The Kids Online Safety Act (KOSA) is a U.S. privacy bill created to protect kids as they navigate today's precarious online environment. It does this by imposing new child-related safety obligations on all applicable online platforms.

Having already passed in the Senate with strong bipartisan support, KOSA now awaits a decisive vote in the House of Representatives (as of September 5, 2024).

This article breaks down what KOSA entails, including who it applies to, its key requirements, compliance measures for businesses, and the penalties for violations. Let's get into it.


What is the Kids Online Safety Act (KOSA)?

The Kids Online Safety Act (KOSA) is U.S. federal privacy legislation designed to protect children and minors from harmful online experiences.

KOSA was first introduced in 2022 by Senators Marsha Blackburn and Richard Blumenthal to address growing concerns about children's safety on digital platforms, particularly regarding the following:

  • Substance abuse
  • Sexual exploitation
  • Social media addiction
  • Cyberbullying and online harassment
  • Mental health conditions like depression, self-harm, and eating disorders

Among other requirements, KOSA will impose a "duty of care" on all applicable online companies. This means companies must take reasonable steps to protect kids from exposure to content that could negatively affect their health, well-being, and development.

Like most newly proposed laws, KOSA garners praise and criticism alike. While some see it as a positive step toward creating a child-friendly online environment, others consider it a potential overreach, raising concerns about censorship and free speech online.

Short Background of the Kids Online Safety Act (KOSA)

KOSA's journey began in 2022 after several congressional hearings and investigations shone a light on the harmful effects of unregulated internet exposure on kids.

Since its introduction, KOSA has undergone multiple amendments to refine its scope and address concerns raised by civil liberties groups and tech industry stakeholders.

Its latest amendment in February 2024 resolved many of these concerns and even prompted additional support from other senators, bringing the total number of KOSA cosponsors to 72.

At the time of writing, KOSA has passed the Senate with overwhelming support. It will now proceed to the U.S. House of Representatives for further consideration by the Energy and Commerce Committee.

If eventually signed into law, KOSA is set to take effect 18 months after its date of enactment.

Key Definitions Under the Kids Online Safety Act (KOSA)

Like most laws, the Kids Online Safety Act (KOSA) gives its own specific meaning to certain terms used in its text. Let's briefly go through the most important ones.

Meaning of "Child" and "Minor"

While the terms "child" and "minor" are often used interchangeably, the Kids Online Safety Act (KOSA) draws a key distinction.

It defines a child as someone under the age of 13 years. This age threshold notably keeps KOSA aligned with the provisions of the Children's Online Privacy Protection Act (COPPA).

A minor under KOSA is an individual under the age of 17 years.

What is Personal Data?

The Kids Online Safety Act (KOSA) defines personal data as:

"information that identifies or is linked or reasonably linkable to a particular minor, including a consumer device identifier that is linked or reasonably linkable to a minor."

Typical examples of personal data include but aren't limited to names, usernames, email addresses, phone numbers, ID numbers, and mailing addresses.

What is an Online Platform?

Under the Kids Online Safety Act (KOSA), an online platform is defined as:

"any public-facing website, online service, online application, or mobile application that predominantly provides a community forum for user generated content, such as sharing videos, images, games, audio files, or other content, including a social media service, social network, or virtual reality environment."

In other words, any online community, network, or forum where kids can participate in free-flow activities and socialize with other people counts as an online platform.

Who Does the Kids Online Safety Act (KOSA) Apply to?

The Kids Online Safety Act (KOSA) primarily applies to "covered platforms." The bill defines a covered platform as:

"an online platform, online video game, messaging application, or video streaming service that connects to the internet and that is used, or is reasonably likely to be used, by a minor."

Going by this definition, any online service that connects to the internet and allows kids to interact with its features will fall under KOSA's scope.

In particular, social media networks, social messaging apps, multiplayer online video games, and video streaming platforms will all fall under the umbrella of KOSA.

Are There Exemptions to the Kids Online Safety Act (KOSA)?

While the Kids Online Safety Act (KOSA) primarily targets online platforms, it notably exempts blogs and personal websites from its scope. The following entities are also exempt:

  • Common carrier services (like telephone companies)
  • Broadband internet access providers
  • Email services
  • Teleconferencing and video conferencing services that only facilitate real-time communication via unique links and do not function as social media services
  • Direct messaging platforms, such as SMS or MMS services that aren't linked to a broader online platform, as long as they focus on private communication, not public posting
  • Nonprofit organizations
  • Educational institutions and libraries
  • News websites or apps focused solely on news content
  • Business-to-business (B2B) software products
  • Services like virtual private networks (VPNs), which only route internet traffic between locations

How Does the Kids Online Safety Act (KOSA) Affect Children?

The Kids Online Safety Act (KOSA) aims to create a safer online environment for children without censoring, blocking, or limiting access to necessary information and support.

To that end, KOSA advocates for easy access to mental health services and resources like the National Suicide Hotline, substance abuse help, and LGBTQ+ youth centers.

For children under 13, KOSA builds on COPPA's existing provisions with parental permissions and stricter safeguards. Teens aged 13 to 16 retain control over their online experience but with optional parental tools, like monitoring usage.

Ultimately, KOSA works to equip both kids and parents with tools to ensure their safety online while respecting children's privacy and autonomy.

How Does the Kids Online Safety Act (KOSA) Affect Covered Platforms?

The Kids Online Safety Act (KOSA) will hold covered platforms accountable for situations where their algorithms or design choices actively contribute to harming kids online. But it won't hold them liable when kids deliberately seek help or information on these topics.

Instead, KOSA encourages covered platforms to adopt safer design practices and implement safeguards for both parents and kids, including tools to manage privacy settings, control screen time, and limit financial transactions.

To comply, online platforms will have to revise their policies, strengthen protection tools, and moderate child-related content to reflect KOSA's safety guidelines.

How Do You Comply With the Kids Online Safety Act (KOSA)?

If the Kids Online Safety Act (KOSA) becomes law, online platforms will have to comply with the following requirements:

  • Uphold the "duty of care"
  • Implement child-friendly safeguards by default
  • Provide parental control tools
  • Set up an effective reporting mechanism
  • Publish appropriate notices and disclosures
  • Observe transparency requirements

Let's take a closer look at what each requirement entails.

Uphold the "Duty of Care"

KOSA's "duty of care" requirement is all about proactive protection. As a covered platform, you'll have to implement reasonable measures to shield minors from specific harms.

In practice, this will involve the following:

  • Designing features to mitigate risks of mental health disorders like anxiety, depression, eating disorders, substance abuse, and suicidal behaviors
  • Preventing addictive behaviors by identifying and mitigating patterns of use that encourage compulsive tendencies
  • Protecting against physical violence, bullying, and harassment
  • Preventing sexual exploitation and abuse by restricting interaction with kids
  • Restricting harmful advertising of narcotic drugs, tobacco, gambling, and alcohol
  • Protecting kids against dark patterns and predatory practices like misleading ads and financial scams

It's worth noting that you aren't required to block content that minors specifically search for or request. You also don't have to restrict access to resources that help prevent or mitigate these harms.

Here's how the legal text explains these provisions:

Kids Online Safety Act: Duty of Care section

Implement Child-Friendly Safeguards By Default

KOSA puts child safety front and center by requiring covered platforms to set up readily accessible and easy-to-use safeguards when it comes to minors.

Here's what you'll need to take note of:

  • Limiting Communication: Provide options to control who can communicate with minors to curb unwanted interactions.
  • Protecting Personal Data: Restrict the visibility of children's personal data to prevent it from being accessed by others, especially publicly.
  • Controlling Addictive Features: Limit features that encourage excessive platform usage, like autoplay, rewards for time spent, or constant notifications.
  • Managing Recommendation Systems: Give minors the ability to exercise at least one of the following:

    • Opt out of personalized recommendations while still displaying content in a chronological format
    • Limit types or categories of suggested content
  • Restricting Geolocation Sharing: Restrict sharing a minor's geolocation data to other users on the platform and provide crystal clear notices about location tracking.
  • Easy Data and Account Management: Offer easily accessible options for minors to either:

    • Delete their accounts as well as any collected or shared personal data on the platform
    • Limit the amount of time spent on the platform

Importantly, you must enable these safety controls by default and place them in their most protective setting to ensure the highest protection standards.

In other words, you can't ask minors to proactively enable these features. The onus is on you (the covered platform) to prioritize child wellbeing from the outset.

Here's how KOSA presents this requirement:

Kids Online Safety Act: Safeguards for Minors Section

Provide Parental Control Tools

Under KOSA, covered platforms must give parents (including legal guardians) easy-to-use tools that let them support minors when online. These tools should allow parents to:

  • View and control their children's privacy settings, including communication, data sharing, and usage limits
  • Restrict kids from making unauthorized purchases or financial transactions
  • View metrics of children's time spent on online platforms and set time limits as needed

Note that your platform must inform minors when parental controls are active and explain the settings applied to their accounts. And like all other safeguards, parental control tools must be enabled by default for all accounts that you know belong to minors.

Here's how KOSA's legal text highlights this requirement:

Kids Online Safety Act: Parental Tools Section

Set Up an Effective Reporting Mechanism

KOSA requires you to set up an easy-to-use reporting mechanism that allows parents, minors, and schools to report any potential harm.

This reporting mechanism must include an electronic point of contact, a confirmation system, and a way to track submitted reports. What's more, covered platforms must respond to submitted reports within these timeframes:

  • At most 10 days after receiving a report, if your platform recently averaged over 10 million active users monthly in the U.S.
  • At most 21 days after receiving a report, if your platform recently averaged fewer than 10 million active users monthly in the U.S., and
  • As quickly as possible if the report involves an imminent threat to a minor's safety

Here's how KOSA sets out these terms:

Kids Online Safety Act: Reporting Mechanism section

Publish Appropriate Notices and Disclosures

KOSA requires covered platforms to publish clear and conspicuous notices to minors and their parents about the platform's policies, practices, and safeguards.

Keep in mind that these notices must be easy to understand and available in the same language in which you offer services to minors and their parents.

That said, here's a rundown of key notices and disclosures to provide:

  • Pre-Registration Notices: You must inform minors about your data collection and retention policies, available safeguards, and any features that may pose risks before they register or make a purchase. This ensures minors and their guardians are fully aware of your platform's practices.
  • Parental Consent and Control: Once a child is involved, you must obtain verifiable parental consent and notify parents of available parental controls. If you already comply with the Children's Online Privacy Protection Act (COPPA), you're considered already compliant with this requirement.
  • Personalized Recommendations: If you use recommendation systems, you must explain how these systems work, how they use minors' personal data, and how minors can opt out or control them. This information must be set out clearly in your Terms and Conditions.
  • Clear Advertising Labels: If you use ads aimed at minors, you must clearly state their nature, the reason they're shown, and how minors' data will be used. You must also disclose all endorsements on these ads.

If KOSA becomes law, you'll need to update your business notices and disclosures to reflect these notice requirements. Note that you can include most of these disclosures in a publicly available Privacy Policy and Terms and Conditions agreement.

As KOSA continues its legislative journey, the FTC and other relevant authorities will provide additional guidance to help covered platforms comply.

Observe Transparency Requirements

Before going into the specifics of KOSA's transparency requirements, note that these requirements only apply to you if:

  • Your platform recently averaged over 10 million active users in the U.S.
  • Your platform predominantly serves as a community forum for user-generated content (e.g., social media sites and virtual reality environments)

Now, let's break down the transparency requirement.

KOSA requires covered platforms to issue a public report annually that describes "reasonable foreseeable risks of material harms to minors" along with recommended prevention and mitigation measures.

This report must be based on an independent, third-party audit that involves thorough inspections of the platform's systems, policies, and practices. In particular, the report must include the following details:

  • An assessment of the platform's likelihood of being accessed by minors
  • Descriptions of the platform's commercial interests regarding minors
  • Detailed user metrics, including number of minor users, time spent, and content access by language
  • Accounting of reports and prevalence of content related to specified harms (e.g., mental health, addiction, exploitation)
  • Any material breaches of parental tool commitments or data use assurances

How Will the Kids Online Safety Act (KOSA) Be Enforced?

The Kids Online Safety Act (KOSA) will primarily be enforced by the Federal Trade Commission (FTC). The FTC will have the authority to investigate and address violations, particularly when it comes to the "duty of care" provision.

Under earlier versions, enforcement of KOSA's "duty of care" was placed in the hands of state attorneys general, but this raised censorship concerns from LGBTQ+ groups and others. In response, KOSA was updated to grant primary enforcement powers to the FTC.

While state attorneys general still retain some enforcement responsibilities, they'll focus primarily on bringing civil actions on behalf of their state residents.

Penalties For Non-Compliance With the Kids Online Safety Act (KOSA)

A violation of the Kids Online Safety Act (KOSA) will be considered an unfair or deceptive trade practice under the Federal Trade Commission Act.

While KOSA's legal text doesn't specify any concrete penalty (yet), violators can expect fines, legal actions, and other corrective measures imposed by the FTC depending on the severity and frequency of violations.

Summary

The Kids Online Safety Act (KOSA) is a landmark U.S. privacy bill that's set to redefine how large tech companies handle children's safety on their platforms. If passed, KOSA will likely become one of the most significant and impactful child privacy laws to date.

As KOSA inches closer to becoming law, it's important to assess whether your business may fall under its scope and start preparing compliance measures.

Among other requirements, applicable platforms would have to:

  • Uphold KOSA's "duty of care"
  • Implement child-friendly safeguards by default
  • Provide parental control tools
  • Set up an effective reporting mechanism
  • Publish appropriate notices and disclosures
  • Observe transparency requirements

Ultimately, KOSA aims to ensure that online platforms don't exploit young users for engagement or profit at the expense of their safety.
