FTC COPPA age-verification policy signals a more permissive phase for child-safety controls

Summary

The FTC has issued a policy statement saying it will not bring COPPA enforcement action against certain general-audience and mixed-audience sites that collect, use, or disclose personal information solely to determine a user’s age through age-verification technologies, so long as they meet specific guardrails. The move signals a more permissive regulatory stance toward age-assurance tooling where operators can show narrow purpose limitation, short retention, clear notice, reasonable security, controlled disclosure, and reasonable accuracy.

What happened

On 25 February 2026, the Federal Trade Commission announced an enforcement policy statement tied to the Children’s Online Privacy Protection Rule. COPPA normally requires operators of child-directed services, and operators with actual knowledge that they are collecting personal information from children under 13, to provide notice and obtain verifiable parental consent before collecting, using, or disclosing that information.

The FTC said it will not bring an enforcement action under the COPPA Rule against certain operators of general-audience and mixed-audience sites and services that use personal information for the sole purpose of determining a user’s age without first obtaining parental consent, provided that they comply with a set of conditions.

Key details

The FTC’s conditions include:

using the collected information only for age-verification purposes
not retaining the information longer than necessary and deleting it promptly afterwards
disclosing the information only to third parties that can maintain confidentiality, security, and integrity, backed by written assurances
providing clear notice to parents and children about the information collected for age-verification purposes
employing reasonable security safeguards
taking reasonable steps to ensure the chosen product, service, method, or third party is likely to provide reasonably accurate age results

The FTC also said it intends to review the COPPA Rule to address age-verification mechanisms more directly. The policy statement remains effective until final rule amendments are published or the statement is otherwise withdrawn.

Why it matters

This matters because child-safety, age-assurance, and privacy compliance are increasingly colliding in practice. Many operators have been caught between pressure to verify age more aggressively and concern that collecting data for age assurance could itself create additional privacy or COPPA risk.

The FTC is trying to reduce that friction. In effect, it is telling operators that age verification can be compatible with COPPA if the practice is tightly scoped, well-governed, and not repurposed into broader data collection.

Assessment

The policy statement is best read as a regulatory signal rather than a blanket approval of age-verification expansion. It creates breathing room for operators that want to deploy child-protective controls, but only where they can demonstrate disciplined handling of the data involved.

That makes this significant for both privacy and platform-governance teams. It suggests US regulators are moving toward a more operational model of child-safety compliance: not simply asking whether age verification is used, but how narrowly it is used, how long information is kept, how securely it is handled, and whether operators can justify the underlying method.

Recommended actions

review whether any existing or planned age-assurance tooling relies on personal information collection that now falls within the FTC’s stated enforcement position
verify that purpose limitation, retention, deletion, vendor controls, notice, and security controls are documented rather than implied
assess whether current age-verification methods are accurate enough to support the organisation’s risk posture and public claims
monitor the forthcoming COPPA rule review, since today’s policy statement is likely a bridge toward more formal rule changes