Kids Online Safety — Federal Efforts to Protect Children on the Internet

Protecting children online has become one of the most urgent bipartisan policy priorities in Congress — driven by growing evidence that social media platforms cause measurable harm to children and teens, including increased rates of depression, anxiety, eating disorders, self-harm, and suicidal ideation. The U.S. Surgeon General issued an advisory in 2023 declaring social media a public health crisis for youth. The existing federal framework — COPPA (Children's Online Privacy Protection Act, 1998, covering children under 13) — is widely seen as inadequate: it focuses on data collection (requiring parental consent before collecting personal information from children under 13) but doesn't address platform design, algorithmic recommendations, or the broader mental health impacts of social media. The Kids Online Safety Act (KOSA) passed the Senate with overwhelming bipartisan support (91-3) in 2024 but stalled in the House. KOSA would impose a duty of care on covered platforms — requiring them to take reasonable steps to prevent and mitigate harms to minors, including bullying, exploitation, promotion of self-harm, and addictive design features. It would also give parents tools to control their children's online experience and empower the FTC to enforce violations. In parallel, the COPPA 2.0 (Children and Teens' Online Privacy Protection Act) would extend COPPA protections from under-13 to under-17 and ban targeted advertising to minors. At the state level, several states have enacted their own children's online safety laws — California's Age-Appropriate Design Code Act, Utah's Social Media Regulation Act, and others — creating a patchwork that platforms and federal legislators are racing to address.

Current Law (2026)

Legal Authority

• 15 U.S.C. §§ 6501–6506 — Children's Online Privacy Protection Act (COPPA, 1998)
• 16 C.F.R. Part 312 — FTC COPPA Rule (implementing regulations — consent mechanisms, safe harbor programs)
• Proposed: Kids Online Safety Act (KOSA) — S. 1409, passed Senate 2024
• Proposed: COPPA 2.0 — Children and Teens' Online Privacy Protection Act
• State laws: California Age-Appropriate Design Code Act (AB 2273, 2022), Utah Social Media Regulation Act (2023)

How It Works

COPPA (1998, 15 U.S.C. § 6502) requires operators of websites and online services directed to children under 13 — or that have actual knowledge they're collecting information from children under 13 — to post a clear privacy policy, obtain verifiable parental consent before collecting personal information, give parents access and deletion rights over their child's data, and maintain reasonable data security. COPPA has been effective at its narrow goal: most major platforms officially prohibit under-13 accounts. But it's widely circumvented through falsified birth dates, and its focus on data collection doesn't address the broader harms of platform design, algorithmic amplification, and content exposure that fuel the youth mental health debate. The proposed Kids Online Safety Act (KOSA) would go substantially further: covered platforms (social media, video sharing, and messaging services with 50 million or more users) would be required to exercise a duty of care — taking reasonable steps to prevent and mitigate harms to minors including suicide promotion, self-harm, eating disorders, substance abuse, bullying, and addictive design — and to provide default safeguards for minor accounts (algorithmic recommendations off, limited notifications, contact restrictions from unknown adults), parent supervision tools, researcher data access, and FTC enforcement authority. KOSA passed the Senate 91-3 in July 2024 — the strongest bipartisan tech vote in years — but the House did not act before the session ended and it was reintroduced in the 119th Congress.

Every approach to children's online safety runs into the same implementation wall: age verification. Self-reported birth dates are trivially circumvented; government ID verification raises First Amendment anonymous-speech and privacy concerns; AI-based age estimation has documented racial and gender bias; device-level parental controls (Apple Screen Time, Google Family Link) are effective but opt-in. That tension — effective protection versus privacy and free speech — is the central challenge for any children's online safety framework. At the state level, California's Age-Appropriate Design Code Act (2022), modeled on the UK's Children's Code, requires data protection impact assessments and default high-privacy settings for services accessible to children — partially enjoined on First Amendment grounds in NetChoice v. Bonta (2023). Utah enacted age verification and parental consent mandates for social media, facing similar legal challenges. Texas, Ohio, Arkansas, and Louisiana have enacted or proposed age verification requirements for adult content sites. In Free Speech Coalition, Inc. v. Paxton, decided June 27, 2025 (6-3, Thomas), the Supreme Court upheld Texas's HB 1181 age-verification requirement for sites with substantial sexually explicit material under intermediate scrutiny, clearing the path for similar state laws.

How It Affects You

If you're a parent of a child under 13: COPPA gives you enforceable rights over your child's data today — no legislation needed. Under 15 U.S.C. § 6502, any website or app directed to children under 13 must obtain verifiable parental consent before collecting personal information, and must give you access to your child's data and the ability to delete it. In practice, most major platforms officially prohibit under-13 accounts — but children routinely bypass this by entering a fake birthday. If you believe a platform has collected your under-13 child's data without consent, you can:

• Request access to and deletion of your child's data by contacting the platform's privacy or parental controls page directly
• File a complaint with the FTC at reportfraud.ftc.gov — COPPA enforcement (including the $5.7M TikTok settlement in 2019 and the $170M YouTube settlement in 2019) has come from FTC action
• Use device-level controls now: Apple Screen Time (Settings → Screen Time → Family Sharing) and Google Family Link (families.google.com) give you content restrictions and app approval that exist regardless of what platforms do

For platforms your child actually uses, check the specific parental or family controls:

• Instagram: Teen Accounts (auto-applied to under-16 users, adds content filters, turns off DMs from non-followers) — parent supervision at Instagram Family Center
• TikTok: Family Pairing (tiktok.com → Settings → Family Pairing) — restricts content, DMs, screen time for under-18 accounts
• YouTube: Supervised Experience (families.google.com) — filters content appropriate to child's age
• Snapchat: Family Center (snapchat.com → Safety → Family Center) — see who your child is friends with, restrict content

If you're a parent of a teenager (13–17): This is the current gap in federal law — COPPA's protections end at 13, and there's no enacted federal equivalent for teens. What exists today:

• KOSA (if enacted) would impose a duty of care on platforms covering minors up to 17, require default safety settings, and give parents supervision tools — but as of 2026 it has not been enacted
• Voluntarily from platforms: Instagram's Teen Accounts (launched Sept. 2024) apply default restrictions on explicit content, limited messaging, and nighttime notifications to under-16 users; TikTok limits under-18 users to 60 minutes/day by default and restricts who can message them; YouTube restricts recommendations for users who identify as under-18

What you can do now: Talk with your teen about the content they're seeing — especially recommendation-driven content around body image, suicide, self-harm, or substance use. If your teen is struggling, the Crisis Text Line (Text HOME to 741741) and 988 Suicide & Crisis Lifeline are direct resources. For media literacy, Common Sense Media (commonsensemedia.org) has age-specific guides for teens and parents.

If you're a social media platform with minor users: Your compliance obligations under existing law — and your risk exposure under pending legislation — are substantial:

Under COPPA today: If your platform is directed to children under 13 or if you have "actual knowledge" of a user under 13 (from a birthday entered during registration, self-disclosure, or parental report), you must comply with 16 CFR Part 312 — verifiable parental consent before collecting any personal information. FTC enforcement can reach $51,744 per violation per day. The major precedents: YouTube/Google ($170M, 2019), TikTok ($5.7M, 2019) — both for knowingly collecting under-13 data without parental consent. The YouTube settlement also required a new "Made for Kids" content categorization system that disabled behavioral advertising and comments on children's content.

Under KOSA if enacted: A duty of care requiring demonstrable steps to prevent harm — annual third-party safety audits, researcher data access, default safety settings for minors. The FTC enforcement mechanism would be civil penalties per violation.

On age verification: No technically reliable and legally safe age verification solution currently exists at scale. Self-reported birth dates are trivially circumvented; government ID verification raises First Amendment (anonymous speech) and privacy concerns; AI age estimation has documented racial and gender bias. Your best defense is robust Terms of Service enforcement combined with responsive parental reporting mechanisms — and a documented record of enforcement action.

If you're a school administrator or educator: Two distinct legal obligations govern digital safety at school:

CIPA compliance for E-Rate: If your school uses E-Rate funded internet (the federal program that subsidizes school and library internet), the Children's Internet Protection Act (47 U.S.C. § 254) requires you to have a technology protection measure (content filter) blocking visual depictions that are obscene, contain child pornography, or are harmful to minors — and a comprehensive internet safety policy covering education about online behavior, cyberbullying, and appropriate interactions. Annual CIPA compliance documentation is required.

CSAM reporting: If school staff discover child sexual abuse material (CSAM) on school-issued devices or networks, federal law (18 U.S.C. § 2258A) requires electronic service providers to report it to the NCMEC CyberTipline at cybertipline.org — failure to report is a federal crime. Train your IT and counseling staff on this obligation.

Cyberbullying and Title IX: Cyberbullying that creates a hostile educational environment based on sex (including gender-based harassment) triggers Title IX obligations — investigate and respond as you would to in-person harassment. The DOE Office for Civil Rights (ocrportal.hhs.gov) receives Title IX complaints.

State Variations

Children's online safety is a rapidly evolving state-level issue:

• California: Age-Appropriate Design Code Act (2022) — comprehensive but partially enjoined
• Utah: Social Media Regulation Act — age verification, parental consent, curfew hours
• Texas, Ohio, Arkansas, Louisiana: Age verification requirements for adult content sites
• New York: Proposed SAFE for Kids Act — restricting algorithmic feeds for minors
• Federal preemption: Any federal law (KOSA, COPPA 2.0) would need to address whether it preempts stronger or weaker state laws

Implementing Regulations

• 16 CFR Part 312 — FTC Children's Online Privacy Protection Rule (COPPA Rule — verifiable parental consent requirements, notice and disclosure obligations, data retention and security standards, safe harbor programs for industry self-regulation, and enforcement mechanisms for platforms collecting data from children under 13)
• Note: The Kids Online Safety Act (KOSA) was not enacted as of 2026; if passed, it would require FTC rulemaking establishing duty-of-care standards and platform design requirements for minors
• 47 CFR Part 73.670–73.673 — FCC children's television programming requirements (minimum educational programming requirements, limits on commercial advertising during children's programming — related content safety framework)

Pending Legislation

The Kids Online Safety Act (KOSA) and COPPA 2.0 have been introduced in the 119th Congress with bipartisan support. See Technology Regulation and Privacy Law for related legislative activity.

Recent Developments

The Surgeon General's 2023 advisory on social media and youth mental health gave political momentum to children's online safety legislation. KOSA's 91-3 Senate passage (2024) demonstrated extraordinary bipartisan support. Major platforms have implemented voluntary changes — Instagram added teen-specific protections, TikTok added screen time limits for under-18 users, YouTube restricted recommendations for teen accounts — but critics argue these voluntary measures are insufficient. State-level litigation over age verification and design code requirements is creating a complex legal landscape. The First Amendment tension — between protecting children and restricting access to lawful speech — remains the central legal and policy challenge. The debate also intersects with Section 230 platform liability protections, AI policy on algorithmic recommendations, and the older Children's Television Act framework for broadcast media.

• KOSA status in 119th Congress (2025-2026): The Kids Online Safety Act, which passed the Senate 91-3 in August 2024, was not enacted in the 118th Congress as the House did not take it up before the session ended. The 119th Congress has seen KOSA reintroduced with bipartisan support — its provisions requiring platforms to minimize harm to minors, give parents controls, and conduct independent audits continue to have broad political support. However, ACLU and tech industry opposition citing First Amendment concerns has slowed House action. The Trump administration has not publicly opposed KOSA; some conservatives view platform-design restrictions on children as consistent with parental rights values.
• Surgeon General mental health warning labels: Then-Surgeon General Vivek Murthy's June 2024 NYT op-ed call for Congress to require warning labels on social media platforms — similar to tobacco warning labels — for mental health risks to youth generated significant attention. Murthy left office at the end of the Biden administration; the Trump administration has not pursued the warning-label proposal. The proposal faces First Amendment challenges: compelling platforms to carry warning labels constitutes compelled speech, which requires at least intermediate scrutiny. Historical precedent for warning labels (tobacco, alcohol) involves products, not speech platforms. The proposal has not advanced legislatively but has increased public pressure on platforms.
• State age verification laws reach Supreme Court: States including Texas, Florida, and Arkansas enacted laws requiring age verification for social media platforms and/or adult content sites. In Free Speech Coalition, Inc. v. Paxton (June 27, 2025, 6-3, Thomas), the Supreme Court upheld Texas's HB 1181 age-verification requirement for sexually explicit content sites under intermediate scrutiny — the first Supreme Court guidance affirming that age verification requirements for adult content can survive First Amendment review. Social media age verification laws remain on a separate track and have not yet reached the Court.
• Platform voluntary reforms: Under congressional and regulatory pressure, Meta (Instagram), TikTok, YouTube, and Snapchat have implemented teen account features with default content restrictions, screen time tools, and parental visibility options. Instagram's "Teen Accounts" (launched September 2024) apply default restrictions on adult content, messaging from non-followers, and nighttime use to under-16 users automatically. These voluntary measures give platforms arguments against mandatory regulation while providing partial protection that advocates say falls short of what legislation would require.