backThe Federal Trade Commission (FTC) issued an enforcement policy statement last week which will create a safe harbor under the Children’s Online Privacy Protection Act (COPPA) and its implementing Rule (COPPA Rule) allowing companies to employ age verification technologies without the fear of enforcement action. This new guidance reflects an effort to balance the FTC’s goal of addressing the collection of children’s personal information with efforts to implement age verification online.
Under the new policy, the FTC will exercise enforcement discretion and decline to bring COPPA actions against platforms that collect, use, or disclose personal information solely to determine a user’s age—without first obtaining verifiable parental consent—if strict conditions are met. The FTC also signaled that a proposal to address age verification mechanisms under the COPPA Rule is forthcoming.
Background
COPPA, enacted in 1998, was designed to give parents knowledge and control over the collection and use of personal information from children under 13. The FTC implemented the COPPA Rule in 1999 and has revised it over time, most recently in 2025 (see our previous alert here), as children’s online engagement and the technologies that support it have evolved.
Since COPPA’s enactment, children’s use of internet-connected technologies and screen media has only increased. In response, states and policymakers have increasingly turned to age verification requirements to address content available to children and restrict certain content or features based on age. These developments have intensified questions about how operators can deploy age verification technologies, some of which necessarily involve the collection of personal information, without running afoul of COPPA’s parental notice and consent requirements. These questions were explicitly debated and addressed at the FTC’s recent Age Verification Workshop held on January 28, 2026, where regulators, technologists, advocates, and industry participants examined the strengths, limitations, and privacy tradeoffs of available verification and age estimation tools. As FTC Bureau of Consumer Protection Director Chris Mufarrige acknowledged, “age verification [i.e., “AV”] technologies will play an enormously important role in protecting kids online, but currently, using certain AV technologies may be [in tension] with COPPA because some technologies require collecting personal information to verify a child's age before parental notice and consent is possible.” This policy statement directly responds to and attempts to balance this tension.
Scope of The Enforcement Policy
The new enforcement policy statement acts as the FTC’s attempt to relieve the pressure points that it recognized exist under the current regime. Specifically, the Commission states that it will not bring an enforcement action under COPPA against certain operators that collect, use, or disclose personal information solely for age verification purposes, even if that occurs before obtaining verifiable parental consent.
This enforcement discretion applies to:
- “Mixed audience” websites or online services— those that do not target children as their primary audience; and
- General audience websites or online services that may obtain actual knowledge of a user’s age.
The policy covers the collection, use, and disclosure of personal information for “Age Verification Purposes,” defined as activities undertaken to determine a user’s age or age range using a variety of age assurance tools, including:
- Age estimation tools;
- Age verification tools; and
- Age inference tools that infer likely age based on various signals.
Echoing themes raised during its workshop, the Commission explains that more accurate age determinations allow operators to apply child‑protection measures more effectively and protect more children online.
Guardrails Still Apply
To qualify for the safe harbor, operators must satisfy a series of conditions, aimed at preventing age verification from resulting in overbroad data collection or profiling.
The FTC’s conditions fall into several key categories:
1. Purpose Limitation
- Information collected for age verification purposes may be used only to determine a user’s age. Functionally, this means that data cannot be repurposed for advertising, personalization, analytics, user engagement, or any other secondary use. Age verification data must remain functionally siloed from the rest of the company’s data ecosystem.
2. Third-party Controls
- Where operators rely on vendors or service providers to perform age verification, disclosures are permitted only if the operator has taken reasonable steps to ensure that those third parties can maintain the confidentiality, security, and integrity of the information.
- These third parties must provide written assurances that they will:
- Employ reasonable measures to protect the information;
- Not use or disclose it for any purpose other than age verification purposes; and
- Delete the information promptly after fulfilling the age verification purposes.
3. Data Minimization and Retention Limits
- Age verification data may not be retained indefinitely. The FTC expects operators to retain information only for the period necessary to complete the age verification function and to delete it promptly thereafter.
4. Transparency and Notice
- Operators must clearly disclose their age verification practices in their privacy policies. Such transparency is critical to maintaining trust and ensuring that age verification mechanisms do not operate as opaque background surveillance.
5. Security Safeguards
- The FTC expects age verification data to be protected by reasonable security measures appropriate to the sensitivity of the information.
6. Accuracy of Age Verification Tools
- Finally, the FTC conditions its enforcement discretion on operators taking reasonable steps to ensure that any age verification tool, method, or vendor is likely to provide reasonably accurate results. The FTC is not mandating any particular technology, but it is signaling that operators should be prepared to assess and defend the reliability of the methods they deploy.
Importantly, the FTC underscores that all other COPPA obligations remain fully in force. Enforcement discretion applies only to the limited act of collecting information for age verification purposes. In other words, it is a narrow safe harbor. Companies that otherwise fail to comply with COPPA’s notice, consent, and data‑handling requirements remain subject to enforcement.
The policy will remain effective until the FTC publishes final amendments to the COPPA Rule addressing age verification mechanisms in the Federal Register or until the policy is otherwise withdrawn. The FTC has indicated that it intends to initiate a rule review on this topic in the coming months.
Key Takeaways for Operators
For companies operating mixed‑audience or general‑audience services, the takeaway is that how age verification is designed, limited, and governed will matter as much as whether it is deployed at all.
The policy has several practical implications:
1. Incentive to Upgrade Age Gating
- The FTC has indicated through this policy that it views age verification as a viable child‑safety measure. Operators now have explicit FTC assurances that they may deploy more sophisticated age verification tools that require personal information, without first obtaining parental consent, provided the collection is strictly for age verification purposes and meets the policy’s safeguards.
2. No Relaxation of Broader COPPA Duties
Once a user is determined to be under 13, whether through age verification or otherwise, operators must continue to fully comply with all COPPA requirements for that user’s data.
3. Governance, Contracting, and Technical Controls Are Critical
- To benefit from the FTC’s enforcement discretion, operators will need clearly documented data governance policies for age verification data, appropriate contractual terms and oversight of third-party age verification providers, and robust security and deletion controls.
4. Forthcoming Rulemaking May Change Requirements
- The FTC has made clear that it intends to revisit age verification mechanisms through formal COPPA rulemaking. Companies deploying or expanding age verification tools now should do so with an eye toward future regulatory standards, not just current enforcement discretion.
5. State Law Still Applies
- The FTC’s policy statement does not displace or preempt state privacy laws, many of which continue to impose independent, and sometimes stricter, requirements on the collection and use of personal data. One such example is the NY Child Data Protection Act (NYCDPA) which limits the collection and use of personal data from users under 18, mandates data deletion, and is enforced by the NY Attorney General with fines up to $5,000 per violation.
The enforcement policy statement is a clear signal from the FTC that the agency does not want concerns over COPPA enforcement to be a barrier to the implementation of age verification technology. However, operators must still take care to ensure that any such technologies are properly developed and implemented to avoid running afoul of the policy statement’s complex requirements.