← Articles

What the KIDS Act Would Change Online

The US House passed the KIDS Act on June 29, 2026 by a vote of 267 to 117. It is not law. Congress.gov lists H.R. 7757 as Passed House, with no Senate vote recorded.

The bill joins several proposals into one package. It covers age checks for some sites with sexual material, privacy defaults for minors, parental controls, direct messages, content policies, advertising, AI chatbots, data brokers, and updates to children's privacy law. That breadth makes short descriptions unreliable. The actual rules differ by service and by section.

One distinction matters throughout: some age checks are explicit. Others are a likely response to duties that apply only when a platform knows a user is a minor. The House text also contains limits on new age-data collection. The bill creates pressure in both directions.

The House vote did not make these rules active. The Senate can reject the bill, pass a different version, or take no action.

Age checks are explicit for a narrow group of sites

Title I applies to a covered platform where more than one-third of the material available on the service meets the bill's definition of sexual material harmful to minors. Those services would have to use commercially available technology to identify minors and block their access to that material.

A checkbox or typed birthday would not satisfy this section. The House-passed text says confirming that a user is not a minor is not enough. It also says the section does not require government-issued ID.

That leaves the verification method to the service. A provider could use a third-party age vendor. The bill requires services and vendors to limit collection, use, disclosure, and retention to what is strictly necessary for the check. It also requires security practices for the resulting data.

Those clauses reduce what a compliant service may do with age-check data. They do not remove the data from the process. Different methods expose different information. The bill does not select one method or guarantee that every user can complete it without sharing an identifier.

Other sections create a harder age question

The online-platform rules apply when a provider knows a user is a minor. Covered platforms would have to set protective defaults, limit contact from other users, restrict geolocation sharing, offer recommendation controls, and provide time controls. Parents would get tools to view or manage settings in defined cases.

The House text says the act does not require a service to collect age information that it does not already collect in the normal course of business. It also says the Kids Online Safety section may not be read to require age verification.

The practical question remains: how does a service apply special rules to minors without deciding who is a minor? EFF argues that the package would pressure services to introduce age gates. The Center for Democracy & Technology made a similar argument in its March committee letter: duties tied to a user's age can push providers toward age assurance even when the text does not name a required method.

That is an implementation risk, not a settled outcome. A Senate version could change the duties or the limits. Platforms could also use existing account data rather than demand a new check from every visitor. The current text does not support the claim that every American would have to upload ID to browse the web.

The current messaging text is narrower than earlier criticism

The House-passed text defines children as users under 13 and teens as users aged 13 through 16 for its online-platform section. It requires covered platforms to give minors controls over direct and disappearing messages. Teens must be able to approve or deny a request from an unapproved contact before messaging starts, block contacts, disable messaging features, and hide their profiles.

Parents must receive tools and notices. For a child under 13, the parent can disable direct or disappearing messages. The text also requires notice to the minor when parental controls are active.

CDT's March letter criticized an earlier version that would have banned disappearing messages for minors. The House-passed text uses user and parental controls instead of the blanket ban described in that letter. The source dates matter because the bill changed before the House vote.

The online-platform section says providers must implement messaging controls, to the maximum extent technically feasible, without compromising the integrity of strong encryption. The general provisions also say the act may not require decryption or preclude end-to-end encryption. Services would still need to fit the required account and contact controls around encrypted conversations.

Content rules could affect lawful posts

The bill would require covered platforms to maintain policies that address severe threats of violence, sexual exploitation and abuse, the distribution, sale, or use of narcotic drugs, tobacco, cannabis, gambling, or alcohol, and financial harm caused by deceptive practices. The text says this section does not impose a duty of care. It also protects a minor's ability to search deliberately for content or request it directly.

EFF argues that broad policy enforcement could catch a teen seeking substance-abuse recovery information. CDT points to game-related threats and statements made in jest as examples that can lose their context. A provider facing enforcement risk may remove uncertain cases rather than wait for a legal dispute.

That concern is plausible, but the amount of removal cannot be known before services write their policies and courts interpret the law. The bill text, advocacy analysis, and future platform behavior are three different kinds of evidence.

Privacy clauses limit collection but do not erase exposure

The House amendment includes data minimization, deletion, security, and purpose limits in several sections. It bars the act from being read to require indefinite retention. It also adds children and teens to privacy rules and creates a federal registry for covered data brokers.

Enforcement would sit with the Federal Trade Commission and state attorneys general. A written limit matters only if providers, vendors, regulators, and courts apply it as written. Users will still need to know which company performs a check, what input it receives, what result it returns, and when each copy is deleted.

What to watch next

Check the Congress.gov status before treating any requirement as final. If the Senate takes up H.R. 7757, compare its text with the House engrossed text from June 29. Do not rely on summaries of the March draft for messaging rules or other provisions that changed.

If a service introduces an age check, look for a method that returns an age band without sending the service a document or face image. Read the retention policy for both the service and its verification vendor. A claim that the law requires an ID is not enough. The House text does not require one.

Age gates already exist under state and foreign laws, so a new prompt will not prove that the KIDS Act caused it. The federal bill remains pending.

Sources

Frequently Asked Questions

Is the KIDS Act law?

No. The House passed H.R. 7757 on June 29, 2026 by a vote of 267 to 117. Congress.gov lists it as Passed House. The Senate has not passed it, and its requirements are not in force.

Would the KIDS Act require every website to verify age?

No. Title I explicitly requires age checks for covered platforms where more than one-third of the available material meets the bill definition of sexual material harmful to minors. Other parts of the bill apply duties when a platform knows a user is a minor. EFF and CDT argue those duties could still push services toward broader age assurance.

Would the KIDS Act require a government ID?

The House-passed text says its age-check provision may not be read to require government-issued ID. It still requires commercially available technology that determines whether a user is more likely than not a minor. A user declaration alone would not be enough. Depending on the method a service chooses, users could still be asked for personal or biometric data.

Would the KIDS Act ban encrypted messaging?

The House-passed text says the act may not be read to require decryption or preclude encryption. Its online-platform section says messaging controls must be implemented, to the maximum extent technically feasible, without compromising the integrity of strong encryption. It would require privacy, parental, and messaging controls for users known to be minors.