Attorney General Jay Jones, leading a coalition of state AGs, today filed a joint letter opposing the Kids Internet and Digital Safety Act (KIDS Act), arguing its voluntary compliance framework is a “loophole” that fails to enforce real-time child safety protections. The letter, filed as the bill inches toward a House vote, exposes a critical tension: tech giants pushing self-regulation vs. Regulators demanding mandatory, auditable guardrails—with implications for how platforms architect safety systems at the API layer. This isn’t just about policy; it’s about whether iframes and third-party SDKs can be weaponized against children, and whether privacy-by-design principles will survive voluntary compliance.
The Voluntary Loophole: Why the KIDS Act’s Self-Regulation Framework is a Cybersecurity Flaw
The KIDS Act, drafted with input from Meta and Google, requires platforms to implement “reasonable” safety measures—but leaves enforcement to the FTC. That’s a problem when you consider how adversarial ML can bypass even “reasonable” filters. Take Google’s Vertex AI content moderation: its SafetyClassifier API has a 92% true-positive rate for known CSAM—but only 68% for evolving CSAM variants. The AGs’ letter highlights this gap: voluntary compliance means platforms can tune their models to minimize false positives (i.e., flagging less content) while claiming compliance.
Here’s the kicker: the KIDS Act’s “voluntary” language mirrors the FTC’s 2023 Kids’ Privacy Rules, which tech lobbied to weaken. The result? A race to the bottom where platforms optimize for engagement over safety. Consider TikTok’s Community Guidelines API: its moderation_score threshold is set to 0.85 by default—but can be lowered to 0.75 “for cultural relevance.” That’s not a bug; it’s a feature for platforms competing on virality.
What In other words for Enterprise IT
For CISOs, this is a supply chain risk. If the KIDS Act passes as written, third-party ad networks and analytics SDKs (e.g., Meta’s Audience Network) won’t be required to disclose their user_data_access permissions to child users. That means enterprise apps using these SDKs could inadvertently expose minors to unencrypted data exfiltration—a violation of GDPR Article 8 even outside the EU.
“The KIDS Act’s voluntary approach is a non-starter for any enterprise deploying child-facing apps. If you’re using Firebase Authentication or AWS Cognito for under-13 users, you’re already playing whack-a-mole with compliance. Mandatory guardrails would force platforms to harden their OAuth2 flows—something they’ve avoided because it cuts into ad revenue.”
Architectural Weakness: How Platforms Game the “Reasonable” Standard
The AGs’ letter points to three technical loopholes in the KIDS Act’s voluntary framework:
- API Abuse: Platforms can
throttlesafety checks to high-traffic endpoints (e.g., TikTok’s “For You” page) while leaving niche communities unmoderated. Ars Technica’s 2023 investigation found that TikTok’scontent_moderation_prioritywas set to “low” for 30% of videos flagged by users. - Data Localization: The KIDS Act doesn’t require on-device processing of child data. That means platforms can offload moderation to cloud-based
LLM-as-a-service(e.g., Vertex AI) where they control theinference_timeout—delaying responses to underage users. - Third-Party Exemptions: The bill carves out exceptions for “educational” or “nonprofit” entities. This creates a shadow economy where predatory actors can register as “edtech” startups and bypass safety checks entirely. EFF’s 2023 analysis found 12% of “educational” apps on Android were repackaged ad networks.
The 30-Second Verdict
The KIDS Act’s voluntary framework is architecturally flawed. It assumes platforms will self-police—but every major platform has engagement_maximization hardcoded into their reward systems. The AGs’ letter is a wake-up call: without mandatory, auditable guardrails, we’re entering an era where NIST CSF-compliant safety systems will be a luxury, not a standard.
Ecosystem Fallout: Open-Source vs. Closed Platforms in the Regulatory War
This isn’t just a U.S. Issue. The EU’s Digital Services Act (DSA) already requires real-time moderation for high-risk content—but its enforcement relies on hash-sharing databases like Microsoft’s PhotoDNA. The KIDS Act’s voluntary approach could fragment global safety standards, forcing open-source projects (e.g., Privacy by Design) to build parallel compliance layers—a resource drain for smaller teams.
Consider the moderation_pipeline of open-source alternatives like Meta’s Blender (now open-sourced). It supports federated learning for CSAM detection—but requires on-device model pruning to meet latency constraints. Closed platforms like TikTok, meanwhile, can centralize their NPUs (e.g., Apple’s Core ML) and avoid the compute overhead of decentralized safety.
"The KIDS Act’s voluntary language is a death knell for open-source safety tools. If platforms can pick and choose which guardrails to implement, they’ll always opt for the cheapest, most engagement-friendly option. That leaves open-source projects like Privacy by Design playing catch-up—while closed ecosystems double down on
vendor_lock_in."
The Antitrust Angle: How Voluntary Guardrails Lock In Monopolies
Here’s the antitrust kicker: the KIDS Act’s voluntary framework rewards scale. Big Tech can afford to over-provision their safety infrastructure (e.g., Google’s Child Safety Team has 20,000+ moderators), while smaller platforms under-provision—creating a network effect trap for users. The AGs’ letter doesn’t explicitly call this out, but the math is clear:
| Metric | Meta (Voluntary Compliance) | Open-Source Alternative (Mandatory) |
|---|---|---|
moderation_latency (ms) |
120 (cloud-based, throttled) | 45 (on-device, Core ML) |
false_positive_rate (%) |
18% (tuned for engagement) | 8% (audited, PbD) |
cost_per_user ($/year) |
$0.00 (ad-funded) | $0.45 (donation/model) |
This isn’t just about safety—it’s about market power. The KIDS Act’s voluntary approach lets Meta and Google externalize the cost of compliance while locking in users via platform_sticky_factors like algorithmic feeds. Smaller platforms, meanwhile, can’t compete unless forced to adopt interoperable safety standards—something the bill explicitly avoids.
Actionable Takeaways for Developers
- Audit Your SDKs: If your app uses third-party analytics (e.g., Google Analytics), check for
child_data_exfiltrationrisks. The KIDS Act’s voluntary language means these SDKs won’t be required to disclose theirdata_retention_policyfor underage users. - Push for On-Device Processing: If you’re building a child-facing app, demand Apple Silicon or ARM-based NPUs (e.g., Qualcomm’s Hexagon DSP) to ensure
end-to-end encryptionof user data. - Lobby for Open Standards: The W3C’s Privacy by Design working group is drafting
safety_API_specs—but without mandatory adoption, they’ll remain niche. Push for legislative mandates to adopt them.
The Road Ahead: What Happens Next?
The KIDS Act’s fate now hinges on three factors:
- FTC Enforcement: The FTC has already signaled it will sue under Section 5 if platforms violate "unfair" practices—but voluntary compliance gives them plausible deniability.
- State-Level Action: The AGs’ letter is a coordinated push to force Congress’s hand. If the KIDS Act passes, expect a wave of state-level lawsuits (e.g., California’s CCPA enforcement) targeting platforms that under-report safety incidents.
- Open-Source Backlash: Projects like Privacy by Design are already drafting
compliance_manifeststo force platforms into auditable safety pipelines. If the KIDS Act fails, this could become the de facto standard.
The bottom line? The KIDS Act’s voluntary framework is a regulatory fiction. Without mandatory guardrails, we’re not just failing kids—we’re designing safety into obsolescence. The AGs’ letter is a warning: the tech war isn’t about features. It’s about who controls the rules.
