But in trying to make the Internet safer for children, they are advancing a patchwork of bills that some experts say, taken together, could require platforms to verify users’ ages, monitor activity and collect more data than ever before. While Congress’ intent is to secure a safer digital future, the sheer volume of overlapping proposals is creating a complex new reality for platforms and schools alike.
THE LEGISLATIVE LANDSCAPE
There are two anchor bills regarding student privacy now moving through the halls of Congress, according to attorney Reg Leichty, an expert in education, children’s privacy, and technology law and policy. One is the Kids Online Safety Act (KOSA), which would impose a “duty of care” on platforms, making them legally responsible for protecting minors from various harms caused by their product, such as addictive design features or harmful content, Leichty said. It has already passed the Senate but remains stalled in the House, where it is currently undergoing revisions.
Second of the anchor bills is the Children and Teens’ Online Privacy Protection Act, sometimes referred to as COPPA 2.0, which seeks to expand existing data privacy protections to include teenagers up to age 16 or 17, Leichty said, noting that those safeguards already apply to children under 13.
According to a letter in March by the nonprofit Center for Democracy and Technology, a series of more targeted bills have also gained traction: Sammy’s Law would require social media companies to allow third-party safety software to monitor the accounts of users under 17; the Safe Messaging for Kids Act would require direct messaging to be disabled for users under 13 and mandate parental approval for contact requests involving teens under 17; and the App Store Accountability Act would mandate age verification and parental consent for minors to use app stores.
But while these bills individually target specific digital harms toward children, CDT argued that, collectively, they point to reshaping the Internet entirely. CDT highlighted a pattern forming across the proposed student privacy legislation: To protect kids, platforms must figure out who is a minor through age verification, then monitor users’ online behavior and share or store data as a means of compliance and oversight. According to the CDT, this additional data collection means greater surveillance and a higher risk of breaches and misuse.
“If you are going to be a champion for the use of data, you also really need to be thoughtful about how to protect it,” Leichty said.
SAFETY VS. SURVEILLANCE IN PRACTICE
In their letter, CDT flagged age verification as the primary flashpoint of concern, and other data privacy experts concurred.
Linnette Attai, a data consultant and project director at the Consortium for School Networking (CoSN), said that verifying the age of every user often requires the collection of highly sensitive information, such as government-issued IDs or biometric data, the latter of which she deemed “fairly intrusive information.”
“We’re talking about things like a driver’s license or passport, biometric services to do face scans and estimate age based on appearance,” she said. “It’s collecting more personal information than we previously had in order to determine age with more certainty than we would if we simply asked for a date of birth.”
According to Attai, this means of data collection creates a paradox where a law intended to protect children’s privacy actually forces them — and often the adults around them — to hand over more personal information to private companies than ever before.
Furthermore, CDT noted that the collection of student data allowed by these bills has implications as stark as those regarding the surveillance of young people.
“Few interventions suggested in policy proposals have been tested with the people who will be impacted by them or people that these policies intend to protect,” CDT wrote in a 2025 report. “Without adequate empirical grounding, well-intentioned policies proposed in law may not have the intended effect of helping users, backfire, and even do more harm than good.”
Leichty too expressed concern that if monitoring becomes normalized through third-party software and parental oversight tools, there could be chilling effects on free speech and access to information as citizens self-censor or refrain from exercising their rights. If every communication is monitored, he said, both minors and adults may be discouraged from seeking out lawful but sensitive content, particularly in communities that rely on digital anonymity.
“The idea of this all being about the potential regulation of speech, I think, is real for both segments on the right and the left, with concerns raised. Especially, I think, really valid concerns from the LGBTQ community that there could be limitations placed in certain states on access to health information,” Leichty said. “But, as with any policymaking, there’s a balance to be struck between some of the other non-speech problems that that we know to be true for kids in these spaces that have to be addressed.”
WHAT THIS MEANS FOR SCHOOLS AND ED TECH
Attai noted that these bills may not create new, direct legal obligations for school districts, but their impact will primarily be felt through contracts and vendor relationships. In particular, she highlighted that smaller-sized vendors will face the brunt of the laws’ impact.
“Not only is the lift of implementing some sort of age-verification methodology and technology difficult, you’re also then tasked with ensuring that you’re properly processing and securing the data that comes with it, and getting rid of it,” Attai said. “Especially for a small or midsized company, it’s doubly disruptive because the infrastructure needed to do this is not a small lift.”
However, Leichty said that while there may be very real risks associated with these pieces of student privacy legislation, the problems the bills seek to solve must be addressed. To him, the debate centers on the tension between the necessity of data for educational progress, for example to personalize learning and inform instructional improvements, and the need to protect that data.
“They are imposing obligations on companies that will help in the school setting. If you’re a small district, or even a large one, you often don’t have the economic leverage to drive change by your private technology partners,” he said. “You need policymakers at the congressional level, at the state legislative level or wherever, to force these changes that, in many instances, are addressing concerns that schools have.”
Ultimately Leichty explained that the current legislative landscape reflects a sticking point in education policy regarding technology and the constant monitoring of human beings: Schools are seemingly forced to choose between mitigating potential risks to students and giving them a reasonable degree of privacy. He said the main question is not just how to protect kids online, but whether lawmakers can do so without creating a system that reshapes privacy, data use and digital access for everyone.
And, he added, policymakers do not yet appear to have a unified view for how to address these problems.
“I do think it is probably a stretch to imagine that they will be able to send anything to the president’s desk this year,” he said.
