FTC Signals New Approach to Age Verification Under COPPA

The Federal Trade Commission (FTC) recently issued an enforcement policy statement signaling a significant shift in how the agency views the use of age verification technologies under the Children’s Online Privacy Protection Act (COPPA). Under the policy, the FTC announced that it will exercise enforcement discretion and decline to bring COPPA actions against certain operators that collect, use, or disclose personal information solely for the purpose of determining a user’s age—without first obtaining verifiable parental consent—provided strict safeguards are met.

The policy reflects growing recognition that stronger age verification tools may play an important role in protecting children online and helping parents understand how their children interact with digital services. For companies navigating youth privacy compliance, the announcement provides important clarification on how age assurance technologies can be deployed within the COPPA framework. Note, this is about smarter age gating, not conflating age verification to equal parental verification when verifiable parental consent is required under COPPA.

Background: COPPA and the Challenge of Age Verification

COPPA requires operators of commercial websites or online services directed to children under 13, or those with actual knowledge they are collecting personal information from a child, to provide notice to parents and obtain verifiable parental consent before collecting, using, or disclosing personal information. Certain exceptions apply. Since COPPA was enacted in 1998, children’s engagement with internet-connected technologies has expanded dramatically. At the same time, policymakers and regulators have increasingly focused on the role age verification mechanisms may play in protecting young users online. However, many age verification technologies require the collection of some form of personal information in order to determine a user’s age. This has created a practical tension: how can companies verify age before knowing whether the user is a child requiring parental consent? The FTC’s recent policy statement is intended to address this challenge by clarifying how companies may implement age assurance tools while maintaining compliance with COPPA.

What the FTC Policy Allows

The FTC’s policy applies to general audience services and mixed-audience services that need to determine whether a user is a child. Under the policy, the Commission states it will not bring enforcement actions under the COPPA Rule against operators that collect, use, or disclose personal information solely for age verification purposes, even if that occurs before obtaining parental consent. The goal is to encourage responsible adoption of more accurate age assurance tools while maintaining strong protections for children’s personal information.

Importantly, this enforcement discretion is limited to the collection and use of data strictly for determining a user’s age. All other COPPA obligations remain fully in force.

Guardrails Still Apply

To qualify for the FTC’s enforcement discretion, companies must follow a number of safeguards designed to prevent age verification tools from resulting in excessive data collection or secondary uses.

Key conditions include:

• Purpose limitation: Information collected for age verification may only be used to determine a user’s age and cannot be repurposed for advertising, analytics, personalization, or other secondary uses.
  
  
• Third-party controls: If operators rely on vendors or service providers to conduct age verification, they must ensure those parties maintain confidentiality and security protections and agree not to reuse the information.
  
  
• Data minimization and deletion: Personal information collected for age verification may not be retained longer than necessary to determine a user’s age and must be deleted promptly afterward. But the signal then cannot be ignored. If the company’s age assurance process suggests a child under the age of consent, then actual knowledge under COPPA will come into play.
  
  
• Transparency: Operators must clearly disclose their age verification practices in their privacy policies.
  
  
• Security safeguards: Companies must employ reasonable security protections appropriate to the sensitivity of the information collected.
  
  
• Accuracy expectations: Operators must take reasonable steps to ensure that any age verification technology or vendor used is likely to provide reasonably accurate age determinations.

These conditions reinforce the FTC’s broader expectation that age verification technologies be implemented carefully and responsibly.

What This Means for Online Platforms

The FTC’s policy sends an important signal: age verification technologies are increasingly viewed as part of the solution to protecting children online, rather than a regulatory risk in themselves. At the same time, the Commission made clear that enforcement discretion is narrowly scoped. Companies must still comply fully with all other COPPA requirements when they collect personal information from children, including notice, parental consent, and data protection obligations. For many organizations, this means that governance, vendor oversight, and technical implementation of age assurance systems will become increasingly important. The policy also indicates that the FTC intends to review the COPPA Rule to address age verification mechanisms in future rule making.

The Role of COPPA Safe Harbor Programs

The FTC’s policy also highlights the importance of governance and oversight when implementing age verification technologies. COPPA includes a “Safe Harbor” provision that allows industry groups to develop self-regulatory programs that provide the same or greater protections for children’s personal information as those required under the COPPA Rule.

Companies that participate in an FTC-approved Safe Harbor program are subject to the program’s review, monitoring, and dispute resolution procedures, often in lieu of direct FTC investigation in the first instance. For organizations navigating the operational complexity of youth privacy compliance, Safe Harbor programs provide structured guidance for interpreting regulatory expectations and implementing compliant systems.

As an FTC-approved COPPA Safe Harbor since 2004, PRIVO works with companies to operationalize COPPA compliance across digital services used by children and teens. PRIVO’s program combines regulatory expertise with privacy technology to help organizations implement age assurance, parental consent, and youth privacy protections in a coordinated framework.

This includes:

• Supporting companies in implementing age screening and age verification approaches aligned with regulatory expectations
  
  
• Designing and managing verifiable parental consent workflows
  
  
• Monitoring services for ongoing compliance
  
  
• Providing dispute resolution and remediation processes
  
  
• Supporting organizations as laws and regulatory expectations evolve

Because PRIVO operates both as a COPPA Safe Harbor and an age verification provider, companies can work with a single partner to design, implement, and maintain compliant age assurance and consent systems. In a regulatory environment where age awareness is increasingly expected, Safe Harbor participation provides companies with structured oversight and a defensible compliance framework.

What Companies Should Do Now

The FTC’s policy creates new clarity, but it also raises important operational considerations for companies evaluating or deploying age verification technologies. Organizations should consider the following steps:

Evaluate your age assurance approach
Review whether your current age screening or verification methods are sufficiently reliable and appropriate for your service’s audience and risk profile.

Establish governance around age verification data
Ensure that any personal information collected for age verification purposes is subject to clear purpose limitation, retention controls, and security protections. Consider airing on the side of data processing at the edge/ on the device vs sending biometric data for third party server processing when leveraging AI age estimation tools.

Assess vendor relationships and technical implementations
If you rely on third-party age verification tools, confirm that contractual protections, confidentiality safeguards, and deletion requirements align with FTC expectations.

Prepare for downstream COPPA obligations
Once a user is identified as a child under 13, organizations must be prepared to implement full COPPA protections, including verifiable parental consent and appropriate data practices.

Looking Ahead

The FTC’s enforcement policy will remain in effect until the Commission publishes final amendments to the COPPA Rule addressing age verification mechanisms or withdraws the statement. In the meantime, organizations evaluating age assurance technologies should carefully consider how those systems are designed, governed, and integrated into their privacy compliance programs. Age verification is likely to remain a central issue in youth privacy regulation as policymakers continue to address how children interact with digital services. For companies operating in this evolving regulatory environment, implementing age assurance thoughtfully—and within a broader framework of youth privacy protections—will be critical.

To read the full policy statement click here.

Want to learn more about PRIVO's Age Verification services? Let's talk.