FTC gives age verification tech a COPPA enforcement shield

The Federal Commerce Fee on February 25, 2026 printed an enforcement coverage assertion that grants a conditional protect to operators of mixed-audience and general-audience web sites that accumulate private information from youngsters for the only objective of figuring out their age. The assertion doesn’t amend the Youngsters’s On-line Privateness Safety Act or its implementing rule, but it surely does describe a set of circumstances below which the Fee will decline to pursue enforcement – a big sensible distinction for firms constructing or deploying age-verification merchandise in the US.

COPPA’s lengthy background

Congress enacted COPPA in 1998 to guard youngsters’s privateness and to empower mother and father to regulate the gathering of non-public data from their youngsters below 13. The FTC issued its first implementing rule on November 3, 1999. The rule was substantively revised in 2013 and once more in 2025, with the latest amendments – printed within the Federal Register on April 22, 2025 – taking effect on June 23, 2025 and carrying a compliance deadline of April 22, 2026. These amendments launched, amongst different issues, stricter necessities on consent for third-party information sharing involving youngsters’s information and an expanded definition of child-directed companies.

The core drawback the February 2026 assertion addresses is easy. COPPA requires operators to acquire verifiable parental consent earlier than gathering private data from a toddler. Age-verification mechanisms themselves require gathering data – typically together with biometric estimates, id alerts, or behavioral inference – to find out whether or not a given person is a toddler within the first place. That creates a authorized paradox: an operator can’t know whether or not parental consent is required with out first gathering information that will itself be coated by the very regulation requiring consent.

In line with the coverage assertion, the Fee acknowledges this rigidity instantly. A rising variety of age-verification mechanisms now permit operators to find out age “extra reliably than a user-provided response to an age-gating perform.” Easy self-declaration – typing a beginning 12 months right into a type – has attracted widespread criticism for being, as one supply cited within the coverage doc put it, “inadequate by way of accuracy, very simple to bypass, and clearly insufficient and inappropriate to be used in high-risk conditions.” The Fee flagged assist for extra dependable alternate options in its January 2024 Discover of Proposed Rulemaking, and the February 2026 assertion formalizes that assist as enforcement coverage.

What the assertion really says

The assertion applies to 2 classes of operators. The primary is what the FTC calls “combined viewers” web sites – these directed to youngsters however not concentrating on youngsters as their major viewers. The second is general-audience websites or companies that will encounter baby customers with out particularly in search of them. Operators whose companies are primarily directed to youngsters obtain no reduction; in keeping with the doc, these operators should proceed to deal with all customers as youngsters and apply COPPA’s full protections accordingly.

For the 2 coated classes, the Fee is not going to carry an enforcement motion below the COPPA Rule the place an operator collects, makes use of, or discloses private data for the aim of figuring out a person’s age – what the assertion calls “Age Verification Functions” – with out first acquiring verifiable parental consent. However the reduction is conditional, and the circumstances are particular.

The operator should not use or disclose data collected for Age Verification Functions for any objective apart from age verification. It should share that data solely with third events that it has vetted for his or her capacity to keep up confidentiality, safety, and integrity, and should acquire written assurances that these third events is not going to repurpose the info and can delete it promptly after the verification is full. The operator itself should delete the data as quickly because the verification objective is fulfilled – the assertion specifies that retention should not lengthen past “the interval crucial to satisfy the Age Verification Functions.”

Past information dealing with, the operator should present clear discover to oldsters and kids of what’s being collected for age verification functions, publish that discover in its privateness coverage, and make use of cheap safety safeguards. It should additionally take cheap steps to make sure that no matter product, service, methodology, or third occasion it makes use of for age verification is prone to produce fairly correct outcomes. Lastly, and critically, the enforcement protect applies provided that the operator is already complying with each different requirement of the COPPA Rule with respect to private data collected from youngsters.

The assertion defines age-verification instruments broadly. In line with the doc, “age verification” as used within the assertion refers to a few classes of instruments: age estimation instruments that estimate a person’s age or age vary; age-verification instruments that confirm a person’s age; and age inference instruments that infer a person’s possible age or age vary primarily based on varied alerts.

The Fee is specific that the assertion “doesn’t create any substantive rights or entitlements,” and that it “retains the precise to analyze and produce actions for violations of the COPPA Rule in particular person circumstances.” The protect is prosecutorial discretion, not authorized immunity. The assertion will stay in drive till the Fee publishes last rule amendments addressing age-verification mechanisms within the Federal Register, or till it’s in any other case withdrawn.

The regulatory course of going ahead

In line with the coverage assertion, the Fee intends to provoke a proper evaluate of the COPPA Rule within the coming months, particularly to handle age-verification mechanisms. This means the February 2026 assertion is a bridge measure – designed to scale back compliance uncertainty whereas a extra everlasting regulatory framework is developed. The FTC revised the COPPA Rule in 2025 after six years of rulemaking; an extra centered rulemaking on age verification would signify the third substantive revision for the reason that unique 1999 rule.

The timing issues. The April 22, 2026 compliance deadline for the 2025 COPPA amendments is lower than two months away. Operators who’ve spent the previous 12 months restructuring their information assortment and consent practices to fulfill these amendments now face a further coverage layer. The February assertion tries to take away a selected barrier to age-verification adoption, but it surely additionally provides a brand new compliance guidelines – written third-party assurances, documented deletion timelines, up to date privateness notices, and accuracy assessments for the verification instruments themselves.

State-level stress and the business context

The FTC’s transfer comes towards a backdrop of state-level legislative exercise that has been accelerating for a number of years. In line with the coverage assertion, varied states have enacted legal guidelines requiring the usage of age-verification mechanisms to entry social media platforms and different content material. The doc cites information from the Age Verification Suppliers Affiliation cataloguing state-level age assurance legal guidelines for each social media and grownup content material. That patchwork of state legal guidelines has created inconsistent obligations for platforms working nationally.

The IAB raised concerns as early as March 2024 that overly broad COPPA necessities might push companies to both cease catering to youngsters or accumulate extra information than crucial to realize compliance – an argument that pointed in the identical path because the FTC’s new enforcement assertion, although from a distinct angle. The Fee’s February 2026 place primarily accepts that some information assortment throughout age verification is a crucial value of defending youngsters at scale, supplied that information is firewalled from different makes use of.

Platform-level responses to age-verification necessities have assorted significantly. X implemented an age-assurance system in July 2025 requiring customers to show they’re over 18 to entry delicate content material, utilizing third-party processors together with Au10tix, Persona, and Stripe – although the system attracted criticism for being positioned behind a premium subscription paywall. Bluesky announced in August 2025 that it could block entry from Mississippi IP addresses relatively than adjust to that state’s Walker Montgomery Defending Youngsters On-line Act, citing compliance prices that reached $10,000 per person for non-compliance. Google Search began rolling out age-verification prompts in August 2025 extending verification necessities from YouTube to its major search interface.

Internationally, the regulatory image has grown extra complicated nonetheless. The European Commission published technical specifications in July 2025 for an EU-wide age-verification system tied to the Digital Providers Act, with full implementation focused by finish of 2026. The UK’s On-line Security Act, which imposed obligatory age checks for grownup content material platforms, triggered a 1,400% surge in VPN registrations when its enforcement provisions activated. Germany’s BVDW digital financial system affiliation published a position paper in February 2026 calling for risk-proportionate age verification confined to platforms presenting real dangers for minors – arguing towards blanket verification mandates that would drawback advertising-funded publishers.

FTC enforcement exercise in context

The FTC has not been passive on youngsters’s privateness throughout this era. The Commission sued robot toy maker Apitor in September 2025 for alleged COPPA violations stemming from the app’s integration of JPush, a software program growth package that collected and shared location information from baby customers. Disney confronted a $10 million penalty in September 2025 for improperly labeling child-directed movies on YouTube and enabling focused promoting to customers below 13. TikTok confronted an FTC lawsuit in August 2024 for alleged assortment of non-public information from youngsters below 13 with out correct parental consent.

The February 2026 coverage assertion sits alongside that enforcement report. It’s not a leisure of COPPA enforcement broadly, however a focused incentive for a selected class of exercise – age verification – that the Fee needs to encourage. The logic is that extra correct age determinations allow operators to use child-protection measures extra exactly, defending extra youngsters. Operators that can’t reliably distinguish youngsters from adults find yourself both treating all customers as youngsters – limiting companies unnecessarily – or treating none as youngsters and doubtlessly exposing younger customers to information practices they need to be shielded from.

What this implies for the advertising and marketing and promoting neighborhood

For digital entrepreneurs and promoting know-how practitioners, the assertion has a number of sensible implications. Combined-audience platforms – which embrace a good portion of the ad-supported web – now have a clearer path to implementing age-verification know-how with out triggering COPPA enforcement for the verification course of itself. That might speed up the adoption of instruments that produce extra dependable audience-age alerts, which in flip impacts how campaigns are segmented, focused, and measured throughout platforms that serve each grownup and baby customers.

The info-use restrictions within the assertion are strict, nevertheless. Info collected for Age Verification Functions can’t be used for every other objective – together with, by implication, promoting concentrating on, viewers enrichment, or behavioral profiling. Operators and their ad-technology companions might want to construct technical and contractual firewalls between age-verification information flows and information flows used for industrial functions. The written-assurance requirement for third events provides a contractual layer to plain data-processing agreements, and the deletion requirement implies that age-verification information can’t be retained in information lakes or information clear rooms for subsequent evaluation.

The accuracy requirement can be notable. Operators should take “cheap steps to find out that any product, service, methodology, or third occasion utilized for Age Verification Functions is probably going to supply fairly correct outcomes.” That customary invitations scrutiny of the verification instruments themselves – their false-positive charges, demographic biases, and technical methodologies. Distributors promoting age-estimation or age-inference merchandise into the US market will face stress to doc and show accuracy, and operators choosing these distributors will want due-diligence processes that transcend customary procurement.

The ICO’s fine of £247,590 against MediaLab for failing to implement any age-assurance measures on Imgur – introduced simply weeks earlier than the FTC assertion on February 5, 2026 – illustrates what regulators on either side of the Atlantic think about the baseline expectation: that platforms accessible to youngsters will need to have some mechanism in place. The FTC’s assertion units a distinct sort of ground for the US market: not simply that verification should occur, however that when it does, the info collected have to be protected, restricted, and deleted.

Timeline

• 1998 – Congress enacts COPPA, directing the FTC to promulgate implementing rules
• November 3, 1999 – FTC points the primary Youngsters’s On-line Privateness Safety Rule
• January 17, 2013 – FTC substantively revises the COPPA Rule for the primary time
• January 11, 2024 – FTC publishes Discover of Proposed Rulemaking for COPPA Rule amendments, supporting growth of age-verification mechanisms (PPC Land)
• March 17, 2024 – IAB raises issues about proposed COPPA modifications, warning they might hurt youngsters’s on-line entry (PPC Land)
• August 2024 – FTC sues TikTok for alleged COPPA violations involving information assortment from youngsters below 13
• February 11, 2025 – European Knowledge Safety Board adopts Assertion 1/2025 establishing ten GDPR-compliant rules for age assurance programs
• April 22, 2025 – FTC publishes complete COPPA Rule amendments within the Federal Register; rule takes impact June 23, 2025 (PPC Land)
• June 13, 2025 – Google’s International Director of Privateness Security criticizes Meta’s age-verification proposal as creating pointless dangers for kids (PPC Land)
• July 10, 2025 – Bluesky publicizes age-verification implementation for UK customers below the On-line Security Act (PPC Land)
• July 14, 2025 – European Fee publishes technical specs for an EU-wide age-verification system (PPC Land)
• July 26, 2025 – X implements age-verification system behind premium paywall for UK and EU customers (PPC Land)
• July 25-27, 2025 – UK On-line Security Act enforcement triggers a 1,400% surge in VPN registrations (PPC Land)
• August 15-18, 2025 – Google Search rolls out age-verification prompts to US customers (PPC Land)
• August 16, 2025 – NextDNS launches DNS-level bypass for age-verification programs (PPC Land)
• August 22, 2025 – Bluesky blocks Mississippi customers relatively than adjust to the Walker Montgomery Defending Youngsters On-line Act (PPC Land)
• September 2025 – FTC sues Apitor for COPPA violations involving third-party SDK information sharing from youngsters’s app (PPC Land)
• February 5, 2026 – UK ICO fines MediaLab £247,590 for failing to implement age-assurance measures on Imgur (PPC Land)
• February 10, 2026 – Germany’s BVDW publishes place paper calling for risk-proportionate age verification and media literacy, arguing towards blanket mandates (PPC Land)
• February 25, 2026 – FTC publishes Enforcement Coverage Assertion Selling the Adoption of Age-Verification Expertise, pledging to not carry COPPA enforcement circumstances towards operators gathering youngsters’s information solely for age-verification functions, topic to strict circumstances
• April 22, 2026 – Compliance deadline for 2025 COPPA Rule amendments

Abstract

Who: The Federal Commerce Fee, performing as the first US enforcement physique for COPPA, issued the coverage assertion. It applies to operators of mixed-audience web sites and general-audience websites or companies that accumulate private information from youngsters as a part of an age-verification course of.

What: An enforcement coverage assertion declaring that the FTC is not going to carry COPPA enforcement actions towards coated operators who accumulate youngsters’s private information for age-verification functions, supplied these operators meet a set of strict circumstances round information use, third-party disclosure, retention, discover, safety, and power accuracy.

When: The assertion was printed on February 25, 2026. It stays efficient till the FTC publishes last rule amendments on age-verification within the Federal Register, or till the assertion is in any other case withdrawn. A COPPA Rule evaluate particularly addressing age verification is anticipated to start within the coming months.

The place: The assertion applies in the US. It was issued by the Federal Commerce Fee below the authority of COPPA, 15 U.S.C. 6501 et seq., and the FTC’s COPPA Rule.

Why: Self-declaration age-gating has confirmed unreliable and simple to bypass. The FTC needs to encourage adoption of extra technically sturdy age-verification mechanisms that may decide a person’s age extra precisely. Extra correct determinations permit operators to use child-protection measures to the precise customers, defending extra youngsters. On the similar time, the verification course of itself requires information assortment that would technically set off COPPA legal responsibility – a paradox the assertion is designed to resolve, with out making a broad exemption that would weaken youngsters’s privateness protections elsewhere.