Online safety & content laws in United States (2026)

In TikTok, Inc. v. Garland, all nine justices upheld the Protecting Americans from Foreign Adversary Controlled Applications Act, ruling the national-security rationale justified its burden on speech with no First Amendment violation. The decision set a landmark precedent for federal authority to regulate foreign-owned platforms and triggered TikTok's brief 48-hour U.S. shutdown on January 18–19, 2025.

The FTC adopted the first comprehensive revision of the Children's Online Privacy Protection Rule since 2013, requiring separate parental consent for targeted advertising of children's data, imposing strict data-retention limits, banning push notifications to children without consent, and expanding the definition of personal information to include biometric identifiers and government-issued IDs. The rule became effective June 23, 2025, with full operator compliance required by April 22, 2026.

The FTC referred and the DOJ filed a federal civil complaint alleging TikTok knowingly allowed millions of children under 13 to use the platform without parental consent, with reviewers spending only 5–7 seconds per account, and that ByteDance violated the 2019 consent decree. The action seeks civil penalties up to $51,744 per violation per day.

The U.S. Senate passed a combined package merging the Kids Online Safety Act (imposing a statutory duty of care on platforms regarding minor users) and COPPA 2.0 (extending protections to age 16 and banning targeted advertising to minors) by a 91–3 bipartisan vote. The bill did not advance in the House before the 118th Congress ended, leaving it unenacted.

Enacted as Division H of the national-security supplemental H.R. 815, the Protecting Americans from Foreign Adversary Controlled Applications Act gave ByteDance 270 days to divest TikTok or face removal from U.S. app stores and web hosting services. It was the first federal statute to target a specific social media platform on foreign-adversary national-security grounds.

The Court vacated and remanded Gonzalez without ruling on Section 230's scope, and unanimously held in Twitter v. Taamneh that platforms were not liable under the Anti-Terrorism Act for hosting ISIS content. The paired rulings left Section 230's broad immunity intact and effectively deferred any judicial narrowing of the statute to future litigation or Congress.

The FTC proposed a sweeping modification to Meta's 2019 consent decree, seeking a blanket prohibition on monetizing personal data from users under 18 and alleging ongoing COPPA violations through Messenger Kids. The proposal marked the most aggressive federal enforcement posture toward a major platform's treatment of minor users to date.

The FTC and DOJ settled COPPA charges against Musical.ly (operating as TikTok), imposing a then-record $5.7 million civil penalty for illegally collecting personal information from children without parental consent and requiring deletion of all illegally gathered children's data. The settlement also required TikTok to create a verified children's mode — a consent decree TikTok would later be accused of violating.

President Trump signed H.R. 1865 (FOSTA-SESTA), creating civil and criminal liability for platforms that knowingly facilitate sex trafficking and explicitly removing that category from Section 230's immunity. It was the first time Congress legislated an exception to the platform-immunity framework enacted in 1996, demonstrating that Section 230 was subject to statutory modification.

The FTC's updated COPPA Rule expanded the definition of personal information to include geolocation data, photos, videos, audio recordings, and persistent identifiers such as cookies and device IDs, and explicitly brought mobile apps and third-party plug-ins within the rule's scope. The revision was the first major modernization of children's online privacy rules for the smartphone era.

The FTC's Children's Online Privacy Protection Rule (16 C.F.R. Part 312) began formal enforcement, requiring operators of child-directed websites and online services to post clear privacy policies, obtain verifiable parental consent before collecting personal information from children under 13, and provide parents the right to review and delete their children's data. The rule established the core compliance architecture still in use today.

Congress enacted the Children's Online Privacy Protection Act (15 U.S.C. §§ 6501–6506), establishing the first federal law specifically governing online privacy for children by mandating parental consent before collecting personal information from users under 13 and granting the FTC rulemaking and enforcement authority. COPPA remains the cornerstone federal statute for children's digital privacy more than 25 years later.

President Clinton signed the Telecommunications Act of 1996, embedding Section 230 (drafted by Reps. Cox and Wyden) which immunized online platforms from civil liability for third-party content and permitted good-faith content moderation without losing that immunity. Section 230's near-absolute liability shield became the legal foundation for the modern commercial internet and remains the single most consequential online-safety law in U.S. history.