The Federal Trade Commission (FTC) has issued guidance about how it will enforce the Children's Online Privacy Protection Act (COPPA). Formally titled the COPPA – Enforcement Policy Statement Promoting the Adoption of Age-Verification Technology, the policy statement makes two important announcements:

First, the FTC will not bring a COPPA enforcement action against companies for collecting, using, or disclosing personal information for the purpose of determining a user's age without first obtaining verifiable parental consent, as long as several detailed conditions are met.

Second, the FTC intends to initiate a review of the COPPA Rule to address age-verification mechanisms.

Below, we provide background on the reasons the FTC took these steps, explain the scope of the new enforcement policy (and the many caveats that apply), and look ahead to the FTC's review of the COPPA Rule.

Background: Age verification technology presents COPPA enforcement risk.

At a recent workshop on age verification technology, FTC leaders expressed strong support for using age verification technology to protect children online. This comes against a backdrop of state laws – many currently being challenged in litigation – that require a range of online companies to verify users' ages in certain circumstances.

Age verification technology can involve the collection of sensitive data – such as photo ID, birth date, or biometric data – to determine whether the user is an adult or a child. But COPPA generally requires verifiable parental consent before collecting data from a child. Thus, using such technology presents COPPA compliance risk. The new enforcement policy is aimed at reducing that risk and, by doing so, incentivizing the use of age verification technology.

Caveats apply: The new policy has a limited scope and several prerequisites.

The policy statement has a number of limitations and requirements that narrow the scope of this discretionary exemption. Specifically, websites that target children as their primary audience are not subject to this exemption and must comply with COPPA. This discretionary exemption applies only to "mixed audience" websites directed to children and adults, as well as "general audience" websites.

There are also six specific requirements related to the collection, use, and disclosure of age verification data for companies seeking to rely on this discretionary exemption:

No use or disclosure of age verification data for any other purpose other than determining a user's age; Data must be deleted promptly after completing age verification; Age verification information may not be disclosed to third parties without taking reasonable steps to determine – and confirm in writing – that the third party will maintain the confidentiality, security, and integrity of the information; Both parents and children must be notified about the collection of age verification information; Companies must take commercially reasonable data security measures to safeguard age verification information; and Companies must take reasonable steps to determine that any age verification technology they use is likely to provide "reasonably accurate results as to the user's age."

Notably, many of the requirements for the exemption depend on having certain "reasonable" practices, meaning that the FTC may still closely scrutinize implementation of age verification technologies in practice.

A look ahead: More could be in store for the COPPA Rule Review.

The policy statement indicates that the Commission intends to initiate a review of the COPPA Rule to address age verification mechanisms. This is no surprise, as Chairman Ferguson previously wrote, when voting to approve recent COPPA rule amendments, that the FTC "missed the opportunity to clarify that the Final Rule is not an obstacle to the use of children's personal information solely for the purpose of age verification." If Chairman Ferguson initiates this review process, he may set up for review two other aspects of the rule revisions he found problematic.

First, the FTC may propose to relax the obligation to obtain new parental consent when a company shares data with a new third party. Chairman Ferguson wrote that the December 2025 rule revision "strongly suggests" that anytime a company changes its list of third parties with whom it shares data, it must notify and obtain new consent from parents. He described this as a "high friction" process that could ultimately harm both consumers and website operators. And he suggested that the FTC "could have mitigated this issue easily" by explicitly stating in the rule that adding a new third party providing a service similar to the service provided by a consented-to third party does not by itself require new consent from parents.

Second, the FTC may propose to revisit the data minimization requirements of the rule. Chairman Ferguson wrote that the requirement in the rule revision not to retain personal information indefinitely is a "serious problem" and "poorly conceived." He noted that adults might be surprised to find their data – such as emails and images – from childhood have been deleted because of this rule. He also noted that "indefinite" is undefined and therefore allows loopholes, such as retention for 200 years.

