For years, websites and apps have faced a regulatory paradox: verifying a user’s age may be necessary to comply with the Children’s Online Privacy Protection Rule (COPPA), but the very act of collecting data for age-verification—such as facial scans or document scanning—could itself trigger a COPPA violation.
On February 25, 2026, the Federal Trade Commission (FTC) addressed this head-on. In a new policy statement, the Commission announced it will exercise enforcement discretion, signaling it will not pursue a COPPA Rule enforcement action against companies that collect, use, or disclose children’s data—without prior parental consent—solely to determine a user’s age through age verification technology.
This isn’t a free pass. To benefit from this enforcement leniency, operators must adhere to strict data practices. The FTC will refrain from bringing enforcement action against websites and online services engaging in age-verification if those operators:
- Use or disclose such collected information only for age verification purposes;
- Disclose the collected information only to third parties that maintain the confidentiality, security, and integrity of the information;
- Retain the collected information only as long as necessary to fulfill age verification and delete it promptly thereafter;
- Provide notice to parents and children regarding what information is collected and why;
- Employ appropriate safeguards for the information; and
- Take steps to ensure any age-verification mechanism used is reasonably likely to provide accurate results.
Key Takeaways:
- Leeway for age-verification now, but compliance obligations remain high. While the FTC will not pursue COPPA actions for certain age-verification practices, websites and digital services must follow a clear set of guardrails around data minimization, disclosure limits, and data security. As companies navigate a growing patchwork of state age‑verification laws, the FTC’s policy statement reduces the regulatory risk that state‑level compliance with mandatory age-verification obligations introduced.
- Expected rule changes ahead. The FTC indicates it is preparing to update the COPPA Rule to address age-verification technologies more directly, underscoring the agency’s view that such technology can serve as a meaningful tool to protect children online and help parents monitor their children’s online activities.
If your company has been hesitant to implement robust age-gating due to COPPA liability fears, there is now more regulatory flexibility—provided data hygiene is well-maintained. For more information on the evolving age-verification regulatory landscape, please contact any of the authors of this article for additional information.
