Compliance

KIDS Act Passes House: Rules for Platforms, Games, and AI

KIDS Act Passes House: Rules for Platforms, Games, and AI

On June 29, 2026, the US House of Representatives passed the Kids Internet and Digital Safety Act (H.R. 7757, or the KIDS Act) by a vote of 267 to 117. The bill combines multiple child online safety and privacy proposals in a single text. It covers online platforms, certain adult-content platforms, connected video games, consumer-facing AI chatbots, and amendments to COPPA.

I. Legislative Process

On March 3, 2026, House Energy and Commerce Committee Chairman Brett Guthrie introduced the initial text of H.R. 7757. The bill was referred that day to the House Committees on Energy and Commerce and the Judiciary. Subsequent committee materials state that the Energy and Commerce Committee held a full committee markup of related child online safety proposals in March, followed by further bipartisan negotiations on a comprehensive package.

On June 22, 2026, Chairman Brett Guthrie and Ranking Member Frank Pallone announced a bipartisan agreement on a child online safety package and released revised KIDS Act text. The revised package incorporates portions of 13 bipartisan proposals, including the SCREEN Act, Kids Online Safety Act, SPY Kids Act, Safer GAMING Act, SAFE BOTs Act, and COPPA 2.0.

On June 29, 2026, the House considered H.R. 7757 under suspension of the rules. After 40 minutes of debate, the House passed the amended bill by a vote of 267 to 117. On July 13, 2026, H.R. 7757 was received in the Senate, read twice, and referred to the Senate Committee on Commerce, Science, and Transportation.

The bill has passed only the House. It must still pass the Senate, and both chambers must complete the legislative process on an identical text before it can be signed by the President or otherwise become federal law. The House-passed text therefore does not create obligations that are currently in force, and its provisions, scope, and implementation timelines may still change. It nevertheless indicates a clear regulatory direction: child online protection is moving beyond privacy notices to cover default account settings, recommendation systems, interactive features, parental tools, advertising and data use, and the full AI interaction process. The sections below explain these areas in turn.

II. Core Provisions

(1) Protections for Minors on Online Platforms

For this part of the bill, a “covered platform” is a platform that is publicly available to consumers, allows user identities to be searched or followed, primarily facilitates access to and sharing of user-generated content, uses engagement-promoting design features, and uses personal information for advertising, marketing, or content recommendations. The protected group includes children under 13 and teens aged 13 through 16.

The KIDS Act would require covered platforms to establish, implement, and maintain reasonable policies, practices, and procedures addressing four categories of harm to minors: threats of physical violence severe enough to affect a major life activity; sexual exploitation and abuse; the distribution, sale, or use of narcotic drugs, tobacco, cannabis, gambling, or alcohol; and financial harm caused by deceptive practices. The measures must reflect the platform’s size, complexity, and technical feasibility. The bill also states that this provision does not create a general duty of care and may not prevent minors from deliberately searching for content or accessing harm-prevention information.

For users whom a platform knows or should have known are minors, the bill would require readily accessible and easy-to-use safeguards. These include limiting contact through direct or disappearing messages; preventing a minor’s profile or personal information from being recommended to users known to be adults; hiding online status; limiting design features that lead to compulsive use; controlling geolocation sharing; and prominently offering options to opt out of personalized recommendations or limit recommendation categories. These safeguards generally must default to the highest level of privacy and safety protection available on the platform. Platforms must also offer a way to limit time spent on the service.

Parental tools must allow parents to view a minor’s privacy and account settings, restrict purchases and transactions, view and limit time spent, and receive notice of first-time messaging requests. For users known to be children, parents may also manage account settings and disable direct or disappearing messages. Platforms must notify parents that these tools are available and notify minors when parental controls and settings are in effect. Covered platforms would also face requirements concerning reports of harm to minors, independent audits, advertising disclosures, and restrictions on advertising certain regulated products to known minors.

The SPY Kids Act provisions would also restrict market or product-focused research involving minors. A platform that actually knows, or acts in willful disregard of the fact, that a user is a minor may conduct such research only if it is used solely to improve privacy, security, transparency, or safety tools, or is necessary to comply with federal or state law.

(2) Age Verification for Certain Adult-Content Platforms

The SCREEN Act provisions apply to publicly accessible websites or online platforms where more than one-third of the available material is sexual material harmful to minors and the operator knowingly makes that material available. If the bill is enacted, those platforms would have to adopt commercially available technical verification measures one year after enactment to identify minors and prevent them from accessing the covered material. A user’s self-attestation that they are not a minor would not be sufficient.

Platforms would also have to provide clear information about their verification measures and related data practices and take reasonable steps to address circumvention. The text does not require collection of government-issued identification. Data used for age verification may be collected, used, retained, or disclosed only to the extent strictly necessary to perform the verification. Age verification therefore involves access control, data minimization, third-party verification service management, and security safeguards.

The SCREEN Act applies only to the specific adult-content platforms described above. The bill expressly states that its general online-platform protections for minors should not be interpreted to require covered platforms to deploy age gates or age-verification functionality.

(3) Protections for Minors in Connected Games

The Safer GAMING Act provisions cover video games that connect to the internet and allow players to exchange written, verbal, visual, or other messages. They also cover providers that give consumers access to those games through digital storefronts, console networks, mobile or cloud gaming platforms, or similar services.

For users under 17 whom a provider knows or should have known are minors, parents must be able to limit communications with other players. Communication safeguards must be enabled by default at the most restrictive setting, and only a parent may select a less restrictive setting. Providers must also offer easy-to-use tools that prevent a minor’s profile or personal information from being recommended to users known to be adults and allow limits on purchases, financial transactions, and play time. Minors must receive clear notice when these safeguards are in effect.

(4) Specific Requirements for AI Chatbots

The SAFE BOTs Act provisions apply to providers that offer chatbots directly to consumers. A provider is not treated as a chatbot provider solely because its website, application, or online service includes a chat function incidental to its primary purpose. For users whom a provider knows or should have known are minors, the principal requirements include:

(1) Disclosure of AI identity. At the beginning of the first interaction, the chatbot must clearly state that it is an artificial intelligence system, not a natural person. It must repeat that disclosure when a minor asks whether it is an AI system.

(2) Crisis-intervention resources. When a minor prompts the chatbot about suicide or suicidal ideation, the service must provide resources for contacting a suicide and crisis intervention hotline. The AI-identity disclosure and crisis-resource information must use clear, age-appropriate language that a minor can reasonably understand.

(3) Restrictions on misleading professional claims. A chatbot may not tell a minor that it is a licensed professional unless that statement is true.

(4) Continuous-use reminders. When a minor has interacted with a chatbot continuously and without interruption for three hours, the system must advise the user to take a break.

(5) Policies addressing harmful content. Providers must maintain reasonable policies, practices, and procedures addressing sexual exploitation and abuse and the promotion to minors of gambling, narcotic drugs, tobacco, and alcohol. Those measures may not prevent minors from accessing information about preventing or mitigating these harms.

(5) Main COPPA 2.0 Amendments

The COPPA 2.0 provisions would redefine a child under COPPA as an individual under 14 and add a new category of teen, meaning an individual aged 14 through 17. Notice, consent, access, correction, deletion, and data-protection mechanisms would be extended to teens. Verifiable consent for a teen would generally be provided by the teen.

For data use, the text would prohibit operators from collecting, using, disclosing to third parties, or maintaining a child’s or teen’s personal information for individual-specific advertising directed at children or teens. The definition excludes responses to search requests, purely contextual advertising, advertising performance measurement, and advertising directed to an adult profile on a shared household device. Age-appropriate advertising that uses no personal information other than whether the user is under 18 would also remain permitted.

The text would also expand knowledge to include what an operator actually knew or should have known and add data-minimization and retention requirements. Personal information of children or teens generally could be collected only when consistent with the context of a transaction, service, or relationship, or when authorized or required by law. It could not be retained beyond the period reasonably necessary. Before storing or transferring personal information outside the United States, an operator would have to provide direct notice to the child’s parent or to the teen. This is a notice requirement, not a blanket prohibition on cross-border storage or transfers.

III. Key Issues for Companies

The bill has not completed the legislative process, so companies should not treat the House-passed text as a final remediation checklist. Kaamel recommends four areas for early assessment:

First, map scope and age-knowledge scenarios. Distinguish among general online platforms, specified adult-content platforms, connected games, chatbots, and COPPA operators. Record when a product has actual knowledge, should have known, or acts in willful disregard of a user’s status as a minor. A single age-determination logic will not satisfy every part of the bill. Second, review minor account settings and parental tools. Check the defaults for direct and disappearing messages, profile recommendations, online status, geolocation, personalized recommendations, time limits, purchase restrictions, and parental notices. Confirm the differences between controls for children and those for teens. Third, examine data, advertising, and research uses. Build an inventory of children’s and teens’ data and review targeted advertising, profiling, product research, cross-border storage and transfers, retention periods, and third-party provider arrangements. Confirm that purposes, notices, and data-minimization mechanisms can be demonstrated. Fourth, test gaming and AI workflows. Review communication safeguards and parental controls for connected games, as well as AI-chatbot identity disclosures, crisis-resource triggers, professional-identity claims, continuous-use reminders, and harmful-content controls.

Companies should continue to monitor the Senate committee process, any substitute text, reconciliation between the two chambers, final effective-date provisions, and implementing FTC rules. Under the House-passed text, most provisions would take effect one year after enactment unless otherwise specified. The SPY Kids Act provisions would take effect after 90 days, while the first independent audit for a covered platform would be due 18 months after enactment. Preparatory work should leave room for changes in the final text.

References

Start Your Compliance Journey !

Contact security and privacy veterans at Kaamel

https://kaamel.com
info@kaamel.com
340 E Middlefield Rd, Mountain View, CA 94043
AICPA Drata
© 2024 Kaamel Inc. All rights reserved.