The Preemption Gambit: App Store Accountability and KOSA Reshape US Tech Policy

A Second Bite at Preemption — This Time Through Kids’ Safety

Washington has tried and failed to preempt state AI laws before. In 2025, a broad moratorium on state AI legislation collapsed in the Senate after bipartisan opposition made it politically toxic. The lesson the Trump administration took from that defeat was tactical: wrap preemption in something electorally safer than enterprise deregulation.

The result is a legislative package that is structurally clever — and contested on nearly every front. According to Biometric Update’s reporting in June 2026, the White House — led by Chief of Staff Susie Wiles, First Lady Melania Trump, the Office of Science and Technology Policy, and the National Economic Council — is working with Senator Marsha Blackburn to attach “subject-matter based” federal preemption to a children’s digital safety bundle. Rather than voiding all state AI laws outright, the approach would only displace state rules that cover the same ground as the federal package.

The three bills at the core of the deal are not new. KOSA has been circulating since 2022. The App Store Accountability Act exists in state form in Alabama, Texas, California, and Utah. The NO FAKES Act was reintroduced in revised form in May 2026. What changed is the political architecture: bundling them together with a preemption clause gives each constituency — tech companies seeking legal certainty, parents worried about online harms, and content creators alarmed by AI deepfakes — a reason to support the package as a whole.

The Three Laws at the Center of the Deal

1. KOSA: Age Verification Shifts to App Stores

The Kids Online Safety Act (KOSA) has gone through multiple iterations, but its June 2026 form — the House version emerging from a bipartisan Energy and Commerce Committee agreement, sometimes called the KIDS Act — places a new set of obligations on social media platforms and app stores. As reported by Fortune in March 2026, the legislative moment represents Congress making “it a lot more complicated” for social media companies already scrambling to verify minors online.

The House version requires platforms to apply default privacy and safety settings for users under 17, restrict direct and disappearing messages, disable compulsive-use design features like infinite scroll and autoplay, and present a three-hour continuous-use prompt for minors. Platforms must also undergo annual independent audits and respond to harm reports within ten days.

Critically, the bill does not require government-issued ID for age verification on adult content sites, attempting to balance child protection with privacy concerns. Even so, the Center for Democracy and Technology warned that the bill “will incentivize age verification to access online services, putting the privacy of all internet users — kids and adults alike — at risk.”

The Senate version (S. 1748) remains pending and diverges meaningfully from the House text: it includes a “duty of care” standard for platforms that the House dropped. Senator Blumenthal characterized the House version as a “blank check” that lacks meaningful corporate accountability. The gap between chambers is the legislation’s most significant unresolved political problem.

2. The App Store Accountability Act: Platform Liability for Minor Safety

The App Store Accountability Act shifts age-verification responsibility upstream — from apps to the stores distributing them. Rather than requiring each developer to implement their own age-check system, the bill mandates that app store operators categorize users into four groups at account creation: under 13, 13 to 15, 16 to 17, and 18 or older. Minors’ accounts must be linked to a verified parent or guardian, and downloads or in-app purchases by minors cannot proceed without transaction-by-transaction parental approval.

State versions of this law have already moved in Alabama (effective in 2026) and Texas (effective January 1, 2026, now in litigation after the Fifth Circuit stayed a preliminary injunction), California, and Utah. The Texas law’s experience is instructive: courts have questioned whether it violates First Amendment protections, and the legal challenge illustrates why tech companies are lobbying for a single federal standard that would render the state-by-state litigation landscape moot.

The federal App Store Accountability Act (H.R. 3149 in the 119th Congress) would consolidate these obligations nationally. App developers receive the parental consent data from the store and must implement age-appropriate restrictions before the app is downloaded. According to McDermott Law’s analysis, developers bear downstream obligations tied to whatever age classification the app store provides — creating a chain of accountability from Apple and Google down to individual app studios worldwide.

3. NO FAKES Act: AI Deepfakes and Content Creator Rights

The NO FAKES Act — Nurture Originals, Foster Art, and Keep Entertainment Safe — creates a federal property right over a person’s voice and visual likeness. Companies and individuals that produce or distribute AI-generated digital replicas without consent face civil liability; platforms that host such replicas knowingly face penalties of up to $750,000 per unauthorized work. The bill cleared the Senate Judiciary Committee by unanimous vote on June 18, 2026, the strongest legislative signal yet that deepfake accountability commands genuine bipartisan consensus.

The bill was reintroduced in its revised May 2026 form by Senator Blackburn and Senator Coons alongside Representatives Salazar and Dean. Backing spans the Recording Industry Association of America, SAG-AFTRA, the Motion Picture Association of America, Walt Disney Co., Getty Images, OpenAI, YouTube, TikTok, and IBM — a rare alignment of traditional media and Silicon Valley. Opposition centers on the Electronic Frontier Foundation and NetChoice, who warn that the notice-and-takedown provisions create incentives for platforms to over-remove lawful content.

The NO FAKES Act’s inclusion in the preemption package is deliberate. The deepfake liability framework applies specifically to AI-generated content, giving the bundle an explicit AI-governance dimension that justifies the preemption clause on AI-adjacent state laws.

What This Means for Tech Companies and Developers

1. App Store Gatekeeping Requirements Will Tighten

If the federal App Store Accountability Act passes, Apple and Google face significant new compliance obligations at the platform level. Both stores would need to implement age verification at account creation — a major infrastructure investment — and maintain ongoing parental consent workflows. These costs will ultimately be passed through to developers in the form of policy changes, SDK requirements, and potentially new App Store fees.

For smaller studios and indie developers, the downstream obligation to implement age-appropriate restrictions based on store-provided classifications adds a new compliance layer that currently only affects teams large enough to build region-specific age-gate systems. The federal law would make this a baseline requirement for any app reaching US minors.

2. Age Verification Implementation Costs Shift Upstream

One of the most consequential aspects of the package is how it reorganizes who bears the cost of age verification. Today, individual apps — especially social platforms and adult content sites — must implement their own verification systems, with wildly inconsistent results across 26 states that have already enacted adult website age verification laws. Federal legislation would concentrate that obligation in two chokepoints: Apple’s App Store and Google Play. This is more efficient from a compliance standpoint, but it also concentrates enormous gatekeeping power in two private companies.

The privacy implications remain unresolved. The White House and Senate have not yet specified which age verification technologies would satisfy the standard — government-issued ID, credit card cross-check, device-level attestation, or third-party identity services each carry different tradeoffs for user privacy. The insideprivacy.com review of end-of-2025 state developments noted that California’s Digital Age Assurance Act takes effect January 1, 2027, and requires operating systems to prompt for birth date at account setup — a sign that even without federal legislation, the pressure on upstream infrastructure is already building.

3. Federal Preemption Will Freeze the State-Law Patchwork

The package’s preemption clause is its most commercially significant — and politically fraught — element. At least 26 states have adult-content age verification laws. States including Idaho, Oregon, Washington, Maine, and Nebraska have enacted or are near-passing AI chatbot regulations. Alabama and Texas have app store accountability laws. California’s comprehensive AB 1043 and SB 976 are set to take effect in 2027. If subject-matter-based federal preemption passes, all of these would be displaced in areas the federal package covers.

For a company shipping a single app to US users, the preemption clause is operationally valuable: one compliance standard replaces 50 state investigations. But for states and child safety advocates, it is a ceiling — preventing states from going further than Congress is willing to go. That tension explains why the first preemption attempt in 2025 failed, and why this second attempt is structured around child safety rather than enterprise relief alone.

From Patchwork to Framework: The New US Digital Governance Order

The legislative package is best understood not as three independent bills but as a federal jurisdictional claim over the digital space minors occupy. KOSA defines how platforms must treat young users. The App Store Accountability Act determines who must verify who those young users are. The NO FAKES Act draws the line on what AI may generate using real people’s identities. Together, they propose a coherent governance layer for the intersection of AI, minors, and digital distribution.

Whether the House and Senate can reconcile their versions of KOSA — particularly the duty-of-care dispute — remains the critical variable. Senate Democrats and privacy groups have signaled they will not accept the House text as-is. The preemption clause adds further friction: any senator from a state with strong consumer protection traditions faces a difficult vote on ceding state authority.

The structural lesson of 2025’s failed moratorium is that preemption must be purchased, not simply declared. The White House’s gambit this time is to make children’s safety the price tag. If the bundle passes in something like its current form, it will represent the most sweeping federal intervention in digital platform governance since COPPA’s original passage in 1998. If it stalls again, the state-law patchwork will continue to harden — and global developers will keep navigating a compliance landscape that grows more fragmented with each legislative session.

Frequently Asked Questions

Sources & Further Reading

• White House, Senate revive push to block state AI laws through kids safety deal — Biometric Update
• US child safety bill reignites debate over age verification — Biometric Update
• State children’s online safety laws expand beyond social media in 2026 — Multistate
• End-of-year 2025 state and federal developments in minors’ privacy — Inside Privacy
• AI deepfakes bill advanced by Senate Judiciary Committee — Roll Call
• Social media companies scramble to verify minors: Congress just made it more complicated — Fortune
• Alabama enacts App Store Accountability Act — Regulatory Oversight
• App store accountability acts: What you need to know — McDermott Law