Hashed & Salted | A Privacy and Data Security Update
In our children’s privacy update in Hashed & Salted last year, we pondered what the change in administration might mean for children and teen’s privacy regulation. Very little, it turns out. The federal government is clearly focused on children’s privacy. The Federal Trade Commission (FTC) has declared it one of its “top priorities,” held workshops on it and issued statements about its approach to enforcement. To date, however, the agency’s enforcement actions have been somewhat routine. At the same time, Congress has continued to introduce more children’s privacy legislation (some new and some repeats of previously introduced legislation) but has still failed to pass any, leaving states to fill the gap with new children’s online privacy, app store and social media legislation. (Read our recap of significant state children’s privacy developments and predictions about what’s to come in 2026 here.)
Federal Legislative Actions
Several different children’s privacy bills have been introduced in Congress. They range from updates to the Children’s Online Privacy Protection Act (COPPA) to age verification laws to regulations on chatbots. Below is a recap of some of the outstanding bills over the past year:
- COPPA 2.0 – The Children and Teens’ Online Privacy Protection Act would broaden COPPA-type privacy protections from children under 13 to minors under 17. The bill passed the Senate unanimously on March 5 but is now stalled in the House.
- Kids Online Safety Act (KOSA) – A new version of KOSA was introduced May 14, 2025, in the Senate, with over 75 co-sponsors. The law includes numerous protections for children, including protecting minors from online harms, default-by-design privacy settings and restrictions on sharing of personal information of minors. The Senate bill is stalled in committee despite broad bipartisan support. In the House, KOSA was incorporated into the Kids Internet and Digital Safety (KIDS) Act, an amended version of which was fast-tracked for debate and passed June 29.
- Parents Over Platforms Act (HR 6333) – The Parents Over Platforms Act is similar to the state app store accountability acts. The bill was introduced in December 2025 and has stalled in committee. In the Senate, the bill was read and referred to committee on April 20. (This is one of several bills related to app store age verification introduced in Congress, including the App Store Accountability Act, HR 3149 and S 1586.)
- AI Chatbot Laws – Congress has introduced several laws related to protecting children from the harms of AI chatbots. None of them have had any significant progression. (Safeguarding Adolescents from Exploitative BOTs Act or SAFE BOTs Act, HR 6489; Youth AI Privacy Act S 4199; GUARD Act S 3062)
- Protections From Social Media – Both the Shielding Children’s Retinas from Egregious Exposure on the Net Act (SCREEN Act) and the Stop the Scroll Act are intended to protect children from the harms of social media. Both are stalled.
In addition to these children’s privacy acts, Rep. John Joyce, R-Pa., introduced the Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act (SECURE Data Act, HR 8413) in April. The SECURE Data Act is a comprehensive consumer privacy bill that would establish a national framework for consumer privacy that would preempt related state privacy laws. Given the status of all the other privacy legislation in Congress, this bill also is unlikely to pass. However, if it does somehow garner enough support, its passage is expected to be a long road with several bumps and the need for significant amendments.
Federal Trade Commission
FTC officials have repeatedly emphasized that both the FTC and the Trump administration are committed to protecting children online. At the recent International Association of Privacy Professionals Global Privacy Summit, the FTC laid out a road map of how it intends to approach children’s privacy cases, which closely follows the path of the recent social media addiction cases in New Mexico and California. (Read our article on the social media cases here.) The FTC appears to be asking the following three questions in addressing online services directed to children:
- Does the design of the online service harm children?
- What is the cause of the harm?
- Can the FTC address the cause of the harm?
Whether the FTC can address the cause of the harm will depend on whether the cause of the harm falls within the FTC’s Section 5 powers. In particular, the FTC will look at whether the online service is making false statements about its children’s privacy practices or whether the online service has failed to be transparent about its privacy practices. Based on the social media addiction case in New Mexico, which argued that advertising for an online service provider violated New Mexico’s unfair competition laws, the FTC may be able to make similar arguments for other online services.
In addition to this enforcement road map, the FTC has taken several notable actions in the children’s privacy space:
- Amended COPPA Rule – The FTC’s 2025 amendments to the COPPA Rule became enforceable on April 22 (read our client alert here). These are the first amendments to the COPPA Rule since 2013.
- Age Verification Policy Statement – On Feb. 25, the FTC issued a policy statement announcing that it will not bring a COPPA Rule enforcement action against operators of general-audience or mixed-audience sites that collect, use or disclose personal information solely for the purpose of determining a user’s age via age verification technologies, provided they comply with certain conditions, including not using the data for any other purpose, employing reasonable security safeguards and deleting the data once age verification is complete (read our Quick Take here). This followed the FTC’s Jan. 28 Protecting American Children workshop examining age verification technologies (read our Quick Take here).
-
-
Associate