COPPA 2.0 AINS Brings House Closer to Senate-Approved Language
March 27, 2026
Jessica Arciniega, Morgan Sexton, and Amelia Vance
CC BY-NC 4.0
On March 5, the House Committee on Energy and Commerce held a full committee markup that focused on child privacy and online safety legislation, advancing the Kids Internet and Digital Safety (KIDS) Act, Sammy’s Law, and App Store Accountability Act out of committee. But what didn't happen at the markup may be an even bigger step towards strengthening protections for children online.
The Children and Teens' Online Privacy Protection Act (COPPA 2.0) was on the markup agenda and expected to be replaced by an Amendment in the Nature of a Substitute (AINS) from Rep. Lee. Notably, Lee’s AINS would have moved the House language substantially closer to the bipartisan version of COPPA 2.0 the Senate unanimously passed that same day. However, before the House committee could discuss COPPA 2.0, Chairman Guthrie pulled the bill from consideration. As reported by the IAPP:
“The House version of COPPA 2.0 was originally slated to be part of the Energy and Commerce Committee's markup; however, Rep. Brett Guthrie, R-Ky., the committee chairman, pulled the bill and announced that over the course of the hearing there had been 'substantial progress' in negotiations among the staffers from both sides to work toward a bipartisan agreement. He did not provide a date for when the House COPPA 2.0 bill would have a markup session before the full committee.
‘All of us want to protect kids,’ Guthrie said. ‘Our staffs have continued to work toward a bipartisan agreement ... Our staffs will continue to work in the coming days.’”
If Lee's AINS is adopted, the gap between COPPA 2.0 language in the two chambers narrows considerably, and the differences that remain are ones that could plausibly be resolved in Conference. This would significantly increase the likelihood of COPPA 2.0 becoming law. In this blog we will explore the remaining differences between the House (specifically Lee’s AINS) and Senate versions of COPPA 2.0, providing underlying context about why these areas are contentious and exploring potential paths forward.
Knowledge Standard
The first difference between the House and Senate versions of COPPA 2.0 is the applicable knowledge standard. The Senate version replaces and strengthens COPPA’s existing “actual knowledge” standard with “actual knowledge or knowledge fairly implied on the basis of objective circumstances.” The Senate also adds the following rule of construction to help explain what this new standard means:
“(1) RULE OF CONSTRUCTION.—For purposes of enforcing this title or a regulation promulgated under this title, in making a determination as to whether an operator has knowledge fairly implied on the basis of objective circumstances that a specific user is a child or teen, the Commission or State attorneys general shall rely on competent and reliable evidence, taking into account the totality of the circumstances, including whether a reasonable and prudent person under the circumstances would have known that the user is a child or teen. Nothing in this title, including a determination described in the preceding sentence, shall be construed to require an operator to—
(A) affirmatively collect any personal information with respect to the age of a child or teen that an operator is not already collecting in the normal course of business; or
(B) implement an age gating or age verification functionality.”
The “knowledge fairly implied on the basis of objective circumstances” standard appears to stem from FTC trade guidance and has previously been included in both the proposed Kids Online Safety Act (KOSA) and Kids Off Social Media Act (KOSMA). That said, it is unclear how this standard will actually be applied to determining the age of individuals online.
Critiques of COPPA’s Actual Knowledge Standard
Stakeholders often criticize COPPA’s knowledge standard for allowing companies to “bury their heads in the sand”–to deliberately avoid learning that children are using their platforms in order to sidestep compliance. On the other hand, defenders of the standard argue that a stricter standard could pressure operators to collect more age-related data from children in order to make accurate determinations, raising its own privacy concerns.
The House takes a different approach, establishing a two-tiered knowledge standard based on the size and capacity of the operator:
|
High Impact Social Media Company Defined as a website, online service, online application, or mobile application of an operator that— (A) generates $3,000,000,000 or more in annual revenue, including any revenue generated by any affiliate of such operator; (B) has 300,000,000 or more monthly active users for not fewer than 3 of the preceding 12 months on the website, online service, online application, or mobile application of such operator; and (C) constitutes an online product or service that is primarily used by users to access or share user-generated content. |
|
| All Other Operators |
|
A prior version of COPPA 2.0 in the House (an AINS submitted 9/17/24, see our redline here) included a third tier in the knowledge framework.
|
High Impact Social Media Company Defined as a website, online service, online application, or mobile application of an operator that— (A) generates $3,000,000,000 or more in annual revenue, including any revenue generated by any affiliate of such operator; (B) has 300,000,000 or more global monthly active users for not fewer than 3 or the preceding 12 months on the website, online service, online application, or mobile application of such operator; and (C) constitutes an online product or service that is primarily used by users to access or share user-generated content. |
|
| Operator that has an annual gross revenue of $200,000,000 or more, collects the personal information of 200,000 individuals or more, but does not meet the definition of High Impact Social Media Company |
|
| All Other Operators |
|
It is our understanding that removing the middle tier from this knowledge framework was a major factor in the House version losing its bi-partisan support. But despite their differences, both the Senate and House versions would strengthen COPPA’s existing actual knowledge standard in meaningful ways, and–if enacted–either version would provide greater protections for minors online than current law affords.
Preemption
Another difference between the Senate and House versions of COPPA 2.0 concerns preemption: whether states can implement greater protections for children and teens online than those provided at the federal level. The House version would keep the status quo, maintaining preemption language from the current COPPA statute (below):
“(d) Inconsistent State law
No State or local government may impose any liability for commercial activities or actions by operators in interstate or foreign commerce in connection with an activity or action described in this chapter that is inconsistent with the treatment of those activities or actions under this section.” (15 USC 91 §6502(d))
The potential problem with the existing language is that it leaves open significant ambiguity about what additional safeguards can be required under state law before those safeguards become “inconsistent” with COPPA’s mandates. There are multiple requirements within state laws that may be interpreted as being inconsistent with how such activities would be treated under COPPA (especially if COPPA 2.0 were to extend COPPA’s protections to teens). For example, while COPPA protects only data collected from children, states like New York and Colorado protect data of minors. This distinction has major implications in practice.
Consider the following scenario: If a child uploaded personal information about themselves onto an online forum, this would be subject to COPPA because the data is being posted by the child themself. However, if an adult (such as their soccer coach) posted the same personal information about that child on the same online forum, this would not be subject to COPPA because the personal information came from a source other than the child. New York and Colorado, on the other hand, would protect the child’s personal information in both scenarios because the data is about a minor regardless of who posted it. COPPA’s current preemption language could be interpreted to mean that states like New York and Colorado can’t require commercial companies subject to COPPA to protect data of children, as such a requirement may be inconsistent with COPPA.
The FTC has not issued guidance on this, nor have any courts ruled on the question, so we don’t have a clear answer. However, the assumption is that COPPA does not preclude higher protections because many state laws that go beyond what COPPA requires have not been challenged in court (such as California’s Eraser Button Law and several state consumer privacy laws).
The Senate version, on the other hand, would replace COPPA’s ambiguous language and explicitly says that states can pass higher protections:
“(d) Relationship to State law.—The provisions of this title shall preempt any State law, rule, or regulation only to the extent that such State law, rule, or regulation conflicts with a provision of this title. Nothing in this title shall be construed to prohibit any State from enacting a law, rule, or regulation that provides greater protection to children or teens than the provisions of this title.” (emphasis added)
Enacting the Senate’s version of the preemption clause would provide meaningful clarity for state policymakers, empowering them to continue strengthening online protections for children and teens in their states. This matters because states have historically moved faster than the federal government in responding to rapid technological change, a point underscored by the fact that COPPA was originally passed in 1998 and has not been updated in nearly three decades.
Rights of Teens
The last major difference between COPPA 2.0 in the Senate and House concerns who holds several key rights: teens themselves or their parents. While the Senate version gives the following rights to teens, the House version gives these rights to the teen’s parents:
- The right to notice and to provide verifiable consent before the teen’s personal information is collected and subsequently used;
- The right to notice before the teen’s personal information is stored in, transferred to, or accessible by a covered nation (as defined in 10 USC 4872(f));
- The right to provide verifiable consent before the teen’s personal information is processed for any purpose that would be a material change;
- Upon request and reasonable identify verification, the right to be provided with:
- A description of the specific types of personal information collected from the teen, how such information is collected, and for what purpose;
- The opportunity at any time to delete personal information collected from the teen or content/information submitted by the teen;
- The ability to refuse to permit the operator any further collection or processing of the teen’s personal information in retrievable form;
- The opportunity to challenge the accuracy of the teen’s personal information and to have inaccurate personal information corrected;
- A reasonable means to obtain any personal information collected from the teen, if such information is available to the operator at the time of the request; and
- When a teen uses technologies at school pursuant to a written agreement between their school and an operator, the school must (upon request):
- Provide notice of the specific types of personal information collected from the teen, how such information is collected, and for what purpose; and
- Request the operator provide a means to review the teen’s personal information and provide a means to review the personal information.
While we’d prefer for the final version of COPPA 2.0 to empower teens with more autonomy over their own information online, it would still be a huge win for anyone (whether teens or their parents) to have these rights protecting teens’ personal information. COPPA currently only provides protections for children under 13 online. Both the Senate and House versions of COPPA 2.0 would extend key protections to teens online, establishing the rights to notice, verifiable consent, and to delete a teen’s personal information. The only difference is what member of the household can exercise those rights. Having these rights–regardless of whether it is the teen or their parent who owns the rights–is better than not having them at all. That said, there is still an opportunity for stakeholders to advocate for teens to co-own these rights alongside their parents.
Additional Changes
Other differences worth highlighting between the Senate and House versions of COPPA 2.0 include:
| Mentions connected devices | Codifies the FTC’s recent policy statement on age verification |
| Includes a GAO study on the privacy and mental health of teens who use financial technology products | Adds the word “maintained” when describing how data must be protected |
| Ambiguity about whether 13-year-olds are children or teens |
The majority of the remaining changes between the Senate and House versions of COPPA 2.0 are not substantive. Instead the changes are primarily editing for formatting or stylistic preferences (such as by separating language out into subclauses, etc.).
Closing Thoughts
COPPA 2.0 represents a significant effort to update federal protections for children and teens online. While the Senate and House versions differ in meaningful ways, both reflect a shared recognition that the current COPPA statute is long overdue for reform. Whatever differences remain to be resolved, passage of either version would mark a meaningful step forward for children and teens in the digital age.