FTC Promotes Age Verification in Children’s Privacy Enforcement Statement
Alerts
February 27, 2026

On February 25, 2026, the Federal Trade Commission (FTC) issued an enforcement statement to promote the use of age verification technologies on the heels of its January 28 workshop on the topic. The workshop explored issues related to age verification and how these innovative tools could be used in furtherance of child safety without creating liability under the Children’s Online Privacy Protection Act (COPPA) and its implementing rule (the COPPA Rule).

While the specific purpose of the workshop was to explore the interplay between COPPA and age verification technologies, FTC Chairman Andrew Ferguson also explained in his opening remarks that the workshop furthered the FTC’s goal of promoting technological innovation that promotes the common good, in this case keeping children safe online. He emphasized that there need not be tension between the FTC’s mission to protect children and tech innovation.

The enforcement statement states that the FTC will not bring a COPPA enforcement action against certain operators who utilize age verification technologies prior to obtaining verifiable parental consent for the collection, use, and disclosure of a child’s personal information. These entities must adhere to certain requirements to be covered by this enforcement policy.

A summary of the enforcement statement, what the FTC plans to do next, and key takeaways are below.

What Does COPPA Require and Who Does It Apply To?

At a high level, COPPA requires operators of websites or online services to provide notice and obtain verifiable parental consent before collecting personal information from children under the age of 13.

These obligations extend to operators of websites and online services that:

  • are child-directed under the COPPA Rule’s factors;
  • have actual knowledge that they are collecting personal information from children or from other websites or online services directed to children; or
  • are mixed audience operators (i.e., those that are child-directed per the COPPA Rule’s factors but don’t target children as the primary audience and limit data collection to permissible purposes prior to collecting or otherwise determining the age of the user).

It does not apply to general audience websites or online services unless they have actual knowledge as described above.

Who Does the Enforcement Statement Apply To?

The enforcement statement applies to mixed audience and general audience websites and online services (“Relevant Operators”). It does not extend to primarily child-directed sites and services.

What Does the Enforcement Statement Permit?

The enforcement statement allows Relevant Operators to collect, use, or disclose personal information for age verification purposes without first obtaining verifiable parental consent.

What Level of Age Assurance Is Covered?

The age assurance legal landscape has various degrees of verification: age declaration, age estimation, and age verification.

As explained by panelists during the FTC’s workshop on the topic, age declaration relies on user-provided age information, such as a birthday. This is the age assurance method currently employed by many operators for COPPA compliance. Age estimation provides greater assurances because it relies on technologies and inferences to estimate a user’s age, such as through a selfie. By contrast, age verification typically refers to the more rigorous standard to determine age, such as by collecting a government ID to verify a user’s age.

Although the FTC’s enforcement statement and press release refer to “age verification” technologies and purposes, to benefit from the statement, Relevant Operators only need to ensure that the method employed provides “reasonably accurate results.” As such, Relevant Operators using age estimation technology will be covered so long as the method is reasonably accurate in determining age.

What Must Operators Do to Benefit from This Policy?

A Relevant Operator who wants to benefit from the enforcement statement must:

  • not use or disclose information collected for age verification purposes for any other purpose;
  • limit disclosure to third parties that the Relevant Operator has taken reasonable steps to determine are capable of protecting the confidentiality, security, and integrity of the information, including by obtaining written assurances from such third parties;
    • such written assurances must state that the third parties will employ reasonable security measures, will not use or disclose information collected for age verification purposes for any other purpose, and will delete the information promptly after fulfilling the purpose;
  • not retain information longer than necessary to fulfill the age verification purpose;
  • delete the information once retention is no longer necessary;
  • provide clear notice to parents and children of the information collected for age verification purposes in the Relevant Operator’s privacy policy;
  • employ reasonable security safeguards for information collected for age verification purposes;
  • take reasonable steps to determine that the means for determining a user’s age will provide “reasonably accurate results”; and
  • comply with the COPPA Rule in every other respect.

What’s Next?

The FTC announced that it plans to initiate another COPPA rulemaking in the coming months to address age verification.

The FTC released the final amendments to the current COPPA Rule a little over a year ago. Upon its issuance, now-Chairman Ferguson wrote a separate concurrence that raised three objections to the amendments, one being the failure to clarify that COPPA should not be an obstacle to use of age verification technologies. The future rulemaking will focus on age verification mechanisms, but it may address additional issues as well.

Key Takeaways

The FTC’s enforcement statement is an important step for Relevant Operators who want to use age verification technologies. Notably, though, this enforcement statement does not apply to primarily child-directed services. Relevant Operators using age verification technologies that will permit children to use their services should carefully consider whether their service is primarily directed to children under 13 or is a mixed audience service directed to children but not primarily. This distinction can be challenging. The FTC looks at several factors to ascertain child-directedness, including the subject matter of the site or service, visual and audio content, the use of animated characters or other child-oriented activities and incentives, the age of models, the presence of child celebrities or celebrities who appeal to kids, ads on the site or service that are directed to children, and other reliable evidence about the age of the actual or intended audience. Companies should consider these factors in assessing whether their service is primarily directed to children or mixed audience.

Additionally, the enforcement statement only technically applies to FTC enforcement. The policy is not binding on state attorneys general, who themselves are increasingly focused on children’s privacy issues. However, state attorneys general have historically aligned with the FTC when the agency has issued such policy statements.

Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues and specializes in issues pertaining to children’s privacy, including compliance with the COPPA Rule and related federal and state investigations. For more information, please contact Chris Olsen, Maneesha Mithal, Rebecca Weitzel Garcia, or another member of the firm’s Data, Privacy, and Cybersecurity practice.

Contributors

  • Christopher N. Olsen
  • Maneesha Mithal
  • Rebecca Weitzel Garcia
Copyright © 2026 Wilson Sonsini Goodrich & Rosati. All Rights Reserved.