FTC Signals Enforcement Shift to Encourage Age Verification Tools Under COPPA

Key Takeaways

• Enforcement Discretion for Age Checks: The FTC said it will not bring COPPA enforcement actions against certain operators that collect, use, or disclose personal information solely to determine a user’s age, provided strict conditions are met.
• Strict Purpose Limitation: Information collected for age verification cannot be used for any other purpose and must be deleted promptly once age determination is complete.
• Security and Vendor Controls Required: Operators must implement reasonable security safeguards and ensure any third-party age verification providers can maintain confidentiality, security, and integrity, including through written assurances.
• Clear Notice Obligations Remain: Companies must provide clear notice to parents and children about what information is collected for age verification purposes.

Deep Dive

As lawmakers globally push for tougher age checks online and platforms scramble to respond, the Federal Trade Commission is stepping in to clarify how far companies can go without tripping over federal child privacy law.

In a policy statement issued February 25, 2026, the FTC said it will not bring enforcement actions under the Children’s Online Privacy Protection (COPPA) Rule against certain website and online service operators that collect, use, or disclose personal information solely to determine a user’s age through age verification technologies, provided they operate within clearly defined limits.

The move addresses a growing compliance dilemma. COPPA requires operators of commercial websites or online services directed to children under 13, and operators with actual knowledge they are collecting personal information from a child, to provide notice to parents and obtain verifiable parental consent before collecting, using, or disclosing that data.

But as children’s use of internet-connected technologies has expanded dramatically since COPPA’s enactment in 1998, policymakers have increasingly turned to age verification as a frontline control. Several states now require certain websites and online services to implement mechanisms to determine users’ ages. That, in turn, has created friction. Some age verification tools require collecting personal information up front, potentially from children, simply to establish whether COPPA applies.

At a recent FTC workshop on age verification technologies, that tension took center stage. Industry participants and privacy experts questioned whether companies could deploy robust age checks without exposing themselves to COPPA liability.

The Commission’s policy statement appears intended to reduce that uncertainty.

Under the new enforcement approach, the FTC will exercise discretion for operators of general audience and mixed audience sites and services that collect personal information solely to determine age without first obtaining parental consent, as long as a series of safeguards are met.

Those conditions are specific. Information gathered for age verification cannot be used or disclosed for any purpose beyond determining a user’s age. It cannot be retained longer than necessary and must be deleted promptly once that purpose is fulfilled. If third parties are involved in the verification process, operators must take reasonable steps to ensure those parties can maintain the confidentiality, security, and integrity of the data, including obtaining written assurances.

Operators must also provide clear notice to parents and children about the information collected for age verification, implement reasonable security safeguards, and take reasonable steps to ensure that any age verification product, service, method, or provider used is likely to produce reasonably accurate results.

Christopher Mufarrige, Director of the FTC’s Bureau of Consumer Protection, described age verification technologies as “some of the most child-protective technologies to emerge in decades,” adding that the statement is meant to incentivize operators to use such tools and empower parents to protect their children online.

Importantly, the Commission did not amend the COPPA Rule itself. Instead, it signaled that broader changes may be ahead. The policy statement indicates that the FTC intends to initiate a review of the rule to address age verification mechanisms more directly. The current enforcement posture will remain in effect until final rule amendments are published in the Federal Register or the statement is withdrawn.

For online platforms navigating an increasingly fragmented regulatory environment, the announcement offers conditional relief rather than a blanket safe harbor. Age verification may be encouraged, but only when narrowly tailored, securely implemented, and strictly limited to its stated purpose.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.