On February 25, 2026, the Federal Trade Commission (“FTC”) issued an enforcement policy statement announcing that the Commission will not bring enforcement actions under the Children’s Online Privacy Protection Act (“COPPA”) Rule against operators of general audience sites and services and mixed audience sites and services that collect, use, or disclose personal information for the sole purpose of determining a user’s age without first obtaining verifiable parental consent (“VPC”).
The policy statement addresses a long-standing tension under COPPA: commercial website and online service operators that seek to provide stronger protection for children through the sharing of personal information via age-verification methods, with the stated goal of determining whether the user is a child at the outset of the interaction, risk a COPPA violation in doing so. COPPA requires parental consent before collecting, using, or disclosing personal information from children under 13.
The policy statement seeks to incentivize companies to adopt robust age verification technologies. By clarifying that the FTC will exercise enforcement discretion where age verification data is collected and used narrowly and responsibly, the FTC addresses the concern that collecting data, such as identification or biometric information, for age checks will automatically violate COPPA. Under the policy statement, companies may bypass the strict VPC requirements if they comply with certain conditions, including that they:
- do not use or disclose information collected for age verification purposes for any purpose except to determine a user’s age;
- do not retain this information longer than necessary to fulfill the age verification purposes, and delete such information promptly thereafter;
- disclose information collected for age verification purposes only to those third parties the operator has taken reasonable steps to determine are capable of maintaining the confidentiality, security, and integrity of the information, including by obtaining certain written assurances from those third parties;
- provide clear notice to parents and children of the information collected for age verification purposes;
- employ reasonable security safeguards for information collected for age verification purposes; and
- take reasonable steps to determine that any product, service, method, or third party utilized for age verification purposes is likely to provide reasonably accurate results as to the user’s age.
The policy statement closely tracks themes raised during the FTC’s January 28, 2026 workshop, Protecting American Children: A Workshop to Explore Age Verification Technologies. It responds directly to privacy concerns raised during the workshop, for example, by imposing guardrails on collected data—including strict purpose‑limitation and prompt‑deletion requirements—which mitigate the risk of creating a “honey pot” of sensitive children’s data that could be attractive to bad actors.
At the workshop, the FTC emphasized that children’s privacy remains an enforcement priority and that the agency will continue to pursue vigorous enforcement actions against COPPA violations. At the same time, the FTC acknowledged the role of technological innovation in children’s data protection and recognized stakeholder calls for COPPA enforcement to evolve alongside emerging age verification technologies and related needs. The FTC has indicated in the policy statement that it intends to initiate a review of the COPPA Rule to address age verification mechanisms.
What It Means for Businesses
For businesses, the policy statement presents both opportunity and caution. On the one hand, operators of general and mixed audience services now have clearer guidance that responsibly implemented age verification tools will not automatically trigger COPPA enforcement risk. This may encourage broader adoption of age verification mechanisms, particularly as state-level age verification requirements continue to expand, as addressed in our prior advisory.
On the other hand, the policy statement underscores that enforcement discretion is conditional. Companies that deploy age verification technologies will have to carefully assess whether their practices align with the FTC’s stated guardrails—especially around secondary use, retention, vendor management, and security. The statement also reinforces that once a company identifies a user as under 13, it may acquire “actual knowledge” under COPPA, triggering full compliance obligations going forward.
Finally, because the FTC has signaled that formal COPPA amendments may follow, businesses should expect this area to continue to evolve.
