There is a version of online child safety that almost everyone supports and a mechanism for achieving it that should make everyone nervous, and the two are increasingly difficult to separate. A House subcommittee on Commerce, Manufacturing, and Trade recently took up 19 new federal digital-media bills, including a revised Kids Online Safety Act, updates to the Children’s Online Privacy Protection Act, and an App Store Accountability Act establishing a sweeping age-verification and parental-consent regime for content available through app stores. The intentions are sympathetic. The architecture is the problem.
The two bills at the center
The Kids Online Safety Act, in its current form, would require companies to conduct risk assessments, restrict default settings on minors’ accounts up to age 17, disclose how their recommendation algorithms work, and give parents oversight tools. Much of this is design regulation — it changes how platforms build products for young users, which is a legitimate and arguably overdue intervention.
The App Store Accountability Act takes a different and more invasive approach. Rather than regulating individual app behavior, it tries to stop the problem before a child opens an app at all: age verification at the account level, parental consent for each minor’s download, and linking a child’s device to a parent or guardian. The logic is upstream control — make the app store the chokepoint where age is established once and enforced everywhere.
That upstream design is exactly what makes it a mass-surveillance proposal in child-safety clothing.
Why “verify the kids” means “verify everyone”
Here is the inescapable logic that civil-liberties advocates keep pointing to. To reliably keep minors out of something, a system has to determine the age of everyone who tries to access it. You cannot check whether a user is a child without, in the same act, checking whether each adult is an adult. Age verification is, by construction, identity verification applied to the entire user base.
That means the price of keeping children out is requiring every adult to prove who they are — typically by presenting a government ID, a face scan, or other identity documentation — to do things they previously did anonymously. The anonymity that has always been a feature of much online activity does not survive a universal age gate. And it disappears not just for the harmful content the laws target, but increasingly for ordinary social media, app downloads, and general internet use, as the verification requirement expands. Twenty-six states already require age verification to access adult websites, and the scope has crept steadily outward from there into social media design, app stores, and AI chatbots.
The honeypot problem
The deeper danger is what happens to all that identity data once it is collected. Age verification at scale requires verification vendors — a relatively small number of companies that process IDs, face scans, and identity documents for everyone else. Concentrating the identity data of an entire population into a handful of vendors creates exactly the asset that attackers and governments most want.
Civil-liberties advocates warn that this concentration creates attractive targets for hackers and for government demands. A breach of a major age-verification vendor would not leak a password; it would leak the verified, document-backed real identities of millions of people, linked to the specific services they accessed. And a database of “who is verified to use what” is a surveillance dataset by default — a map of identity to activity that did not exist before the law required it.
The TAKE IT DOWN Act experience and the broader 2026 enforcement landscape both show how fast new identity-collection infrastructure gets built once a legal mandate exists. The age-verification regime would create a standing identity layer over large parts of the internet — and standing infrastructure, as the FBI’s own breached wiretap systems demonstrated this same week, is standing risk.
The FTC’s partial accommodation
The FTC has tried to ease one piece of this. It issued a policy statement announcing it will not bring COPPA enforcement actions against operators who collect personal information solely for the purpose of determining a user’s age via age-verification technologies. The aim is to remove a catch-22 — companies feared that collecting data to verify age would itself violate children’s privacy rules.
But this accommodation reveals the underlying tension rather than resolving it. The fix for “age verification might violate privacy law” is to carve out an exception so the verification can proceed. That is privacy law bending to accommodate the surveillance the age-verification regime requires, not the other way around. The data still gets collected. The honeypot still forms. The exception just clears the legal path to building it.
The trade nobody actually chose
The frustrating thing about this debate is that the goal is genuinely good. Children face real harms online, recommendation systems do exploit young users, and parents have legitimate cause to want tools and protections. The design-regulation parts of KOSA engage those harms directly without requiring everyone to surrender anonymity.
But the age-verification architecture asks the entire adult population to be continuously identified as the cost of protecting children — and it does so largely without the public ever explicitly weighing that trade. Few people, asked plainly, would choose to make government-ID identity checks a precondition for everyday internet use. Yet that is the practical endpoint of universal age verification, arrived at one well-intentioned bill at a time.
Protecting kids is the easy part to agree on. The question Congress is not asking clearly enough is whether the chosen mechanism protects them at an acceptable price — or whether it quietly builds the identity-surveillance layer that privacy advocates have spent decades trying to keep off the internet. On current trajectory, the answer is arriving by default.
