
119-HR-2657 Data-Driven Journalist Impact Analysis

119 · HR 2657 Sammy’s Law

Science, Technology, Communications
Sammy’s Law: This bill requires large social media platforms to permit certain providers of safety software to monitor and manage the activity of children under the age of 17 on such...
Bottom-line assessment
Overall stance: neutral.

  • US teens using YouTube / TikTok / Instagram / Snapchat: 90% / 63% / 61% / 55% (shares) — 2025 Pew facts
  • CyberTipline reports (2024): 20.5 million reports
  • Online enticement reports (2024): 546,000 reports
  • GAI‑involved exploitation (2024): 1,325% y/y increase

Published: 14 Dec 2025
Updated: 14 Dec 2025
Tags: Whipline · Impact Analysis · US Congress
Unvetted

01 · Section

Summary (Document 119-HR-2657)

- H.R. 2657 mandates that “large social media platforms” (>100M MAU or >$1B revenue) create and maintain third‑party–accessible, real‑time APIs so a teen (13+) or a parent/guardian can authorize a registered safety‑software provider to manage the child’s interactions, content, and account settings “on the same terms as such child,” and to receive secure, machine‑readable data transfers up to hourly. The FTC registers/audits providers and issues guidance; the Act preempts state laws that would themselves require such APIs. Effective upon FTC guidance. [1]
- As of December 11, 2025, the House Energy & Commerce Subcommittee forwarded H.R. 2657 to the full committee by voice vote. A CBO cost estimate has not yet been posted. [6][7]
- Context: teen social‑media use is widespread and near‑constant for many; the U.S. Surgeon General warns current platforms cannot be deemed “sufficiently safe,” underscoring the policy rationale. [8][9]

  • Potential benefits: increased parental visibility and faster escalation channels for harms (e.g., self‑harm, grooming, sextortion) when tools are adopted and well‑designed. [1][10]
  • Key risks: new API surfaces and frequent data exports expand third‑party and supply‑chain attack surface; evidence on restrictive monitoring shows mixed or adverse effects for some outcomes; compatibility frictions with end‑to‑end encryption. [11][3][2][12]

02 · Section

Economic Effects

Mechanisms include mandated API build/maintenance, compliance programs for third‑party registrants, liability posture under FTC Act enforcement, and national preemption reducing multi‑state fragmentation.

  • Platform compliance and integration costs: Platforms must ship production‑grade, real‑time APIs within 30 days of effective date and support hourly data portability. This accelerates engineering spend (design, authN/authZ, rate‑limiting, logging, abuse prevention) and incident response. Similar interoperability mandates in the EU (DMA messaging) have required complex reference offers and raised debate over how to preserve security at parity under E2EE. Expect non‑trivial CapEx/Opex in year one and ongoing maintenance. [1][13][12]
  • Third‑party provider market structure: Registration conditions restrict entrants to U.S.‑based, non‑foreign‑controlled firms with U.S.‑only processing/storage and rapid deletion timelines. These localization‑style constraints can raise data‑management costs (business surveys report ~16% for storage‑only and ~55% when combined with flow restrictions) and may reduce foreign competition. [1][14]
  • Preemption and interstate compliance: A single federal standard for API access can lower compliance fragmentation versus varying state mandates, aligning with evidence that regulatory heterogeneity in services raises trade costs. [1][4]
  • Enforcement and liability: Violations are enforced as unfair/deceptive acts under the FTC Act, with biannual compliance assessments and FTC guidance due within 180 days—driving program costs for both platforms and registrants. No CBO score posted yet to benchmark federal administrative costs. [1][7]
  • Spillovers to existing parental‑control ecosystems: Major platforms already offer “Family Center” features; third‑party APIs could complement/compete with these, potentially shifting value to independent safety vendors while imposing new developer‑relations workload on platforms. [15][16]

03 · Section

Social Effects

Impacts depend on adoption, family context, and tool design.

  • Scale of the problem: In 2024, NCMEC’s CyberTipline received 20.5 million reports; online enticement reports rose to 546,000 (+192% y/y), with a 1,325% surge in cases involving generative AI—substantiating demand for faster parental notification workflows. [17][10]
  • Potential benefits: Observational public‑health data link higher parental monitoring to lower violence/substance risks; meta‑analyses of parent‑involved cyberbullying programs find small but significant reductions—suggesting targeted gains are plausible when tools are embedded in broader family engagement. [18][19]
  • Limits and heterogeneity: Restrictive digital monitoring correlates with more problematic use in some cohorts; effects vary by adolescent risk profile (monitoring may help most among high‑aggression trajectories). Tool design that emphasizes active mediation and autonomy‑support may mitigate harms. [3][20]
  • Privacy, dignity, and rights: UNICEF/ICO guidance highlights children’s rights to privacy and the need for transparency when parental controls operate. APIs that surface clear, child‑visible indicators of monitoring and minimize data collection align better with rights‑based norms. [21][22]
  • E2EE and family tools: Many platform “Family Center” implementations limit visibility to metadata (contacts, groups) rather than message content to preserve privacy—third‑party API scopes that demand content access could create tension with such norms. [15]

04 · Section

Environmental Effects

Net environmental impacts are likely marginal relative to sectoral baselines.

  • Hourly transfers for a subset of youth accounts add traffic and compute, but against a fast‑growing data‑center baseline (≈415 TWh in 2024; projected ~945 TWh by 2030). Relative contribution from this bill alone is likely de minimis absent very high adoption. [5][23]
  • Indirect effects: If APIs spur broader moderation/analysis workloads, localized spikes may occur in specific regions where platforms concentrate safety operations; still small relative to AI‑driven demand growth. [5]

05 · Section

Temporal Analysis

  1. Immediate (0–6 months after FTC guidance): Platforms stand up minimal‑viable API suites, access controls, and data‑export pipelines; registrants undergo initial FTC security reviews. Heightened risk of misconfiguration and fraud attempts during rollout. [1][11]
  2. Near term (6–18 months): Iteration on scopes/rate limits, SOC2‑style attestations, and audit responses; families experiment alongside existing platform Family Centers. Early outcomes uneven, tracking family engagement more than raw tool installation. [15]
  3. Longer term (18+ months): If secure patterns stabilize, APIs could enable value‑added services (coaching, crisis escalation). Conversely, poor security hygiene could yield data‑breach externalities (historical parental‑control breaches underscore the risk). [24]

06 · Section

Unintended Consequences

Key risks and second‑order effects to monitor.

  • Encryption trade‑offs: “Same‑terms” third‑party management plus frequent exports could pressure platforms to offer message/content access in ways that complicate end‑to‑end encryption guarantees; EU interoperability experience illustrates how hard it is to preserve E2EE parity across parties. [12][13]
  • Attack surface expansion and vendor risk: Opening APIs to external safety apps expands credential‑theft and exfiltration vectors; prior breaches at consumer monitoring apps (e.g., mSpy) show real‑world consequences. [11][24]
  • Market narrowing: U.S.‑only processing and non‑foreign‑control rules can limit entry and raise costs—potentially favoring larger incumbents over startups—consistent with evidence that localization/entry barriers increase costs and reduce competition. [14][4]
  • Legal interaction risk: While H.R. 2657 centers on delegation/portability (not speech restrictions), adjacent state‑level child‑safety laws have faced First Amendment challenges; expect litigation scrutiny of API scopes and disclosures. [25]

07 · Section

Assessment

Overall stance: neutral.

On balance, H.R. 2657 is likely to lower technical barriers for families who want third‑party assistance and to reduce interstate fragmentation around access, but it also creates material security/compliance obligations and may narrow provider competition via localization/ownership constraints. Given mixed evidence on the effectiveness of restrictive monitoring, net safety gains will depend on careful FTC scoping (least‑privilege APIs, verifiable consent), strong audit/enforcement, and tool designs that emphasize active mediation and child transparency. [2][3][1]

08 · Section

Sourcing (selected)

Representative sources underpinning this assessment (see inline citations):

  • Bill text/status and committee action: Congress.gov; Energy & Commerce announcements; Congressional Record. [1][7][6][26]
  • Epidemiology and outcomes: U.S. Surgeon General; CDC YRBS. [9][18]
  • Monitoring efficacy and program impacts: peer‑reviewed studies/meta‑analyses. [2][3][19][20]
  • Platform family controls (status quo): Snapchat and Discord help centers. [15][16]
  • Security/supply‑chain risk and breach exemplars: CISA guidance; TechCrunch reporting. [11][24]
  • Interoperability/E2EE trade‑offs: BEREC opinion; security commentary. [13][12]
  • Data localization and regulatory fragmentation economics: OECD STRI and data‑flow studies. [4][14]
  • Environmental baselines: IEA Energy & AI. [5]

09 · Section

Key Metrics

  • US teens using YouTube / TikTok / Instagram / Snapchat: 90% / 63% / 61% / 55% (shares) — 2025 Pew facts
  • CyberTipline reports (2024): 20.5 million reports
  • Online enticement reports (2024): 546,000 reports
  • GAI‑involved exploitation (2024): 1,325% y/y increase
  • Data‑center electricity (2024 → 2030): 415 TWh → ~945 TWh proj.

Sources cited
  [1] Text - H.R.2657 — 119th Congress (2025–2026): Sammy’s Law. Congress.gov.
  [2] Web search · turn 6 #1
  [3] Parental Monitoring of Early Adolescent Social Technology Use (2024). Journal of Child and Family Studies (Springer).
  [4] OECD Services Trade Restrictiveness Index (STRI): Key messages. OECD.
  [5] IEA Energy & AI: Executive summary. International Energy Agency.
  [6] CMT Subcommittee Forwards Kids Internet and Digital Safety Bills to Full Committee. House Committee on Energy & Commerce (Republicans).
  [7] H.R.2657 — 119th Congress (2025–2026): Sammy’s Law (Overview). Congress.gov.
  [8] 10 facts about teens and social media (2025). Pew Research Center.
  [9] U.S. Surgeon General Advisory: Social Media and Youth Mental Health. HHS.gov.
  [10] CyberTipline Data (detailed 2024 trends). NCMEC.
  [11] CISA: ICT Supply Chain Risk Management. CISA.
  [12] WhatsApp ‘Third‑Party Chats’ security caveats (analysis). Forbes.
  [13] BEREC Opinion on Meta’s reference offers for DMA interoperability (2025). BEREC (EU regulators).
  [14] OECD: Economic Implications of Data Regulation (policy implications incl. localization costs). OECD.
  [15] Snapchat Support: What is Family Center? Snap Inc.
  [16] Discord Support: What is Family Center? Discord.
  [17] CyberTipline Data (2024 overview). NCMEC.
  [18] Parental Monitoring and Risk Behaviors — YRBS 2021 (MMWR). CDC.
  [19] A Systematic Review and Meta‑analysis of Interventions to Decrease Cyberbullying. PubMed.
  [20] Protective Effect of Parental Monitoring on Aggressive Behavior (2024). PubMed.
  [21] UNICEF USA: Protecting & Empowering Kids Online (Toolkit). UNICEF USA.
  [22] ICO Children’s Code: Use of parental controls. UK Information Commissioner’s Office.
  [23] IEA Energy & AI: Energy demand from AI (data centre projections). International Energy Agency.
  [24] mSpy customer data leaked (2024). TechCrunch.
  [25] Court blocks California law on children’s online safety (CA AADC litigation). Reuters.
  [26] Congressional Record (Dec 11, 2025): E&C Subcommittee markup includes H.R. 2657. Congress.gov.
