The US House passed the Kids Internet and Digital Safety Act on Monday by a wide bipartisan margin, advancing the most significant federal children's online safety package in years. The bill covers a lot of ground: bans on targeted advertising to minors, age verification requirements, AI chatbot safety rules, and parental controls. It now moves to the Senate, where debate is expected to continue.
The bill is a milestone. But it also crystallizes one of the most persistent tensions in children's privacy policy: meaningful safety protections for minors tend to require platforms to know more about their users, not less. Privacy advocacy groups like the Electronic Frontier Foundation, and those concerns aren’t abstract—any robust age verification system needs to verify something, and the most reliable inputs are the same data points privacy advocates have spent years trying to keep off the internet: government IDs, biometrics, or persistent account identifiers. Every user, minor or not, would need to hand over extra data to verify their age.
That's not an argument against children's safety legislation per se, but it’s a good reason to be cautious. Historically, congress has been stellar at creating data collection obligations. At creating data minimization obligations? Less so.
Best,
Arlo
Highlights From OsanoBlog: What Is CIPA, and Why Is Your Website Getting Sued?
A law firm just audited your website. There wasn’t any advance notice, you didn’t know there was anything to audit. Nevertheless, now there's a demand letter in your inbox. What now?
On-Demand Webinar: Privacy Enforcement 2026: Regulators’ Focus and Compliance Priorities
2026 is more than halfway through, but it feels like a year’s worth of data privacy developments have already transpired—and there’s already more on the horizon. Join Osano’s Senior Privacy Program Manager Ashley Fowler and Red Clover Advisors’ Jodi Daniels for a webinar that’ll clarify the complexity of 2026’s privacy enforcement and compliance.
Opted Out. Still Tracked. — The Marketing & Consent Webinar Series
A three-part series exploring the practically universal problem of marketing data trackers continuing to fire even after consumer opt outs. Learn why 79% of websites have broken opt-outs in part one, “Your Consent Banner Is Lying to You” on July 16; how to fix broken opt-outs in part two, “A Blueprint for Simple, Compliant Data Collection” on July 23, and see how it all comes together in part three, “A Real-World Audit of Consent Gone Wrong/Right” on July 30.
A Reddit community called r/poisonai spent months flooding the internet with deliberately fabricated stories—including an elaborate fake narrative about a rabies outbreak among senior government officials—and watched as DuckDuckGo's and Brave’s AI search engine consumed the misinformation and served it back to users as fact. Brave's AI made the same error.
The US House passed the Kids Internet and Digital Safety Act, advancing the most significant federal children's online safety package in years. The bill combines provisions from 14 proposals: bans on targeted advertising to minors, age verification requirements, AI chatbot disclosure and safety rules, and expanded parental controls. The Electronic Frontier Foundation and several Democratic senators raised concerns that meaningful age verification would require all users—not just minors—to submit sensitive personal data to access restricted platforms, creating a privacy cost borne by everyone. The bill now heads to the Senate.
The US Supreme Court ruled 6-3 in Chatrie v. United States to suppress evidence obtained through a geofence warrant—a surveillance technique that compels tech companies to identify every device present in a given area during a specific time window. Unlike a traditional warrant targeting a known suspect, geofence warrants cast a net over everyone who was nearby, often without their knowledge.
Connecticut's updated data privacy law took effect July 1 with a requirement no other state has enacted: companies must disclose in their privacy notices whether personal data they collect is used—by them or their vendors—to train large language models. The disclosure is required whether the answer is yes or no. The amendments also lower Connecticut's applicability threshold from 100,000 to 35,000 consumers, bringing a larger set of organizations into scope. For many compliance teams, the harder challenge won't be making the disclosure—it'll be knowing whether it's accurate, which requires a clear picture of what vendor agreements actually permit.
The FTC concluded its nearly four-year enforcement action against data broker Kochava, finalizing a settlement that bars the company from selling sensitive location data without affirmative consumer consent. The prohibition covers location signals linked to reproductive health clinics, places of worship, addiction treatment centers, and similar venues—data that may not include a name but can identify individuals in practice.
There's more to explore:
We go deeper into additional privacy topics with incredible guests monthly. Available on Spotify or Apple.
Join our official subreddit to stay up to date on the latest news, analysis, guidance, and content from Osano!
The book inspired by this newsletter: Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start building a privacy program from the ground up. More details here.
If you’re interested in working at Osano, check out our Careers page!