FTC Issues COPPA Policy Statement to Encourage Age Verification Technologies

The Federal Trade Commission (FTC) has issued a significant policy statement announcing that it will not bring enforcement actions under the Children’s Online Privacy Protection Rule (COPPA Rule) against certain website and online service operators that collect, use, and disclose personal information solely for the purpose of determining a user’s age via age verification technologies.

This development comes as the FTC seeks to balance its mandate to protect children’s privacy online with the growing recognition that age verification technologies are, in the words of FTC Bureau of Consumer Protection Director Christopher Mufarrige, “some of the most child-protective technologies to emerge in decades.”

Background: The COPPA-Age Verification Tension
Since COPPA was enacted in 1998, there has been an explosion in the use of internet-connected technologies by children. In response to growing concerns about children’s online safety, several states have begun requiring websites and online services to use age verification mechanisms to determine the age of users.

However, as noted at the FTC’s recent workshop on age verification technologies held in January 2026, some age verification mechanisms require the collection of personal information from children, prompting questions about whether such activities could violate the COPPA Rule. This created a somewhat paradoxical situation: The very technologies designed to protect children online could themselves trigger COPPA compliance obligations.

The FTC has now sought to resolve this tension through its new policy statement, designed to “incentivize operators to use these innovative tools, empowering parents to protect their children online.”

Key Conditions for Enforcement Discretion
The policy statement applies to operators of general audience sites and services, as well as mixed audience sites and services (those directed to children, but which do not target children as their primary audience). Under the policy, the FTC will exercise enforcement discretion where operators collect personal information for age verification purposes without first obtaining verifiable parental consent, provided they comply with six key conditions:

1. Purpose limitation: The operator does not use or disclose information collected for age verification purposes for any other purpose.
2. Third-party safeguards: The operator discloses information collected for age verification purposes only to third parties that the operator has taken reasonable steps to determine are capable of maintaining the confidentiality, security and integrity of the information, including by obtaining written assurances from those third parties.
3. Retention limitation: The operator does not retain the information longer than necessary to fulfill the age verification purposes, and deletes such information promptly thereafter.
4. Notice: The operator provides clear notice to parents and children of the information collected for age verification purposes in its privacy policy.
5. Security: The operator employs reasonable security safeguards for information collected for age verification purposes.
6. Accuracy: The operator takes reasonable steps to determine that any product, service, method or third party utilized for age verification purposes is likely to provide reasonably accurate results as to the user’s age.

Critically, the FTC will not exercise its enforcement discretion unless the operator is complying with the COPPA Rule’s requirements in every other respect with regard to personal information collected from children.

Context: The January 2026 Workshop
This policy statement follows the FTC’s workshop on age verification technologies held on January 28, 2026. The workshop examined the interplay between COPPA enforcement and developments in age verification technology, with FTC Chairman Andrew Ferguson emphasizing that “COPPA enforcement is and will remain a top priority of the Trump-Vance FTC.”

The workshop featured extensive discussion of various age verification methods, from facial age estimation and government ID verification to emerging approaches such as behavioral analysis and reusable age credentials. Panelists highlighted both the promise and challenges of these technologies, including privacy concerns, accuracy limitations, and the need for robust data protection safeguards.

A key theme emerging from the workshop was the importance of “double-blind” architectures, where an external service verifies age without knowing which website the data is intended for, and the website confirms age status without learning the user’s identity. Such approaches help ensure that neither party obtains a complete picture of the user’s identity and activities.

Broader Regulatory Context
The policy statement arrives amid a rapidly evolving regulatory landscape. Multiple U.S. states have enacted laws requiring age verification for access to certain online content, with requirements varying significantly in their scope, threshold ages and acceptable verification methods. Similar requirements exist internationally, including the UK’s Age Appropriate Design Code and Online Safety Act, and Australia’s recent social media age verification requirements.

The FTC has indicated that it intends to initiate a review of the COPPA Rule to address age verification mechanisms more formally. The policy statement will remain effective until the FTC publishes final rule amendments on this issue in the Federal Register, or until otherwise withdrawn.

Practical Implications
For operators of general audience and mixed-audience sites and services, this policy statement provides welcome clarity and reduces the legal risk associated with deploying age verification technologies. Operators can now implement these technologies with greater confidence, provided they adhere to the six conditions set out in the statement.

However, several practical considerations remain. Operators should carefully document their compliance with each condition, particularly around third-party due diligence, data retention policies, and accuracy assessments. Privacy policies should be updated to clearly disclose the information collected for age verification purposes.

It is also worth noting that this policy statement does not modify the FTC’s position regarding child-directed sites and services that are primarily directed to children, which must continue to treat all users as children and provide COPPA Rule protections to all users.

Conclusion
The FTC’s policy statement represents a pragmatic response to a genuine regulatory challenge. By providing enforcement discretion for operators using age verification technologies in good faith, the FTC has sought to remove a potential barrier to the adoption of technologies that can enhance children’s online safety.

As Chairman Ferguson observed at the January workshop, “COPPA, a statute designed to empower parents and protect children online, should not be an impediment to the most child protective technology to emerge in decades.” This policy statement reflects that principle whilst maintaining the fundamental protections that COPPA provides.

The FTC voted 2-0 to issue the policy statement.