How the KIDS Act Debate Signals Where Privacy Law Is Heading

    Client Alerts
  • July 02, 2026

On June 29, 2026, the U.S. House passed the Kids Internet and Digital Safety (KIDS) Act. The vote followed the announcement by House Energy and Commerce Committee Chairman Brett Guthrie (R-KY) and ranking member Frank Pallone (D-NJ) of a bipartisan deal combining the Kids Online Safety Act (KOSA), the Children and Teens’ Online Privacy Protection Act (COPPA 2.0), and a dozen other children’s safety bills into a single vehicle.

On preemption, provisions of the KIDS Act set a federal floor, not a ceiling: state laws providing greater protections than the federal baseline (including California’s and New York’s existing children’s privacy regimes) stay in effect. However, the bill’s prospects in the Senate are uncertain: KOSA’s Senate co-authors have declared the deal unacceptable because it does not contain a legally enforceable duty of care, the provision that would have given minors and parents a civil claim against platforms that failed to address known harms.

Still, given the bill's momentum and the growing patchwork of similar state laws, businesses that collect data from minors or deploy AI-driven consumer products should begin assessing potential compliance obligations now.

Background

COPPA, the Children’s Online Privacy Protection Act of 1998, was overhauled in January 2024 for the first time since 2013, and the updates took full effect on April 22, 2026. Despite the overhaul, many advocacy groups are pushing for greater protections for children. In July 2024, the Senate passed a combined KOSA and COPPA 2.0 package on a 91-3 vote, but the House declined to act, with Republican leaders citing First Amendment concerns over KOSA’s duty of care standard. The duty of care standard would have required platforms to exercise reasonable care to prevent documented harms to minors that include promotion of eating disorders, self-harm, and sexual exploitation.

Rep. Gus Bilirakis (R-FL) introduced the KIDS Act framework in December 2025, folding KOSA and more than a dozen related bills into a single vehicle. The House Energy and Commerce Committee advanced the package on a 28-24 party-line vote in March 2026. The House deal announced in June reflects months of subsequent bipartisan staff negotiations aimed at securing the Democratic votes needed for a floor majority.

The Consolidated KIDS Act Requirements

COPPA 2.0. The COPPA 2.0 provisions raise the statutory age for “child” from under 13 to under 14, and define “teen” as an individual who is at least 14 but under the age of 18. The statute expressly covers mobile applications and online applications, codifying what the FTC had previously addressed only through rulemaking. Operators can no longer serve individual-specific advertising to children or teens based on their personal information, a prohibition that previously applied only to children under 13. New obligations include data minimization, retention limits tied to what’s reasonably necessary, cross-border data transfer restrictions requiring parental or teen notice, and teen rights to access, correct, and delete their own personal information independent of parental controls. The COPPA 2.0 provisions further include an explicit rule of construction at 15 U.S.C. § 6505(f): nothing in the subtitle requires age gating or age verification, although age verification requirements exist in other portions of the KIDS Act, including the provisions of the Shielding Children’s Retinas from Egregious Exposure on the Net (SCREEN) Act.

KOSA. The KOSA provisions incorporated into the KIDS Act require platforms to set minor accounts to maximum privacy and safety defaults, including safeguards that let users, among other things, limit the ability of adults to message minors, disable addictive design features, prevent other users from seeing their online/offline status, and restrict sharing of geolocation information. The KOSA provisions outline similar requirements for teen accounts, including the ability to manage a list of approved contacts for messaging. Applying those age-tiered protections requires knowing which users are minors, and the method most readily available commercially at scale is identity-based verification. The track record on that approach is poor: the AU10TIX breach exposed TikTok and X user IDs for over a year, and a Discord/Zendesk vendor breach in October 2025 compromised approximately 70,000 government ID photos. The bill doesn’t mandate a specific verification method, so companies will likely default to existing commercial infrastructure with those risks attached.

SAFE Bots Act. The SAFE Bots Act provisions, incorporated into the KIDS Act, require AI chatbot operators to disclose to minors in age-appropriate language that they’re interacting with artificial intelligence. Platforms must prohibit AI from impersonating licensed professionals, surface crisis hotline information when a minor raises self-harm or suicidal thoughts, and require take-a-break prompts after extended sessions lasting three hours.

Senate Criticizes Lack of Duty of Care

KOSA’s Senate co-authors, Sen. Richard Blumenthal (D-CT) and Sen. Marsha Blackburn (R-TN), called the KIDS Act package dead on arrival, reflecting the ongoing debate between House and Senate lawmakers over whether to incorporate a duty of care. Without it, platforms face audit and reporting obligations but no civil liability to a harmed minor when the platform knew of the harm and failed to act. Blackburn is separately negotiating a deal with the White House that would restore a full duty of care, meaning the Senate floor fight isn’t over.

What Companies Should Do Now

The bill's Senate path is far from clear. Even so, companies with significant minor-user populations should treat the bill’s requirements as a near-term planning baseline, not a remote contingency, given the bipartisan deal, the legislative calendar, and the states already enacting comparable obligations.

  • Map the COPPA 2.0 gap now. Companies already complying with the April 2026 COPPA rule update need to identify how to operationalize what COPPA 2.0 adds: expanded age definitions covering under-14 children, the ban on individual-specific advertising to teens, new teen access and deletion rights, cross-border transfer restrictions, and the simplified “should have known” knowledge standard.
     
  • Review age verification vendor contracts. Any contract with a third-party identity verification provider should be checked for breach notification provisions, data minimization commitments, and indemnification terms. The AU10TIX and Discord/Zendesk breach record makes this a concrete, operational risk.
     
  • Audit AI chatbot products against the SAFE Bots Act requirements, specifically disclosure practices for minor users, prohibitions on professional impersonation, and the protocol for surfacing crisis resources when self-harm or suicide comes up.
     
  • Track the federal data broker registry provision. Registration and disclosure obligations modeled on California’s framework could apply on short notice if the bill advances.

For more information, please contact us or your regular Parker Poe contact.