Publication

FTC Issues COPPA Enforcement Policy Statement Promoting Age-Verification Technology

Author:
Sheila A. Millar
Tracy P. Marshall
Anushka R. Stein
©2026 Keller and Heckman LLP

On February 25, 2026, the Federal Trade Commission (FTC) released an important children’s privacy enforcement discretion statement: COPPA – Enforcement Policy Statement Promoting the Adoption of Age-Verification Technology. Age verification of minors is an increasingly hot topic in children’s privacy law. As we discussed here, several states recently adopted laws requiring companies to conduct age verification before allowing access to certain apps and online services. With the proliferation of these laws, the regulated community has raised questions about how to comply with the Children’s Online Privacy Protection Rule (COPPA Rule) when implementing age-verification mechanisms. This was one of the topics covered during a full-day workshop at the FTC on January 28, 2026, which we wrote about here. FTC Chairman Andrew Ferguson and Commissioner Mark Meador both made remarks supporting the use of age-verification technologies. Chairman Ferguson also indicated that a policy statement on age-verification technology would be forthcoming, with the possibility of further amendments to the COPPA Rule to promote the use of age-verification technologies.

While proposed amendments have yet to be introduced, the FTC’s policy statement makes clear that the Commission will not bring enforcement actions under the COPPA Rule against operators of general audience sites and services and mixed audience sites and services that collect, use, or disclose personal information without verifiable parental consent for the sole purpose of determining a user’s age. Notably, the policy statement does not alter the Commission’s longstanding position that sites primarily directed to children under 13 should not collect age information; rather, they should assume audiences are under 13 and align data collection practices with COPPA.

Under the COPPA Rule, operators of commercial websites or online services directed to children under 13 years of age and operators with actual knowledge that they are collecting personal information from a child must provide notice to parents and obtain their verifiable consent before collecting, using, or disclosing personal information of a child under 13. The FTC’s policy statement sets out specific steps operators must follow to avoid enforcement under the COPPA Rule for use of age-verification technologies. Operators must:

  • Not use or disclose information collected for age verification purposes for any purpose except to determine a user’s age;
  • Not retain this information longer than necessary to fulfill the age verification purposes, and delete such information promptly thereafter;
  • Only disclose information collected for age verification purposes to third parties if the operator has taken reasonable steps to determine such third parties are capable of maintaining the confidentiality, security, and integrity of the information, including by obtaining written assurances;
  • Provide clear notice to parents and children of the information collected for age verification purposes;
  • Employ reasonable security safeguards for information collected for age verification purposes;
  • Take reasonable steps to determine that any product, service, method, or third party utilized for age verification purposes is likely to provide reasonably accurate results as to the user’s age; and
  • Comply with the COPPA Rule requirements in every other respect with regard to personal information collected from children.

The policy statement echoes comments made by Chairman Ferguson when the updated COPPA Rule was finalized (but not yet published) in January 2025. The Chairman identified three outstanding problems (which we discussed here) at the time, including what he characterized as a missed opportunity “to clarify that the Final Rule is not an obstacle to the use of children’s personal information solely for the purpose of age verification.” He argued that “the old COPPA Rule and the Final Rule contain many exceptions to the general prohibition on the unconsented collection of children’s data, and these amendments should have added an exception for the collection of children’s personal information for the sole purpose of age verification, along with a requirement that such information be promptly deleted once that purpose is fulfilled.”

While the policy statement seeks to address these concerns, it is not without some controversy, as there are opposing views on the benefits of age-verification technologies. Proponents argue that it is necessary to protect “children” – defined from ages 13 to 18, depending on the state – from a variety of possible online harms. Proponents also assert that age-verification technologies are more reliable than self-affirmation by users, age estimation techniques, or other alternatives. However, opponents argue that because age-verification methods require the collection and retention of children’s personal data, they are privacy invasive. Although the policy statement makes it clear that information collected for age verification should be promptly deleted after fulfilling such purposes, it remains to be seen if this language will satisfy critics.

The policy statement expressly states that it does not create any substantive rights or entitlements; the Commission retains the right to investigate and bring actions for violations of the COPPA Rule in individual cases. The FTC also stated that it intends to initiate a review of the COPPA Rule to address age-verification mechanisms. Rule changes will require initiation of a notice and comment process, so expect more opportunities for affected stakeholders to weigh in on any changes.

The Commission vote to issue the policy statement was 2-0.

Related People
Sheila A. Millar
Tracy P. Marshall
Anushka R. Stein
Related Practices
Advertising and Promotion
Privacy, Data Security, and Digital Media