2A just says that if the e.g. client request headers say the age bracket, the server (dev) can trust the reported age, but also shall not ignore it on purpose. No "just ignore the do-not-track flag" escape hatch here. "A bartender can't willfully refuse to check someone's ID if they are presented with it."
For incorrect OS answers, keep reading. 3B covers what happens if there's clear and convincing evidence that the age covered in 2A is inaccurate. (Reported profile birthday, for instance)
This is "if someone shows a bartender a valid drinking-age ID but says they're celebrating their 17th birthday, this can't be ignored".
Nothing there responds to the question. If my 17 year old answers “I'm 23”, what exactly prevents them from posting to /r/nsfw? What constitutes “clear and convincing evidence”? If there's no answer here, then there appears to be no purpose to this law as this sort of thing is precisely what it's supposed to be preventing.
The difference is a bartender has a handy thing called a human brain that can integrate every evidence and prior without explicit handling. Which a computer program can not. Now we have another "legitimate interest", potentially _forcing_ us to collect biometric and behavioural data we definitely wouldn't monetize to just cover its cost.
For incorrect OS answers, keep reading. 3B covers what happens if there's clear and convincing evidence that the age covered in 2A is inaccurate. (Reported profile birthday, for instance) This is "if someone shows a bartender a valid drinking-age ID but says they're celebrating their 17th birthday, this can't be ignored".