Privacy & Cybersecurity Law Blog

On February 25, 2026, the Federal Trade Commission announced a new Policy Statement encouraging the use of age-verification technologies, pursuant to the agency’s authority to enforce the Children’s Online Privacy Protection (“COPPA”) and the FTC’s COPPA Rule. Among other requirements, COPPA requires parental notice and verifiable consent prior to the collection, use or disclosure of personal information obtained from children under 13 online. COPPA applies to operators of commercial websites and online services that either: (1) are specifically “directed to children” under 13, as determined by FTC criteria; or (2) have “actual knowledge” – as defined under COPPA – of collecting personal information from children under 13 online. Operators of websites or online services that are “directed to children” must comply with COPPA’s requirements with respect to all users. On the contrary, operators of “general audience” websites or online services (i.e., online services that are not directed to children) must comply with COPPA only when the operator has “actual knowledge” that a user is a child under 13. Additionally, operators of “mixed audience” websites or online services (i.e., websites that may be “directed to children” but do not target children as their “primary audience”) must comply with COPPA with respect to users identified as under 13 (e.g., through the use of an age gate). The Policy Statement collectively refers to operators of “general audience” and “mixed audience” websites and online services as “Relevant Operators.”

The Policy Statement acknowledges the recent enactment of a number of state laws requiring certain websites and online services to use age-verification mechanisms. While neither the COPPA Rule nor the Policy Statement explicitly requires Relevant Operators to verify users’ ages, the Policy Statement encourages the adoption of new age-verification mechanisms that can “determine age more reliably than a user-provided response to an age-gating function.” Such new technologies were discussed at the FTC’s January 2026 Workshop on Age Verification Technologies. According to the Policy Statement, more wide adoption of such technologies will provide Relevant Operators with “more accurate [age] determinations” and, in turn, allow Relevant Operators “to apply their child-protection measures to the fullest extent, thereby protecting more children online.”

To support wider adoption of such “robust” age-verification technologies, the FTC’s Policy Statement indicates that the agency will not bring a COPPA enforcement action against a Relevant Operator that collects, uses or discloses a child’s personal information for the sole purpose of determining a user’s age without COPPA-compliant parental consent, provided that the Relevant Operator otherwise complies with COPPA and:

• limits the use and disclosure of the personal information strictly to age determination purposes;
• retains the personal information for only as long as necessary and promptly deletes it;
• discloses the personal information only to third parties capable of maintaining data confidentiality, security and integrity;
• provides clear notice to parents and children about what personal information is collected;
• implements reasonable security safeguards with respect to the personal information; and
• takes reasonable steps to ensure the age‑verification method is likely to produce accurate results.

The Policy Statement indicates that the FTC intends to initiate a review of the COPPA Rule in the coming months to address age-verification mechanisms, and that the Policy Statement will remain in effect until the FTC publishes final Rule amendments, or until otherwise withdrawn.