The House voted Monday night to build the machinery of online identity checks into federal law, packaging the mandate inside a bundle of kids online safety bills that cleared the chamber 267-117, with 47 members not voting.
It marks the first time any version of the Kids Online Safety Act, known as KOSA, has escaped the lower chamber, and the version that survived carries a structure that pushes platforms to figure out who you are before you can use them.
The legislation, called the Kids Internet and Digital Safety Act, or KIDS Act (H.R. 7757), stitches together more than a dozen separate bills, including KOSA, the SCREEN Act, the SAFE BOTs Act, COPPA 2.0, and the SPY Kids Act, plus data broker rules and research initiatives.
House leaders rushed it to the floor under suspension of the rules, a fast-track path requiring a two-thirds majority. Committee Chairman Brett Guthrie and ranking Democrat Frank Pallone, who announced their agreement a week earlier, said the bill would “hold Big Tech accountable” and described months of cross-aisle work toward what Guthrie called a “workable compromise.”
If you’ve been following our updates, you’ll know the accountability positioning hides the actual design. The bill defines “know” or “knows” to mean “to know or should have known,” and that phrase runs through sections covering platforms, AI chatbots, and gaming services.
A company that fails to spot a minor faces legal exposure, which gives every platform a reason to gather more information about everyone who shows up. The text tries to defuse this, stating that nothing in it may be construed “to require the provider of a covered platform to implement an age gating or age verification functionality on the covered platform.”
The reassurance collapses on contact. A platform forbidden from ignoring a user’s age, yet liable the moment it “should have known” someone was a minor, has one move left. It starts checking ages, deploying age-estimation tools, demanding ID, or watching behavior closely enough to guess. The law does not order surveillance outright, it engineers the incentive and lets companies build the rest.
That is the First Amendment problem dressed as a child-safety provision. Verifying age means verifying identity, and identity checks sit between a person and ordinary protected activity, whether that is reading, watching, posting, or speaking. Adult websites would face explicit age-verification requirements under the package, which functionally means every visitor proves who they are before viewing lawful content. Anonymous and pseudonymous speech, the kind the Supreme Court has shielded for decades, gets harder to find the more platforms lean on identity to limit their liability.
The bill tightens how data brokers handle children’s information and updates the Children’s Online Privacy Protection Act to widen its reach.
But, to do that, it would require platforms that know a user is a minor to offer controls that limit communications, restrict geolocation sharing, cut compulsive-use features, and let users opt out of personalized recommendation systems, with default settings for minors set to what the bill calls “the most protective level of control with respect to privacy and safety.”
These are strong protections on paper and would be good if they applied evenly to all users, but they all depend on the platform identifying minors first, which loops straight back to the same question of how much data gets pulled from users, adult or not, to sort out who the children are.
The encryption language carries the same gap. The bill says platform requirements may not override encrypted communications and that companies must comply in ways that “do not compromise the integrity of strong encryption.” That could read as a shield until you notice that regulatory pressure to monitor behavior or flag certain users can hollow out encryption without ever formally banning it. Compliance routes around the protection the text claims to offer.
Getting the package across the floor cost the duty of care provision, the piece many child-safety groups and KOSA’s Senate authors consider the heart of the bill. The text now states that nothing in it may be construed to “impose a duty of care on a provider of a covered platform.”
Sen. Richard Blumenthal (D-Conn.), a KOSA co-author, wrote that “KOSA without a duty of care isn’t KOSA,” and said last week that the House version is “dead in the Senate.” Sen. Marsha Blackburn (R-Tenn.), the other co-author, agrees the provision was central. Sen. Ted Cruz (R-Texas), who chairs the Senate Commerce Committee, told reporters he stays open to negotiating with the House.
That stalemate is the most encouraging thing about this whole fight.
The Senate’s standalone KOSA (S.1748) keeps the duty of care, which would legally require platforms to “exercise reasonable care” to prevent broad categories of harm to minors. On the free speech axis, that is the more dangerous of the two bills, not the safer one. A duty of care over vaguely defined harms compels companies to police or re-engineer recommendation algorithms for lawful, constitutionally protected content, under threat of liability so open-ended that the rational corporate response is to over-remove anything that might draw a lawsuit.
So neither chamber holds the civil-liberties high ground. The Senate bill compels platforms to suppress protected speech, while the House bill conscripts them into identity verification, and a conference committee tasked with reconciling the two could just as easily graft the worst of each onto a single law as split the difference.
The good news for anyone who values either anonymity or free expression is that the two chambers, each representing a different type of civil liberties disaster, do not appear close to agreement.
Blumenthal and Blackburn have written off the House version, House Republicans spent four years refusing the Senate’s duty of care over censorship fears, and nothing in the current standoff suggests that gap is about to close. Gridlock, in this case, is the protection the bills themselves do not provide.
Guthrie defended the result from the floor. “While no single bill will solve every challenge facing families online, this legislation represents a significant and long-overdue step forward in establishing meaningful safeguards,” he said. “It is an important milestone, not a finish line, in the effort to better protect children online and hold bad actors accountable.”
Blackburn is running a separate track in the Senate, negotiating with the White House over a deal that could carry the Senate version of KOSA. Two sources familiar with those talks said the White House told several tech and policy organizations this month that the package might also fold in the House’s version of the App Store Accountability Act, along with language preempting some state laws, which would override the stronger protections states have written into their own books.
The agreement still needs Senate approval and President Trump’s signature, neither of which looks imminent. What it offers, if it ever gets there, is a federal blueprint for the same identity-gated internet other countries have spent the past few years assembling, sold under the banner of protecting children and built to make proving who you are the price of going online.
