That is true, but unless they do not enforce the law, they will still need something to make sure such "relatively large sites" cannot be accessed. This is where the OP's comments come in.
The enforcement actions of the law are strictly limited to those listed in the law. AG is specially not authorized to use other enforcement mechanisms than what are listed.
This is not "by all means necessary" type issue. It the only enforcement is monetary penalties under civil law. AG has option to seek even more declaratory and injunctive reliefs if $500 per user is not enough.
Fair enough, though that would suggest it won't be enforced as it cannot be enforced. As long as it is about a software repository (aka "app store") under US jurisdiction they can still force them to take the application offline.
What do they do with foreign "app stores"? What do they do with websites?
