> daily_signal(2026_07_16)
California's legislature stripped the browser-and-website expansion out of its new age-gating law, and the EFF dropped its opposition — sparing web users a fresh ID check just to get online.
PickBits Daily Signal · Thursday, July 16, 2026
1. California's legislature stripped the browser-and-website expansion out of its new age-gating law, and the EFF dropped its opposition — sparing web users a fresh ID check just to get online.
This is the lead because it is a rare reversal in a one-directional trend and it hits every US internet user's ability to browse without handing over identity. California's A.B. 1043 (2025) already requires operating systems and app stores to collect users' ages and bracket them; a follow-on bill, A.B. 1856 (Assemblymember Buffy Wicks), had been on track to push that same age-gating framework out to browsers and websites — the point at which age verification stops being an app-store setting and becomes an ID checkpoint on the open web. The legislature removed that expansion language, and an earlier amendment exempted open-source operating systems, prompting the Electronic Frontier Foundation to withdraw its opposition to A.B. 1856. The load-bearing detail for a policy-aware reader: EFF's retreat is narrow and conditional. It dropped opposition to the amended bill precisely because the browser/website expansion is gone, while stating plainly that the underlying A.B. 1043 remains a threat to online anonymity and privacy, because any age-verification regime that maps a real identity to a device or account creates a standing pool of sensitive data and a chilling effect on lawful speech. The signal is that the specific, worst-case escalation — verify-your-age-to-load-a-webpage — was beaten back in the largest US state, but the baseline age-gating machinery is still law, and the same expansion will be attempted elsewhere.
Key fact: IF YOU BUILD, OPERATE, OR SET COMPLIANCE FOR A CONSUMER WEB PRODUCT OR APP, RE-BASELINE YOUR CALIFORNIA AGE-VERIFICATION EXPOSURE NOW — THE FLOOR MOVED, BUT IT DID NOT DISAPPEAR. The concrete change is that A.B. 1856's push to require age verification at the browser/website layer was stripped, so you are NOT (for now) facing a mandate to ID-check every California visitor at page load. But A.B. 1043 still stands: operating systems and app stores must collect and bracket user ages, and your product likely consumes that age signal downstream. Two moves: (1) confirm whether your compliance plan was written against the expansion that just died (if so, you can narrow it) versus the A.B. 1043 baseline that survives (which you still must meet); (2) if you were preparing to collect identity documents or run third-party age-verification on your own web properties to get ahead of the expansion, pause that build — collecting that data creates exactly the standing breach-and-chilling-effect liability the EFF flags, and the legal driver for it in California just weakened. Read the amended bill text (https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260AB1856) directly rather than relying on the headline.
eff.org · leginfo.legislature.ca.gov · primary source
2. A breach spilled Suno's source code and training manifests, showing the AI music generator scraped 2,013,545 YouTube Music clips plus Deezer and Genius — the concrete receipt the record industry's copyright suits have been demanding.
This is the AI-core story of the day for anyone who makes, licenses, or sues over creative work, because it converts a lawsuit allegation into a documented count. A security breach exposed the source code and training manifests behind Suno — described as one of the largest AI music generators on the internet — and the manifests enumerate exactly what went into the model: 2,013,545 clips from YouTube Music (roughly 113,879 hours), 12,287 hours from Deezer, and 17,615 hours from Genius, alongside Pond5, Jamendo, Freesound, the International Music Score Library Project, MuseScore, and podcast RSS feeds — 'at least decades worth of music.' The significance is evidentiary. Suno already faces several major lawsuits from the record industry and had previously admitted, in its own defense, that it trained on 'essentially all music files of reasonable quality that are accessible on the open internet' — tens of millions of recordings — while arguing the ingestion is fair use. What the breach adds is specificity the plaintiffs could not previously prove: named sources, per-platform hour counts, and in particular direct scraping of YouTube Music, which is the exact conduct the RIAA has accused Suno of and which YouTube's terms prohibit. For a policy/IT audience the throughline is that AI training-data provenance is moving from 'trust us, it's fair use' to a discoverable, quantified record — and that a leaked manifest can do to a fair-use defense what a leaked email does to an intent argument. The fair-use question is still open (one suit has reportedly settled), but the factual predicate underneath it just got a lot harder to contest.
Key fact: IF YOU LICENSE MUSIC, MANAGE RIGHTS, OR ADVISE CREATORS, TREAT THE SUNO MANIFEST AS DISCOVERY-GRADE EVIDENCE AND ACT ON THE PROVENANCE SHIFT. The single most useful fact for a rights-holder is that the training set is now enumerated by named source and hour count (YouTube Music ~113,879 hrs, Deezer 12,287 hrs, Genius 17,615 hrs), which is the specificity that turns a general 'they scraped everything' claim into a targeted one. Practical steps: (1) if you administer a catalog on YouTube, Deezer, or Genius, this is a signal to check whether your works plausibly fall inside those enumerated buckets and to coordinate with your PRO/label's legal team, which will now have a concrete factual basis to press; (2) if you evaluate or procure generative-AI music tools, add a training-data-provenance clause to your diligence — ask vendors for documented, licensable data lineage rather than a fair-use assertion, because the Suno leak shows how quickly an undocumented 'open internet' training story becomes a liability; (3) watch the settled-vs-open litigation split — one suit reportedly settling while others continue means the market price of a license is being set in real time.
404media.co · riaa.com · primary source
3. 23andMe reached an $18 million settlement with 42 state attorneys general over the 2023 breach that exposed genetic and ancestry data on 6.9 million people — and must now let customers delete their data and destroy their samples for good.
This is the day's clearest consumer-data story, and it earns a slot because it is the rare data-breach outcome that hands the affected person a concrete, exercisable right rather than a coupon. 23andMe agreed to an $18 million settlement with 42 state attorneys general to resolve investigations into an October 2023 breach that exposed the genetic ancestry data of 6.9 million individuals. The investigators' findings are the part that should shape how any org thinks about credential-based attacks: 23andMe had 'no protections against hacks relying on stolen credentials' and 'insufficient intrusion prevention measures,' and — the reputational core — the company 'initially denied that a breach had occurred and, after confirming it, blamed consumers for how their accounts were configured.' The settlement mandates new security requirements and, most importantly for individuals, preserves customers' right to delete their personal data indefinitely and to have their physical genetic samples destroyed. That right is doing real work against a live risk: 23andMe filed for bankruptcy in March 2025 and, after a $305 million asset sale in July 2025, the genetic data was transferred to the 23andMe Research Institute, a nonprofit founded by former CEO Anne Wojcicki — meaning the custodian of 6.9 million genomes changed hands during the very period the breach was being litigated. For a policy-aware reader the lesson is that genetic data is uniquely unrevocable (you cannot rotate your genome the way you rotate a password), so the deletion-and-destruction right is the only meaningful individual remedy, and it is now legally guaranteed for people who act on it.
Key fact: IF YOU OR YOUR FAMILY EVER USED 23ANDME, THE ACTIONABLE OUTCOME OF THIS SETTLEMENT IS A DELETION-AND-DESTRUCTION RIGHT — USE IT, BECAUSE A GENOME CAN'T BE ROTATED LIKE A PASSWORD. The settlement preserves your right to delete your personal data indefinitely and to have your physical saliva/genetic sample destroyed, and that right matters more than usual here for two reasons: the exposed data is genetic ancestry information that is permanent and shared with blood relatives, and the custodian changed hands (bankruptcy in March 2025, then the data moved to the nonprofit 23andMe Research Institute after a $305 million sale). Concrete steps: log into your account at https://www.23andme.com/, download anything you want to keep, then use the account settings to request full data deletion AND explicitly request destruction of your stored sample (they are separate actions); keep the confirmation. If you no longer have account access, contact 23andMe/the Research Institute in writing to exercise the same right, and check your state attorney general's site (e.g. https://oag.ca.gov/news) for any breach-notification or claims guidance specific to your state.
therecord.media · 23andme.com · primary source
4. Google signed the largest US solar-and-storage deal of its kind — the full 2.45-gigawatt output of Arkansas's Steel River Energy Center — to offset the data-center power its AI build-out is driving.
This is the constructive closer, and it earns the AI-for-good slot on the climate axis: the same AI demand that stresses the grid is now pulling record clean-energy capacity onto it. Google signed a long-term virtual power-purchase agreement with developer Cypress Creek for the Steel River Energy Center in Mississippi County, Arkansas — a project slated for three phases totaling 2.45 GW of solar and 2.9 GWh of battery storage, described as the largest solar development of its kind to break ground in the United States, with batteries supplied by LG Energy Solution. Google will take 100 percent of the initial output — 1.6 GW of solar and 2 GW of battery storage, enough to power roughly 315,000 homes — once it comes online in 2029. The honest framing a policy-aware reader deserves: this is a virtual PPA, so Google receives the environmental credits and a fixed price rather than the electrons directly, and it will keep drawing mixed grid power at its data centers; critics note the same solar farm could instead power those 315,000 homes. But the load-bearing fact is the demand signal — Google's electricity consumption rose 37 percent last year, driven largely by AI infrastructure — and that signal is now underwriting a record-scale US solar-plus-storage build that likely would not be financed without a creditworthy offtaker committing to the full output. The constructive read is not 'AI is green'; it is that AI's power appetite, correctly harnessed through long-term offtake, is becoming one of the largest private catalysts for new clean-energy capacity in the country — with the storage component (2.9 GWh) mattering as much as the panels, because firming solar is what makes it useful to a 24/7 data center and to the grid around it.
Key fact: IF YOU DO DATA-CENTER SITING, ENERGY PROCUREMENT, OR SUSTAINABILITY STRATEGY, STUDY THIS AS THE TEMPLATE FOR FINANCING NEW CAPACITY WITH AI DEMAND — AND KNOW WHERE THE ASTERISK IS. Read the deal structure directly (Canary Media: https://www.canarymedia.com/articles/corporate-procurement/google-solar-battery-site-arkansas) and compare it against your own procurement. The mechanism worth copying: a creditworthy hyperscaler committing to 100% of a project's initial output via a long-term vPPA is often what lets a record-scale solar-plus-storage build (here 2.45 GW / 2.9 GWh) get financed and break ground at all, so if you control large, steady electricity demand you can use it to ADD clean capacity rather than just buying from the existing pool. Two things to get right: (1) the storage is not a footnote — 2.9 GWh of batteries is what turns intermittent solar into something a 24/7 AI load (and the surrounding grid) can actually rely on, so pair generation with firming in your own deals; (2) be precise, internally and externally, about additionality vs offset — a virtual PPA that nets you environmental credits while you keep drawing mixed grid power is a legitimate financing tool but is NOT the same as running your data center on that solar, and conflating the two is where greenwashing claims land. Model both the emissions-accounting story and the physical-grid story separately.
engadget.com · canarymedia.com · primary source