Please note: This post reflects the legislative status of KOSA and the KIDS Act as of June 8, 2026. Both bills are active and moving.
KOSA and the KIDS Act: What Platforms Are Actually Required to Do on Sexual Exploitation
Most coverage of the Kids Online Safety Act focuses on algorithm design, mental health harms, and the long fight over the duty of care. What gets less attention is that both the Senate version (S.1748) and the House version embedded in the KIDS Act (H.R.7757) explicitly include child sexual abuse material in their list of covered harms, and the compliance obligations for that specific category are technically distinct from everything else in the bill.
Neither bill is law yet. Senate Commerce Committee Chairman Ted Cruz pledged in May 2026 to advance KOSA through his committee, and the KIDS Act cleared the House Energy and Commerce Committee in March 2026 on a party-line vote. But the legislative gap between where things stand today and an enacted statute is not the relevant planning window for most Trust & Safety teams. The relevant window is the one their audit timelines, vendor contracts, and board risk reviews actually operate on.
What the Bill Actually Says About Sexual Exploitation
Both versions of KOSA define “sexual exploitation and abuse” by reference to federal criminal statutes, though they do so through different cross-references. The Senate bill (S.1748) references coercion and enticement under 18 U.S.C. 2422; CSAM as described in sections 2251, 2252, 2252A, and 2260; trafficking for the production of images under 2251A; and sex trafficking of children under 1591. The House KIDS Act references coercion and enticement under 2422; child pornography as defined in section 2256; trafficking for the production of images under 2251; and sex trafficking under 1591. The statutory hooks differ, but the practical coverage is similar: both bills explicitly include CSAM, child sex trafficking, enticement, and trafficking for image production within the harms platforms must prevent.
This is not a vague “harmful content” category. The definitions map directly to the federal criminal statutes that govern CSAM, both traditionally produced material and AI-generated content that meets the statutory threshold. Platforms that treat KOSA as a mental health and algorithm bill, and leave their CSAM detection posture to a separate compliance track, are reading the legislation incorrectly.
Covered-platform scope is broad but not unlimited, and the two bills define it differently. The Senate bill (S.1748) covers online platforms, online video games, messaging applications, and video streaming services that connect to the internet and are used (or reasonably likely to be used) by a minor, with carve-outs for ISPs, broadband providers, email services, educational institutions, and certain news and sports sites. The House KIDS Act uses a five-factor test focused on public-facing UGC sharing, design features that promote user engagement, and use of personal data for ads or recommendations. Social networks, gaming platforms, video-sharing services, and messaging apps with significant minor userbases will almost certainly be covered under both frameworks, but platforms should assess their own status against the specific statutory language rather than assuming coverage.
The Knowledge Standard: Where the Real Compliance Risk Lives
The House and Senate versions of KOSA diverge most sharply on the knowledge standard (the threshold at which a platform’s obligation to prevent and mitigate harm is triggered). The Senate version uses “actual knowledge or knowledge fairly implied on the basis of objective circumstances.” The House KIDS Act uses “actual knowledge or to have acted in willful disregard.” The gap between “fairly implied” and “willful disregard” is significant, and it is the provision that has drawn the most friction in reconciliation negotiations.
For CSAM specifically, this debate matters less than for most other covered harms, and this is the part of the bill that almost no one is writing about. NCMEC reporting obligations under 18 U.S.C. 2258A already come into play when a platform becomes aware of apparent CSAM, meaning the knowledge threshold for the existing federal reporting duty is effectively “when you find it.” What KOSA adds on top of that is the affirmative obligation to have reasonable policies, practices, and procedures to prevent it from appearing in the first place. The bill’s knowledge standard affects when the duty to mitigate is triggered, but not whether a platform needs a detection program. Platforms without meaningful detection capabilities will have a harder time demonstrating that their policies, practices, and procedures are reasonable, particularly for services where user-generated media can be uploaded or shared.
State enforcement appetite is unambiguous. In February 2026, 40 state and territorial attorneys general wrote to congressional leadership supporting the Senate version of KOSA over a House companion bill, emphasizing concerns about federal preemption of stronger state laws and the absence of a meaningful duty of care. Then, on May 26, 2026, a coalition of 44 attorneys general opposed the House KIDS Act specifically, again citing preemption and the bill’s lack of a comprehensive duty-of-care requirement. Whatever version eventually reaches the president’s desk, this enforcement posture will shape how platform compliance programs are evaluated.
The Audit Requirement: Where Detection Infrastructure Gets Examined
Both versions of KOSA require covered platforms to undergo annual independent third-party audits. The House KIDS Act requires the first audit within 18 months of enactment, with audit results submitted to the FTC within 30 days and a public report published within 45 days. The Senate bill requires covered platforms above a size threshold to publish annual public reports based on independent third-party audits, with an 18-month general effective date. Both frameworks give auditors scope to assess compliance with all of the Act’s obligations, including the sexual exploitation provisions.
This is the mechanism that turns KOSA’s sexual exploitation obligation from a policy statement into a technical examination. An auditor assessing a platform’s safeguards against sexual exploitation and abuse will look at what the detection stack actually does, not just what the terms of service say. The bills do not prescribe specific detection technology, but an auditor could reasonably scrutinize whether hash-only detection is adequate for novel or AI-generated CSAM. Hash databases catch previously identified material; they are blind to first-generation content by design. Whether that gap satisfies a “reasonable policies, practices, and procedures” standard is a question platforms should be ready to answer.
The NCMEC CyberTipline recorded a 1,325% increase in CSAM reports involving generative AI in 2024. Any audit framework that takes its obligations seriously will account for that shift. A detection program that was considered adequate in 2022 is not adequate against the current threat environment, and the audit process is where that gap becomes visible.
KOSA Does Not Stand Alone in This Environment
Platform teams assessing KOSA compliance should not evaluate it in isolation. The legislation is moving alongside several other developments that together define the current risk environment for platforms handling user-generated content.
The TAKE IT DOWN Act, signed into law in May 2025, requires platforms to remove non-consensual intimate imagery, including AI-generated deepfakes, within 48 hours of notice. Its compliance deadline arrived in May 2026. The New Mexico jury verdict against Meta in March 2026 imposed $375 million in civil penalties under a state consumer protection statute that exists in some form in nearly every U.S. state (not a sector-specific tech law, just a general unfair practices claim applied to documented failures to protect children). And in the UK, the Online Safety Act’s new reporting duties for in-scope services went live in April 2026, requiring platforms to report detected and unreported child sexual exploitation content to the National Crime Agency rather than simply removing it.
None of these developments wait for KOSA to be enacted. They are creating compliance obligations now. Platforms that treat child safety detection as a future-state concern tied to a specific piece of legislation are already behind.
What Platforms Should Be Doing Before KOSA Becomes Law
The 18-month effective date in the KIDS Act and the audit provisions in both bills provide a meaningful planning window, but only for platforms that start now. Platforms that wait until enactment to assess their detection infrastructure, begin vendor evaluations, and document their compliance rationale will not finish in time.
Three things are worth doing before the legislation lands:
- Map your detection coverage against the CSAM definitions. Both versions of KOSA include CSAM within their sexual exploitation obligations by reference to federal criminal statutes. Your detection program needs to credibly address that category, which means going beyond hash matching for known content to include AI classification capable of flagging novel and AI-generated material. The audit will ask what your stack can and cannot detect.
- Document your current posture. Internal communications were central to the New Mexico Meta trial. What you know about your detection gaps, and what you’ve done or not done about them, is now a documented litigation risk. Building and maintaining clear records of your detection capabilities, the rationale for your operating parameters, and any remediation efforts is no longer optional.
- Evaluate detection vendors before the audit process forces the conversation. Third-party auditors assessing compliance with KOSA’s sexual exploitation obligations will have opinions about what constitutes reasonable technical safeguards. Platforms should understand how their current detection stack compares to available alternatives before that conversation happens in an audit context.
Purpose-Built Detection for the Compliance Environment KOSA Creates
CaseScan’s CSAM detection API is designed for exactly the environment KOSA describes: platforms handling large volumes of user-generated content that need to demonstrate reasonable technical safeguards against sexual exploitation. The API operates at scale, processing billions of files per day with P95 latency under one second, and detects both known CSAM via perceptual hashing and novel or AI-generated CSAM via deep-learning classification. In Maximum Precision mode, the Context Analysis layer reaches a verified false-positive rate of 1 in 45 million images, enabling autonomous action on high-confidence detections without generating unsustainable review queues.
The Zero Media Retention architecture means files are processed entirely in volatile memory and never written to disk, a material consideration for platforms managing GDPR data minimisation obligations alongside their detection programs. The same infrastructure serves law enforcement agencies globally and enterprise platforms including Wix and DoubleVerify, which means the audit trail supporting its performance claims is grounded in real-world deployment, not controlled benchmarks alone.
To see how CaseScan fits your platform’s environment, book a demo.
Frequently Asked Questions
What does KOSA require platforms to do about sexual exploitation?
Both the Senate KOSA (S.1748) and the House KIDS Act (H.R.7757) require covered platforms to implement reasonable policies, practices, and procedures to prevent and mitigate sexual exploitation and abuse of minors. Both bills define that category by reference to federal criminal statutes, including CSAM and child pornography, enticement, trafficking for image production, and child sex trafficking, though through different statutory cross-references. The Senate version also imposes a duty of care requiring platforms to exercise reasonable care in product design to prevent those harms. The compliance obligation in both cases is active and technical, not limited to written policies.
Has KOSA been signed into law?
No. As of June 2026, neither version of KOSA has been enacted. The KIDS Act (which incorporates a version of KOSA) passed the House Energy and Commerce Committee in March 2026 on a party-line vote and awaits a full House floor vote. The Senate version (S.1748) has not yet been advanced through the Senate Commerce Committee, though Committee Chairman Ted Cruz publicly committed to doing so in May 2026. The two bills have significant differences, particularly on the knowledge standard and state law preemption, and reconciliation between chambers will require further negotiation.
What is the difference between the Senate KOSA and the House KIDS Act?
The most significant differences involve the knowledge standard and the duty of care. The Senate bill requires platforms to act when harm is fairly implied on the basis of objective circumstances; the House KIDS Act requires actual knowledge or willful disregard. The Senate version also retains a duty of care obligating platforms to exercise reasonable care in product design; the House version substituted a requirement for reasonable policies and procedures, which critics argue provides a weaker enforcement hook. A coalition of 40 state attorneys general has formally opposed the House version in favour of the Senate bill.
What does KOSA’s audit requirement mean for CSAM detection specifically?
Both versions of KOSA require covered platforms to undergo annual independent third-party audits assessing compliance with the Act’s requirements, including sexual exploitation obligations. For CSAM detection, this means an external auditor will examine what technical safeguards a platform has in place to prevent child sexual abuse material from being uploaded, shared, or stored. The bills do not mandate specific detection technology, but platforms relying solely on hash-based detection may face scrutiny over whether that approach reasonably addresses novel and AI-generated CSAM, which hash databases cannot catch.
Do platforms need to comply with KOSA before it becomes law?
KOSA itself has no pre-enactment compliance obligations. But the legal environment it is responding to does. U.S. platforms already have NCMEC reporting obligations under 18 U.S.C. 2258A when they become aware of apparent CSAM. The TAKE IT DOWN Act compliance deadline arrived in May 2026. And the state attorney general enforcement model demonstrated in the New Mexico Meta verdict can be applied under existing consumer protection statutes without any new federal law. Platforms that wait for KOSA’s enactment to build detection infrastructure will be building it reactively, under regulatory scrutiny, on an accelerated timeline.