The KIDS Act Passed the House — and It Quietly Points Toward ID Checks for Everyone
The KIDS Act (H.R. 7757) cleared the House 267–117. The "protect kids online" headline hides the real story.
What we cover
On Monday, 29 June 2026, the U.S. House passed H.R. 7757, the Kids Internet and Digital Safety Act, by 267–117. The pitch you'll hear is simple: protect kids online, bipartisan win, hold Big Tech accountable. Nobody's against that. But the headline and the actual statutory text are not telling the same story — and the part that should concern every adult has nothing to do with children.
The one-sentence version: This isn't one bill — it's roughly twelve stitched together, and because three of them use three different legal tests for "who is a minor," the rational move for every covered platform is to stop guessing and just verify everyone's age. Age verification is identity verification. That's the story.
Why I'm covering a "kids safety" bill on a privacy show
Because this is how mass age-and-identity verification gets built for all of us — under a banner nobody wants to argue with. Almost everything we talk about here (encrypted messaging, anonymity, threat modeling for ordinary people) runs straight into the machinery this bill sets in motion. If platforms respond the way the incentives push them to, "just stay anonymous online" stops being simple advice, because the law nudges every major service toward tying your real identity to your account before you can use it.
None of what follows requires bad faith from anyone who voted yes. It just requires understanding how the incentives work once the statute leaves the House floor and lands on a compliance team's desk.
What actually happened on the floor
An earlier, Republican-only version of this package advanced out of committee on a party-line 28–24 vote back in March, then stalled. It preempted stricter state laws and used a weaker "actual knowledge or willful disregard" standard for spotting minors, and it couldn't get Democratic buy-in.
What changed things was a June negotiation between Energy and Commerce Chair Brett Guthrie (R-KY) and Ranking Member Frank Pallone (D-NJ). The revised text dropped KOSA's preemption of stricter state laws, tightened the knowledge standard, folded in COPPA 2.0 and a federal data-broker registry, and picked up enough Democratic votes to pass under suspension of the rules — a fast-track that skips markup and amendments but needs a two-thirds majority. Clearing 267 votes under that threshold isn't a squeaker. It means a large bloc of Democrats who'd long opposed KOSA's "duty of care" language voted yes once that language was gone.
That detail matters more than it looks. The Senate's version of KOSA, which passed 91–3 in July 2024, still contains a duty of care — a requirement that platforms exercise "reasonable care" in designing features to prevent harm. The House version strips that out and swaps in a requirement to "establish, implement, maintain, and enforce reasonable policies, practices, and procedures." The difference, in lawyer terms, is the difference between being liable for what your product does and being liable for whether you wrote a document saying you'd handle it. Senate co-sponsors Marsha Blackburn (R-TN) and Richard Blumenthal (D-CT) have both called the House version unacceptable.
The part that is the whole story: three definitions of "minor"
Three titles in this same bill use three different legal standards for deciding who counts as a minor:
- The revised KOSA — "knows or should have known."
- The SCREEN Act (the obscenity title) — "more likely than not," and it's the one part that explicitly requires age verification.
- The SPY Kids Act — the much narrower "actual knowledge or willful disregard." (This is actually the well-drafted one.)
Now picture a company that operates across all of them — which describes basically every social network, game, and AI chatbot. To avoid worst-case exposure on any single title, it has to satisfy the strictest standard among them. That's the SCREEN Act's affirmative "go verify ages" requirement. And once you've built that verification infrastructure, there's no reason to limit it to porn sites — the same system resolves your "should have known" exposure under KOSA for free.
That's the trap the EFF flagged: a bill that technically avoids mandating age verification in most of its titles, while structurally guaranteeing companies build it anyway. The cost of guessing a user's age wrong is unbounded. The cost of just checking everyone is a fixed, predictable engineering line item. Businesses pick the predictable cost every time.
Why age verification is a privacy problem, not a fix
This is the point I keep coming back to on the show: there is no age-verification system that isn't also a deanonymization system. NetChoice has made this argument in court across eight states, and it holds up technically. Government ID upload, facial age estimation, behavioral inference — the mechanism differs, the result doesn't. Some third party now holds a verified link between your real identity and your online account, and that link is a target. A breach waiting to happen.
The SCREEN Act does add data-minimization and retention limits on verification data, which sounds protective — until you remember you can't leak data you never collected. Forcing the collection in the first place is the risk, not just what happens to it afterward. And the facial-estimation tools have documented accuracy problems that fall hardest on people of color, disabled users, and trans and nonbinary users. So a law meant to protect a vulnerable population leans on tech most likely to misfire against the most vulnerable people inside it.
The track record isn't hypothetical. NetChoice and the CCIA have spent three years litigating near-identical state laws in Arkansas, Florida, Georgia, Louisiana, Mississippi, Ohio, Texas and Utah, with genuinely mixed results — injunctions won in Louisiana and Texas, ground lost in the Eleventh Circuit on Florida and Georgia, and an outright loss at the Supreme Court in Free Speech Coalition v. Paxton (June 2025), which upheld Texas's porn-site age check under intermediate scrutiny. H.R. 7757's SCREEN Act is essentially a federalized version of exactly those laws.
Read the encryption carve-out very carefully
Buried in the messaging title (the Safe Messaging for Kids Act) is a ban on disappearing messages for under-17s and a ban on direct messaging for under-13s. Section 236 is the encryption language, and the wording does a lot of quiet work. Platforms must comply:
"…to the maximum extent technically feasible, through means that do not compromise the integrity of strong encryption."
That sounds reassuring. It isn't a protection — it's a feasibility qualifier. In a true end-to-end encrypted system, the provider cannot read your messages; that's the entire point. So the provider physically cannot tell whether a banned conversation or a disappearing-message feature is in play without doing one of three things: client-side scanning on your device, metadata analysis, or holding your keys. "To the maximum extent technically feasible" doesn't forbid breaking encryption — it just asks providers to try not to while complying with rules that are mathematically impossible to enforce without seeing content. This is the identical structural problem dogging the UK's Online Safety Act and the EU's Chat Control fight: you can't order a platform to police content it deliberately engineered itself unable to see, without weakening that engineering or bolting detection onto the edges of it.
The over-removal problem nobody's talking about
KOSA's reasonable-policies requirement covers a list of topics — drugs, tobacco, cannabis, gambling, alcohol, plus financial fraud. Not illegal conduct. Topics. So a 16-year-old in a recovery community, a teenager asking how to handle a parent's gambling addiction, a harm-reduction account explaining fentanyl test strips — all lawful, some of it genuinely protective — now sits inside a category platforms are under legal pressure to police. The bill doesn't ban any of it. It just makes leaving it up riskier than taking it down, for any platform without the resources to fight an FTC inquiry or a state AG suit. That's the same mechanism that produced the speech-chilling effects of FOSTA-SESTA in 2018: raise the liability around a content category, and platforms over-remove rather than risk being wrong.
The titles, quickly
- Title I — SCREEN Act: explicit age verification for sites where more than a third of content is "harmful to minors."
- Title II — revised KOSA: most-protective settings on by default for anyone a platform "knows or should have known" is a minor (under 13; 13–16 for teens). This is the backdoor verification driver.
- Title II-B — Safe Messaging for Kids: the disappearing-message / DM bans and the Section 236 encryption carve-out.
- Title II-C — SPY Kids Act: bars research on known minors using the narrow standard. Privacy advocates praised this one.
- Title III — GAMING Act: default-on parental controls for games and social gaming platforms like Roblox.
- Title IV — SAFE BOTs Act: consumer AI chatbots must disclose they're AI, surface crisis resources, and prompt a break after ~3 hours. Notably does not require age verification.
- Plus: COPPA 2.0 (extends protections to 17, bans targeted ads to minors, adds an "eraser button" and a new FTC Youth Marketing & Privacy Division), a federal data-broker registry, and several study-and-report titles.
Enforcement — and who's holding the gavel
Enforcement runs mainly through the FTC under its Section 5 authority — the same mechanism behind past COPPA penalties as high as $53,088 per violation and a $150M settlement in 2022. State AGs keep authority over most provisions but are barred from enforcing KOSA's core reasonable-policies requirement while an FTC action against the same defendant is pending. That concentrates the most consequential lever in a single federal agency — which is precisely why some advocacy groups have flagged the risk of "protect the children" framing being used for ideologically selective enforcement, regardless of which administration is doing the selecting.
Where it goes next
The bill now sits in the Senate. Commerce Chair Ted Cruz has been coordinating with the House on parts of the package, while Blackburn negotiates separately with the White House over a deal that may bundle Senate KOSA with federal preemption of state AI laws — and possibly the App Store Accountability Act and the NO FAKES Act. Blumenthal has signaled the Senate won't accept the House's gutted duty-of-care language as-is. So one of three things happens: the Senate passes its own stricter version and the chambers go to conference; the Senate amends H.R. 7757 and sends it back; or the whole effort stalls the way KOSA has since 2022, while individual states keep filling the vacuum with their own increasingly varied laws, litigated to conflicting conclusions.
The takeaway
Whatever the final shape, the technical reality underneath doesn't change. A single statute with three different definitions of "minor" pushes every covered platform toward the most invasive compliance posture available. Encryption promises written as "to the maximum extent technically feasible" don't survive contact with systems built so the provider can't read the content. And liability built around topic categories instead of illegal conduct produces over-removal of lawful speech as a predictable, mechanical outcome — not an edge case.
If you care about staying anonymous online as an adult, understand that "protect the kids" bills like this one are, in practice, how mass age-and-identity verification gets normalized for all of us. Watch the Senate — and watch whether age verification and AI preemption get quietly welded together in the deal.
Sources & further reading
- The CyberSec Guru — full breakdown of H.R. 7757: https://thecybersecguru.com/news/kids-act-explained-hr-7757-full-breakdown/
- EFF — on KOSA and the "knows or should have known" standard: https://www.eff.org/issues/kosa
- Free Speech Coalition v. Paxton (U.S. Supreme Court, June 2025)
- NetChoice — state age-verification litigation: https://netchoice.org/
- Public Knowledge — analysis of the package's titles: https://publicknowledge.org/
If you want the fast version in your ears, this is a segment on the latest episode of Closed Network — audio below.
— Simon