On February 25, 2026, the Federal Trade Commission (FTC) issued a policy statement announcing it will exercise discretion with respect to enforcement of the Children’s Online Privacy Protection Act (COPPA) to enable broader adoption of age verification technologies. As discussed in our February 4 alert regarding a recent FTC workshop, FTC leadership has acknowledged a perceived tension between implementing age assurance technologies and complying with COPPA’s prohibition against collecting personal information of children under 13 without verifiable parental consent (VPC). This new policy statement is the agency’s first step toward resolving that tension.

Background: COPPA enforcement and age verification tension

Under the COPPA Rule, operators of commercial websites and online services that are directed to children under 13 – or that have actual knowledge that they are collecting personal information from such children – must provide clear notice of information practices and obtain VPC before collecting, using or disclosing the child’s personal information, subject to narrow exceptions.

At the FTC’s January 28 workshop on age assurance technologies, agency leadership acknowledged that this leads to a “chicken-versus-egg” dilemma: COPPA’s parental consent requirement can impede deployment of technologies that are designed precisely to avoid unlawful data collection from children under 13 by learning a user’s age upfront.

The FTC’s new policy statement: What it says and what it means

The FTC states that it will not bring an enforcement action under the COPPA Rule against general or mixed audience operators that collect, use or disclose personal information solely for age verification purposes – even without first obtaining VPC – so long as the operator follows specified safeguards, including:

  • Limited purpose and use: Information collected for age verification must be used only to determine a user’s age and not for other purposes, such as marketing or profiling.
  • Data minimization and retention: Operators must retain only what is necessary to achieve age verification and promptly delete the information when no longer needed.
  • Third-party safeguards: Where age verification is performed with third parties, operators must take reasonable steps to ensure the third party can protect the confidentiality, integrity and security of the information.
  • Clear notice: Operators must provide clear notice to users – including parents and children – about the information collected for age verification.
  • Security: Operators must use reasonable security safeguards.
  • Accuracy considerations: Operators must take reasonable steps to ensure that the products, services, methods or third parties used for age verification are likely to produce reasonably accurate age determinations.

Importantly, the FTC will not “exercise its enforcement discretion [] unless the Relevant Operator is complying with the COPPA Rule’s requirements in every other respect with regard to personal information collected from children.”

Practical impact: The policy statement offers limited safe harbor protection from the risk of enforcement by the FTC and encourages deployment of age assessment tools. Operators with mixed audiences – where the risk of unknowingly collecting a child’s data is high – can adopt age verification technologies (consistent with the FTC requirements) with less concern that they may be the targets of enforcement by the FTC. For example, age verification based on the collection of images, videos or biometrics from users, without obtaining VPC in advance, now presents less risk as a result of the policy statement.

What the FTC’s new policy does not do

It does not amend COPPA or the COPPA Rule.

The policy statement is not a rulemaking and does not change statutory or regulatory text. It is a declaration of enforcement posture under the current FTC commissioners. Future commissioners may amend or withdraw the policy statement. However, when announcing the policy statement, the FTC indicated that it intends to initiate a review of the COPPA Rule to address age verification mechanisms – which companies should watch for, and Cooley will monitor.

It does not apply to state enforcement of COPPA.

Under COPPA, states – as parens patriae – may bring civil actions on behalf of the residents of the state. The policy statement does not claim to apply to actions brought by a state. Unless and until the COPPA Rule is amended consistent with the policy statement, states may continue to bring actions even under circumstances where the FTC has chosen not to enforce as a matter of discretion.

It does not help ‘primarily child-directed’ services.

Operators that are primarily directed to children remain expected to treat all users as children for COPPA purposes and provide COPPA protections across the service.

It does not waive COPPA for everything else.

The enforcement discretion is narrowly framed: It applies only to collection/use/disclosure for age verification purposes and only if the operator is otherwise in compliance with COPPA, where applicable. Once age is determined, the operator’s obligations may change materially, particularly if the operator gains “actual knowledge” that a user is under 13. Notably, the policy statement does not green light the use of personal information collected from children for age assurance purposes other than the immediate age verification of individual users. For example, it does not contemplate the collection or use of children’s information to build datasets used to train age estimation algorithms, nor does it provide new safe harbor protection for the retention of age verification information to help operators prevent future attempts to circumvent their age policies. For these types of broader age assurance purposes, operators will need to continue navigating carefully within the parameters of the existing COPPA Rule.

Practical implications for product, legal and vendor strategy

Greater comfort when using cutting-edge age verification technologies.

The policy statement is intended to encourage novel and more highly effective age verification technologies than simple age gates based on user-declared birthdates. The policy statement should give companies that felt hamstrung by COPPA increased comfort when taking advantage of technologies that leverage the collection of images, videos or biometrics from users for age verification, which are increasingly being used – and required – in foreign markets.

Age verification can create ‘actual knowledge.’

Age verification can convert uncertainty into certainty. If an age check indicates a user is under 13, the operator may gain actual knowledge, triggering COPPA obligations. Depending on the service and the circumstances, an operator that has obtained actual knowledge may be forced to obtain VPC or delete all personal information pertaining to the user in question.

Alignment with the broader ‘age assurance maze.’

As our February 4 alert noted, COPPA is only one part of the age assurance landscape; state laws and global regimes are pushing age gating and age estimation in parallel. The FTC statement helps reduce COPPA-specific friction for the age-check step, but it does not resolve the wider patchwork around when age checks are required, how they must be performed and what content or features must be gated.

Other laws may still apply.

Other laws, including comprehensive state privacy laws, may apply to the collection of personal information for age verification purposes. The policy statement does not impact the applicability of those laws. For example, if a company chooses to take advantage of the policy statement by employing biometrics-based age verification, it should remain cognizant of laws that regulate the collection and use of biometric data, including the Illinois Biometric Information Privacy Act (BIPA), which requires certain disclosures and consent, notwithstanding the policy statement.

Monitor litigation developments involving age assurance laws.

The constitutionality of age assurance and age verification laws is being actively litigated in both state and federal courts across the country. Businesses should monitor developments in these cases to inform their assessments of risk and regulator expectations.

Related insights

This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as "Cooley"). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction, and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. When advising companies, our attorney-client relationship is with the company, not with any individual. This content may have been generated with the assistance of artificial intelligence (Al) in accordance with our Al Principles, may be considered Attorney Advertising and is subject to our legal notices.