
The KIDS Act quietly ends anonymous browsing
The KIDS Act's 'should have known' liability standard pushes platforms to verify every user's age, effectively ending anonymous browsing for adults too.
The landscape of the American internet is undergoing a structural transformation. The U.S. House of Representatives has passed the Kids Internet and Digital Safety Act (KIDS Act) in a bipartisan 267-117 vote. This legislation is not merely a specialized regulation for minors; it represents a fundamental shift in how digital identity is governed in the United States. By consolidating 14 pending legislative proposals - including the Kids Online Safety Act (KOSA) and COPPA 2.0 - the KIDS Act establishes a comprehensive regulatory framework that moves the internet away from its foundational principle of anonymity and toward a model of authenticated access.
The bill, formally H.R. 7757, was championed by House Energy and Commerce Chairman Brett Guthrie (R-Ky.) and Ranking Member Frank Pallone (D-N.J.), who spent months negotiating a text both parties could support. It now heads to the Senate, where the outlook is considerably less certain. Key senators, including KOSA co-authors Richard Blumenthal (D-Conn.) and Marsha Blackburn (R-Tenn.), have already signaled that the House version falls short of what they consider adequate protection - not because it goes too far, but because it doesn't go far enough in one specific respect, discussed below.
While the primary narrative surrounding the bill focuses on protecting children and teenagers, the legal mechanisms embedded within the text have profound implications for adult users and the future of free expression. The legislation expands privacy protections to cover teenagers up to age 17, bans targeted advertising to minors, and mandates default safety settings. However, the most consequential element - and the one drawing the sharpest criticism from civil liberties groups - lies in what's known as the "should have known" liability standard. This legal trigger creates a systemic incentive for platforms to implement age-checking practices across their entire user base to mitigate litigation risk, effectively ending the era of anonymous browsing as we've known it.

What actually changed in the House text
It's worth pausing on how the bill evolved, because the changes tell you what lawmakers were worried about. The version that cleared committee in March was criticized on three fronts: it preempted stronger state laws, it used a weak "actual knowledge" standard for identifying minors, and it dropped KOSA's "duty of care" requirement entirely. By the time the House voted at the end of June, two of those three complaints had been addressed.
The preemption language was rewritten so that the KIDS Act no longer overrides state laws that offer more protection than the federal floor - a meaningful concession to states like California and New York that have pushed further on child safety. The knowledge standard was also tightened, moving from "actual knowledge or willful disregard" to "know or should have known," which brings it closer to the stricter formulation the Senate had already passed in its own version of KOSA back in 2024.
What didn't survive is the duty of care provision - the requirement that platforms proactively design their products to avoid fostering compulsive use, self-harm, or exploitation, rather than simply reacting once harm is documented. Its absence is precisely why Senate Democrats, and some Republicans working with the White House on a broader AI package, say the House bill has been hollowed out. It's also, ironically, part of why the age-verification provisions loom so large: without a duty of care standard governing design choices, age-gating becomes the primary compliance lever platforms have left to reach for.
The 'should have known' liability trap
The architecture of the KIDS Act relies on a specific legal standard that fundamentally alters the risk calculus for online service providers. While the KOSA section of the bill explicitly claims not to require age verification, it simultaneously imposes strict obligations on platforms that "know or should have known" a user is a minor. This creates a classic regulatory double-bind. To avoid massive legal penalties, a platform must be able to prove it did not have reason to believe a user was a minor. The only technically and legally defensible way to achieve this is to verify the age of every individual who accesses the service.
As a result, a de facto age verification mandate is born. Under this regime, social media companies, gaming platforms, and even general-interest websites must transition from passive hosts to active identity gatekeepers. This requirement extends beyond pornographic content - where age verification is specifically and explicitly mandated - to include any consumer-facing service that might plausibly host content covered by the bill's broad definitions.
The Electronic Frontier Foundation has been blunt about the mechanics at play here. EFF senior policy analyst Joe Mullin described the legislation as "a mess, with different age-gating schemes for different services, using different standards," adding that the resulting complexity and legal exposure means many companies will conclude the safest compliance path is restrictive age-checking practices applied across their entire platforms, rather than narrowly targeted at content likely to reach minors.
This is the double-bind in a sentence: the bill's supporters can truthfully say it doesn't require age verification, while its practical effect nudges nearly every platform toward adopting it anyway. It's a distinction that matters legally and means almost nothing operationally.

Technical mechanisms of age assurance
To comply with the KIDS Act, platforms are likely to deploy a variety of technical mechanisms, each with distinct privacy and security profiles. These methods represent the new gatekeeping layer of the internet:
- Identification-based verification. Users upload government-issued IDs, such as driver's licenses or passports, which third-party services then verify against official databases. Robust for confirming identity, but it creates a massive repository of personally identifiable information that is highly attractive to cybercriminals.
- Biometric and facial age estimation. This method uses AI to analyze a live selfie or short video, estimating age from facial features, often paired with a "liveness check" to confirm the user isn't holding up a photograph. It introduces biometric surveillance into what used to be an anonymous act - clicking a link.
- Database checks. Platforms cross-reference names and birthdates against records held by credit bureaus or government agencies. This method inherits every flaw already present in commercial data broker files, which are notoriously riddled with errors and gaps, particularly for marginalized populations.
- Zero-knowledge proofs (ZKP). An emerging privacy-preserving technology that lets a user prove they're over a certain age without revealing their actual birthdate or identity. Promising in theory, but the infrastructure needed for widespread adoption isn't mature yet, and few mainstream platforms have implemented it at scale.
None of these methods is neutral. Each trades off differently between accuracy, privacy, and accessibility - and platforms racing to reduce legal exposure have little incentive to pick the option that protects users best rather than the one that's cheapest and fastest to deploy.

The erosion of digital anonymity
Digital civil liberties organizations, including EFF and the Center for Democracy and Technology, have voiced sustained alarm over the systemic erosion of anonymity embedded in this bill. For decades, the ability to browse the internet without a persistent link to one's legal identity has been treated as a cornerstone of digital freedom. The KIDS Act threatens to dismantle that protection at scale.
EFF put the mechanism plainly: age-verification mandates are not limited in their effect to children, since proving a user is old enough generally requires a site to check the age, and often the identity, of everyone who arrives, including adults. That, the organization argues, turns anonymous browsing into identified browsing and creates new pools of sensitive identity data vulnerable to breach or misuse.
Anonymity isn't merely a preference for those with something to hide. It's a critical safety tool for vulnerable populations:
- Domestic abuse survivors use anonymous accounts to seek help without alerting their abusers.
- Journalists rely on encrypted, anonymous communication to protect confidential sources.
- Activists in restrictive political environments use anonymity to organize and express dissent.
- Whistleblowers depend on the ability to disclose wrongdoing without immediately revealing who they are.

Press freedom advocates have raised this concern with particular urgency. Writing in The Intercept, Caitlin Vogus of the Freedom of the Press Foundation and Aliya Bhatia of the Center for Democracy and Technology's Free Expression Project warned that mandating age verification effectively hands a skeleton key to the identities of every whistleblower, dissident, and investigative reporter who uses online platforms - not just the children the law is meant to protect.
Furthermore, the collection of this data creates immense cybersecurity risk. Research out of Georgia Tech and UC Irvine has documented that third-party age verification services routinely leak metadata, including IP addresses and browser fingerprints. This data can be harvested by data brokers to track users across the web, effectively turning a child-safety measure into infrastructure for commercial or state surveillance. High-value databases containing the driver's licenses of millions of citizens become obvious, concentrated targets for state-sponsored hackers and identity thieves - a single breach away from becoming a mass identity-theft event.
Britain offers a preview of what this looks like once it's operational. Under the UK's Online Safety Act, users increasingly hand over government IDs or submit to face scans just to reach ordinary content, and the country's communications regulator, Ofcom, has already opened dozens of investigations into non-compliant platforms. It's the closest real-world analogue available for what a fully implemented "verify everyone" regime looks like day to day.
A global pattern, not an isolated bill
It's tempting to read the KIDS Act as a uniquely American story. It isn't. The same week the House voted, European Union negotiators sat down for what was billed as the final trilogue on Chat Control 2.0, the EU's long-running child-protection regulation targeting private messaging. Both efforts dropped their most invasive original provisions under pressure - the House stripped out KOSA's duty of care, and EU negotiators abandoned mandatory client-side scanning of encrypted messages. Both retained age verification largely intact.
The pattern is the same one playing out in roughly half of U.S. states that have already passed their own age-verification laws, and in the UK's rollout of facial age estimation, which the Home Office is now extending even to asylum-seeker processing. Each law is passed individually, often with genuine bipartisan or cross-party intent, and each is defensible in isolation. But stacked together, they describe a trajectory: identity verification is quietly becoming table stakes for using the internet at all, one sector-specific mandate at a time.
Demographic disparities and algorithmic bias
The implementation of age verification technologies is not a neutral process. Substantial evidence suggests these systems disproportionately burden marginalized groups, and in ways that go well beyond mere inconvenience.
For document-based systems, the barrier to entry is highest for those without traditional identification. Roughly 15 million adult U.S. citizens lack a driver's license, and Black and Hispanic Americans, people with disabilities, and lower-income individuals are significantly less likely to possess any form of government-issued photo ID. For this population, "just upload your ID" isn't a minor inconvenience - it's an outright barrier to participation.
Biometric systems introduce a different, arguably more insidious, set of inequities. Independent research on facial age estimation has repeatedly found accuracy gaps along racial and ethnic lines. A recent investigation into age-estimation software used in the UK asylum system - a comparable technology to what U.S. platforms may deploy - found the system predicted more than half of 16-year-old West Africans as being over 18, while classifying less than a quarter of 16-year-old Eastern Europeans as adults. That's not a marginal discrepancy; it's a systemic pattern of misclassification that tracks along racial lines rather than actual age.
Academic research backs this up more broadly. Studies of commercial facial recognition systems have found error rates for Asian and Black faces running many times higher than for white faces under comparable conditions, a disparity researchers generally attribute to poorly balanced training datasets rather than any inherent property of the technology itself. These systems also tend to perform less reliably for transgender individuals and people with non-binary gender expressions, whose faces may not map cleanly onto the demographic categories the underlying models were trained on.
There's also a more basic vulnerability. Professor Vir Phoha of Syracuse University has warned that facial recognition systems used for age checks are highly susceptible to spoofing through presentation attacks - think high-resolution printed photos or realistic masks - which calls into question how much genuine security these systems provide even when they're working as designed. A gatekeeping mechanism that both wrongly excludes legitimate adult users and can be fooled by a printed photograph is a poor trade for the privacy it costs everyone else.

Effectiveness and the migration of users
Legislators argue that the KIDS Act is necessary to reduce minors' exposure to harmful content and addictive design. Rep. Gus Bilirakis (R-Fla.), one of the bill's lead authors, has pointed to the scale of the problem directly, noting how much time teenagers now spend online. But historical data on comparable laws suggests age verification mandates often fail to achieve their stated goals, even when platforms comply in good faith.
A working paper published in the Journal of Law & Empirical Analysis examined Google Trends data in states that had already implemented age-verification laws for adult content. Researchers found a 51% drop in searches for Pornhub, which complied with the law - but they also found that users simply migrated to other, unregulated platforms or turned to VPNs to bypass the restriction entirely. The demand didn't disappear. It just moved somewhere less accountable.
That migration pattern shows up wherever age-gating has been tried at scale:
Evaluation by Australia's eSafety Office found that 41% of adolescents attempted to circumvent social media bans using alternative platforms, often increasing their exposure to more extreme content in the process.
In France, where a 2023 law mandates parental consent for users under 15, over half of affected adolescents reported successfully circumventing the requirement simply by falsifying their age. These findings, taken together, suggest that while age verification imposes real and durable privacy costs on law-abiding adults, its record of actually protecting the minors it targets is decidedly mixed.
As Santa Clara University law professor Eric Goldman has put it, every age-authentication mandate that goes into effect shrinks the internet somewhat - not necessarily for the people it's meant to stop, who route around it, but for everyone else who simply stops bothering.
Transparency and data broker regulation
One of the less-discussed but genuinely significant portions of the KIDS Act involves data broker transparency. The bill requires covered data brokers to register with the Federal Trade Commission within a set window after enactment, and tasks the FTC with building a publicly available registry of these companies. This is a real step toward shedding light on an industry that has operated largely in the shadows, collecting and selling the personal information of children and teenagers with minimal public scrutiny.
But the provision sits awkwardly alongside the rest of the bill. On one hand, the KIDS Act seeks to limit the exploitation of children's data by existing brokers. On the other, its age-verification mandates require the creation of new, even more sensitive datasets - biometric templates, government ID scans, facial video - that will inevitably pass through third-party verification companies. The regulatory framework effectively creates a new category of "identity broker" whose access to sensitive personal data may end up rivaling, or exceeding, the influence of the traditional data brokers the bill is trying to rein in.
If you want to understand how deep this contradiction runs across privacy law more broadly, it's worth reading our earlier piece on why privacy law keeps failing to deliver actual privacy - the same dynamic, of well-intentioned transparency rules coexisting with new large-scale data collection mandates, keeps recurring across nearly every major regulatory effort in this space.

Impact on free expression and access to information
The KIDS Act introduces broad categories of "harmful content" that platforms must mitigate under threat of liability. Critics worry this invites aggressive over-moderation. Platforms, wary of litigation, may preemptively restrict content related to mental health, reproductive health, or LGBTQ+ topics under the banner of "protecting" minors - even when that content is exactly what a struggling teenager most needs to find. For young people in restrictive home environments, the internet is often the only accessible source of objective information on these subjects, and mandatory age verification adds a real barrier: minors may be reluctant to seek sensitive resources if they know their identity and browsing habits could be tracked, logged, or shared with a parent or guardian.
The legislation also reaches into AI chatbot interactions, requiring bots to disclose their non-human status and steer clear of promoting harmful topics. That's a reasonable instinct on its face. But if AI chatbots are pushed into rigid, government-mandated conversational scripts, they risk losing the nuance that actually helps someone in a genuine mental health crisis - precisely the population the provision is meant to protect.
Preemption and the legal path ahead
As the KIDS Act moves to the Senate, its preemption framework remains one of the more consequential - if underdiscussed - points of the negotiation. The House-passed text uses a conflicts-based standard: it overrides state laws that are weaker or inconsistent, while explicitly preserving state laws that offer stronger protections. Pallone has said this was written with the deliberate intent of leaving states free to pass and enforce tougher rules, including their own duty-of-care requirements the federal bill lacks.
That's a meaningfully different posture than the earlier committee draft, which would have preempted similar state laws outright. It reflects an attempt to set a national floor for safety without foreclosing states like California or New York from going further. But for digital platforms operating nationally, it still produces a fragmented compliance landscape - a patchwork of overlapping and occasionally conflicting state and federal requirements, all of which have to be satisfied simultaneously.
Industry groups warn this incomplete preemption will produce "compliance chaos," pushing platforms toward the most restrictive verification methods available simply to ensure coverage across every jurisdiction they operate in. Legal uncertainty of this kind rarely produces cautious, proportionate compliance - it tends to produce the opposite: companies over-collecting data and over-verifying users because that's the only strategy that reliably satisfies every possible regulator at once.
The future of the anonymous web
The passage of the KIDS Act marks a genuine turning point in the governance of the digital commons. By shifting the burden of age assurance onto platforms through the "should have known" standard, the federal government is effectively outsourcing identity management to the private sector - without fully reckoning with what that outsourcing costs.
The result, if the bill survives the Senate in anything close to its current form, is an internet where the right to remain anonymous is traded for a promise of safety that the available research suggests is difficult to fulfill. The loss of anonymity, the creation of new security vulnerabilities, and the potential for algorithmic discrimination against marginalized users aren't minor side effects to be managed around the edges. They're fundamental changes to the social contract that has governed the internet since its earliest days.
Whether the KIDS Act ultimately protects the children it's named for, or simply produces a more surveilled and less accessible digital world for everyone, will depend on what happens next: how the Senate rewrites it, and how federal agencies choose to implement whatever eventually becomes law.
This article provides a legal and technical analysis of pending legislation and does not constitute legal advice. Individuals and organizations should consult with legal counsel regarding specific compliance obligations.
Key takeaways
- The KIDS Act (H.R. 7757) passed the House in a bipartisan 267-117 vote, consolidating 14 separate legislative proposals, including KOSA and COPPA 2.0.
- The bill's "know or should have known" liability standard pressures platforms to verify the age of all users, not just minors, to limit legal exposure.
- Supporters explicitly state the bill does not require age verification, even as its liability structure makes verification the only defensible compliance path.
- The House-passed text preserves stronger state laws rather than preempting them, using a conflicts-based standard - a change from the earlier committee draft.
- The bill dropped KOSA's "duty of care" provision, a change Senate Democrats and co-authors Richard Blumenthal and Marsha Blackburn say significantly weakens the legislation.
- Civil liberties groups, including the EFF and Center for Democracy and Technology, warn the bill would end anonymous browsing for adults as a side effect of protecting minors.
- Anonymity protects domestic abuse survivors, journalists, whistleblowers, and activists - all groups that rely on it for physical or professional safety.
- Roughly 15 million U.S. adults lack a driver's license, disproportionately affecting Black, Hispanic, and lower-income individuals who would face barriers under ID-based verification.
- Facial age estimation systems show significant racial bias; one comparable system misclassified over half of 16-year-old West Africans as adults, versus under a quarter of 16-year-old Eastern Europeans.
- Research shows facial recognition systems are highly susceptible to spoofing via printed photos or masks, undermining their reliability as a security measure.
- Historical data from state-level age-verification laws for adult content shows users often migrate to unregulated platforms or use VPNs rather than stop seeking the content.
- The bill also requires data brokers to register with the FTC, even as it creates new, more sensitive datasets - biometric templates and ID records - processed by third-party "identity brokers."
Sources
- Electronic Frontier Foundation https://www.eff.org/deeplinks/2026/06/kids-act-would-require-age-checks-get-online
- IAPP https://iapp.org/news/a/us-house-passes-the-kids-act
- Pillsbury Law https://www.pillsburylaw.com/en/news-and-insights/kids-act-house-ai-chatbot-safety.html
- Congress.gov (H.R. 7757 full text) https://www.congress.gov/bill/119th-congress/house-bill/7757/text
- Tech Policy Press https://www.techpolicy.press/bipartisan-smorgasbord-of-childrens-online-safety-legislation-passes-the-house/
- Published 2026-07-14 04:00
- Modified 2026-07-14 04:00

