The Federal Trade Commission made a significant move today that could reshape how websites and apps approach child safety online. In a new policy statement, the FTC announced it will not take enforcement action under the Children’s Online Privacy Protection Rule (COPPA) against operators that collect personal information solely to verify a user’s age — as long as that data isn’t used for any other purpose.
It’s a carefully targeted action, but its implications are broad.
The Problem the FTC Was Trying to Solve
COPPA, passed in 1998, requires websites and online services directed at children under 13 to obtain verifiable parental consent before collecting any personal information. It’s a foundational piece of children’s privacy law — but it was written before age verification technology existed in any meaningful form.
Fast forward to 2026, and the internet is awash with services that children regularly access, many of which carry serious risks. States have been passing laws requiring platforms to verify users’ ages before granting access to certain content. But there was a critical catch: verifying age often requires collecting personal data — and that very act could trigger COPPA liability.
The result? A perverse incentive. Companies worried that deploying age-verification tools to protect kids could expose them to enforcement risks for violating kids’ privacy laws. As one COPPA rule expert put it, “COPPA unintentionally discourages age checks, because it treats any collection of children’s data as a compliance risk.”
What the Policy Statement Does
Today’s FTC statement resolves that tension — at least for now.
The Commission made clear that operators who collect, use, and disclose personal information only to determine a user’s age through age verification technologies will not face COPPA enforcement for doing so. The safe harbor is narrow by design: data collected for age verification cannot be repurposed, retained beyond what’s necessary, or used for any secondary purpose, such as advertising or profiling.
The FTC also announced it intends to formally initiate a review of the COPPA Rule to address age verification mechanisms on a permanent basis through a rulemaking process. The policy statement will remain in effect until those formal amendments are finalized — or until the Commission withdraws it.
The vote was 2-0.
Why This Matters
The FTC’s own Bureau of Consumer Protection Director, Christopher Mufarrige, called age verification technologies “some of the most child-protective technologies to emerge in decades.” That’s a striking statement from a federal regulator — and it signals where this administration’s priorities lie.
For years, age verification has been stuck in a regulatory gray zone. At the state level, laws in places like Texas, Utah, and Arkansas have pushed platforms to verify ages before granting access to social media or explicit content — but legal challenges have slowed implementation, and companies remained uncertain about their federal exposure. Today’s announcement gives companies a meaningful green light at the federal level.
Iain Corby, executive director of the Age Verification Providers Association, called it “a major landmark.” His reasoning: Silicon Valley is the center of gravity for the global internet, and when America’s top consumer protection regulator endorses age verification, it is likely to become a de facto global standard.
What Companies Need to Know
If you operate a website or app that could be accessed by children, here are the key practical takeaways:
The safe harbor is conditional. You can use age verification technologies without COPPA liability only if the personal data collected is used exclusively for age determination. Any secondary use — analytics, marketing, onboarding — takes you outside the protection.
Data minimization is essential. The FTC’s position is consistent with a broader regulatory expectation that age verification should collect the minimum amount of data necessary. This is not a license to build comprehensive user profiles under the banner of age checking.
The policy is temporary. This is an enforcement policy statement, not a rule. It fills a gap until formal COPPA Rule amendments are completed. Companies should closely monitor the FTC’s rulemaking process, as the formal rule may include additional conditions or requirements.
COPPA compliance deadlines are still approaching. Separate from age verification, the updated COPPA Rule (finalized in early 2025) has a compliance deadline of April 22, 2026. Companies must ensure their broader data practices are aligned with those amendments, regardless of today’s announcement.
The Bigger Picture
Today’s policy statement is part of a consistent pattern from the current FTC. In recent months, the Commission has settled with entities for unlawful collection of children’s data and hosted a workshop focused entirely on age verification. Children’s online privacy is clearly a flagship issue, and with growing state legislation and enforcement actions, now is a perfect time to review your current policies and procedures.
For years, age verification technology existed, but the legal path was unclear. Today, the FTC cleared it…for now!
Reach out if you want Troutman Amin to assist you with reviewing your current policies covering your COPPA obligations.
CIPAWorld 