From TFB: First, there are some definitions: Section 1798.500

© “Application” means a software application that may be run or directed by a user on a computer, a mobile device, or any other general purpose computing device that can access a covered application store or download an application.

There are no business threshold, network capabilities for the application (though there is one for the computer, sorta). It’s simply anything that may run on a computer. ‘ls’ definitely qualifies as an application per this definition. This is a pretty reasonable definition of ‘application’, even if it is a bit circular.

(e) (1) “Covered application store” means a publicly available internet website, software application, online service, or platform that distributes and facilitates the download of applications from third-party developers to users of a computer, a mobile device, or any other general purpose computing that can access a covered application store or can download an application. (2) “Covered application store” does not mean an online service or platform that distributes extensions, plug-ins, add-ons, or other software applications that run exclusively within a separate host application.

PyPI, a Debian mirror, crates.io and GitHub qualify as a “covered application store”. Pip, cargo are an “software application” that “distributes and facilitates the download of applications from third-party developers to users of a computer” so they are as well. Depending on case law curl, rsync and scp might also, though the ‘distributes’ qualifier may exempt them. Oddly, browser add-ons are probably exempt due to (e)(2). And there may be a grey area around things like VMs. A purely personal website that only has software developed by that person probably doesn’t qualify due to the ‘third-party’ qualifier. Again, there is no business threshold listed.

(f) “Developer” means a person that owns, maintains, or controls an application.

Again, a fairly straightforward definition, that would apply to anyone who maintains any “software application that may be run or directed by a user on a computer, a mobile device” per 1798.500.c.

So, we’ve got that developer is a simple definition that basically matches what one would expect, as does application. Covered application store is probably broader than one would expect, and has an odd carve out, but covers most modern software distribution channels. I guess it might not cover sending CDs in the mail.

Then we get to a single simple sentence: Section 1798.501

(b) (1) A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.

It’s a really simple sentence that can be really easy to gloss over. But read it again. Maybe you could argue that it only applies the first time an application is run. But it absolutely applies when it is downloaded. There are no exceptions listed, no threshold tests, no “social media applications only”. This applies to all applications, all developers, and all “covered application stores”. Now CA jurisdiction doesn’t cover downloads from outside of CA, but it does cover anyone downloading something inside of CA, or someone living in CA. So if a kid in CA downloads something from a outside of CA, the developer is in violation even if they are outside of CA. CA may not have the resources or desire to track down every developer outside of the state, but if they so choose they would be able to file a claim in the same way that CA can file claims on foreign people who violate other laws that involve CA victims, such as fraud.

Finally, there is this bit: 1798.504

(f) This title does not apply to any of the following: (3) The delivery or use of a physical product.

So, it looks like it doesn’t apply to CDs in the mail.