FTC Signals It Won’t Penalize Companies for Using Age Verification Tools Under COPPA

The U.S. Federal Trade Commission has issued a policy statement that could significantly reshape how companies approach children’s privacy compliance. In short, the agency says it will not bring enforcement actions against organizations that collect, use, or disclose personal information strictly for the purpose of verifying a user’s age.

The announcement marks a practical pivot in the agency’s approach to the Children’s Online Privacy Protection Act (COPPA). For years, online platforms have faced a paradox: determining a user’s age with certainty can trigger COPPA’s “actual knowledge” standard, which in turn activates strict parental consent and compliance obligations. That dynamic discouraged some companies from implementing robust age checks in the first place. The FTC’s new position appears designed to remove that disincentive.

A Shift From Discouragement to Encouragement

In its statement, the Commission makes clear it views age-verification technologies as protective tools, not regulatory liabilities. The agency emphasized that it will not enforce COPPA provisions that would otherwise penalize companies for collecting limited personal data necessary to confirm whether a user is under 13.

The message is straightforward: if companies are gathering information solely to determine age—and are not repurposing that data for advertising, profiling, or unrelated uses—the FTC does not intend to treat that collection as a violation. The move follows months of agency focus on age assurance, including a public workshop exploring how such tools can be deployed responsibly and at scale.

Christopher Mufarrige, Director of the FTC’s Bureau of Consumer Protection, framed the change as an effort to encourage adoption of innovative safeguards. Age verification, he said, empowers parents and strengthens protections that prevent children from accessing content or services that may not be appropriate for them.

The “Actual Knowledge” Problem

For compliance professionals, the most meaningful element of the statement is what it signals about COPPA’s long-standing “actual knowledge” standard. Under the law, once a company has actual knowledge that it is collecting personal data from a child under 13, it must obtain verifiable parental consent and adhere to strict data-handling requirements.

That framework created tension. If a platform used only a simple age gate—easily bypassed—it might avoid triggering knowledge. But if it deployed more advanced verification tools, it risked confirming the presence of minors and therefore activating heavier regulatory obligations.

Laura Riposo VanDruff, a former FTC official who now leads the Washington office of Kelley Drye & Warren, described the policy shift as both clarifying and complicated. Companies that embrace age verification may now align with the FTC’s stated priorities, but they also increase the likelihood that they “know” minors are using their services. That knowledge carries compliance consequences. In other words, the FTC has lowered one enforcement risk while potentially amplifying another.

Guardrails Still Apply

The FTC’s position is not a free pass. The agency emphasized that companies must implement appropriate safeguards around any personal data collected for age verification. That includes:

  • Using the data only for age-assurance purposes
  • Implementing strong data deletion practices
  • Ensuring the verification method is accurate and safe
  • Providing clear notice to parents and children

If a company uses age-verification data for marketing, profiling, or other commercial objectives, enforcement could follow. The safe harbor extends only to legitimate age-checking functions.

The Commission also signaled it may pursue formal rulemaking to update the COPPA Rule itself. That process could codify the policy statement and provide additional clarity around acceptable age-verification practices.

Industry Reaction: Relief, With Caution

The reaction among age-assurance technology providers was swift. Julie Dawson, Chief Policy and Regulatory Officer at Yoti, characterized the announcement as a clear endorsement of responsible age assurance. In her view, the FTC is signaling that COPPA should not stand in the way of deploying protective technologies.

Still, the broader compliance community is proceeding carefully. Determining a user’s age may open the door to additional state-level obligations. Youth privacy laws in California and other states impose design-based duties, profiling limits, and risk-assessment requirements once a service is accessed by minors. Knowing a user is a child can immediately change the compliance posture of a product.

VanDruff warned of a potential cascade effect. Once age is verified, platforms may need to adjust default settings, limit behavioral advertising, and conduct risk assessments. Meanwhile, constitutional challenges to certain state youth safety laws have created legal uncertainty, leaving companies navigating a patchwork of evolving requirements.

What This Means for 2026 and Beyond

The FTC’s statement does not rewrite COPPA overnight, but it does recalibrate the incentives around age verification. For years, some companies hesitated to deploy robust tools out of fear that knowledge would invite enforcement. The Commission now appears to be saying that avoiding knowledge is not the policy goal—protecting children is.

Whether that approach ultimately simplifies compliance remains to be seen. Age assurance may reduce risk in one dimension while increasing regulatory visibility in another. What is clear is that the agency wants innovation in child safety technology, not strategic ignorance.

If the FTC follows through with formal amendments to the COPPA Rule, 2026 could mark the beginning of a structural shift: from a regime where companies avoided confirming age to one where responsible age verification is expected—and built into the architecture of digital services rather than treated as a liability.
