- in United States
On February 25, 2026, the FTC issued an enforcement policy statement under COPPA intended to encourage the use of age-verification technologies. The Commission announced that it will not bring a COPPA enforcement action against general audience or mixed-audience operators that collect, use, or disclose personal information solely to determine a user's age, provided that platforms implement appropriate safeguards.
Under the policy statement, companies must:
- Limit collection, use, and retention strictly to age verification;
- Provide clear notice;
- Maintain reasonable data security;
- Ensure third-party vendors protect the information; and
- Use reasonably accurate age-verification methods.
The statement reflects a theme that emerged during the FTC's January 2026 Age Verification Workshop: staff emphasized that COPPA should not be an impediment to the adoption of age-verification technologies. As discussed our prior post covering the workshop, agency officials signaled concern that companies might hesitate to deploy age-verification technologies out of fear that collecting data to determine age could itself trigger COPPA liability. This policy statement directly addresses that tension.
The statement's focus on vendor accuracy and security also underscores a broader regulatory trend. Companies should not rely on vendor promises but rather "take reasonable steps" to determine that a tool provides "reasonably accurate results" and that vendors maintain appropriate security measures.
Importantly, the FTC is not amending the COPPA Rule at this time. Rather, it is announcing an enforcement posture intended to provide clarity while the agency considers potential future rulemaking.
For companies navigating the rapidly evolving age-assurance landscape, particularly amid increasing state legislation, this statement provides meaningful comfort. But it also underscores that age verification must be carefully designed, limited in scope, and supported by strong data governance controls.
This alert provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
This post first appeared in Frankfurt Kurnit's Focus on the Data blog (www.focusonthedata.com). It provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.
Originally published by the New York Legal Ethics Reporter
This alert provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.
This alert provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.
