On June 29, 2026, the U.S. House passed the Kids Internet and Digital Safety Act (H.R. 7757) by 267-117 — a bipartisan margin that reflects genuine, cross-party alarm about children's online exposure. The bill is not a single law. It's a legislative omnibus bundling more than a dozen previously stalled proposals: a revised Kids Online Safety Act (KOSA), COPPA 2.0, the SAFE Bots Act, the SPY Kids Act, the Safer GAMING Act, the Safe Messaging for Kids Act, and several others. House Energy and Commerce Chair Brett Guthrie (R-KY) and ranking member Frank Pallone Jr. (D-NJ) made deliberate compromises to assemble the votes — most notably stripping out KOSA's original "duty of care" standard, which would have created an enforceable legal obligation for platforms to prevent design-driven harm.
The Case for Acting Is Real
The concern behind this legislation is not hypothetical. A December 2025 Pew Research survey found that 64% of U.S. teens ages 13–17 now use AI chatbots, with roughly three in ten doing so daily. Regulators and researchers have documented instances of chatbots encouraging self-harm and providing drug instructions to minors. A separate Pew survey found nearly half of U.S. teens describe themselves as online "almost constantly" — and court dockets are filled with cases of algorithmic exploitation, financial fraud targeting adolescents, and sexual grooming conducted through platform features designed to maximise engagement.
Some provisions in the KIDS Act are well-targeted responses to these documented harms. COPPA 2.0's modernisation is long overdue: the original 1998 Children's Online Privacy Protection Act only protected children under 13; the KIDS Act extends data protections to teenagers under 17, bans targeted advertising to minors, and gives parents and teens enforceable deletion rights. The SAFE Bots Act requires AI chatbots to identify themselves as non-human, provide crisis resources when a user mentions suicide or suicidal ideation, and advise users to take breaks after three consecutive hours — light-touch safeguards that address documented risks without restricting lawful speech. These are proportionate measures.
The Age-Verification Mechanism Is the Problem
The bill's most consequential and contested provision is its age-verification architecture. The legislation requires platforms to adopt "commercially available technology verification measures" to identify minors, and explicitly states that a user simply affirming they are not a minor is not sufficient. The controlling legal standard is "knows or should have known."
That phrase does a lot of work. Under it, platforms facing legal liability don't need an explicit mandate to implement facial-recognition age estimation or government-ID checks — they have every incentive to do so voluntarily, simply to reduce legal exposure. The Electronic Frontier Foundation identified this incentive structure directly in its analysis of the bill, noting that the standard "creates pressure to collect age data" even without a formal requirement, and that age data collection necessarily breaks internet anonymity. Age verification systems require either government-issued documents or biometric data. Users unwilling to provide either face effective exclusion from major platforms — a chilling effect that extends to adults accessing entirely lawful content, not just to minors browsing restricted material.
This concern has fresh constitutional weight. In Free Speech Coalition, Inc. v. Paxton (decided June 27, 2025), the Supreme Court upheld a Texas age-verification law for sexually explicit websites, applying intermediate scrutiny rather than the strict scrutiny that had previously governed online speech regulation under Ashcroft v. ACLU (2004). That doctrinal shift opened the door to broader legislative expansion — but it did not resolve the underlying tension between identity verification and the anonymity the First Amendment has historically protected. As the Foundation for Individual Rights and Expression observed, the right to speak anonymously is constitutionally recognised and especially vital for marginalised users, whistleblowers, and anyone discussing sensitive topics in contexts where identification could cause real-world harm.
A mandatory ID layer on general-purpose social media — where the overwhelming majority of traffic is lawful adult speech — is categorically different from age verification at a pornography site. Treating them identically in law will produce a surveillance infrastructure far larger than the harm it targets.
Senate Fault Lines
The bill now moves to the Senate, where it faces significant resistance. The Senate version of KOSA, co-authored by Senators Richard Blumenthal and Marsha Blackburn, retains a duty of care provision the House abandoned. Both sponsors have called the House version inadequate. Senator Maria Cantwell raised additional concerns that the bill's preemption language could undercut ongoing state-level litigation against technology companies — litigation that has so far been the most effective check on platform design practices.
Senate Commerce Committee Chair Ted Cruz has not announced a markup date, though industry sources expect action before the August recess. The White House has expressed interest in a reconciled package, but the sticking points — duty of care, state preemption, and the scope of AI chatbot liability — are substantial. The gap between chambers may not close before Congress recesses.
What Proportionate Regulation Looks Like
The Senate should preserve what works: COPPA 2.0's data rights, the SAFE Bots Act's disclosure requirements, the ban on targeted advertising to minors. These are narrowly drawn, enforceable, and proportionate to the documented harm.
What it should reconsider is the age-verification mechanism for general social platforms. The UK's Age Appropriate Design Code (2021) offers a tested alternative: it mandates privacy-protective default settings and prohibits specific harmful design features — compulsive-use nudges, default geolocation sharing, profiling-based recommendations — without requiring platforms to build an identity database. The target is the harmful behaviour, not the user's credentials.
Where Congress does mandate age verification — for pornography sites, where the Paxton ruling provides clearer constitutional ground — it should at minimum require data minimisation, prohibit government access to verification databases without a warrant, and mandate deletion of identity records after verification is complete. The KIDS Act currently contains none of these safeguards.
The bill's 267-117 margin reflects political momentum, not technical or constitutional consensus. The Senate's job is to distinguish the reforms that are proportionate from those that are not — and to resist the temptation to treat a large vote count as a substitute for that analysis.