Overview
On February 25, 2026, the Federal Trade Commission (FTC) issued a Policy Statement clarifying its enforcement approach under the Children’s Online Privacy Protection Act (COPPA) Rule to encourage the use of age verification technologies by certain website and online service operators. The FTC announced that it will not bring an enforcement action under the COPPA Rule against operators of general audience and mixed audience websites and online services that collect, use, or disclose personal information from children solely for the purpose of determining a user’s age using age verification technologies, provided that the operators comply with specified conditions. Importantly, the Policy Statement removes a significant compliance obstacle for website and online service operators that wish to leverage age verification technologies as part of their COPPA compliance strategies.
The Policy Statement also underscores the FTC’s clear, public support for the appropriate use of these technologies. For example, in the press release accompanying the Policy Statement, the FTC’s director of the Bureau of Consumer Protection noted that “[a]ge verification technologies are some of the most child-protective technologies to emerge in decades” and explained that the Policy Statement “incentivizes operators to use these innovative tools, empowering parents to protect their children online.” This position is also consistent with the FTC’s January 2026 age verification workshop, where FTC Commissioner Meador supported the use of age verification technology, noting that “[age verification] offers a way to unleash American innovation without compromising the health and well-being of America’s most important resource: its children.”
The Policy Statement further explains that the FTC intends to initiate a review of the COPPA Rule to address age verification mechanisms. The Policy Statement will remain effective until the FTC publishes final rule amendments on this issue in the Federal Register, or until otherwise withdrawn.
In Depth
After Congress enacted COPPA in 1998, the FTC issued the COPPA Rule in 1999 with substantive amendments in 2013 and 2025. The COPPA Rule has served as the centerpiece of federal children’s online privacy protections. Among other requirements, it generally requires operators of websites or online services directed to children under age 13 – or operators with actual knowledge that they are collecting personal information from a child – to provide direct notice to parents of their information practices and obtain verifiable parental consent before collecting, using, or disclosing the personal information of a child under the age of 13.
The COPPA Rule generally requires any operator of a website or online service that is “directed to children” under the age of 13, or any operator that has any “actual knowledge that it is collecting personal information from a child,” to provide parents with direct notice of their privacy policies and to obtain verifiable parental consent before collecting or using personal information from children under the age of 13. The most recent changes to the COPPA Rule, effective June 2025, established an April 22, 2026, compliance deadline for companies to comply with significant new requirements related to transparency, data sharing, data security, and retention.
The Policy Statement appears to directly address concerns Commissioner Ferguson raised in his January 2026 concurring statement accompanying the COPPA Rule amendments—namely, that the Final Rule “missed the opportunity to clarify that the Final Rule is not an obstacle to the use of children’s personal information solely for the purpose of age verification” and should have added an exception permitting such collection, subject to prompt deletion once that purpose is fulfilled. The Policy Statement explains that age verification includes a variety of tools that obtain information about a user’s age, including age estimation tools that estimate a user’s age range, age verification tools that verify a user’s age, and age inference tools that infer a likely age or age range based on various signals.
The use of age verification tools continues to grow in other contexts. Certain states have begun mandating the use of age verification technologies in specific contexts (e.g., Utah S.B. 194, Texas H.B. 18 (SCOPE Act), Mississippi H.B. 1126), although many of these laws are currently being challenged in litigation.
Conditions on operators
The Policy Statement emphasizes that, in addition to the requirements below, the FTC will refrain from bringing an enforcement action only if the operator is otherwise fully compliant with the COPPA Rule. The FTC believes this enforcement guidance will encourage accurate and reliable age verification mechanisms used solely for age verification purposes, while permitting relevant operators to apply child-protective measures.
The Policy Statement makes clear the FTC will exercise its enforcement discretion only where an operator:
- Does not use or disclose information collected for age verification purposes for any purpose except to determine a user’s age;
- Does not retain this information longer than necessary to fulfill the age verification purposes, and delete such information promptly thereafter;
- Discloses information collected for age verification purposes only to those third parties the operator has taken reasonable steps to determine are capable of maintaining the confidentiality, security, and integrity of the information, including by obtaining certain written assurances from those third parties;
- Provides clear notice to parents and children of the information collected for age verification purposes;
- Employs reasonable security safeguards for information collected for age verification purposes; and
- Takes reasonable steps to determine that any product, service, method, or third party utilized for age verification purposes is likely to provide reasonably accurate results as to the user’s age.
Next steps
Alongside the Policy Statement, we should expect the FTC to propose further amendments and clarifications to the COPPA Rule. Based on Commissioner Ferguson’s January 2026 concurring statement accompanying the COPPA Rule amendments, the FTC could reconsider the new requirement to obtain parental consent when a business shares data with a new third party as well as the requirement that personal information collected online not be retained indefinitely. As Commissioner Ferguson explained in his concurring statement, “the Final Rule does not define materiality with any specificity” and leaves “indefinitely” undefined – gaps that could allow companies to set excessively long retention periods while technically complying, or create ambiguity that complicates compliance and enforcement.
Implications for companies and service providers
By issuing the Policy Statement, the FTC signals that child online safety remains at the forefront of its regulatory and enforcement agenda. The Policy Statement also suggests support for continued state age verification laws and encourages the use of new and reliable technologies to maximize child safety online. Notably, this Policy Statement refers only to the FTC’s enforcement discretion and does not apply to or restrict state attorneys general’s enforcement of COPPA.
Notably, the Policy Statement did not change the COPPA Rule’s substantive requirements. As of April 22, 2026, operators still will be required to comply with the transparency requirements, new limits on data sharing, and enhanced security and retention standards. Adherence to these requirements is essential to avoid enforcement risk. The Policy Statement also requires operators to take “reasonable” steps and employ “reasonable” safeguards to qualify for enforcement discretion, suggesting that the FTC will scrutinize how age verification technologies are implemented and how information collected for age verification purposes is secured.
Companies with users near the age 13 threshold should continue evaluating their age verification practices considering the Policy Statement. We will continue to monitor FTC enforcement activity and any related litigation.
If you have questions about the Policy Statement or its implications for your products and services, please contact any of the authors or your regular McDermott lawyer.