KOSA Implementation Timeline 2026: When Will New Online Safety Rules Actually Take Effect?

The Kids Online Safety Act (KOSA) implementation timeline dictates that initial compliance audits for platforms with over 10 million U.S. users are due by December 31, 2026. Following its passage in the 119th Congress, the law's substantive "duty of care" requirements---mandating that platforms take reasonable steps to mitigate algorithmic harms to minors---take effect 180 days after enactment. Furthermore, the Federal Trade Commission (FTC) has an 18-month window to issue critical guidance on how platforms must verify or infer user age without violating privacy norms.

As part of the broader shift in The Complete Guide to U.S. AI Legislation in 2026, KOSA introduces penalties of up to $50,000 per violation, forcing social media and gaming companies to redesign their compliance architectures well before the end of the year to avoid catastrophic federal and state-level enforcement actions.

**Current Legislative

As of April 2026, KOSA exists in legislative limbo. The Senate passed an earlier version 91-3 in July 2024, only to watch it die without a House floor vote when Speaker Mike Johnson declined to bring it to the chamber. Senators Marsha Blackburn, Richard Blumenthal, John Thune, and Chuck Schumer reintroduced the measure in May 2025 as S.1748, claiming the text mirrored what the Senate had already approved.

Then things got complicated. House Republicans responded with the Kids Internet and Digital Safety Act (KIDS Act, H.R. 7757), which advanced out of the Energy and Commerce Committee in March 2026. The House version stripped out what legal scholars call the "duty of care" provision---the heart of KOSA's enforcement mechanism that would have required platforms to take reasonable steps to prevent foreseeable harms to minors.

"We kept the KOSA label but fundamentally changed what the bill does," acknowledged one committee Republican during markup. The move prompted 40 state attorneys general to urge Congress to maintain the Senate's stronger version, warning that a weakened federal standard would undermine state-level protections already in place in California, New York, Virginia, and Maryland.

The House passed the KIDS Act package. The Senate has not acted. KOSA remains in committee.

When Would KOSA Actually Take Effect?

Assuming Congress sends a bill to the president's desk sometime in 2026, the implementation timeline unfolds in distinct phases.

Effective Date: KOSA specifies that its substantive requirements take effect 180 days after enactment---approximately six months after signing. This grace period gives platforms time to adjust algorithms, redesign features, and build compliance infrastructure.

FTC Guidance Window: The critical deadline sits 18 months after enactment. Within this window, the Federal Trade Commission must issue guidance explaining how it will determine whether a platform has "actual knowledge" or "constructive knowledge" of a minor's age. This distinction matters enormously: it determines whether platforms must infer age through behavioral signals and data analysis rather than demanding explicit age verification---something privacy advocates and tech companies have fought fiercely against.

Audit Requirements Trigger: Platforms with more than 10 million monthly active users in the United States face additional mandates. They must submit to third-party audits and publish annual transparency reports detailing harms to minors and steps taken to mitigate them.

The Duty of Care: What It Actually Means

The duty of care standard requires covered platforms to take "reasonable steps" to prevent and mitigate specific harms to minors: eating disorders, substance abuse, suicidal behaviors, depressive and anxiety disorders linked to compulsive usage, patterns of addictive usage, severe harassment, and distribution of illegal substances.

But here's where the legal nuance gets thorny. The duty of care does not require platforms to perform age verification. Instead, the law directs the FTC to study device-level and operating-system-level age verification methods without mandating their use. Platforms could theoretically infer age through behavioral patterns---time spent, content consumed, interaction types---without ever collecting explicit birth dates.

Privacy advocates call this a loophole. Industry groups call it pragmatic. The 18-month FTC guidance period will determine which interpretation prevails.

Penalties That Could Bankrupt Smaller Platforms

The enforcement teeth are substantial. The FTC can treat KOSA violations as unfair or deceptive acts under Section 5 of the FTC Act, enabling civil penalties of up to $53,088 per violation (the 2025 inflation-adjusted maximum).

"Per violation" is the operative phrase. Each non-compliant minor account could theoretically constitute a separate violation. A platform with 50,000 affected minor users facing a finding of negligent safeguards could theoretically eye penalties exceeding $2.6 billion---enough to sink all but the largest tech giants.

State attorneys general can also bring civil actions for violations, though KOSA limits their enforcement of the duty of care provision to the FTC. They retain authority to pursue other breaches, including failures to provide parental tools or transparency reports, with penalty structures varying by state.

Platforms Most at Risk

The 10-million-user threshold targets platforms where minors constitute a substantial portion of the user base. TikTok, Instagram, Snapchat, YouTube, and platforms with significant teen engagement face the earliest and most intensive compliance pressure. Gaming platforms with in-app purchases and social features also fall within KOSA's scope.

Smaller platforms lack the legal infrastructure to navigate complex audits and consent rules. Several gaming services and niche social platforms have already begun consulting compliance attorneys, warning internally that a single enforcement action could prove fatal to their business models.

State-Federal Tension: The California Comparison

Without a robust federal preemption clause, KOSA creates potential conflict with state laws. California's Age-Appropriate Design Code, which took effect in 2024, requires platforms to default to the highest privacy settings for minors and provides enforcement mechanisms through the California Privacy Protection Authority.

Forty state attorneys general wrote to Congress in February 2026 urging a federal standard strong enough to avoid a patchwork of conflicting requirements. Their preferred language: a federal floor, not a ceiling---one that states can exceed but not circumvent.

The International Context

KOSA's domestic battles mirror fights overseas. The United Kingdom's Online Safety Act, which became law in 2023, imposes duty of care requirements on platforms serving UK users, with enforcement by Ofcom. The European Union's Digital Services Act requires very large online platforms to assess and mitigate systemic risks, including harms to minors.

The U.S. bill diverges from these models in significant ways: no explicit age verification mandate, a narrower list of covered harms, and primary FTC enforcement rather than a dedicated regulator. Whether this lighter-touch approach proves more politically feasible or less substantively effective remains the central question driving the current legislative deadlock.

This article is part of The Daily Pulse's ongoing coverage of the Congress AI Safety Act provisions. Read our full explainer on how the legislation impacts platforms, parents, and children.

Frequently Asked Questions

What is the current status of KOSA in Congress?

KOSA (S.1748) remains in committee in the Senate. The House passed the KIDS Act (H.R. 7757) in March 2026, a modified version that removes the duty of care provision. No final legislation has reached the president's desk.

If KOSA passes in 2026, when would it actually take effect?

The law would take effect 180 days after enactment---approximately six months after signing. However, the FTC must issue guidance on age knowledge standards within 18 months of enactment, which will determine key compliance requirements.

What are the penalties for violating KOSA?

The FTC can impose civil penalties of up to $53,088 per violation. Since each affected minor account could constitute a separate violation, penalties can quickly reach billions of dollars for large platforms.

Does KOSA require age verification?

No. KOSA does not mandate explicit age verification. Instead, the FTC will issue guidance on how platforms can determine age through "actual knowledge" or "constructive knowledge"---potentially allowing inference through behavioral data rather than explicit birth dates.

Which platforms will be most affected by KOSA?

Platforms with more than 10 million U.S. monthly active users face the strictest requirements, including mandatory third-party audits and annual transparency reports. TikTok, Instagram, Snapchat, YouTube, and major gaming platforms fall within this scope.

How does KOSA interact with state laws like California's?

KOSA currently lacks robust federal preemption, creating potential conflict with state laws. California's Age-Appropriate Design Code remains in effect, and states can potentially enforce stricter standards than federal requirements.