Should Have Known Is the Wrong Standard for Kids’ Safety Laws
Should Have Known Is the Wrong Standard for Kids’ Safety Laws
Congress is closer than ever to rewriting the rules for young people online. Just last week, the House of Representatives passed the KIDS Act, which includes a revised version of the Kids Online Safety Act (KOSA) and the Children’s Online Privacy Protection Act (COPPA) 2.0. Most of the public debate has centered on what these bills would require online services to do: collect less data, switch off certain engagement features, prevent recommendation of certain content, and give families new controls.
Far less attention has gone to a single phrase tucked into both bills, a change to the legal standard for what an online service must know about a user’s age before the law’s obligations kick in. It reads like a minor change. It is not. Lowering that standard would give operators a powerful incentive to do the very thing the bills’ sponsors repeatedly insist they are not requiring: age verification of every user, child and adult alike. A law written to protect children’s privacy could end up building the kind of web that CDT has warned against — one where you must prove who you are before you can read, post, or browse.
A Quick Primer on Mens Rea
“Mens rea” is the legal term for the mental state of a person or company at the time it breaks a rule (i.e., what a person or company knew, intended, or consciously disregarded) that makes conduct unlawful. In the context of these laws, the relevant question is what an online service must know about a user’s age before legal duties kick in.
There is a spectrum of possible answers. At one end sits actual knowledge, where the operator in fact knew it was dealing with a child. This is a subjective standard, assessing the actual state of mind of the operator. Further along sit various constructive knowledge standards, which ask not what the operator actually knew about the child’s age but what it should have known from the surrounding circumstances. These are objective standards, asking what a reasonable person should have foreseen or known in those circumstances. How Congress sets that standard determines how cautious, and intrusive, online services must be in verifying a user’s age.
What COPPA 2.0 and KOSA Would Change
COPPA today sets the highest bar of any mens rea standard: regulators have to show the operator actually knew that it is collecting personal information from children under 13. While the Federal Trade Commission has said that the concept of actual knowledge already applies to an operator that willfully disregards a user’s age, the FTC has declined to further loosen that requirement to a “should have known” standard, explaining that Congress deliberately rejected a constructive knowledge test. The FTC found that holding operators liable for what they should have inferred from browsing habits or friend networks would push them to guess at users’ ages and restrict access far more broadly than the law intended.
KOSA and COPPA 2.0 within the KIDS Act would apply to those who “know or should have known” a user’s age. The current Senate versions of KOSA, which is rumored to be part of a forthcoming package of bills, and COPPA 2.0, which the Senate has passed, would apply to those with “actual knowledge or knowledge fairly implied on the basis of objective circumstances.” The operative change in these bills is the introduction of a “reasonable and prudent person” standard. The language converts a subjective “what did you know” standard into an objective “what you should have known” standard. And “should have known” is a standard that rewards finding out for sure.
Knowledge Requirements Protect Speech
The Supreme Court has long treated knowledge requirements not as technicalities but as safeguards against the chilling of protected speech.
In Smith v. California, the Court struck down an ordinance that made a bookseller criminally liable for carrying an obscene book even if they did not know of the book’s contents. The Court reasoned that without a knowledge requirement, booksellers would only stock books they had time to inspect personally, shrinking the public’s access to lawful books the state had no power to ban. The same logic applied to the internet in Reno v. ACLU. There, the Court invalidated a federal ban on the “knowing” transmission of indecent material to minors, finding that the knowledge requirement could not save a law that chilled speech adults have every right to exchange. In a 100-person chat group, the Court observed, a sender who knows that even one member might be a minor would commit a crime by sending the group an indecent message, leading to self-censorship. More recently, in Counterman v. Colorado, the Court held that even true-threats prosecutions require proving that the defendant consciously disregarded a substantial risk that the communication would be viewed as threatening. A subjective knowledge requirement, the Court reasoned, protects speakers from self-censoring out of fear of misjudging whether their words carry criminal liability, and ultimately preserves “breathing space for protected speech.” While the Supreme Court recently upheld a Texas law requiring age verification to access sexually explicit material in Free Speech Coalition, Inc. v. Paxton, the decision was limited to speech obscene to minors and should not be read to permit age verification for accessing the entire internet.
The case law is clear. When liability turns on something a speaker or intermediary cannot reliably control, the rational response is to pull back and restrict more speech than the law actually forbids. Knowledge requirements exist to check that chilling effect. But lowering the standard in COPPA 2.0 and KOSA incentivizes operators to implement policies that will censor constitutionally-protected speech.
A Lower Mens Rea Standard Means Verifying Everyone
Both bills include language stating that nothing in them requires an operator to “affirmatively collect” age information. But while the language may disclaim a legal requirement to verify users’ ages, the bill still incentivizes operators to do so. Facing hindsight liability and steep penalties for guessing wrong, the safest compliance posture is to establish a user’s age for certain. A statute that says “we are not making you verify age” does not change the calculus for a company that concludes age verification is the only sure way to avoid being told, after the fact, that it should have known a user was a minor.
The risk is sharpened by how much operators can already infer from routine data collection. A 2025 report from Georgetown’s Technology Impact Lab analyzed the “willful disregard” standard under Colorado’s privacy law. It found that Roblox, TikTok, and Character.AI already collect self-declared birthdates, transmit age-related data in network traffic, and segment users by age. It also found that a proof-of-concept tool could infer whether a comment came from a minor, on linguistic patterns alone, with roughly 73 to 80 percent accuracy. That finding cuts both ways. Proponents will say it shows operators already have enough information to know who is a child. But it also shows how easily a “should have known” standard sweeps in any service that collects ordinary product data, turning routine signals into a trigger for liability, and giving every operator a reason to resolve the uncertainty by demanding proof of age upon signing up.
Age verification imposes very substantial harms to Americans online. First, age checks force users to surrender their rights both to read and speak anonymously online, as both the Second and Third Circuits have observed. People go online to access and speak about sensitive topics, such as reproductive health, politics, and whistleblowing, and may want to do so anonymously without having to verify their age. Second, age verification undermines our privacy, as both identity verification and age estimation mechanisms require collecting more data — from identity documents to biometrics — about everyone, including, but not limited to, the very children it is meant to shield. Third, age verification undermines economic competition. Since age verification is costly and adds friction to a user’s experience, the burden falls hardest on small operators and new entrants, for whom a demand to upload a government ID can cut new-user sign-ups roughly in half. While some modes of age verification are more privacy-preserving than others, they all involve collecting more sensitive data, undermine anonymity, and burden smaller websites in this way.
The De-Risking Warning
There is precedent for what happens when a “knowing” standard allows a court to conclude that an organization ignored signs it should have heeded, and it comes from the banking industry. Anti-money laundering (AML) laws are designed to require banks to detect, prevent, and report efforts to disguise illegal funds as legitimate revenue. AML laws use an “actual knowledge” requirement, but courts treat willful blindness as the equivalent of actual knowledge. These laws have led to a phenomenon known as “de-risking.” Rather than carefully manage a customer category that regulators might later deem risky, banks cease to provide services to the category altogether because the compliance cost cannot be justified: a single violation can carry penalties of $1 million per day for willful violations.
A report from the Department of the Treasury documents the negative effects of de-risking. Low-income populations in developing countries, nonprofits working in high-risk regions, and smaller foreign banks lose access to the global financial system. Money migrates to unregulated channels where it is harder to trace and competition weakens as the cost of compliance drives smaller banks out.
While the FTC has interpreted COPPA’s actual-knowledge standard to encompass willful blindness, it has not produced widespread age verification. But a constructive “should have known” standard changes the incentive structure for online services. Willful blindness requires evidence that the operator deliberately avoided confirming that a user was a minor. By contrast, a “should have known” standard only asks whether a hypothetical reasonable operator would have recognized that a minor was using the service. Operators have strong incentives to verify users’ ages affirmatively under a “should have known” standard because there is often no clear answer to what a reasonable operator should have known, especially in the data-rich environment of online platforms. This de-risking story illustrates a broader compliance dynamic: when legal liability increases and legal uncertainty remains difficult to resolve, regulated entities respond by eliminating the uncertainty rather than accepting the risk.
When not knowing a user’s age becomes a liability, rational operators will either over-collect identifying data or pull out of certain markets altogether. We are already watching the second response unfold: faced with state age-verification mandates, Pornhub geo-blocked users across roughly 24 states. Bluesky temporarily blocked access to users in Mississippi and then re-entered the market but only for adults who verify their age.
Getting This Right
CDT shares COPPA 2.0 and KOSA’s goal of protecting kids online, and commends the authors of the KIDS Act for working to strike a careful balance that respects user rights. But there are more effective ways to do so that do not depend on verifying the age of every user — such as through strong data-minimization defaults and meaningful limits on how data is used and retained. Despite the bill authors’ stated goal not to mandate age verification, introducing a lower knowledge standard changes platforms’ incentives in a way that will harm free speech, online privacy, and competition. Before Congress lowers the bar for what operators “should have known,” it should weigh what a de facto age verification mandate would cost everyone who reads, speaks, and browses online.
How it works
Once you click Generate, Ollama reads this article and crafts 5 comprehension questions. Your answers are graded against the article content — general knowledge won't be enough. Score 70+ to count toward your certificate.
Questions are cached — you'll always get the same 5 for this article.