Washington’s online safety push collides with big tech and fracturing Congress

The sprint to reassert control over children’s online safety entered a volatile new phase this week. Lawmakers advanced a sweeping package of bills while tech executives came to town to shape the details and regulators prepared to intervene in the growing fight over age verification.

In a single morning, the House Subcommittee on Commerce, Manufacturing, and Trade voted to advance eighteen online safety and children’s privacy bills – including controversial age verification and app store mandates – while Apple CEO Tim Cook met privately with lawmakers to warn that parts of the legislative package could erode user privacy and force platforms to collect sensitive identity data on millions of Americans.

These developments converged with a string of revelations that included court filings accusing Meta of enabling sex trafficking and suppressing research on teen mental-health harms, the Federal Trade Commission (FTC) warning that softening encryption to satisfy foreign governments may violate U.S. law, and the unraveling of the bipartisan alignment that once anchored the Kids Online Safety Act (KOSA) and the Children’s Online Privacy Protection Act 2.0 (COPPA).

With the Senate insisting on a strong duty-of-care standard and the House pushing to weaken it, Congress is heading toward a decisive showdown that will determine whether the United States builds real protections or accepts a fractured mix of state measures and voluntary industry pledges.

On December 8, the FTC formally announced it will hold an age verification technologies workshop on January 28, 2026, at its Constitution Center headquarters in Washington, D.C., with both in-person and online participation.

The event will bring together researchers, academics, industry representatives, consumer advocates, and government regulators to examine why age verification matters, what age verification and estimation tools exist, how companies can navigate the regulatory landscape, how to deploy these systems at scale, and how they intersect with the COPPA rule.

On its face, the workshop is a technical convening, but it lands in a year when age-assurance technologies ranging from device-based checks and document verification to facial age estimation and behavioral profiling are being hard-wired into online safety laws in Europe, the UK, and a growing number of U.S. states.

Analysts say biometric and age assurance vendors are likely to treat the FTC event as an early waypoint in shaping U.S. norms for how far platforms can go in scanning faces, IDs, and behavioral patterns to guess who is a child.

The workshop also arrives as FTC under Chair Andrew Ferguson has signaled a willingness to act as a counterweight to European and British regulators on both encryption and speech.

In August, Ferguson sent a detailed letter to major tech companies warning that weakening encryption or other security protections to comply with foreign regimes – including the EU’s Digital Services Act, the UK Online Safety Act, and demands under the UK Investigatory Powers Act – could amount to deceptive or unfair practices under Section 5 of the FTC Act.

Ferguson argued that companies promising secure or encrypted services cannot quietly downgrade protections because foreign governments want easier access to user data, and that restricting or removing content for Americans to appease foreign regulators could also be an unfair or deceptive act if not clearly disclosed.

This is a striking posture. While European and British regulators are leaning on platforms to detect harmful content, including material that targets children, the FTC is warning that bending too far to foreign demands may itself violate American law.

That tension is playing out in real time. When the UK’s Information Commissioner’s Office informed MediaLab’s image sharing site Imgur that it faced a likely enforcement action under the Children’s Code, the company withdrew from the UK market entirely as of September 30, cutting off access for British users.

Regulators responded that exiting the country would not shield Imgur from potential penalties for past violations.

Inside Congress, the stakes are no less fraught. Thursday, the House Subcommittee on Commerce, Manufacturing, and Trade advanced eighteen bills aimed at protecting children and teens online, forwarding them to the full House Energy and Commerce Committee by voice vote.

The package includes measures addressing social media harms, fentanyl sales, AI-driven grooming risks, algorithmic transparency, app store age verification, bot disclosures, and children’s data sales. It also contains updated House versions of KOSA and COPPA 2.0.

The markup represents a rapid acceleration, as just a week earlier subcommittee chair Gus Bilirakis had suggested markup would slip into the new year.

But moments after the markup, the limits of the coalition were on display. Apple CEO Tim Cook met with lawmakers – many of them the same members overseeing the markup – to lobby for changes to the App Store Accountability Act, a cornerstone of the House’s age-assurance approach.

Cook warned that requiring app stores to verify user ages could force Apple to collect highly sensitive personal data, including government IDs or birth records, on millions of Americans.

Apple’s global privacy team argued that such mandates could weaken user privacy and that a parent-driven model, where adults disclose ages rather than platforms ingesting identity documents, would reduce risk.

Some lawmakers found Cook’s warnings persuasive, while others questioned whether the company’s privacy concerns were compatible with the long-running failures of tech giants to protect minors.

The debate over the App Store Accountability Act goes to the heart of the emerging U.S. model for age assurance. Texas and Utah already require app stores to verify users’ ages and link minors to verified parents.

The House version would scale that model nationwide, requiring Apple, Google, and other app store operators to determine a user’s age category and convey an “age-range signal” to all installed apps.

Advocates say this relieves individual apps from collecting biometric or identity data. Critics warn that it centralizes enormous volumes of sensitive information in just two companies and risks creating a de-facto digital identity system.

The House’s internal divisions extend far beyond the app store debate. During the December 2 hearing on legislative solutions to protect children and teens online, key Democratic lawmakers accused committee leadership of gutting the House versions of KOSA and COPPA 2.0 to satisfy Big Tech.

The reworked House discussion draft of KOSA removed the bill’s central “duty-of-care” requirement, an enforceable standard obligating platform to mitigate foreseeable harms such as suicide content, sexual exploitation, eating disorder promotion, and predatory recommendation algorithms.

The new draft replaces that standard with an obligation to maintain “policies, practices, and procedures,” language critics describe as a compliance mirage that would allow platforms to simply document safety protocols rather than redesign harmful features.

The House draft also introduces sweeping federal preemption, barring states from enacting or enforcing any law that “relates to” the bill’s provisions. This could erase hard won state efforts to regulate social media design, data minimization, and age-appropriate systems.

Groups that once championed KOSA – from the National Center on Sexual Exploitation to ParentSOS – now warn that the House bill, with aggressive preemption and no duty-of-care, could be “worse than doing nothing.”

COPPA 2.0 is undergoing a similar ideological rewrite. While the Senate version would significantly expand children’s privacy rights and ban targeted advertising for users under 17, the House draft leans heavily on an “actual knowledge” standard that critics say invites platforms to turn a blind eye to underage users to avoid compliance.

In contrast, the Senate continues to solidify around a stronger posture. In May, Senators Marsha Blackburn and Richard Blumenthal reintroduced KOSA with bipartisan backing from Majority Leader John Thune and Minority Leader Chuck Schumer.

As of early December, the Senate version had 69 co-sponsors, enough to overcome a veto, and Blackburn has insisted that the duty-of-care standard is non-negotiable.

Newly unsealed filings in a massive multidistrict litigation against Meta strengthened her case. The plaintiffs in the suit allege Meta buried internal research linking Instagram and Facebook to worsening depression, anxiety, eating disorders, and suicidal ideation among teens; maintained an effective “17-strike” policy for sex-trafficking accounts; and allowed algorithms to connect minors to predators through follow-suggestion tools.

A separate Reuters investigation revealed that Meta’s AI chatbots engaged in romantic or sexual role-play with minors until policy changes were implemented.

Blackburn has repeatedly invoked these findings to argue that voluntary reforms are no longer credible. In a December 3 floor speech and a TIME op-ed, she warned that the House draft – with no duty-of-care, a narrow knowledge standard, and broad preemption – would protect Big Tech at the expense of children.

Across all these debates, age verification has become the hinge issue. Its promise is also its threat.

Lawmakers see age assurance as a powerful tool for reducing harms, but civil rights groups warn that poorly designed mandates could normalize biometric surveillance, expose sensitive data, chill anonymous speech, and create sprawling databases irresistible to hackers, law enforcement, and commercial brokers.

LGBTQ+ advocates worry that vague “harmful content” provisions, enforced by empowered state attorneys general, could be weaponized to restrict access to mental health and reproductive health resources, especially once paired with invasive age checks.

That is the unresolved problem standing before Congress, the FTC, and the courts. Age assurance is increasingly unavoidable in any comprehensive children’s safety framework. But how to build it, without creating a national digital identity apparatus, remains the defining challenge.

What is clear is that 2026 will not be a quiet year. With the House advancing a narrowed and heavily preemptive KOSA and COPPA 2.0, the Senate holding the line on duty of care, and Big Tech executives lobbying to shape the details, a bruising conference committee clash is all but guaranteed.

And if Congress deadlocks, the burden will shift to the FTC, state attorneys general, and judges – institutions already struggling to navigate the collision of children’s safety, free expression, privacy, surveillance, and platform power.

Article Topics

age verification  |  app store age verification  |  biometric age estimation  |  children  |  COPPA 2.0  |  FTC  |  Kids Online Safety Act (KOSA)  |  legislation  |  U.S. Government  |  United States