Think and Save the World

Online safety legislation

The UK Online Safety Act as case study

The Online Safety Act 2023 took six years and three Prime Ministers to pass. Its final form is a 250-clause behemoth that imposes duties of care on user-to-user services and search services, classifies content into "illegal," "primary priority harmful to children," and "priority harmful to children," and gives Ofcom power to issue codes of practice with which compliance is a safe harbour. The Act survived because its drafters traded specificity for delegation: most of the actual rules will be written by Ofcom over a five-year implementation horizon. This is administrative-state pragmatism. It is also a structural concession that Parliament cannot draft fast enough to keep pace with the medium it regulates. Parents who want to influence the Act now influence Ofcom consultations, not Westminster floor debates. The locus of power has moved, and the civic skills required to engage have moved with it. Most parent advocacy groups have not yet retooled.

The EU Digital Services Act's systemic-risk frame

The DSA's innovation is the systemic-risk assessment. Very Large Online Platforms (45 million+ EU users) must annually identify, assess, and mitigate risks to fundamental rights, civic discourse, public health, and minors. Auditors verify. Researchers get data access. The European Commission can fine up to 6% of global turnover. This is the most ambitious regulatory architecture yet attempted for digital services. It is also, as of mid-2026, unevenly enforced: investigations into X, Meta, TikTok, and AliExpress are open but slow. The DSA's strength is that it does not specify content rules; its weakness is that "systemic risk" is sufficiently abstract that platforms can produce voluminous risk reports while changing little. Parents reading those reports — and a small number do — find catalogues of mitigations whose effectiveness is asserted, not demonstrated.

Australia's eSafety Commissioner

Australia created the world's first dedicated online-safety regulator in 2015 and has steadily expanded its powers. The Commissioner can order takedowns of cyberbullying material targeting children within hours, demand basic online safety expectations from platforms, and issue removal notices for image-based abuse. The model is administrative rather than judicial: speed over due process. It works for clear-cut harms (intimate-image abuse, direct threats) and strains against contested ones (political speech, satire, encrypted messaging). The eSafety model has been studied by every other jurisdiction. Few have copied it wholesale, because few have Australia's combination of small population, parliamentary supremacy, and absence of a constitutional free-speech clause. Exportability is limited; the lessons are not.

California AADC and the First Amendment wall

California's Age-Appropriate Design Code Act, modelled on the UK's ICO code, required platforms to estimate users' ages, configure high-privacy defaults for likely minors, and conduct Data Protection Impact Assessments. NetChoice sued. The Ninth Circuit, in 2024, held the DPIA provisions likely violated the First Amendment by compelling platforms to opine on whether their content was harmful to children. The injunction did not strike the whole law but gutted its core mechanism. The lesson for US state legislators: any statute that forces platforms to make and publish editorial judgments about content's effects on minors will face strict scrutiny. Architectural rules (defaults, friction, data minimization) survive; content-effect rules do not. This narrows the policy space considerably and explains why subsequent state laws (Maryland, Connecticut, New York) have pivoted toward data-minimization framings.

KOSA and the duty-of-care debate

The Kids Online Safety Act, sponsored by Senators Blumenthal and Blackburn, would impose a federal duty of care on covered platforms to prevent and mitigate harms to minors including anxiety, depression, eating disorders, substance use, and sexual exploitation. It passed the Senate 91-3 in July 2024 and stalled in the House. Civil-liberties critics — EFF, ACLU, Fight for the Future — argue the duty-of-care language would incentivize platforms to over-remove content relating to LGBTQ identity, reproductive health, and political dissent, since any such content could later be alleged to have contributed to a minor's anxiety. Supporters — including many parent groups whose children died by suicide linked to platform content — argue the duty is narrowly drawn and enforceable only by FTC and state AGs, not private suit. Both sides are partly right. The compromise text remains unwritten.

The encryption fault line

Every online-safety statute eventually collides with end-to-end encryption. The UK Act's Section 122 gives Ofcom power to require "accredited technology" to scan for child sexual abuse material in private messages. Signal and WhatsApp threatened to leave the UK. The government issued a written ministerial statement clarifying the power would not be exercised until technology existed to scan without breaking encryption — which is to say, indefinitely. The EU's proposed Chat Control regulation faces the same collision and the same political stall. Parents are split: those whose children have been groomed in encrypted chats want scanning; those who understand that a backdoor for one is a backdoor for all do not. The 1,000-page manual treats this as an unsolved problem and recommends against asserting it is solved.

Age verification as architectural choice

Online-safety laws increasingly require "robust" age verification — not self-declaration, not credit-card checks, but identity-document verification or third-party age-estimation services. The architectural consequence is profound: an internet that cannot be browsed anonymously by adults, because the same gates that block minors must verify everyone else. Privacy advocates argue this is the surveillance state by other means. Safety advocates argue children's protection is worth adults' inconvenience. The technical middle path — zero-knowledge proofs of age, federated identity wallets — exists but is not yet deployed at scale. Legislation that mandates age verification without specifying the privacy architecture defaults to the surveillance solution. Parents who want both safety and privacy must demand the architecture, not just the gate.

Enforcement asymmetry

Ofcom's online-safety budget is roughly £80 million annually. Meta's annual revenue is roughly $135 billion. The FTC has approximately 1,200 staff total. Alphabet has approximately 180,000. Regulators cannot out-resource the regulated; they can only choose leverage points. The leverage points that work are: very large fines (DSA's 6% of global turnover), executive personal liability (UK Act's senior manager offence for failure to comply with information notices), mandatory transparency that enables third-party research, and private rights of action that distribute enforcement to plaintiffs' bars. Parents who want enforcement to bite should support all four. Those who oppose private rights of action — typically on the grounds that they invite frivolous litigation — should explain how, in their absence, regulators will keep up.

The state-law patchwork

As of 2026, more than thirty US states have enacted or proposed children's online-safety legislation. Utah's Social Media Regulation Act required parental consent and curfews; it was partly enjoined. Florida's HB 3 banned under-14s from social media; it was enjoined. Texas's SCOPE Act and Tennessee's similar law face ongoing challenges. The pattern: states pass; NetChoice sues; courts enjoin; states amend. The result for platforms is a compliance matrix that varies by user location. The result for small platforms is exit from minor markets entirely. The result for children is uneven protection that depends on what state their parents drive through. Federal preemption — long opposed by states-rights advocates — is increasingly favoured by parent groups exhausted by the patchwork.

The COPPA modernization debate

COPPA 2.0, also sponsored by Markey and Cassidy, would raise the protected age from under-13 to under-17, ban targeted advertising to minors, and create an "eraser button" for content posted by minors. It has passed the Senate alongside KOSA and stalled alongside it. The under-17 line is more defensible developmentally than the under-13 line, which was a 1998 negotiation artifact. The targeted-advertising ban is the most consequential provision: it would force platforms to redesign monetization for an entire user cohort. Industry opposition is therefore intense. Parents who treat COPPA 2.0 as a minor update miss its economic significance. It is the closest the US has come to imposing data minimization by statute on a defined population.

Litigation as legislation

Where statutes fail or delay, plaintiffs' lawyers fill the gap. The multidistrict litigation against Meta, TikTok, Snap, and YouTube — consolidated as In re Social Media Adolescent Addiction/Personal Injury Products Liability Litigation — alleges product-liability theories: that the platforms are defective products whose addictive design foreseeably harms minors. School districts, state attorneys general, and individual families are plaintiffs. The first bellwether trials are scheduled for late 2026. If plaintiffs prevail, the doctrinal shift — treating platforms as products rather than publishers — will reshape the regulatory landscape more than any statute. Parents acting collectively through their school districts have, in this litigation, more direct leverage than they have in any legislature.

What collective parenthood actually does

Most parents will never read a statute, attend an Ofcom consultation, or join a multidistrict litigation. Collective parenthood at scale therefore depends on a small number of organized intermediaries: 5Rights Foundation, ParentsTogether, Common Sense Media, Fairplay, the Center for Humane Technology, Internet Matters. These groups translate, mobilize, and lobby. Their effectiveness varies. Their funding is precarious. Their relationship with platforms (some accept platform funding; some refuse) shapes their credibility. Parents who want collective action should know which intermediaries operate in their jurisdiction, what they prioritize, and whether their priorities match the family's. The civic infrastructure of online-safety advocacy is thinner than the rhetoric suggests, and it is built by people who could be doing other things. Joining it, funding it, or staffing it is the unglamorous answer to "what can we do?"
