that business practice We see it as a parallel track to what this bill is creating We'd also like to point out that the California law is being amended this year. We're working with the author there. And one of the amendments that has already been accepted is about single age being applied across all platforms and all applications. we hope that that correction gets the author and the committee's attention as well. These amendments, I just want to say, are not a carve-out. Thank you, Mr. Thank you very much for your consideration. Patak, your time has expired. I appreciate it. The first two witnesses were in the amend position. The next three are against the bill, and we will start with Dr. Neal. Dr. Neal, please state your name. You have two minutes and tell us who you represent. Thank you, Mr. Chair. Thank you, business affairs and labor as well. My name is Michael Neal. I am going to actually testify, yes, in opposition, but I think in a different way than you've heard before. I am not a coder or a programmer or anyone of the sort. And maybe my opposition leans towards an amend. I just didn't sign up that way because I feared you would ask me, what should we amend? And I wouldn't be able to give you a good answer. And my concern is really that this bill is built on a few assumptions that I think are not terribly realistic. And one is that folks that are setting up their machines, their computers, and their software, operating systems are not going to necessarily be the parents. In fact, I think in this day and age, it's actually far more likely that, you know, mid teenagers are going to be setting up their own accounts than parents who may or may not have those technological skills. And, you know, folks that have relatively libertarian parenting styles like mine did. I saw Pulp Fiction at 14. Did it harm me? I don't think so. But, you know, I think we're I think we're trying to figure out what may be a good bill for someone who is trying to block an eight year old from accessing adult sites is not going to be the same good bill that's trying to stop a 15 year old from accessing adult entertainment, just like going up to the attic and sneaking one's father's playboys. I think that that's something that, you know, I don't want to go to an age verification system. I'm an ACLU, Electronic Freedom Foundation sort of guy. You guys know me. Thank you, Dr. Neal. I'm sorry, but your time has expired. If you could please hold for questions. Our next witness is Nancy Rumfeld. Ms. Rumfeld, you have two minutes. Please tell us your name, who you represent, and you may begin. Mr. Rumpfeld, can you hear us? We can see you. You appear to be frozen in the committee room. All right, we'll give you a minute to work through some systems, and we'll move to our next witness, Corey Blair. Corey Blair, please tell us your name, who you represent, and you have two minutes. Please begin. Thank you for taking my time. Hello, Chair, members of the committee. My name is Corey Blair. I represent myself I a resident of Arvada Colorado I come to you as a father as a native of Colorado I am a parent of a teenage boy and I am sitting here telling you that teenagers and children younger up until the age of 18, they will find ways around your legislation. They will find ways around the apps and the systems in place to age attestate. We heard it earlier in the preliminary talks of this bill. Older devices, older computers, older models, things that are not modernized to accept these apps, yeah, they just won't have them. Well, then what's the point of even passing this bill? I mean, that alone makes this bill superfluous, unnecessary, and it's just another example of an Orwellian-style technocratic state system implementation for a larger expansion of a digital dragnet. And this is laying the groundwork. This is laying the digital groundwork to that. The entire scheme depends on self-attestation. Parents or account holders simply put in an age bracket that then broadcasts via API to every single app. Any child who wants to can fabricate this in data in seconds. Tech-savvy kids already lie to their ages every day online, and this bill creates the illusion of protection while delivering zero real safeguards. Parents, not bureaucrats in Denver or executives making these apps in California, should be deciding what is appropriate for their children. Colorado families already have parental controls, monitoring tools. I think we need to leave it up to the parents and build a better morality and society and be more active in our parental decision making rather than giving the power to the government and to the state. I urge this committee to reject this bill outright, protect parental rights, and reject the creeping surveillance state. I am here for any questions as well. Thank you for your time. Thank you, Mr. Blair. We're going to try one more time for Ms. Nancy Rumfeldt. Ms. Rumfeldt, are you online? All right, we appear to have lost Ms. Rumpfeld. We'll try to get you in on another panel. Community members, do we have any questions for this panel? No questions. All right, witnesses, thank you very much for your time. We appreciate it. Moving to our fourth panel, we will, again, remote. These are all persons who have registered against the bill. Let's start with Allison Spink, Ian Corby, Mitchell Hoppe, Brandon Wark, and Matthew Logan. But I do believe Matthew Logan may be in person, so Mr. Logan, if you could come forward. And for all our witnesses, apologies, but we do have a preference in this committee to give folks who are in person the first right to testify. So we will be starting with Mr. Logan. Mr. Logan, please tell us your name, who you represent, and you have two minutes. Thank you, Mr. Chair and members of the committee for the opportunity to speak today. My name is Matthew Logan, and I serve as the Senior Policy Manager at New Era Colorado, a leader and enduring champion in tackling the challenges and inequities young people face throughout our state. We thank the sponsors for their thoughtful approach to this bill. New Era Colorado has historically been opposed to all age verification mechanisms and pass bills. However, we are in a neutral position today because we do not have the same concerns with this particular legislation. New Area Colorado is generally against age verification policies because it can lead to the restriction of content that serve as vital resources to the issues we advocate on We also had constitutionality concerns as it relates to data collection We strongly believe young people should have freedom and safety while online and that their data privacy must be protected. Now when it comes to our devices, our focus must be on regulating corporations, not the users themselves, most of which are, of course, young people. This bill, however, is clear and constructive. In this bill, we appreciate that users have the ability to opt out, that it limits the collection of personal data, and ultimately reduces the risk of harmful age verification policies being introduced or enacted in the future. This issue is, of course, a new frontier, and while no data privacy bill is perfect, New Era is committed to working in the data privacy space as long as it's needed, and as long as young people are online finding community with each other. Thank you again to the sponsors for bringing this bill forward. We look forward to working with you more in this space in the future. All right. Thank you very much, Mr. O'Login. Next up we have Mr. Wark. Please tell us your name, who you represent, and you have two minutes. Well, hello, committee members and people of Colorado. My name is Brandon Wark, and I am representing myself. This bill is an authoritarian attempt to restrict the software that Coloradans have access to. The state has no right to tell we the people what kind of software we can use or how we can use it. At its core, this bill restricts technology by creating legal requirements for technology to be sold in Colorado. Operating systems and applications should be available to Coloradans without restrictions. This bill requires Coloradans to indicate their birth date or age. Applications will be required to use this information. This is government-mandated age identification. Now, age verification is required for buying alcohol, cigarettes, or marijuana, but to make it a requirement just to use a computer is egregious overreach. There is no justification for the state to require that we, the people of Colorado, submit identification information just to use a computer or a phone, and yes, even just to give a birth date or our age. Now, make no mistake, this bill does nothing to protect kids, but instead creates a state-regulated system of digital identification just to use computers that we as individuals privately own. This bill is a violation of our property rights, our right to technology, and puts Colorado on the path to digital ID. This bill sets up a system in which Coloradans won't have access to computer software that doesn't meet the requirements of the state. The path to full digital identification for access to computer technology is being laid out in front of us. I urge the committee members to reject this path to tyranny, recognize the reality of what is happening here, and vote no on this horrible bill. Thank you so much. Thank you, Mr. Wark. Next up, we have Mitchell Hoppe. If you could please state your name, who you represent, and you have two minutes. Please begin. Hi, I'm Mitchell Hoppe. I'm a software developer here in Fort Collins, Colorado. I build apps and websites for a living, and I'm a big advocate of privacy and open source software. I appreciate the exemptions made to open source software like Linux. I am acutely aware of the harms of social media, especially to children, but I still oppose SB 2651. I have a number of concerns that, in my view, disqualify it and poison the well for future legislation. The bill says that the data collected cannot be sold to third parties or shared, but Google and Meta are their own first parties for their advertising platforms. So I don't see how they could not use this information for their advertising purposes. I see no reason why the attestation has to be at the operating systems level and not at the platform level. or the apps and the websites that are regulated. So Instagram and Facebook. As a previous panelist mentioned, Meta has spent $2 billion lobbying for age verification bills across the country. And for this bill in particular, Google is one of the biggest lobbyists for this bill, according to Colorado's own data on data.colorado.gov. so this age attestation bill is not being pushed by citizens of colorado but rather lobbying groups special interests and trillion dollar companies all these reasons and more is why you should vote no thank you mr hoppy miss ronfield i see we have you back if you could please tell us your name who you represent and you have two minutes please begin Good afternoon, Chair and members of the committee. When considering any bill, I believe there are two fundamental questions that should always be asked. Is the legislation solving a clearly defined problem, and is it a problem that government should be responsible for solving? With this bill, the answer to both of these questions is no. Each year, hundreds of new statutes are added, increasing complexity, compliance burdens, and costs for the very people we represent. At some point, we must ask whether more regulation is improving outcomes or adding to the affordability crisis facing families, workers, and small businesses in our state. This bill raises serious concerns. It proposes that the state directs how software developers design and modify their products. That is a significant expansion of government authority into private enterprise and innovation. It also places new burdens on individuals regarding how they use their own personal devices. These devices are private property, and this bill raises broader constitutional concerns concerns as the Fourth Amendment was intended to protect citizens from government intrusion into their private lives and property. There are also practical concerns. Compliance with the mandates like these is not cost free. Those costs will ultimately be borne by the consumer through higher prices for devices, software and services. Yet the fiscal note reflects no cost to the state and does not address the financial impact on citizens. protecting children and addressing harmful content is we should be cautious about defaulting to government mandates, especially when those mandates shift responsibility away from parents and individuals and towards the state. For these reasons, I urge the committee to vote no on SB 26 051. Thank you very much, Ms. Romfeldt. Next up we have Ian Corby. Mr. Corby, you have two minutes. Please tell us your name, who you represent and feel free to begin. Thank you, Chair. I'm Ian Corby, the Executive Director of the Age Verification Providers Association. So we're the Global Trade Association for Independent Companies who provide age checks online accurately and privately. We do about a billion checks around the year, around the world every year. Now, given I flew from London to Denver just a year ago to speak on an age verification bill, you might assume I would be in favor. I really do have to oppose this novel and risky proposal. And I judge it will harm kids because it going to be delaying more effective measures that will actually protect them I mean my main concern is it going to give big tech much more user data and adds to their market monopolies because it requires apps to query Apple and Google for an age signal at key points of use. That's going to create a centralized gatekeeper for age across the entire app ecosystem. Now, the bill does limit what's shared with developers, but it doesn't limit what is shared with those big tech platforms. And I'm sure the committee cares about the amount of data those companies are gathering on Coloradans. To me, the bill seems to give them the infrastructure to do to do that, particularly because they have to cryptographically co-sign that proof of age. And that gives them an insight as to where it's being sent and how often. Secondly, on enforcement, it provides a very broad, safe harbor. There was a big judgment in New Mexico recently because social media platforms were ignoring obvious signs that users were minors. this bill creates a risk that the platforms are going to rely on this bill as a defense in that exact situation so once apple or google told them tell them they're over 18 they're off the hook and i think it would be much harder to hold those platforms accountable with this bill in place you know parental controls haven't worked we know that over the last 20 years but there's a much better way of doing this with reusable interoperable age verification where the social media platforms or the chatbots or the AI are actually themselves responsible for doing age checks and liable if it goes wrong. So please send this bill back to Silicon Valley where I'm pretty sure it was written. And do talk to us about this dangerous approach. Thank you very much for your testimony. Our last witness in this panel is Alison Spink remotely. Ms. Spink, are you online? Ms. Spink, one more time. Can you hear us? If you're here, please unmute yourself. All right. We'll see if we can come back to you later. So committee members, do we have any questions for this panel? Representative Kelty. Thank you, Mr. Chair. I think that my question is for Mr. Wark. Going off of what you know about different softwares and that, I want to know, like, for open source operating systems, like Ubuntu, Fedora, Davian, Haiku, FreeDOS, and on and on and on. You know, there's freeware, there's shareware. How do you feel that this would work with any of those systems? Mr. Work. Well, thank you, Representative, for the question. I think that's a very valid concern or question. And I think this bill could have an unintended consequence of pushing more people towards those open source and freeware type solutions. Because if it's going to be Microsoft and Google and TikTok and these other companies that are really pushing for this, that are going to require this age verification, or we're just at the beginning of it, I guess, is part of it too. This is age attestation is just kind of the start of people having to give their information and then it can go further from there. Of course, that's one of the valid concerns. But having people having the opportunity to go to an open source system, go to Linux, go to some other system where this requirement wouldn't necessarily be there, I think is going to be become much more. It's going to be lead to more incentives for people to go in that direction. But of course, the other component of this bill is not just the operating system component, but also the applications and the software, right? So the operating system will collect your age, and then it has to send that age signal to software companies, to developers, to apps for you to use the app. So of course it going to lock certain people out because if you not using a system that collects that age data system the age signal if it not collecting say you are on Linux and it not collecting that age signal then when you go to log into Facebook, for example, or you go to log into some other application, maybe on your phone, because you could use, you know, Graphene OS on your phone, you could de-Google it and do all of that. Well, you might not be able to have access, as one of the earlier panelists said, you might not have access to these types of systems because there's going to be no age signal generated from Linux. So we're basically going to be creating a system in which people are going to be siloed and really through force of law now with Senate Bill 51 being pushed into a situation where there's legal requirements, where people are going to be, hey, if you want to, you have to follow the law, if you want to use Facebook, you have to follow this law if you want to use TikTok. And that's pushing us into a dangerous place for sure. So I think the open source freeware kind of solutions are there and are important, but we have to recognize the majority of Coloradans, the majority of people don't use those, right? I mean, the majority of people are using Windows, they're using Apple, they're using these different systems, and they're going to have to go along with this. And it'll be very interesting to see, but I really appreciate the question. Thank you. Representative Kelty. Thank you, Mr. Chair. And to follow up, Mr. Work, thank you for that. I appreciate that. And, you know, in the age of hackers, you know, nowadays being smarter than ever, being more devious than ever. Do you believe that by individuals now going to open source, freeware, shareware, all of that, do you believe or could you see this being a cybersecurity nightmare with them being able to steal even more data and doing even more harm, not just to adults, but also to the children? Mr. Work? Yeah, I appreciate the question. Definitely. You know, as previous panelists have pointed out, when you're collecting this data, sure, There's requirements that it can't be just given out to anybody, right? It's a signal. It doesn't have any more information than that. But nonetheless, that is information that people can use to determine who you are. You know, they can determine, say, okay, this person is under 18, and maybe they can be targeted for horrible purposes. But just knowing also, hey, this is an elderly person. They're more likely to vote, right? You can start narrowing it down. When you get somebody's age signal plus other information that you can collect through other apps, through Internet use, Now, all of a sudden, you're building a profile and you're building an idea of who these people are. And companies are already doing this. We know this, of course. This was discussed before where we all have kind of this digital footprint and this digital portfolio that's being created around us just by using the Internet, right? Just by getting on social media platforms. They have so much information and we can be marketed to in so many different ways. But, yeah, just giving more information out there and really creating a situation in which all our data is going to be potentially centralized on a system, at least having to do with age. So if somebody finds an exploit, somebody finds a way to get into the system and say, hey, we can leak everybody's age data based on all their usernames on some sort of a social media platform or some sort of app. If the app is collecting that age signal, somebody can create an app that's just going to collect that age signal data and then, you know, put it out there. I mean, or it gets hacked or it gets stolen. And all of a sudden, you know, this is it's just another step in the direction of less privacy, less of our data being protected and moving us in the wrong direction, I would say. Thank you very much. Mr. Corby, I have a question for you. We have seen in the UK adopt an age verification system, and we are seeing, at least from my viewpoint, that we are seeing a lot of people try to bypass the system by logging into jurisdictions that don't have age verification through VPN or otherwise. this age verification team seems to be the next step and this is just age attestation. Why isn this a better solution given the context of my understanding Mr. Corby. Two parts to your question. First of all, the evidence from the regulator here, Ofcom, is that there was a very small increase in the use of virtual private networks at the time of the age verification for pornography. and the evidence from two major charities is that children are not using virtual private networks anymore so there are there are some adults who don't want to do age checks who are using vpns slightly more than before i think about 250 000 from the top of my head so however you can always spot vpn traffic and the platforms should be applying age verification uh to traffic which is obviously coming from the uk um even if they're coming via a vpn there's a lot of other clues particularly when we're talking about people who use social media you know the way they interact what they post about what they talk about who their friends are gives you a pretty good idea if they're in shall we say colorado or not um so i i'm not going to try and advocate for the way we're doing it in the uk europe australia many other parts of the world 25 us states for for pornography um that's tried and tested my real concern with this bill is the unintended consequences people haven't thought through the issue around the way the device has to sign the age signal to make sure that the platform can believe it's true and not spoofed. And that process of signing that signal is opening up a whole new vulnerability in terms of the ability for big tech to be tracking what we're doing online, frankly. I have written to the committee. There's a lot of detail in our letter. Thank you, Mr. Corby, representative leader. Thank you, Mr. Chair. And this is also for Mr. Corby. You had mentioned that Google was a big supporter of this and wrote this. Can you expound on that? I didn't say that Google had particularly, but big tech is very keen, obviously, on the effectively the safe harbor that this gives them. Yeah. At the moment, they are vulnerable. If any any social media platform or any of the large tech companies, you know, allows children to come to harm, then people. We've seen that in New Mexico and in California. I'll be giving expert evidence in the New Mexico case myself shortly. And they desperately want this safe harbor. They are. This is what is driving everything in this this technology right now. It's and there's a lot of, you know, well-paid lobbyists, I'm sure, who are arguing in Washington, D.C. to try and get federal legislation that will will give the same sort of protections that 230 has given these these platforms for many years. any other questions seeing none thank you very much witnesses for your time and your testimony we'll be calling our next panel this will be let's see the panel for four okay let's start with Carl Richel or Richel Ben Thievin Jack Rosenthal Daniel Hollis and then we do have two other ones so this might be a little bit larger panel Catching Valentinas and Kira Hatton and Jeffrey Sturr if you are in the room alright so we have three in the room two online and we all We'll start with our witnesses in the room with Mr. Richel. I'm Carl Rochelle. I am the CEO and founder of System76. We are a local computer manufacturer specializing in Linux computers, and we have a factory in Denver, Office 70, and Peoria, where we manufacture computers. I'm here to testify as a participant in the open source community and in support of SB51 as amended. As much as I would like to say I'm speaking on behalf of the community, that is not really possible. The open source community is a distributed group of individuals and companies building software together. We all have different perspectives, but what binds us together is a shared belief that software should be free to copy, free to modify, and free to redistribute. People arrive at that belief for different reasons. For me, it's because the computer is the most powerful and versatile technology we've ever created. It is foundational, accelerating innovation across industries, from agriculture to energy to healthcare. Nearly every modern breakthrough builds on computing. Because of that, everyone should have access to the ability to create with a computer. Open source software makes that possible. It ensures that anyone, regardless of age or background, can learn, experiment, and build at the most fundamental level. With the rise of iOS and Android, we've come to think of operating systems primarily as platforms for consuming apps. But there is another world of computing, one centered on creation, where people build and share free software, collaborate openly, and drive innovation that ultimately benefits everyone. The original language of SB51 unintentionally swept that world into its scope. The bill's authors listened to feedback from the community and created a collaborative process to improve it. The result is a much stronger policy direction that focuses on commercial app ecosystems, reduces unnecessary data collection, and protects open innovation. Specifically, the amendments focus the bill on commercial application stores rather than open computing platforms, limit age-related data collection, and it's... Thank you, Mr. Rochelle. Your time has expired. All right. Mr. Teevan, you have two minutes. Please tell us who you represent and please proceed. Mr. Chair, members of the committee, I'm Benjamin Teevan. I'm here today representing TICTOK-USCS Joint Venture. We believe Senate Bill 51 threads the very careful needle between child safety, civil liberties, and cross-jurisdictional platform operability. we thank Senator Ball, Senator Liston and representatives Ricks and Paschal for their leadership on this and we urge the committee to vote yes. Thank you. Mr. Reister, please tell us your name, who you represent and you have two minutes. Please begin. Thank you Mr. Chair and members of the committee my name is Jeffrey Reister. I'm here on behalf of the Department of Law to speak in support of Senate Bill 51. Our office has been involved in social media legislation policies for the last four or five years since our office did a report related to fentanyl and the impacts on social media and the access that can can happen on social media platforms um age gating and age verification or age attestation or whatever you want to call it has been an issue that has very much been on our minds over the last few years we're excited to see a policy moving forward that can set a strong foundation to build additional protections operating signals is something that we have found to be a consistent measure easier than instead of going from platform to platform site to site where as people have said individuals can change their age provide confusing information, and ultimately muddy the water even more by having one signal that provides this information to those software platforms can ensure more certainty. If additional information is found, then that company can obviously treat that age different than what that signal is. I know there have been some concerns and questions around clear and convincing standards as far as the knowledge for those companies. I'll note that we would have no concerns if that was lowered to ensure that the companies that hold so much data about you have enough information to reasonably know or to understand based on data that they have access to or available to them or is actually used by those companies. So that's something that is for this committee and the sponsors to discuss. But I wanted to note that that's something that we would be very open to. it would not change their support if that change was not made. Other than that, I'm very happy to answer any of the questions that you all have. Thank you so much. Thank you, Mr. Reister. And then before we move on to our remote witnesses, is Kira Hatton in the room when she's online? All right. Ms. Hatton, since I've called your name because I thought you were in person, but you may go ahead first for our online witnesses. Please tell us your name, who you represent. You have two minutes. Okay, great. Thank you so much. I wanted to thank you for this opportunity to testify and also thank the bill sponsors because they have been really thoughtful and consistent in their engagement with stakeholders over the past several months. Ms. Hatton, I'm sorry, could you tell us who you represent? Oh, my apologies. Kira Hatton-Sennett, the political director at Cobalt Advocates. Thank you very much. Please proceed. Okay. I did want to start by thanking the bill sponsors for their thoughtful and really consistent engagement with stakeholders over the past several months. We've appreciated being a part of this conversation since December, and it shows in the amendment that you brought that is coming forward. We also want to thank them specifically because we have had major concerns with data privacy over the last several years. And we find that this particular effort has allowed us to give great input and maybe we can head towards a better direction because we do support the goal of creating a safer online environment for young people. while minimizing the collection and sharing of personally identifiable data. We really appreciate the shift towards the age bracket data rather than dates of birth and clear intent to limit unnecessary data collection and sharing. These are really important privacy forward choices. We also want to offer a brief perspective from our work on healthcare access. While this bill is not about healthcare, it does create a new system for transmitting user data across platforms. As the system is built, it's important to ensure that it cannot be used directly or indirectly to infer or restrict access to legally protected health care, including reproductive and gender affirming care, known here in Colorado as legally protected health care. We also want to encourage this continued attention on how this framework impacts minors' ability to access accurate health information. Ensuring that young people can safely seek information without unintended barriers is critical to the success of this policy. And we offer these comments in the spirit of partnership and with appreciation for this work that has gone into this bill. Thank you, Ms. Hatton. I'm sorry, but you're... We will never take that position. Thank you so much. Thank you, Ms. Hatton. Appreciate your testimony. Since this is a mixed panel, we're going to go remotely to Catching Valentinas, who's registered in the against position. catching Valentinius please unmute Tell us your name who you represent and you have two minutes Thank you Mr Chair members of the committee My name is Catching Valentinus representing myself in strong opposition to Senate Bill 51 As with most overreaches of privacy, this bill is premised on protecting children. But this bill does not yet do up front or what this bill does not yet do up front is require individuals to provide their legal identity. But yet, Senate Bill 51's attempt to protect children creates one of the worst threats to children in the modern age. But how? Popular applications have taken lengths to age gate underage users into appropriate digital spaces where they can interact without risk of exposure to adults. This bill is designed to directly support and reinforce this age-gate model so that it may be applied more conveniently on a wider scale to allow applications to protect more children. Doing what we can in society while preserving civil rights is noble, and yet the vision Senate Bill 51 communicates is misinformed because this age-gated online experience is certain to do more harm to modern children than good. Modern children are more likely to be unsupervised users of technology than in the past. Senate Bill 51 will provide dangerous predators with a tool endorsed by our General Assembly, which allows them to shop for victims by age bracket. Predators would now be able to maliciously disguise themselves with an age signal to gain access to restricted spaces online with no adults present where they may victimize supervised children. Unsupervised children. What has been sold to parents as a path to child safety will become a new convenient way for evil people to identify, contact, and coerce children into trafficking. and digital space is guaranteed by industry standard systems to restrict law-abiding parents. For the sake of Colorado's children, this bill must not be allowed to pass. I urge this committee to vote no on Senate Bill 51. Thank you, Mr. Valentinas. Our last witness is registered for the bill, Jack Rosenthal. Please unmute yourself to see who you represent, and you have two minutes. Good afternoon, Chair and members of the committee. Thank you for allowing me to speak today. My name is Jack Rosenthal. I am representing myself as an open source software developer and somebody who has contributed over 5,000 commits to the open source Chromium OS project, as well as to the Linux kernel. I had initially testified against this bill in the Senate committee. There was a lot of issues with it at first, a lot of things which I think you've heard from people previous to me, issues that are brought forward to the open source community and what we can do as small hobbyist software developers. I believe L004 fixes all these issues. It makes a blanket exemption for software which is distributed under an open source license, one which is free to redistribute without any restriction. And this model represents every single open source license, which is respected by the opensource.org definition of open source software. I believe this resolves my concerns at this point and that we ought to see that this ought to have no effect on Linux or any of the other open source operating systems. Thank you very much. Thank you, Mr. Rosenthal. Committee members, we do have one other witness, Daniel Hollis, who is registered for questions only and is remote. So, committee members, do we have any questions for this panel? Representative Kelty Thank you Mr Chair I think my question is for Mr Valentines Mr. Valentines, can you expound on what harm could be done with just age data collection? Sure. Mr. Valentines. Thank you, Mr. Chair. Representative, so this bill is asking for users to disclose an age when they're using a device. Particularly, the parent is supposed to select the appropriate age bracket for their child. And so we're going to assume that most users of this technology are going to use it in good faith. Seeing that this bill does not currently overreach and require, or even further, and require that you validate your age through some sort of legal means, predators have the ability to now shop for whichever age they're looking to target. Platforms such as Roblox and Discord have age-gated programs where they want to keep adults out of spaces where these younger age brackets are, which they have already had terrible rollouts of. They've had so many problems with being able to or in their attempt to protect children where what they're doing is they're creating a space where children are set in these digital spaces with themselves, if they've been set up, had the space set up by their parent. And then there are no well-intentioned adults in there because they've also designated their devices according to the intention of the policies of these companies. And then predators have been able to infiltrate these spaces. What this bill will do is give a general assembly approved process by which a predator can lie about their age and where a developer is. is told to take this signal at face value and then place predators without any other form of verification in the spaces with children according to the predator's preference and target. Committee members, are there any other questions for this panel? Representative Richardson. If you have a follow-up. I have a follow-up. You have a follow-up. Okay, if you have a follow-up, Rep. Kelty. Thank you, Mr. Chair. And Mr. Valentino, thank you for that. And can you see how if a developer, someone who creates the software or writes the code, how they may be able, if they were a predator themselves, be able to use this data against a child? Mr. Valentino? Thank you, Mr. Chair. Madam Representative, this data can most certainly be weaponized. The barrier of entry into, let's say, the Apple App Store or the Google Play Store or these other marketplaces, which the bill is targeting, is dramatically low. There's no residency requirement for apps to distribute. distributed to parents in Colorado who would be downloading applications designed by predators across the world, designed for children, which will now be required to be shared this child's birth date or age bracket by state law. Representative Richardson, you have a question now? Thank you, Mr. Chair. This is for the AG's office. I asked this of an earlier panel, but under the penalties portion, where it reads that the Attorney General shall assess and recover the penalty in civil action, it's predicated by a person violating either knowingly or unknowingly in different fine levels, but it's applied against each minor that's then harmed. Could you kind of lay out how something like that would be approached? Because it seems like there's no de facto harm that I see in the bill from just accessing something that didn't properly use the age signal. So would the proving of harm be difficult and based on the previous testimony where that harm could potentially accumulate months or years down the road based on information that could have been collected, how do you approach that? Mr. Easter. Thank you, Mr. Chair. Representative Richardson, it's a great question. At a high level, what has to start or generally starts with a complaint, and so that's where we first really identify that harm. But we also work with federal partners, other state partners, where activities might be more impactful or more direct to their constituency versus ours. But that company might be operating here. The harm here is not necessarily what an individual is accessing, depending on the age that they provide. There are other laws and potential civil liabilities, potentially even criminal liabilities, depending on what they're ultimately accessing. The harm that we're talking about here is ultimately is a company operating by the rules of the road as defined by the legislature. So there are companies who are going to make investments into their systems, into their software, in order to have this system to ensure that someone is properly routed through, is appropriately age bracketed or however they ultimately decide to do it. Whereas a company that doesn't do this essentially has an unfair advantage because they didn't do those same compliance efforts. They didn't do those same software coding efforts. And so the harm is really ultimately to other companies who have made this investment. And the idea here is that we want to be able to have civil liability to ensure that everyone has that level playing field, fair competition. And ultimately, any user that is accessing any platform has the same experience and the appropriate level of access to whatever content is on the other side of that age bracketing or standards. Just a quick follow-up. And thank you for the explanation. The wording is, though, that minor is harmed, so that doesn't seem like it would impact harm to those that are playing by the rules, but it's harmed to the specific minor. It seems to be the way it's written. Mr. Easter. Thank you, Mr. Chair. Representative Richardson, yes, the harm to the users is ultimately that they are not going through the proper channels. So it's not, again, necessarily what the content is because there can be, I think as someone said earlier, there's age verification for cigarettes and alcohol. You can buy it but not drink it or smoke it, right? The harm is ultimately the purchase of the access. And so if it is not properly verified in order to get them to that site the harm is that they went through a system that was not appropriate whether that security standards or something else Okay, thank you. So you know, for the questions from committee members, witnesses, thank you for your testimony. Before we close the witness testimony phase, is there anyone in the room who has not had an opportunity to sign up who would like to testify? Going once, going twice, the witness testimony phase is closed. Sponsors, can we come back up so we can get to our amendments? Madam Chair. Yes, we have three amendments today, committee, that we'll be moving. I move L005 to SB051. That's a proper motion, seconded by Rep Morrow. Madam Chair, please explain Amendment 5. Or Rep Paschal, please explain Amendment 5. Hang on one second. Sorry, we have an ordering problem. Mr. Sweetman, OLS. Thank you, Mr. Chair, members of the committee. The base amendment before you is amendment four, and five and six amend four. So I was suggesting that four should be moved before five is passed. So, Madam Chair, if I could have you withdraw your motion. I withdraw the motion of L005 to SB051. Amendment 5 has been withdrawn. Madam Chair? I move L4 to SB051. That's a proper motion. L4 has been moved and seconded by Rep. Morrow. Rep. Pascal? So now we've got move 5 and 6 and vote on 5 and 6. Okay, I move, and now I move L-005 to SB-051. That's proper motions. Amendment L-5 has been moved, seconded by Rep. Marl. Representative. I move L-0. Okay, go ahead and talk about 5. Okay, sorry about this, guys. Okay, so L-005, as I mentioned earlier, when a rep leader asked the question, L-005 fixes the references in L-004 that were incorrect. I move, oh sorry, Mr. Chair. Do we vote on this? Yes. Okay. Any questions on Amendment L-5? Any objection to L-5? L-5 passes. I move, thank you Mr. Chair, I move L-006 to SB 051. That is proper motion L has been moved seconded by Rep Paschal Thank you Mr Chair So L is an amendment that we are bringing on behalf of the Motion Picture Association and it is to address their concerns about how this impacts streaming platforms like Netflix, et cetera. And it describes a different kind of account that is not included in the bill, and it's what we're calling family accounts. And so that is an account where you have like a prime owner and then you have subaccounts for the children. And the subaccounts will have their own parental controls on them and the system will just see the parental account. So we're making sure that we are viewing this as the parental account when they're being checked and that the parental controls on the system will take the highest precedence on that system. Is there any questions about Amendment L-006? Is there any objection to Amendment L-006? Amendment L-006 passes. Sponsors, do we have any other amendments? No. But would you like to talk about another amendment? Yes. Madam Chair. Thank you. We would like to talk about L-004. Rob Pascal. Thank you, Mr. Chair. Okay. So L-004, as you've heard some folks speak on, It's our strike below amendment. This has come out of a lot of conversations with different organizations that have come forth with concern after the bill was passed in the Senate. And this was spoken on by Carl Rochelle. We had conversations with the open source community. The intent was never to include them. So we added language to make it clear that we were not including the open source community. We also, hang on one second, we also added on further restrictions about the applications in that the application has to be something that is processing some kind of personal information information about the user. And we also increased the options on entering the original data about how old the user is to include the possibility of including an age bracket if that is appropriate under the circumstances where potentially someone could say, I'm an adult. Or they could say, I'm the lowest age bracket if that's what they want. As someone who testified mentioned that would be their preference, they could still do that. So that's the content of that bill. And I think that's a gist of it. And I will make some further comments in my wrap-up. So before we ask any questions on Amendment 4 as amended or take an objection, Madam Chair, could you please move Amendment 4 as amended? I move L004 as amended to SB 26051. That's proper motion. L004 as amended has been moved and seconded by Rep Morrow. Is there any objection to amendment L004 as amended? Seeing none, amendment L004 as amended is passed. Sponsors, any more amendments? No. Committee members, any more amendments? Seeing no amendments, the amendment phase is closed. Wrap up. Who would like to go first? I'll go first. Madam Chair. Thank you, Mr. Chair, and thank you, members of the committee. You know when it comes to privacy I think we can all agree that we want to limit access to software companies And whenever you go online you already feel like you being invaded because people can still chase you online They know who you are because they already offering you things and there so much data that's already been collected. But in this case, this bill we think is threading the right balance between privacy and how much information you're given. You don't want to go online and have to offer like a blood sample in order to use the software. And we think that by doing age brackets for attestation versus, you know, putting in an ID or doing a facial recognition type security is better. And we think that this is something that provides that safeguard. Currently in Colorado, there is the Privacy Act, Colorado's existing Privacy Act that companies have to abide by. But there are no legal obligations to protect minors. There's no clear standardized way for them to actually know who is a minor, and this bill creates a simple, consistent process for age information to flow from devices to app. And again, this is pretty straightforward. When you set up a new phone or computer, the operating system is going to ask the user's date of birth. That's it. At that moment, you're already setting up your device. The age attestation input happens upon setup, and it's not something that can be changed in settings by a user without a hard factory reset. And so, again, it's very minimal information, but it strikes a balance to try to protect Colorado's children. We heard a lot about people using this information to groom kids and to do all these things, but right now there's nothing out there that protects our kids here in Colorado. We're not asking for facial recognition. We're not uploading a government ID. There's no sensitive data that's been given except for you can say the person's 16. You can say there's an age bracket, and you have those choices. The strength of this bill is that it's shared across the entire ecosystem. No single party carries all the burden. We have exempted open source corporations, and there is still a privacy aspect of it. We really think that in this digital world, our children are growing up in, it looks nothing like what it was when we grew up with apps. And apps are designed deliberately to capture attention, to engage or retain people. And far too often, children most at risk are the ones that companies profit from the most. this bill doesn't ask for much it asks that when a parent sets a device up for their child that information actually means something it travels with the children now of course people if somebody wants to lie and say that they're a certain age you can't prevent that we're not in every home we're not you know going to be looking in every place but this is something where currently nothing exists. We urge for your yes vote to protect Colorado's kids because they're worth it. Thank you. Representative Paschal.
Thank you, Mr. Chair. I wanted to go through and address some of the things that we heard during testimony. Firstly, we did hear a lot of testimony from people who are experts, meaning their developers. so I wanted to make sure that y'all know that I have a master's and a bachelor's in computer science a master's was in operating systems I worked in the software industry for over 20 years doing development. And so I think I do bring some expertise here. And one of the reasons why this bill, I don't know if anybody noticed, but it got out of the Senate and it didn't get introduced in the House for some time. Like, I think it was almost a month. And that's because I wanted to address some of these concerns that have been raised today because I did see them in the bill. I did not, I was not one of the original, I wasn't the original author, like Senator Ball wrote it, and I didn't come in until after it was introduced. So I wanted to make sure that some of these issues were addressed. And one of which, of course, was open source, because I worked in that industry. And I realized that that is something that you really can't track the owner of open source software. And so it just doesn't even work doesn't make sense. So that was one of the things that I wanted to make sure that we exempted. I also want to just address some of the things that were stated. Some of the arguments against this bill were viewing it as the meta bill. There is a bill out there that meta is behind that has been passed in several states. It is not that bill. That bill is about age verification, not age attestation. And again, age verification requires proof. It requires uploading some kind of documentation as to how old you are, be it your birth certificate, be it facial scan, be it following your behavior and guessing how old you are. Those are all kinds of different things that can be used for age verification. As you heard, there are companies that are in the business of age verification. This is not about that. And in fact, Metta opposed the bill that was in California that this is based on. So just clarifying that. I also want to clarify that the liability for protecting the kids is not just on the apps, it's not just on the OS or the application store, however they implement it. It's a shared responsibility between both, and that's I think where it should be. I don't think we should let all the app developers off the hook for having some kind of responsibility for the content that they serve up. And certainly I know there's a move by some applications such as Facebook to try to avoid having to take responsibility for the users, I am not in favor of that. And that is not what this bill does. Some folks have argued the bill doesn't do enough. And you could certainly make that argument. This bill, for instance, this talking about the addictive algorithms used on children, and I know that's absolutely a thing. And this bill does not preclude doing that sort of thing in the future. That's just not what this bill is about. You could still do that. It doesn't preclude a particular application that definitely has a strong reason to keep children out, such as a pornography site or a site that sells liquor. Those kinds of systems or any other app could have stronger verifications of the age. You could require to upload your driver's license or whatever you want someone to prove. means that you want to use to prove that that person is adult, you can still do that. This bill does not stop that from being done It also does not request an app to go beyond the information and the age signal So we're not asking the app to go out and try to figure out and verify further how old the kid is. You could do it. It may be required in a particular situation, but it is not being asked for in this bill. Sorry. One person spoke about the idea of using more device level or platform level controls. This bill doesn't preclude that either. That could be done. The bill does not mandate content level control. It could certainly be done. But right now Colorado law doesn't mandate that. We have the mandate of privacy controls. The data of the minor needs to be handled in a different way than the data of an adult. And this bill does mandate that you follow that law. If we were in the future to decide that we wanted more content controls passed in legislation, we could and this could be a way to gate that type of content. But this bill itself does not ask for that. And also, just going back to the concept of older software, software moves forward. It doesn't move backward. We never require backwards compatibility. That's sort of a standard thing in the software industry. Because if software was written before and it's no longer being used, it's not going to get updated. And that is a well-known fact of software, is that if you're using older software that doesn't get updated or you're choosing not to update it, you're not going to get the latest version. And that's just how software works. So in short, I think, as Rep. Rick said, I think this bill finds the right balance between collecting a lot of information and keeping our kids safe by making sure that apps know that they are a child and can't claim they didn't know. So I think it strikes the right balance there. But as I said, if it's determined in the future that we want to go further, this does not preclude that. So I hope you agree that this is a good balance, and I ask for your aye vote.
Kim, are there any closing comments about Presenter Brooks?
Sure, thank you There's a lot that I appreciate about what was just said for a few reasons one, because it shows that you were paying attention to, yeah, not just paying attention, but you were listening actively listening to the witness testimony, which I found interesting myself and compelling and I appreciate you taking notes and in your closing comments, modifying those from what may have been presumably a prepared speech and instead speaking directly to the concerns that you heard. Also appreciate the time that you spent in the industry. So anything that I say after this, do not perceive that as me glossing over the fact that you have experience in that area and I would go so far as to call you an expert in that area. However we heard from a number of others that are in that field and the concerns that they expressed I find relevant I don't know if it's necessarily just kind of the porous nature of the architecture of this bill itself that you can't really get into this area without it opening up another area, You know, where by the age verification, we're giving the very bait for the social media companies or other apps to be able to use to be able to identify the age and then specify the ads or specify whatever they need specifically to that age group to be able to get the wanted outcome, right, the desired outcome. We know you mentioned it, that it's proven that this has been done and continues. That's the reason there's a like button, right? It's like, oh, what is going to keep people more engaged? And the more information that we give to those developers, honestly, it can be used for sinister intent. And I believe it will be used for sinister intent. So the intent that you have, I think, is strong. You know, we're trying to put up a shield for kids. However, I've heard other bills and other testimony that may or may not have been presented by people on this very committee about, you know, testimony or bills that you're trying to shield from AI chatbots and things like this. And so if we're truly trying to protect kids, I think we need to be a little bit more complete in the approach that we're taking here. And I feel like this just has too many back doors and too many ways that still allow for the very nature of the things that we're trying to avoid to get right in there. So I'm a no on this, although I really respect the work that you've put into it and your willingness to bring a strike below on a Senate bill to be able to address some of the things that you personally have seen as the weaknesses in it. However, I think there's still too many weaknesses in it for me to be able to support. Thank you, Mr. Chair.
And thank you for bringing this forward. I like the conversation. It's kind of my field. I've been in IT since 1998. So if that doesn't age me, I'm not sure what does. But, you know, and I know this comes from the right place. It comes from your heart. I understand what you're trying to do. We all want to protect our kids. I'm a mama bear like none other. But there's a lot of things in the bill that I think maybe there's a different bill that we can come up with, but I don't think this is the bill that's going to do it. And first and foremost, aside of what it's trying to do, and I don't believe people realize what all the First Amendment protects, but it protects code. And it protects because it is a written code. is seen as not quite an art form, but it is protected. It's speech in a way. It's a language. And this very much would violate the First Amendment going through the entire bill. Software code is considered protective speech, meaning that it's protected, again, by the First Amendment, and I do believe it violates it. I think it also compels speech which again is a violation by force of the design and the communication in a specific way That would be the compelled speech that it would violate which is, again, protected by the First Amendment. And I don't see how going through the bill and what's intended with it through the companies, how it's even enforceable, especially with those companies who are outside the country, which we see many of the apps and the softwares that the kids are using are from. I don't believe it addresses shared devices like in a public library, public computer resource centers, which many people who don't have the money to own their own computer, they have to use. And I can see a problem with that. And there's no ability to uninstall or even toggle or anything like that. So I can see that being an issue. And aside from being unconstitutional and also unable to enforce it across country lines, the fact that it will increase data collection. And I'm very much against the collection of data. We harp on the usage of the data and people buying the data and using the data. I believe that the head of the snake is in the collection. And if we could do something about that, that would be a great thing in my world. And I know a lot of my constituents are, they stand on the same lines. It's the collection of the data that seems to be the issue. I believe that this would give with the developers, and we see predators all over the world and many factions in every corner, and I believe it gives them an even easier list of minors. I mean, it's like, here you go. Here's a whole list of people who are underage, which we know those are the ones they target. And predators are so devious in the ways that they try to get at our kids. They'll do anything. And by handing them a list, I can't agree with that. And I believe that, as was said earlier, that larger companies are perfectly fine with this because, again, it gives them more data to collect. And I believe it gives them an even more legal road to do the collection of data, not just on our kids, but also us as parents, as adults. We don't know who's able to, once they collect that, who's able to get their hands on that data and how will they use it. you know, a smart predator who could hack themselves into these devices, after obtaining that type of data, they could target kids even more and more precisely. So many people, as we know, a lot of people don't even update, you know, their software updates. They don't do their security updates. And they have huge gaping holes in their home security systems on their IT security. And I just see a lot of things happening with this that could actually be more harmful than good. But I know that you mean only good. And it gives me great pause. And in the end, I believe that it's not really the responsibility of the operating system companies. I don't believe it's the main responsibility of the app owners. I believe it's the responsibility of the parents. And if parents are engaged in their child's life and they need to make sure that they keep them safe themselves, and that's, I think, where the main responsibility lands. So thank you for bringing this. I understand why you're bringing it. I understand your heart's in this, but because of all of that, plus more, which I know you're probably tired of hearing me talk, I will have to be a note today. Thank you.
Thank you, Mr. Chair. Thank you for bringing the bill, because we know our children definitely need to be protected because they are not. We are wide open. I would love to see the laws of the U.K. here. Thanks for the amendments, L4 and fixing L5, and then L6. I was kind of curious as to why the motion pitchers were opposing the bill. And I also know IOTI, the labor union, does represent people in the motion pitcher organization, so I didn't see where there was any stakeholding with them. I don't know. Maybe you just didn't mention it. But I would like to know if you'd be willing, if you haven't already, to reach out to IATSE and to see where they stand with this as they represent people in the motion pictures as well and theatrics and everywhere. So I would like to see you be willing to do that. I am struggling with this. I hate data privacy. I hate them collecting our information. I shouldn't say I hate data privacy. I like data privacy. I don't like them collecting our information. As you know I brought a bill here for homeowner insurance but a lot of people didn see fit because you know insurance companies they have a lot of money just like the AI people do And I don like homeowners insurance companies selling my information my personal information like driver license social security number And so I definitely want to make sure that we have something out there to protect our children. As long as you know, keep working on this. I'll be a yes for today with it, but I do want to see more discussions happening with this because there's got to be something that protects our children because I would never support an ID verification. But thank you. Rob Sucla.
Thank you, Mr. Chair, and thank you, Bill Sponsors. So the only question I asked actually is where the bill came from. And somebody that was in testimony, a witness, said that you need to send this bill back to Silicon Valley. And I really believe that that's where the bill originated from. We said that it started in California, but somebody gave it to those California legislators, and I believe that's where it originated from. And the testimony was very ironic that there was a lot of people against it. And the three that really stuck out that was for the testimony triggered me because in this building, somebody always wants to get something out of something. And so the person for TikTok they going to get cover for the bad actors in my opinion with this bill The AG is going to get a pop for every violation so they going to be enriched by the a pop And then open source is going to get more traffic. And the only people that are left out, in my opinion, are the children that this bill is trying to protect. So it's very disheartening when we have these experts that know more about this subject than probably everybody in this room tell us that they don't think it's a good bill. I'm going to have to rely on those witnesses. They were very compelling, and I'm going to have to be a no because of those witnesses. Thank you.
Any other committee members?
I would just like to say thank you to the sponsors for bringing this, and thank you to the witnesses who testified. I think they gave all of us a lot to think about, and I just wanted to push back on one thing I heard. that software code isn't a First Amendment thing. It is a First Amendment thing, correct? You do have the right with your software in that space. But that's the one pushback I have. But otherwise, fantastic job, everyone, sharing your thoughts. And this is your government at work. So we appreciate that.
And Ms. Erosia? Oh, wait. Madam Chair, it is your motion to move.
Thank you, Mr. Vice Chair. I move SB 051 to the as amended to the Committee of the Whole to the Committee of the Whole with a favorable recommendation Second that a proper motion second by Brett Morrow Ms Arroja please call the roll Representative Brooks No English Yes, for today.
Gonzalez. No.
Kelty. No.
Leader. Yes, for today.
Mabry. Yes.
Marshall. No.
Morrow. Yes.
Richardson. No.
Raiden. Yes.
Sukla. No.
Briggs. Yes. Mr. Chair. Yes, for today. That passes seven to six. Thank you, committee. That will conclude Business and Labor Committee for today. See everyone later this week or next week or whenever we meet. Have a great evening. Thank you.