
KOSA, the KIDS Act, and the Federal Age Verification Shift: What Every Online Platform Needs to Prepare For

Congress is moving on 19 federal bills targeting minors online. KOSA, the KIDS Act, and COPPA 2.0 will reshape age verification requirements for every platform. Here's what engineering and compliance teams need to know — and build — now.

Diagram showing the convergence of federal age verification legislation including KOSA, KIDS Act, and COPPA 2.0

For years, the US age verification landscape was defined by state-level fragmentation. That era is ending. In March 2026, Congress advanced multiple federal children’s safety bills simultaneously — KOSA through the Senate, the KIDS Act through the House Energy and Commerce subcommittee, and COPPA 2.0 toward passage. Together with the App Store Accountability Act and at least 15 other pending federal proposals, these bills represent the most significant shift in US online platform regulation since Section 230.

If you operate a platform that serves US users — social media, e-commerce, gaming, content, SaaS, or anything with user accounts — federal age verification requirements are no longer a hypothetical. They’re in active legislative motion with 12-to-18-month compliance windows once enacted.

This post breaks down what’s actually in these bills, how they interact, what they require technically, and what your engineering and compliance teams should be building now.

The Three Bills That Matter Most

KOSA (Kids Online Safety Act)

KOSA has been reintroduced as S.1748 in the 119th Congress. It passed the Senate in the prior session and is now advancing again with bipartisan support. The core requirements:

  • Duty of care: Platforms must implement “reasonable policies” to prevent physical threats, sexual exploitation, drug distribution, and financial harm to known minors.
  • Safeguard mandates: Platforms must provide readily accessible controls limiting communication from strangers, reducing compulsive usage features, and restricting algorithmic recommendations for minor accounts.
  • Risk assessments: Annual audits evaluating how the platform’s design and features affect minors, with reports available to the FTC.
  • Default restrictions: Accounts for users under 17 must have privacy and safety settings enabled by default. Parents must have meaningful oversight tools.

Critically, KOSA does not explicitly mandate age verification. It uses a “knowledge” standard — obligations kick in when the platform has “actual knowledge” that a user is a minor. But here’s the catch: if your platform takes no steps to determine user age, you’re gambling that “we didn’t know” will hold up against an FTC enforcement action after a harm event involving a 14-year-old.

The practical result is that KOSA creates a strong incentive to implement age verification, even if it doesn’t require it by statute. Platforms that verify age can confidently apply the right safeguards. Platforms that don’t are flying blind on compliance.

Compliance window: 18 months after enactment.

KIDS Act (Kids Internet and Digital Safety Act)

The KIDS Act, introduced by Representative Gus Bilirakis in December 2025, packages KOSA provisions with more prescriptive requirements. It passed the House Energy and Commerce subcommittee in March 2026. Key additions beyond KOSA:

  • Explicit age verification for mature content: Platforms hosting content rated as sexual, violent, or otherwise age-restricted must verify user age before granting access.
  • Tiered knowledge standard: Smaller platforms use an “actual knowledge” standard. Larger platforms (those meeting a revenue or user threshold) must comply if they “willfully disregarded information that would lead a reasonable and prudent person” to determine a user is a minor. This is a significantly lower bar.
  • Algorithm opt-out: Minors must be able to opt out of recommendation algorithms entirely.
  • Stranger contact restrictions: Platforms must limit unsolicited contact between unconnected adults and minor accounts.

The tiered knowledge standard is the key development for larger platforms. “Willful disregard” means ignoring available signals — age-indicative behavioral data, registration information, device signals — that suggest a user is underage. For any platform at scale, this effectively mandates some form of age determination.

Compliance window: 12 months after enactment.

COPPA 2.0

COPPA 2.0 extends the original Children’s Online Privacy Protection Act from under-13 to under-17. The Senate passed its version unanimously in March 2026. Core changes:

  • Age expansion: All privacy protections now apply to users under 17, not just under 13.
  • Advertising ban: Targeted advertising to minors is prohibited entirely. This is not a consent requirement — it’s a flat ban.
  • Knowledge standard shift: The standard moves from “actual knowledge” to “actual knowledge or knowledge fairly implied on the basis of objective circumstances.” If a reasonable person would infer that a user is a minor based on available data, you’re on the hook.
  • Eraser button: Minors (or their parents) can demand deletion of all personal information at any time.
  • Data minimization: Personal data may only be processed “for the purpose of age verification” and must be deleted immediately afterward when used for that purpose.
  • FTC enforcement division: A dedicated FTC division for children’s online privacy enforcement, signaling sustained regulatory focus.

The “knowledge fairly implied” standard is the most consequential change in COPPA 2.0. It closes the loophole that allowed platforms to claim ignorance. If your user base skews young, if your content appeals to minors, if your registration flow doesn’t ask for age — the FTC can argue you should have known.

Compliance window: Varies by provision, generally 12 months.

The Compound Effect: Why These Bills Together Change Everything

Each bill individually creates significant obligations. Together, they create a compliance environment where age verification shifts from “nice to have” to “operational necessity” for any platform at scale.

Here’s the interaction model:

COPPA 2.0 expands the age threshold to 17 and lowers the knowledge standard. This means you need to know (or should know) whether users are minors.

KOSA imposes a duty of care for minor users. This means once you know (or should know), you must apply specific safeguards, restrict defaults, and enable parental controls.

The KIDS Act adds explicit age verification for mature content and introduces the “willful disregard” standard for larger platforms. This means you can’t credibly claim ignorance if you haven’t implemented age determination.

The compound message from Congress is clear: determine user age, apply appropriate protections, and be prepared to demonstrate compliance. The specific method isn’t prescribed, but the obligation is inescapable.

What These Bills Require Technically

Strip away the legal language, and these bills require four technical capabilities:

1. Age Determination at Account Creation

You need a mechanism to classify users into age tiers: under 13, 13-16, and 17+. The App Store Accountability Act makes this explicit with three tiers. COPPA 2.0’s expanded scope and KOSA’s safeguard requirements both depend on it.

The method doesn’t need to be invasive. The legislation permits “commercially available” age verification methods. AI-based age estimation from a selfie — the approach Xident uses — satisfies this requirement without requiring government ID upload. It’s fast, privacy-preserving (no document data stored), and meets the “reasonable method” standard referenced across these bills.

2. Verifiable Parental Consent

For users identified as minors, multiple bills require verifiable parental consent before account creation or certain feature access. This means your platform needs:

  • A mechanism to contact and verify the parent or guardian
  • Consent capture and storage
  • The ability to revoke consent and delete the minor’s data
  • Audit trails demonstrating consent was obtained before data processing began

This is not a one-time UX flow. COPPA 2.0’s “eraser button” and KOSA’s parental oversight tools mean you need ongoing consent management, not just an initial gate.
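One way to keep the consent records and audit trail listed above, as an added example (not Xident's code and not a format taken from any of the bills): an append-only, hash-chained ledger that can answer whether consent was in force at the moment processing began. The class, field names and Unix-timestamp convention are hypothetical.

```python
import hashlib
import json

GENESIS = "0" * 64  # predecessor hash for the first entry


def _digest(prev_hash, body):
    """Hash an event together with the hash of the entry before it."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class ConsentLedger:
    """Append-only, hash-chained log of consent events (hypothetical design)."""

    def __init__(self):
        self.entries = []

    def record(self, minor_id, parent_id, action, ts):
        """Append a 'grant' or 'revoke' event; ts is a Unix timestamp."""
        if action not in ("grant", "revoke"):
            raise ValueError("action must be 'grant' or 'revoke'")
        if self.entries and ts < self.entries[-1]["ts"]:
            raise ValueError("events must be appended in time order")
        body = {"minor": minor_id, "parent": parent_id, "action": action, "ts": ts}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({**body, "prev": prev, "hash": _digest(prev, body)})

    def consent_active(self, minor_id, at_ts):
        """True only if the latest event at or before at_ts is a grant."""
        active = False  # no record means no consent
        for e in self.entries:
            if e["minor"] == minor_id and e["ts"] <= at_ts:
                active = e["action"] == "grant"
        return active

    def verify_chain(self):
        """Recompute every link. Detects edited, reordered or mid-chain-deleted
        entries; detecting truncation of the tail also needs the latest hash
        stored somewhere the log's writer cannot change."""
        prev = GENESIS
        for e in self.entries:
            body = {k: e[k] for k in ("minor", "parent", "action", "ts")}
            if e["prev"] != prev or e["hash"] != _digest(prev, body):
                return False
            prev = e["hash"]
        return True
```

Calling `consent_active(minor_id, ts)` with the timestamp of the first data-processing event gives the "consent came first" evidence; a revoke flips it to false from that point on and is the trigger for the deletion job.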

3. Tiered Feature Access

KOSA’s safeguard mandates and the KIDS Act’s algorithm opt-out requirement mean your platform must support differentiated experiences based on age tier:

  • Under 13: Maximum restrictions. No targeted ads. No algorithmic recommendations. Limited contact features. Parental controls enabled by default.
  • 13-16: Reduced restrictions with parental oversight available. No targeted ads. Algorithm opt-out available. Default privacy settings maximized.
  • 17+: Full platform access.

This has architecture implications. Your user model needs an age tier attribute that propagates across your recommendation engine, ad serving, messaging system, and privacy settings. Retrofitting this into an existing platform is non-trivial — which is exactly why starting now matters.
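The age tier attribute described above, as an added example (not from Xident or the bills): one decision function that the recommendation engine, ad serving and messaging all call, so a stored preference can tighten a minor's settings but never loosen them past the tier's ceiling. The feature names, the user-record shape, and treating a missing or unrecognised tier as under 13 are assumptions.

```python
from enum import Enum


class AgeTier(Enum):
    UNDER_13 = "under_13"
    AGE_13_16 = "13_16"
    AGE_17_PLUS = "17_plus"


# feature -> (ceiling, default) per tier. The ceiling is the most permissive
# value the tier may ever reach; the default applies when no preference is set.
# "stranger_contact" being off for 13-16 is an assumption of this example.
POLICY = {
    AgeTier.UNDER_13: {"targeted_ads": (False, False),
                       "recommendations": (False, False),
                       "stranger_contact": (False, False)},
    AgeTier.AGE_13_16: {"targeted_ads": (False, False),
                        "recommendations": (True, True),   # user may opt out
                        "stranger_contact": (False, False)},
    AgeTier.AGE_17_PLUS: {"targeted_ads": (True, True),
                          "recommendations": (True, True),
                          "stranger_contact": (True, True)},
}


def tier_of(user):
    """Stored tier, or UNDER_13 when it is missing or unrecognised (fail closed)."""
    try:
        return AgeTier(user.get("age_tier"))
    except (ValueError, TypeError):
        return AgeTier.UNDER_13


def feature_enabled(user, feature):
    """Decision that ad serving, recommendations and messaging all call."""
    ceiling, default = POLICY[tier_of(user)].get(feature, (False, False))
    wanted = user.get("prefs", {}).get(feature, default)
    return ceiling and wanted is True  # a preference can restrict, never widen


def effective_settings(user):
    """All feature decisions for one user record."""
    return {f: feature_enabled(user, f) for f in POLICY[AgeTier.UNDER_13]}
```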

4. Data Handling for Verification

COPPA 2.0 explicitly addresses the privacy concern around age verification itself: data collected for the purpose of age verification must be used only for that purpose and deleted immediately afterward. This means your verification flow cannot:

  • Retain selfie images after age estimation is complete
  • Store government ID data beyond the verification moment
  • Use verification data for profiling, advertising, or analytics
  • Share verification data with third parties

This is where the choice of verification provider matters significantly. Xident’s architecture is designed for exactly this constraint: age estimation runs in real-time, returns only the age classification result, and does not persist biometric data. The platform never sees the selfie — only the verification outcome.

The Privacy-Safety Tension (And How to Resolve It)

The central criticism of age verification legislation — articulated by the EFF, ACLU, and privacy advocates — is that verifying age necessarily creates surveillance infrastructure. If every user must prove their age, you’ve built a system that knows who’s accessing what content, when, and from where.

This criticism is valid when age verification is implemented badly. Government ID upload, face-to-database matching, persistent biometric storage — these approaches do create surveillance risks. They also create honeypot databases that attract breaches.

But the criticism doesn’t apply to all verification architectures. Privacy-preserving approaches exist and are specifically anticipated by the legislation:

  • AI age estimation: A selfie is analyzed in real-time to estimate age range. No image is stored. No identity is linked. The platform receives only a binary signal: “meets age threshold” or “does not meet age threshold.”
  • Reusable credentials: Verify once, prove everywhere. A user completes verification once and receives a cryptographic credential (via passkey or similar mechanism) that can be presented to any participating platform without re-verification. No data leaves the user’s device.
  • Zero-knowledge proofs: The user proves they meet an age requirement without revealing their actual age, identity, or any other attribute. The verifier learns only the boolean result.
  • On-device processing: Age estimation runs on the user’s device using WebAssembly or native ML models. The raw biometric data never leaves the device. Only the result is transmitted.

Xident implements all four of these approaches. The architecture was designed from the ground up to satisfy verification requirements without creating the surveillance infrastructure that privacy advocates rightly warn about.

The legislation accommodates this. COPPA 2.0’s data minimization requirements and the KIDS Act’s “commercially available methods” language both point toward privacy-preserving verification as the intended compliance path. The bills don’t want platforms building identity databases — they want platforms knowing whether users are old enough.

The Timeline Is Shorter Than You Think

Here’s the realistic timeline for federal age verification requirements:

Now (Q1 2026): KOSA, KIDS Act, and COPPA 2.0 are all advancing through Congress with bipartisan support. The Senate passed its COPPA 2.0 bill unanimously.

Mid-2026: If the legislative pace holds, at least one (likely two) of these bills will reach the President’s desk. The political dynamics favor passage — children’s online safety has overwhelming public support and bipartisan congressional backing.

Late 2026 to early 2027: Enactment triggers compliance clocks. The shortest window is 12 months (KIDS Act, App Store Accountability Act). The longest is 24 months (Parents Over Platforms Act).

2027-2028: Compliance deadlines hit. FTC enforcement begins. Platforms without age verification face regulatory action under the new standards.

But here’s what most platforms miss: the compliance clock isn’t the real deadline. The engineering timeline is. Building age-tiered user management, parental consent workflows, algorithmic controls, and verification integration into an existing platform takes months of engineering work. If you wait for enactment to start building, you’ll be scrambling to ship under deadline pressure with a new FTC enforcement division watching.

The platforms that will handle this transition smoothly are the ones that start building now — integrating verification, designing tiered experiences, and implementing consent management before the legal requirement is finalized.

What to Build Now

If you’re an engineering or product leader at a platform that serves US users, here’s the practical preparation list:

Integrate age verification at sign-up. Choose a provider that supports privacy-preserving methods (AI age estimation, not just document upload). Xident’s SDK can be integrated in under 5 minutes and supports both client-side and server-side liveness detection. Start with optional verification and make it mandatory when legislation requires it.

Build age-tiered user states. Add an age tier attribute to your user model. Define three tiers (under 13, 13-16, 17+). Propagate this attribute to your recommendation engine, ad platform, messaging system, and privacy settings. This is the hardest part to retrofit — start early.

Implement parental consent flows. Build the mechanism for minors to link a parent account, for parents to grant and revoke consent, and for the platform to demonstrate consent was obtained. This needs to work across web and mobile.

Audit your recommendation algorithms. KOSA requires safeguards against compulsive usage patterns and the KIDS Act requires algorithm opt-out for minors. Review your recommendation engine for features that would need to be disabled or modified for minor accounts.

Set up verification data handling. Ensure your age verification flow does not persist biometric data. If you’re using a third-party provider, verify their data retention policies comply with COPPA 2.0’s requirements. With Xident, this is handled by default — no biometric data is stored.

Document everything. KOSA requires annual risk assessments. The KIDS Act requires compliance reporting. Start documenting your age-safety practices, verification methods, and safeguard implementations now. When the FTC asks, you want to show a mature, proactive compliance posture — not a hasty retrofit.

The Bigger Picture

The federal push toward age verification isn’t happening in isolation. The UK’s Online Safety Act is already in enforcement. The EU’s Digital Services Act mandates age assurance across member states. France is enforcing ARCOM standards for age verification on social media and adult content. Australia’s eSafety Commissioner is implementing mandatory age verification for specific platforms.

What Congress is doing in 2026 is joining a global trend that has already reached enforcement stage in other major markets. For platforms with international users, federal US age verification requirements will simply extend an obligation they should already be building toward.

The platforms that will navigate this transition successfully are the ones that treat age verification as a product feature, not a compliance checkbox — an investment in user trust and safety that also satisfies regulatory requirements.

That’s what Xident was built for. Privacy-preserving age estimation. Reusable verification credentials. Zero-knowledge proof support. On-device processing. All designed to help platforms comply with exactly the kind of requirements that KOSA, the KIDS Act, and COPPA 2.0 are about to mandate.

The legislation is coming. The compliance clocks will start. The question isn’t whether to build age verification into your platform — it’s whether you’ll be ready when the deadline hits.


Ready to integrate age verification before the federal deadline? Get started with Xident — privacy-preserving age estimation that meets the requirements Congress is about to mandate. Integration takes less than 5 minutes.
