The US House passed the Kids Internet and Digital Safety Act on Monday by a wide bipartisan margin, advancing the most significant federal children's online safety package in years. The bill covers a lot of ground: bans on targeted advertising to minors, age verification requirements, AI chatbot safety rules, and parental controls. It now moves to the Senate, where debate is expected to continue.
The bill is a milestone. But it also crystallizes one of the most persistent tensions in children's privacy policy: meaningful safety protections for minors tend to require platforms to know more about their users, not less. Privacy advocacy groups like the Electronic Frontier Foundation, and those concerns aren’t abstract—any robust age verification system needs to verify something, and the most reliable inputs are the same data points privacy advocates have spent years trying to keep off the internet: government IDs, biometrics, or persistent account identifiers. Every user, minor or not, would need to hand over extra data to verify their age.
That's not an argument against children's safety legislation per se, but it’s a good reason to be cautious. Historically, congress has been stellar at creating data collection obligations. At creating data minimization obligations? Less so.
Best,
Arlo
Highlights From OsanoNew From Osano
Blog: What Is CIPA, and Why Is Your Website Getting Sued?
A law firm just audited your website. There wasn’t any advance notice, you didn’t know there was anything to audit. Nevertheless, now there's a demand letter in your inbox. What now?
On-Demand Webinar: Privacy Enforcement 2026: Regulators’ Focus and Compliance Priorities
2026 is more than halfway through, but it feels like a year’s worth of data privacy developments have already transpired—and there’s already more on the horizon. Join Osano’s Senior Privacy Program Manager Ashley Fowler and Red Clover Advisors’ Jodi Daniels for a webinar that’ll clarify the complexity of 2026’s privacy enforcement and compliance.
Events
Opted Out. Still Tracked. — The Marketing & Consent Webinar Series
A three-part series exploring the practically universal problem of marketing data trackers continuing to fire even after consumer opt outs. Learn why 79% of websites have broken opt-outs in part one, “Your Consent Banner Is Lying to You” on July 16; how to fix broken opt-outs in part two, “A Blueprint for Simple, Compliant Data Collection” on July 23, and see how it all comes together in part three, “A Real-World Audit of Consent Gone Wrong/Right” on July 30.
Top Privacy Stories of the Week
AI Search Features Are Telling Users the President Died of Rabies
A Reddit community called r/poisonai spent months flooding the internet with deliberately fabricated stories—including an elaborate fake narrative about a rabies outbreak among senior government officials—and watched as DuckDuckGo's and Brave’s AI search engine consumed the misinformation and served it back to users as fact. Brave's AI made the same error.
US House Passes the KIDS Act
The US House passed the Kids Internet and Digital Safety Act, advancing the most significant federal children's online safety package in years. The bill combines provisions from 14 proposals: bans on targeted advertising to minors, age verification requirements, AI chatbot disclosure and safety rules, and expanded parental controls. The Electronic Frontier Foundation and several Democratic senators raised concerns that meaningful age verification would require all users—not just minors—to submit sensitive personal data to access restricted platforms, creating a privacy cost borne by everyone. The bill now heads to the Senate.
Supreme Court Limits Geofence Warrants in Landmark Location Privacy Ruling
The US Supreme Court ruled 6-3 in Chatrie v. United States to suppress evidence obtained through a geofence warrant—a surveillance technique that compels tech companies to identify every device present in a given area during a specific time window. Unlike a traditional warrant targeting a known suspect, geofence warrants cast a net over everyone who was nearby, often without their knowledge.
Connecticut Becomes First State to Require LLM Training Data Disclosure
Connecticut's updated data privacy law took effect July 1 with a requirement no other state has enacted: companies must disclose in their privacy notices whether personal data they collect is used—by them or their vendors—to train large language models. The disclosure is required whether the answer is yes or no. The amendments also lower Connecticut's applicability threshold from 100,000 to 35,000 consumers, bringing a larger set of organizations into scope. For many compliance teams, the harder challenge won't be making the disclosure—it'll be knowing whether it's accurate, which requires a clear picture of what vendor agreements actually permit.
FTC Finalizes Kochava Settlement, Banning Sale of Sensitive Location Data Without Consent
The FTC concluded its nearly four-year enforcement action against data broker Kochava, finalizing a settlement that bars the company from selling sensitive location data without affirmative consumer consent. The prohibition covers location signals linked to reproductive health clinics, places of worship, addiction treatment centers, and similar venues—data that may not include a name but can identify individuals in practice.
Like What You See in the Privacy Insider newsletter?
There's more to explore:
🎙️The Privacy Insider Podcast
We go deeper into additional privacy topics with incredible guests monthly. Available on Spotify or Apple.
📱 The Osano Subreddit
Join our official subreddit to stay up to date on the latest news, analysis, guidance, and content from Osano!
đź“– The Privacy Insider: How to Embrace Data Privacy and Join the Next Wave of Trusted Brands
The book inspired by this newsletter: Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start building a privacy program from the ground up. More details here.
If you’re interested in working at Osano, check out our Careers page!
Arlo Gilbert
Arlo Gilbert
Arlo Gilbert is the CIO & co-founder of Osano. A native of Austin, Texas, he has been building software companies for more than 25 years in categories including telecom, payments, procurement, and compliance. In 2005 Arlo invented voice commerce, he has testified before congress on technology issues, and is a frequent speaker on data privacy rights.
