Bold of you to assume that lawmakers have any common sense when it comes to technology legislation. It could have taken 3 interns 3 hours at each browser company to implement a cookie consent standard 15 years ago, yet here we are in cookie banner hell.

I think the header/metatag is designed poorly. The RTA proposal is that every operator of every site must verify the content and add the header to mark the site as "safe" or "unsafe". This is unnecessary burden that they have to bear if this proposal is given a green light and this is wrong.

Instead, the default should be, that if there is no header or it cannot be parsed, then the content is unsafe. And if there is a header, it describes the page rating, like what kind of dangerous content it may contain. The header may be added to any displayable content like HTML, text, images, audio or videos, but not to machine-readable content like JS files or AJAX responses.

So only those who wants their site to be accessible by minors, have to add headers. For social networks, the user might have an option to mark his content as "safe".

This means that with my proposal existing site operators need not to do anything to mark their sites as "unsafe" - all sites are "unsafe" by default. This means that millions of site operators need to spend 0 dollars to adapt their sites. How great is that?

The browser on a device with parent mode, should not allow displaying any content which doesn't have a header or that is marked as unsafe, or that contains header with invalid value. The parents may whitelist some sites.

There should be a reponsibility for intentionally marking unsafe content as "safe". We should also think what to do with foreign operators, intentionally putting invalid headers for unsafe content. Maybe they should be added to some kind of blacklist that the browsers would periodically update.

Search engines like Google could work by default in "safe" mode, but add "unsafe" header if the user wants to turn off restrictions.

> If a site is not adding the RTA header then progressively fine them into oblivion.

I think my proposal is better because it requires only fining those who intentionally misrepresent content safety.

No such mandates should take place at all.

Has this idea been discussed when drafting legislation? I mean are they aware of it but dismissed it for any reason or no stated reasons?

> If they are enabled and the person logged in is on a regular account (not admin or power user of sorts) then the base installation of web clients must check for an RTA header [1].

Your cite is an earlier post of yours which says

> The one and only method I will participate in is server operators setting a RTA header [1]

and that cites a still earlier post of yours

> I stand by my repeated statements of how this could have been solved simply using an RTA header [1]

which finally actually cites¹ something that explains what the heck on RTA header is.

It would be quite a bit more reader friendly to cite https://www.rtalabel.org/page.php rather than make the reader traverse a linked list of comments to get there.

¹https://www.rtalabel.org/page.php

I largely agree, but the RTA header doesn't seem to be good enough for most websites to use. When a website wants to block browsers with parental controls on, but it isn't porn and it shouldn't be blocked by SafeSearch, what do they do?

https://webmasters.stackexchange.com/questions/140733/how-to...

> The only device mandates that should be taking place is for the default installations of web clients should be checking to see if parental controls are enabled. This only impacts the major browsers. An intern at each browser company could add this check in minutes. If they are enabled and the person logged in is on a regular account (not admin or power user of sorts) then the base installation of web clients must check for an RTA header [1]. If present, prompt for a override password and also give the option for the admin to approve-list the domain at that time. That's it. Not perfect, nothing is or will be.

It's useful to contrast this with the various device-based mandates that have been created in order to get a sense of what legislators seem to be trying to do. With that in mind, a few points:

* What you are proposing allows parents to opt in via parental controls, but age assurance mandates (both device-side and server-side) tend to require positive action to enter unrestricted modes. In some cases (CA AB 1043, for instance), this is just a matter of entering your age. In others, you actually need to demonstrate your age via some technical mechanism.

* While many age assurance mandates focus on adult content, which is primarily consumed via the Web, others (e.g., Australia's Social Media Minimum Age) focus on social networking, which is primarily consumed via apps, so anything that is Web only will not be effective.

* Site-level granularity isn't really fine enough in some cases. For example, the New York SAFE for Kids act prohibits certain behaviors such as algorithmic recommendations when a user is a minor, but doesn't require blocking minor usage entirely. It's potentially possible to implement this with something like RTA, but it would have to at minimum be at much finer granularity.

Section VI of https://kgi.georgetown.edu/wp-content/uploads/2026/01/Age_As... goes into quite a bit more detail about various architectures (disclaimer, I'm an author).

None of this is an endorsement of age assurance techniques; I'm just trying to help flesh out the situation.

> All legislation regarding age verification must revolve around this otherwise people must reject it as an abusive form of tracking and privacy invasion.

It's a bit late for that, given that around half of US states already have some kind of age assurance mandate.

A) Aren't you targeting a completely different problem than this law? It's my understanding that this law targets the collection of the age from the user. What the user agent does with that signal is a different problem, and seems to already be solved, except for the definition of "actual knowledge" which they are trying to establish here.

B) How would your RTA header intersect with content rating in different jurisdictions? What if the content is illegal for children in Turkey but legal for children in Kentucky?

> An intern at each browser company could add this check in minutes.

An intern could also just delete the product which would also "solve" this "issue". The fact that it's easy or cheap is not significant to the problem at hand.

> should be doing is setting an RTA header

Many sites will just set the header by default. Now you've created a problem.

> then progressively fine them into oblivion.

This does nothing. See: Ofcom vs 4chan.

> device mandates

Mandate that the device provide an API for child protection software. Then it's up to individual parents to decide to install that software or not. Then we also get competition in this market rather than relying on whatever solution an intern cooked up one day.

Absolutely trivial and totally comprehensive solution, enabling adult content blocking at the account level, device level, network level, and the ISP level. Could even be expanded to any sort of content blocking, if you want to allow households to restrict access to vaccine critique or criticism of the king without violating the First Amendment or rooting everyone's devices.

The problem is that the point is to root everyone's devices. Anyone explaining how easy this is would be pushed out of the conversation as fast as if they were advocating for single-payer healthcare.

edit: I've been advocating the nearly identical but opposite solution - restricted access sites shouldn't respond to requests that lack an appropriate age/content restriction header. If they do, jail them.

They're literally going to have to do this anyway. Rooting people's devices to force them to lie about their age when they install their operating system is an absolutely fake pretendy solution; the only way it works is if you have to verify your age with some government agency when you install an operating system, in order to make that OS age official. The point is the identification.

Thats crazy talk, how are we gonna build a database of computers tied to physical identification of users by which we can monitor, control, and monetize… you’re saying parents should be responsible for their children? How is the state going to be able to exert more control if it doesn’t have ubiquitous surveillance of it’s population!? /s