Takeaways

House Energy and Commerce Committee leaders released revised legislative text for a bipartisan Kids Internet and Digital Safety Act, or KIDS Act, that combines a broad set of youth online safety, privacy, AI, gaming, messaging, age verification and data broker measures into one package.
The House-passed COPPA 2.0 provisions would significantly expand federal children’s privacy obligations by bringing 13-year-olds into COPPA’s “child” category, creating teen protections through age 17, adding a “should have known” knowledge standard, imposing restrictions on individual-specific advertising to children and teens, and imposing new data access, deletion, correction, retention and consent obligations.
The package narrows some earlier state-law preemption concerns by using a conflicts-based standard and preserving state laws that provide greater protection, but companies should not assume the bill would create a single national compliance standard. Differences with the Senate version of KOSA, particularly around duty of care, remain a key issue to watch.

On June 22, 2026, House Energy and Commerce Committee Chairman Brett Guthrie and Ranking Member Frank Pallone released revised legislative text for the Kids Internet and Digital Safety Act (“KIDS Act” or “H.R. 7757”), following a bipartisan agreement on the package. The revised text follows months of negotiation after the bill advanced out of committee in March and marks a significant renewed effort to move federal children’s online safety legislation through Congress.

On June 29, 2026, the House passed H.R. 7757, as amended, under suspension of the rules by a 267-117 vote. The bill now moves to the Senate, where lawmakers will need to resolve differences with Senate proposals addressing youth privacy, platform design, online safety and AI.

The package is notable not only for its bipartisan support, but also for its breadth. It combines portions of the Kids Online Safety Act, COPPA 2.0, the Safe Messaging for Kids Act, the SPY Kids Act, the Safer GAMING Act, the SAFE Bots Act, data broker disclosure provisions, online safety education and research measures, and other youth safety proposals. For companies, compliance obligations under the bill would not be limited to traditional children’s privacy, but would reach platform design, recommendation systems, advertising, data brokerage, AI chatbot interactions, gaming, messaging features, age-related controls and data governance.

For companies, the immediate significance is not whether every provision survives unchanged, but the larger compliance themes now driving the federal child-safety debate: broader age bands, a constructive knowledge standard, youth advertising limits, chatbot safeguards, data-transfer transparency and a preemption structure that may preserve significant state-law obligations.

A Broader Federal Package, Not Just KOSA
The revised KIDS Act reflects a legislative strategy that attempts to address online safety through multiple targeted obligations rather than a single comprehensive privacy law. The bill would create or amend requirements for covered online platforms, online video game providers, chatbot providers, data brokers and operators subject to COPPA.

For covered platforms, the bill would require safeguards for users known to be minors, including tools to limit communications from other users, restrict profile and personal information recommendations, control online status visibility, limit design features that allegedly result in compulsive usage, restrict geolocation sharing and provide controls for personalized recommendation systems. The bill would also require these safeguards to default to the most protective available privacy and safety setting for minors.

At the same time, the House version continues to differ from the Senate’s KOSA framework in an important respect: It expressly states that the relevant provision should not be construed to impose a duty of care on covered platforms. The Senate version of KOSA has treated duty of care as a central feature, requiring platforms to prevent and mitigate specified harms to minors. That difference is not merely technical. It may determine whether a final federal bill is framed primarily around tools, defaults, disclosures and specific prohibited practices, or whether it creates a broader design-based obligation to prevent and mitigate categories of harm to minors. That difference is likely to remain one of the most important issues in House-Senate negotiation.

COPPA 2.0 Would Expand the Age Bands and Compliance Model
For privacy and compliance teams, COPPA 2.0 may be the most immediately operationally significant part of the package. Existing COPPA compliance programs are typically built around children under 13. The revised text would define (1) “child” as an individual under 14, meaning 13-year-olds would be brought into the parental-consent COPPA framework; and (2) “teen” as an individual who is at least 14 and under 18.

Companies that currently treat 13-year-olds as outside COPPA would need to revisit notice, consent, data minimization, deletion, retention, advertising and vendor controls. Companies would also need to build or update processes for teen-facing rights and consent, including mechanisms for teens to learn about the personal information collected from them, request deletion, challenge accuracy and obtain their personal information where available.

The revised text also adopts a constructive knowledge standard for age. Under COPPA 2.0, “knowledge” would mean that an operator has actual knowledge or should have known that a user is a child or teen. This is not the same formulation as the Senate’s “knowledge fairly implied based on objective circumstances” language, but it uses the same sort of constructive knowledge approach increasingly seen in state youth privacy laws. As a practical matter, companies should expect regulators to look at age signals, product design, audience composition, marketing, account data, platform context and other facts that may indicate a service is being used by children or teens.

Advertising, Retention and Data Transfers Come Into Focus
The revised COPPA 2.0 language would prohibit operators with covered knowledge from collecting, using, disclosing to third parties or maintaining personal information of a child or teen for purposes of “individual-specific advertising to children or teens.” At the same time, the text would retain exceptions for certain practices, including contextual advertising, advertising in response to a specific request such as a search query, measurement and reporting of advertising or content performance, and age-appropriate marketing intended for child or teen audiences if the operator does not use personal information other than whether the user is under 18.

This structure is important because it does not categorically ban all advertising to minors. Instead, it targets advertising and marketing directed to a specific child or teen, or a linked device, based on personal information, profiling or unique identifiers. Companies should therefore be prepared to distinguish contextual advertising, measurement, audience segmentation, personalization, recommendation systems, profiling and cross-device identifiers with far more precision than many current compliance programs require.

The bill would also add data minimization and retention limits, including restrictions on retaining personal information of a child or teen for longer than reasonably necessary to fulfill the transaction or provide the service requested, unless otherwise authorized or required by law. It also would require direct notice before storing or transferring personal information of a child or teen outside the United States. The remaining notice obligation would require companies to understand where children’s and teens’ data is hosted, processed and transferred.

AI Chatbots Are Treated as a Youth Safety Issue
The package also reflects the growing federal focus on AI systems used by or made available to minors. The SAFE Bots Act provisions would apply to chatbot providers for users the provider knows are minors, with “knows” defined to include “should have known.”

Those provisions would prohibit a chatbot from telling a covered minor user that it is a licensed professional unless that statement is true. They would also require clear and conspicuous disclosures that the chatbot is an AI system and not a natural person, and require crisis-resource disclosures when a covered user prompts the chatbot about suicide or suicidal ideation. Chatbot providers would also need to advise covered minor users to take a break after a continuous three-hour interaction and to implement reasonable policies, practices and procedures to address risks involving sexual exploitation and abuse, gambling, narcotic drugs, tobacco and alcohol.

For companies deploying conversational AI, the bill underscores that youth safety governance will need to extend beyond privacy notices and model cards. Relevant controls may include age-signal assessments, chatbot disclosures, escalation paths, crisis-response logic, safety testing, prompt-response monitoring, professional-services disclaimers and policies for high-risk conversations involving minors.

Data Brokers and the Youth Data Ecosystem
The KIDS Act would also add data broker disclosure requirements focused on minors’ personal data. Covered data brokers would be required to register with the FTC within 12 months after enactment and annually thereafter. The registration statement would need to include contact information, categories of personal data sold, whether the broker uses purchaser credentialing, and certain information about unauthorized access incidents reported to federal or state government entities.

The bill would also require the FTC to create a publicly available, searchable central registry of covered data brokers within 18 months after enactment. Importantly, the bill states that compliance with the federal data broker registration requirement would not relieve covered data brokers of obligations to register with state covered data broker registries.

Companies that buy, sell, license, transfer or receive youth-related data should assess whether their data flows could be implicated directly or indirectly. Even companies that do not view themselves as data brokers should review vendor, advertising, analytics, identity resolution, audience enrichment and lead-generation arrangements involving minors’ data.

State Preemption Is Narrower, But Not Simple
One of the most significant changes in the compromise package is the approach to state-law preemption. Earlier House drafts drew substantial criticism for potentially overriding stronger state privacy and online safety laws. The revised text generally uses a conflicts-based preemption standard and provides that states and political subdivisions may enact or enforce laws that provide greater protection to minors, children or teens.

That shift suggests the House compromise is less likely to operate as a broad ceiling on state youth privacy and safety regulation. It also means companies should not expect this package, if enacted in its current form, to eliminate the need to track state requirements in California, New York, Maryland and other states that have enacted or are considering youth privacy, addictive design, age-appropriate design or social media laws.

The AI provisions are also important in this respect. The chatbot title has its own relationship-to-state-laws provision, but it follows the same general conflicts-based approach and preserves state laws that provide greater protection to minors. That language does not appear to broadly preempt all state AI laws. However, state AI preemption remains a politically significant issue in parallel federal negotiations, and companies should continue to monitor whether any final congressional package changes this balance.

Operational Impact: What Comes Next
The House vote is a meaningful development in the long-running debate over children’s online safety, privacy and platform accountability. The package now moves to the Senate, where lawmakers continue to focus on KOSA and related youth online safety measures, including provisions that differ from the House approach. As a result, the passing of the House package may create momentum, but it does not resolve the major policy questions that have slowed federal legislation in this area, including duty of care, state-law preemption, age assurance, AI regulation and the allocation of responsibility among platforms, app stores, parents and minors.

For companies that operate child- or teen-facing services or process minors’ personal information, the package serves as a reminder that youth privacy and online safety obligations are increasingly converging across federal and state law.

Practical Steps for Companies
Although the KIDS Act remains proposed legislation, companies should begin evaluating where it would create the most operational impact if enacted. In particular, companies should be prepared to:

  • Map child and teen data flows and age signals. Companies should identify where they collect, use, disclose, retain, transfer or monetize data from users under 18, with particular attention to 13-year-olds and teens ages 14 through 17. They should also assess what age-related signals they collect or observe, including profile information, product context, audience composition, marketing, parental controls, school use, behavioral signals and platform-specific age representations.
  • Review advertising, personalization and recommendation systems. Companies should distinguish contextual advertising, measurement, frequency capping, profiling, personalized recommendations, lookalike audiences, cross-device identifiers and individual-specific advertising involving minors.
  • Evaluate default settings and platform design. Covered platforms should consider whether minor-facing defaults, recommendation controls, geolocation sharing, messaging settings, profile visibility, time-management tools and design features could satisfy the bill’s safety-by-default expectations.
  • Update AI chatbot governance. Companies offering AI chatbots should review guardrails, disclosures, crisis-resource triggers, professional-services claims, safety policies, long-session interventions and escalation processes for users who are known or reasonably understood to be minors.
  • Review vendors, data brokers and overlapping state-law obligations. Companies should identify whether minor data is sold, licensed, rented, traded, transferred, released, disclosed or otherwise made available through third-party data ecosystems. Because the compromise bill preserves stronger state protections and state data broker registration obligations, companies should prepare for a layered compliance environment rather than a single federal standard.

Companies should use this period to pressure-test their minor and teen data maps, age-signal practices, advertising logic, chatbot disclosures, crisis-response workflows, data-broker relationships and cross-border data-transfer notices. Even if the package changes, these are the areas most likely to remain under congressional, FTC, state attorney general and plaintiffs’ counsel scrutiny. Companies with child- or teen-facing services should also identify where House and Senate proposals would require materially different product, privacy, engineering and trust-and-safety controls.

Pillsbury’s privacy, cybersecurity and AI teams are continuing to monitor the KIDS Act, related Senate proposals and state youth privacy and online safety laws, and are advising companies on how these proposals may affect age assurance, advertising, chatbot governance, data mapping, vendor oversight, product-design controls and enforcement readiness.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.