The KIDS Act Doesn’t Protect Kids—It Makes Them Invisible

In 1998, Congress passed COPPA — the Children’s Online Privacy Protection Act — to protect children under 13 from data collection by online platforms. It was well-intentioned, broadly supported, and carefully drafted.

The practical result: every major platform set 13 as its minimum age and stopped asking questions.

Kids under 13 still use all of them. They just do it without any of the protections COPPA was supposed to provide, because the platforms decided it was easier to claim ignorance than to build safeguards. The law didn’t make children safer online. It made the platforms less legally responsible for what happened to them.

That distinction matters because it tells you who actually paid for COPPA’s design failure. Not the platforms. Not Congress. Children and parents paid. Children lost protection because platforms were incentivized to not know they were there. Parents were given the illusion of safety — an age gate that looked like a locked door but functioned as a suggestion. The cost of restriction-based regulation was absorbed entirely by the people it was supposed to protect.

Congress is now moving fast on AI. The KIDS Act advanced out of the House Energy and Commerce Committee last week. COPPA 2.0 passed the Senate by unanimous consent. The GUARD Act and CHAT Act are working through committee. The momentum is real, and the urgency is justified.

But the architecture of this legislation repeats the same structural mistake. And the cost will be borne by the same people.

The problem is real and it is happening now

70% of children use AI chatbots. Only 37% of parents are aware of it. ChatGPT requires users to be 13 or older and has no meaningful mechanism to verify that. Character.AI has been the subject of wrongful death lawsuits involving minors. The FTC has launched a formal inquiry into AI companion chatbots under its children’s safety mandate.

Kids are using AI tools designed for adults, at scale, right now — with no parental visibility, no age-appropriate safeguards, and no crisis intervention. The stakes are not hypothetical. Congress is right to act.

The KIDS Act’s specific requirements are reasonable: disclose that a chatbot is AI, not a human. Provide crisis resources when a minor mentions self-harm. Prevent access to harmful content. Don’t impersonate licensed professionals. Prompt breaks after extended use. These are sensible, protective, achievable standards.

The problem isn’t what these bills require. It’s who they actually change behavior for — and what happens to children when the largest platforms respond the way we already know they will.

Restriction teaches platforms not to look

There are two ways to approach child safety in a market full of dangerous products.

The first is restriction: set rules, impose penalties for violations, and let the market comply as cheaply as it can. This is how COPPA worked. Platforms didn’t build better protections for children — they raised the minimum age and declined to look closely at who was actually signing up.

The second is certification: define what genuinely safe looks like, create a recognized standard for meeting it, and build a legal and market advantage for products that do.

The KIDS Act follows the restriction model. And the predictable response from general-purpose AI platforms will be one of three things: implement the narrowest possible interpretation of the requirements and call it compliance; absorb fines as a cost of doing business when they fall short; or block minor access entirely, which in practice means children lie about their age and sign up for full adult accounts with zero oversight.

Every one of these outcomes has the same effect on families. Children don’t stop using the products. They become invisible to the systems that were supposed to protect them. Parents are told there’s an age gate, so they believe their child isn’t on there. The platform knows better and has every incentive not to look. The child ends up using an adult AI tool with no guardrails, no parental visibility, and no crisis intervention — and both the platform and the regulation have plausible deniability.

That’s not a compliance failure. That’s the compliance strategy. And the people who pay for it are children and their parents.

The compliance theater problem

This pattern has a name in other regulated industries: compliance theater. The appearance of adherence without the substance of protection.

When a bill passes, large platforms assign a compliance team, implement the minimum viable interpretation, and point to their implementation as evidence the law is working. Press releases are issued. Boxes are checked. And nothing materially changes for the child using the product at 11 p.m. on a Tuesday.

Flat-rate fines accelerate this dynamic. A penalty that represents a rounding error for a company valued in the hundreds of billions is not a deterrent — it’s a licensing fee. The behavioral math is simple: if the cost of genuine child safety infrastructure exceeds the expected cost of periodic fines, the rational choice is to pay the fines. That’s not speculation. That’s how every major platform has responded to every comparable regulatory framework for the past two decades.

Meanwhile, the companies that already built genuine protections — the small, purpose-built platforms that were designed for children from the ground up — face the same compliance paperwork, the same reporting requirements, and the same legal exposure as platforms that are actively working to obscure child usage. The regulation treats them identically. The market receives a clear signal: there’s no advantage to building for kids. The investment wasn’t worth making.

What regulation that protects families looks like

We’re not arguing against regulation. We’re arguing for regulation designed to change outcomes for children rather than to distribute paperwork and produce press releases.

Create a safe harbor certification for purpose-built platforms. A certification process — administered by the FTC or an independent standards body — that recognizes AI platforms meeting defined child safety standards. Certified platforms receive safe harbor protections and reduced compliance burden. Uncertified platforms face the full weight of enforcement. This inverts the incentive structure: instead of rewarding platforms that don’t look for child users, it rewards platforms that are built to protect them.

Distinguish purpose-built from retrofitted. A platform architected specifically for children — with age-adaptive responses calibrated by developmental stage, parental dashboards, values alignment, content filtering enforced at the model level, and crisis intervention baked into the response pipeline — is categorically different from an adult platform that added a “safe mode” toggle under regulatory pressure. Legislation that treats them identically tells the market that the difference doesn’t matter. Families know it does.

Make fines proportional to revenue. Per-user or percentage-of-revenue fine structures are standard in other domains. They should apply here. When the penalty scales with the company, the behavioral math changes — for everyone.

Incentivize building for child safety, not building around it. The GUARD Act’s approach — prohibiting minor access to AI companions unless strict requirements are met — may be well-intentioned, but the practical effect is to reduce the number of safe options in the market, ensuring children migrate to unregulated alternatives. The answer is not fewer products for children. It’s better standards for the products children are already using.

Where we stand

We built HeyOtto because we're parents who understand that our children won't just use AI — they'll grow up in a world shaped by it. We want them to arrive there knowing how to think critically about what AI tells them, when to trust it, when to question it, and how to use it as a tool without being dependent on it.

Every protection these bills propose, we already provide: COPPA compliance, age verification, parental consent, crisis intervention, content filtering, AI identity disclosure, no professional impersonation, no emotional manipulation. We recently completed the KORA child safety benchmark with results that significantly outperform every major general-purpose AI model tested.

Yes, the certification framework we’re proposing would benefit us. That’s the point. The incentive structure should reward companies that build genuine protections for children — including our direct competitors. We’re not advocating for a HeyOtto carve-out. We’re advocating for a regulatory model that stops penalizing companies in active pursuit of harm reduction while rubber-stamping Big Tech compliance theater.

The children using AI right now don’t need platforms that are better at not seeing them. They need platforms that are actively looking for opportunities to protect them. And their parents need to be able to tell the difference.

Build the certification lane. Reward the companies that built for children. Enforce hard against the ones that didn’t.

That’s how you make AI safer for kids — not by making it harder to build safe AI for them.

HeyOtto is a family-first AI platform designed for children ages 8–18, built by parents who weren’t satisfied with the alternatives. COPPA compliant. Start free — no credit card required.