Skip to main content
Featured Topics
Featured Insights
View All Services
View All Industries
About Us Overview
    • Home
    • Insights
    • FTC Issues Policy Statement on Age Verification Technologies Under COPPA
      February 26, 2026

      FTC Issues Policy Statement on Age Verification Technologies Under COPPA

      Authors:
      Generate PDF
      Share

      On February 25, 2026, the Federal Trade Commission (FTC) issued a policy statement announcing that it will not pursue enforcement actions under the Children’s Online Privacy Protection Rule (“COPPA Rule”) against website and online service operators that collect, use, or disclose personal information solely to determine a user’s age through age verification technologies.

      The policy statement comes as operators prepare for the April 22, 2026 compliance deadline for the significant COPPA Rule amendments the FTC finalized in January 2025. The Commission also indicated its intent to initiate a formal review of the COPPA Rule to address age verification mechanisms more broadly.

      Background

      As states have begun introducing and passing legislation requiring certain websites and online services to deploy age verification mechanisms, operators have raised questions about how these requirements intersect with COPPA. In particular, some age verification technologies require the collection of personal information from children, prompting concerns that the verification process itself could trigger COPPA obligations.

      FTC Chair Andrew Ferguson addressed this tension during the Commission’s January 28, 2026 workshop on age verification technologies. He emphasized that the FTC does not view age verification as creating new legal obligations under COPPA, but rather as a tool that can help companies advance innovative compliance efforts while identifying when existing obligations apply. Christopher Mufarrige, Director of the FTC’s Bureau of Consumer Protection, echoed this view, describing age verification technologies as some of the most child-protective technologies to emerge in decades.

      The Policy Statement

      The FTC will not bring an enforcement action against operators of general audience or mixed audience sites and services that collect, use, or disclose personal information solely to determine a user’s age (“Age Verification Purposes”) without first obtaining verifiable parental consent, provided the operator:

      • Does not use or disclose information collected for Age Verification Purposes for any other purpose;
      • Discloses information collected for Age Verification Purposes only to third parties that the operator has taken reasonable steps to determine can maintain the confidentiality, security, and integrity of the information, including by obtaining written assurances that such third parties will employ reasonable safeguards, will not use or disclose the information for any other purpose, and will delete it promptly after fulfilling the Age Verification Purposes;
      • Does not retain this information collected for Age Verification Purposes longer than necessary to fulfill those purposes and deletes it promptly thereafter;
      • Provides clear notice in its privacy policy to parents and children regarding the information collected for Age Verification Purposes;
      • Employs reasonable security safeguards for information collected for Age Verification Purposes; and 
      • Takes reasonable steps to determine that any product, service, method, or third party utilized for Age Verification Purposes is likely to provide reasonably accurate results as to the user’s age.

      Key Takeaways for Businesses

      The policy statement offers reassurance to operators seeking to implement age verification technologies without concern that the verification process itself will trigger COPPA enforcement. However, the FTC’s enforcement discretion applies only when personal information is collected, used, or disclosed solely to determine a user’s age. Operators should not retain or repurpose personal information collected through age verification for other purposes if they wish to rely on this policy statement.

      Importantly, the policy statement does not change the underlying COPPA Rule requirements. Operators must still comply with all COPPA obligations, including the 2025 amendments expanding the definition of personal information, enhancing notice requirements, mandating written information security programs, and imposing stricter data retention limitations.

      Finally, companies should be aware that the FTC intends to initiate a formal review of the COPPA Rule to address age verification mechanisms. The policy statement will remain in effect until the FTC publishes final rule amendments on this issue or withdraws the policy statement.

      Authors

      Related Services & Industries

      Stay Up To Date With Our Insights

      See how we use a multidisciplinary, integrated approach to meet our clients' needs.
      Subscribe

      Follow us

      © 2026 Mayer Brown. All Rights Reserved

       

       

      Mayer Brown is a global legal services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown Hong Kong LLP (a Hong Kong limited liability partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) (collectively, the “Mayer Brown Practices”). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong LLC (“PKW”) is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong Pte. Ltd. More information about the individual Mayer Brown Practices and PKW can be found in the Legal Notices section of our website.

      “Mayer Brown” and the Mayer Brown logo are the trademarks of Mayer Brown.

      Attorney Advertising. Prior results do not guarantee a similar outcome.