The Kids Online Safety Act (KOSA): Data Privacy Risks and Fines for Non-Compliance


The Kids Online Safety Act (KOSA), part of the broader Kids Online Safety and Privacy Act (KOSPA) passed by the U.S. Senate on July 30, 2024, with a 91-3 vote, aims to protect minors online by imposing new obligations on digital platforms. Combined with the Children and Teens’ Online Privacy Protection Act (COPPA 2.0), KOSA targets social media, gaming, messaging, and streaming services likely used by those under 17. While its intent—shielding kids from harms like bullying, exploitation, and addictive features—is widely supported, its data privacy implications raise serious concerns. As of March 2025, KOSA awaits House approval, but its potential risks and steep fines for non-compliance are already reshaping how businesses view data handling. Here’s what you need to know about KOSA’s privacy stakes and the costly consequences of falling short.


What KOSA Means for Data Privacy

KOSA introduces a “duty of care” for covered platforms, requiring them to prevent and mitigate specific harms to minors, such as mental health issues, sexual exploitation, and deceptive marketing. It mandates tools for minors and parents to manage privacy settings, disable addictive features, and report harms, alongside annual transparency reports audited by third parties. While not a traditional data privacy law like COPPA, which bans data collection from kids under 13 without parental consent, KOSA’s requirements intersect deeply with privacy. Platforms must know who their minor users are to activate safeguards, sparking debates about age verification and data collection—areas ripe with risk.

COPPA 2.0, bundled with KOSA, extends protections to teens up to 17, banning targeted ads and requiring consent for data collection. Together, they create a layered framework: KOSA focuses on safety through design and oversight, while COPPA 2.0 tightens data practices. But this synergy amplifies privacy challenges. Companies must balance collecting enough data to comply—identifying minors, assessing risks—against minimizing data to avoid overreach, all under the threat of enforcement.

The Privacy Risks of Compliance

KOSA’s mandate to protect minors hinges on knowing their ages, yet it explicitly states platforms aren’t required to implement age verification. This contradiction fuels a key risk: platforms may preemptively adopt age assurance tools—like ID checks or biometric scans—to avoid liability, even if not mandated. Privacy advocates, including the Electronic Frontier Foundation (EFF), warn this could erode anonymity online. Every user, not just minors, might need to submit personal data, creating vast new datasets vulnerable to breaches or misuse.

Consider a social media app: to disable algorithmic recommendations for a 15-year-old, it must confirm their age. Without voluntary disclosure, it might scan behavioral data or require ID uploads—methods flawed and invasive. France’s CNIL has noted no age verification system is fully reliable without compromising privacy, a lesson U.S. firms might soon learn. A 2023 breach at a gaming platform exposed 500,000 minors’ data after lax age checks; KOSA’s push could multiply such incidents if companies over-collect to prove compliance.

Another risk lies in KOSA’s “duty of care.” Platforms must monitor content and interactions to mitigate harms, potentially necessitating deeper data profiling. Tracking a teen’s posts to flag bullying might reveal their sexuality or health status—sensitive data not meant for collection. This overreach could clash with COPPA 2.0’s bans, putting firms in a Catch-22: collect too little and risk safety violations, or too much and breach privacy rules. Nonetheless, it is already clear that privacy for minors and teenagers gets complicated quickly, and it is best to err on the safe side by following compliance requirements and using data privacy software tools like those developed by Captain Compliance, a leader in privacy technology.

Fines and Penalties for Non-Compliance

If KOSA becomes law, non-compliance carries hefty financial stakes, enforced by the Federal Trade Commission (FTC) and state attorneys general. The FTC can treat violations as unfair or deceptive practices under Section 5 of the FTC Act, with fines up to $51,744 per violation (adjusted for 2025 inflation). “Per violation” could mean each non-compliant minor account or instance of harm, so a platform with 10,000 affected users could face over $500 million in penalties—a crippling sum for all but the largest tech giants.

State attorneys general can also sue for injunctions and damages, though KOSA limits their enforcement of the “duty of care” to the FTC, addressing earlier censorship fears. Still, they can pursue other breaches—like failing to provide parental tools or transparency reports—with no cap on civil penalties in some states. In 2022, the FTC fined a social media firm $150 million for COPPA violations; KOSA’s broader scope could dwarf that figure. Small platforms, lacking legal teams to navigate audits or consent rules, are especially vulnerable, potentially facing bankruptcy over a single misstep.

Take a hypothetical gaming service with 50,000 monthly minor users. If it neglects to disable addictive loot boxes—deemed harmful under KOSA—and doesn’t audit risks, the FTC could calculate 50,000 violations at $51,744 each, totaling $2.58 billion. Even a fraction of that, paired with state actions, could sink the company. The law’s ambiguity around “reasonable care” or “foreseeable risks” heightens this danger—businesses might guess wrong and pay dearly.

Broader Compliance Challenges

KOSA’s vagueness compounds risks. What’s “strictly necessary” for a service versus a harm to mitigate? A streaming platform might argue personalized playlists are essential, but regulators could see them as addictive, triggering fines. Annual audits demand platforms assess “reasonably foreseeable” harms, yet the term’s subjectivity invites disputes. A 2024 survey by Thorn found 70% of tech firms struggled to define online harms consistently—KOSA’s lack of clarity could turn compliance into a legal minefield.

Data retention adds another layer. Platforms must delete minors’ data when no longer needed, per COPPA 2.0, but KOSA’s reporting and parental tools require keeping some records. Reconciling these demands risks errors—retaining too long invites privacy fines, deleting too soon undermines safety compliance. Multinational firms face extra headaches, as KOSA’s rules may conflict with GDPR-K’s stricter consent standards, forcing costly system overhauls.

The Stakes for Businesses and Users

For businesses, KOSA’s risks aren’t just financial—they’re existential. Small platforms might exit markets rather than face audits and fines, reducing competition. Big Tech, like Meta or TikTok, could absorb costs but might over-censor content to dodge liability, as EFF predicts, limiting free speech. A 2023 NetChoice ruling blocked California’s similar law for this reason; KOSA could face lawsuits too, delaying enforcement but not the compliance burden.

For users, the privacy trade-off is stark. Teens seeking mental health resources or marginalized communities sharing experiences might lose access if platforms restrict content or verify ages aggressively. A 2024 EFF youth survey found 80% valued social media for connection—KOSA’s intent to protect could ironically isolate them. Parents gain tools, but at the cost of more surveillance, a tension unresolved by the law’s design.

How To Be KOSA Compliant?

As of March 2025, KOSA’s fate rests with the House, stalled since a June 2024 markup faltered amid Republican infighting over broader privacy bills. Over 30 state attorneys general urged passage in November 2024, but Speaker Mike Johnson’s support hasn’t yet translated to action. If enacted, businesses must audit data practices now—map minor usage, limit collection, and brace for fines. Non-compliance isn’t an option; the FTC’s estimate of $11 billion in 2022 ad revenue derived from kids shows the stakes regulators see. It would be wise to build practices into your data processing and handling that are already KOSA compliant.

KOSA’s promise of safety comes with a privacy price tag. Companies face a tightrope: comply and risk breaches, or fail and face ruinous penalties.

