The United States Federal Trade Commission (FTC) has issued a policy statement indicating it will not bring enforcement actions under the Children’s Online Privacy Protection Rule (COPPA) against websites and online services that collect, use, or disclose personal information solely to determine a user’s age, provided certain conditions are met. The policy statement was approved by the commission and aims to encourage broader adoption of age verification technologies by operators of general-audience sites and mixed-audience services concerned that collecting information for age checks could trigger COPPA compliance obligations.
Under the FTC’s enforcement policy statement, operators will be exempt from COPPA enforcement as long as they collect and use personal information strictly for age verification and not for any unrelated purposes. They must delete information promptly after confirming a user’s age, limit disclosure of such data only to third parties capable of safeguarding it, and employ reasonable security safeguards to protect the information. Sites must also provide clear notice to both parents and users about the data collected, and take steps to ensure that any age-verification methods or third-party services used are likely to produce reasonably accurate results.
The policy statement emphasises that it does not alter other COPPA obligations; operators must still comply with all existing privacy protections required when personal information is collected from children. The FTC said its intention with the statement is to provide legal clarity for companies weighing the implementation of age verification mechanisms while the commission continues a separate review of the COPPA Rule that may formally address age assurance.
COPPA is a U.S. federal law that governs the online collection of personal data from children under 13 and generally requires verifiable parental consent before such data is gathered. The FTC has historically brought enforcement actions for violations of the rule in cases where companies collected personal information from young users without appropriate consent. The agency’s clarification comes amid industry questions over whether age verification technology could inadvertently trigger COPPA enforcement due to the data it requires.
Industry stakeholders have expressed concern that collecting data for age verification may expose companies to enforcement risk under existing children’s privacy rules. By signalling that it will exercise discretion and refrain from acting against age verification practices that meet the specified conditions, the FTC aims to reduce uncertainty and support broader use of such tools to determine users’ ages before allowing access to age-restricted services or content.
The agency noted that the enforcement policy statement will remain in effect until it publishes any final amendments to the COPPA Rule related to age verification in the Federal Register or withdraws the statement. The commission’s move aligns with discussions in regulatory and policy circles about the role of age assurance technologies in child data protection as online safety frameworks evolve.