FTC Makes Clear its Position on Age Verification

The Federal Trade Commission (FTC) recently issued an enforcement policy statement on how the agency views the use of age verification technologies under the Children’s Online Privacy Protection Act (COPPA). The policy reflects growing recognition that age verification tools may play an important role in protecting children online and helping parents understand how their children interact with digital services.

To encourage the use of robust age-verification mechanisms, the Commission stated that it will not bring an enforcement action under the COPPA Rule against an operator that collects, uses, or discloses personal information for the purpose of determining a user’s age without first obtaining verifiable parental consent.

For companies navigating youth privacy compliance, the announcement provides important clarification on how age assurance technologies can be deployed within the COPPA framework.

Note, age verification and verifiable parental consent have become conflated.  It’s important to note that age verification is not the same or equal to parental consent. Verifying age allows the operator to provide an age appropriate experience and obtain verifiable parental consent when required.  

Background: COPPA and the Challenge of Age Verification

COPPA requires operators of commercial websites or online services directed to children under 13, or those with actual knowledge they are collecting personal information from a child, to provide notice to parents and obtain verifiable parental consent before collecting, using, or disclosing personal information. Certain exceptions apply. Since COPPA was enacted in 1998, children’s engagement with internet-connected technologies has expanded dramatically  which has led to an increased focus on the role age verification mechanisms may play in protecting young users online. Age verification technologies require the collection of some form of personal information to determine a user’s age.  However, collecting a child’s personal information without consent is not compliant with COPPA so verifying age without tripping over COPPA was a challenge. However, the Commission’s statement addresses this challenge. By clarifying how companies could implement age verification tools while maintaining compliance.

How the Policy Helps

COPPA applies to general audience services and mixed-audience services that need to determine whether a user is a child. Under the policy, the Commission states it will not bring enforcement actions under the COPPA Rule against operators that collect, use, or disclose personal information solely for age verification purposes, even if that occurs before obtaining parental consent. The goal is to encourage responsible adoption of more accurate age assurance tools while maintaining strong protections for children’s personal information.

Importantly, this enforcement discretion is limited to the collection and use of data strictly for determining a user’s age. All other COPPA obligations still apply.

Guardrails Apply

To qualify for the FTC’s enforcement discretion, companies must follow a number of safeguards designed to prevent age verification tools from resulting in excessive data collection or secondary uses.

Key conditions include:

• Purpose limitation: Information collected for age verification may only be used to determine a user’s age and cannot be repurposed for advertising, analytics, personalization, or other secondary uses.
  
  
• Third-party controls: If operators rely on vendors or service providers to conduct age verification, they must ensure those parties maintain confidentiality and security protections and agree not to reuse the information.
  
  
• Data minimization and deletion: Personal information collected for age verification may not be retained longer than necessary to determine a user’s age and must be deleted promptly afterward. But the signal then cannot be ignored. If the company’s age verification process suggests a child under the age of consent, then actual knowledge under COPPA has been obtained.
  
  
• Transparency: Operators must clearly disclose their age verification practices in their privacy policies.
  
  
• Security safeguards: Companies must employ reasonable security protections appropriate to the sensitivity of the information collected.
  
  
• Accuracy expectations: Operators must take reasonable steps to ensure that any age verification technology or vendor used is likely to provide reasonably accurate age determinations.

These conditions reinforce the FTC’s broader expectation that age verification technologies be implemented carefully and responsibly.

What This Means for Online Platforms

The FTC’s policy sends an important signal: age verification technologies are increasingly viewed as part of the solution to protecting children online, rather than a regulatory risk in themselves. At the same time, the Commission made clear that enforcement discretion is narrowly scoped. Companies must still comply fully with all other COPPA requirements when they collect personal information from children, including notice, parental consent, and data protection obligations. For many organizations, this means that governance, vendor oversight, and technical implementation of age verification systems will become increasingly important. The policy also indicates that the FTC intends to review the COPPA Rule to address age verification mechanisms in future rule making.

The Role of COPPA Safe Harbor Programs

The FTC’s policy also highlights the importance of governance and oversight when implementing age verification technologies. COPPA includes a “Safe Harbor” provision that allows industry groups to develop self-regulatory programs that provide the same or greater protections for children’s personal information as those required under the COPPA Rule.

Companies that participate in an FTC-approved Safe Harbor program are subject to the program’s review, monitoring, and dispute resolution procedures, often in lieu of direct FTC investigation in the first instance. For organizations navigating the operational complexity of child privacy compliance, Safe Harbor programs provide structured guidance for interpreting regulatory expectations and implementing compliant systems.

As an FTC-approved COPPA Safe Harbor since 2004, PRIVO works with companies to operationalize COPPA compliance across digital services used by children. PRIVO’s program combines regulatory expertise with privacy technology to help organizations implement age assurance, parental consent, and youth privacy protections in a coordinated framework.

This includes:

• Supporting companies in implementing age screening and age verification approaches aligned with regulatory expectations
  
  
• Designing and managing verifiable parental consent workflows
  
  
• Monitoring services for ongoing compliance
  
  
• Providing dispute resolution and remediation processes
  
  
• Supporting organizations as laws and regulatory expectations evolve

PRIVO supports across the board both as a COPPA Safe Harbor and an age verification provider, companies can work with a single partner to design, implement, and maintain compliant age assurance and consent systems. In a regulatory environment where age awareness is increasingly expected, Safe Harbor participation provides companies with comprehensive oversight and a robust compliance framework.

What Companies Should Do Now

The FTC’s policy provides clarity, but it also raises important operational considerations for companies evaluating or deploying age verification technologies. Organizations should consider the following steps:

Evaluate your age assurance approach
Review whether your current age screening or verification methods are sufficiently reliable and appropriate for your service’s audience and risk profile.

Establish governance around age verification data
Ensure that any personal information collected for age verification purposes is subject to clear purpose limitation, retention controls, and security protections. Consider data processing on the device vs sending biometric data to third party servers for processing when leveraging AI age estimation tools.

Assess vendor relationships and technical implementations
If you rely on third-party age verification tools, confirm that contractual protections, confidentiality safeguards, and deletion requirements align with regulatory requirements.

Meet COPPA obligations
Once a user is identified as a child under 13, organizations must be prepared to implement full COPPA protections, including verifiable parental consent and appropriate data practices.

Looking Ahead

The FTC’s enforcement policy will remain in effect until the Commission publishes final amendments to the COPPA Rule addressing age verification mechanisms or withdraws the statement. In the meantime, organizations evaluating age assurance technologies should carefully consider how those systems are designed, governed, and integrated into their privacy compliance programs. Age verification is likely to remain a central issue in youth privacy regulation as policymakers continue to address how children interact with digital services. For companies operating in this evolving regulatory environment, implementing age assurance thoughtfully, and within a broader framework of youth privacy protections is critical.

To read the full policy statement click here.

Want to learn more about PRIVO's Age Verification services? Let's talk.