The Federal Trade Commission (FTC) remains focused on children’s privacy and the Children’s Online Privacy Protection Act (COPPA). On Jan. 28, 2026, the FTC held an Age Verification Workshop, previewing potential amendments to the COPPA Rule and emphasizing the need for reliable, privacy-protective age-verification technologies. On Feb. 25, 2026, the FTC issued a COPPA Policy Statement promoting the adoption of such technologies.
“Age verification technologies are some of the most child-protective technologies to emerge in decades,” said Christopher Mufarrige, director of the FTC’s Bureau of Consumer Protection, in a press release announcing the COPPA Policy Statement. “Our statement incentivizes operators to use these innovative tools, empowering parents to protect their children online.”
Background
Children’s online activity continues to grow, and state legislatures increasingly require age verification for access to certain content or features. These developments present potential compliance challenges for operators who must reconcile varying federal and state standards. In response, the FTC has clarified how platforms may adopt modern age-verification technologies consistent with COPPA’s notice and parental consent requirements.
Key Takeaways from the FTC’s Age Verification Workshop (Jan. 28, 2026)
Support from FTC Leadership
FTC Chair Andrew Ferguson and Commissioner Mark Meador expressed support for age-verification tools as essential to modern COPPA compliance.
“As Congress considers whether to adopt additional legislation to protect children online, . . . the FTC must use every tool at our disposal, chief among them, COPPA and the COPPA Rule, to empower parents who are the first and best line of defense to protect children online,” Ferguson said.
The Commissioners also cited recent enforcement actions as evidence that companies must restrict child access unless they have robust age-verification mechanisms in place.
Age Verification vs. Age Assurance
Panelists distinguished age verification (confirming a user’s age with high certainty) from age assurance (a broader category including self-declaration, age estimation, and other methods). This distinction grows increasingly important as state laws adopt specific terminology and accuracy requirements.
Highlighted Technologies and Legal Risks
Stakeholders discussed emerging technologies, such as government ID scanning, facial analysis or biometric age estimation, behavioral and metadata inference, work email verification, and reusable third-party age-verification tokens. Panelists raised legal questions, including:
- Does collecting personal information solely for age verification — without parental consent — trigger COPPA liability?
- Which entity in the digital supply chain is responsible for verification?
- What accuracy thresholds must be met?
- What is the risk of circumvention by minors?
- What are the data deletion, retention, and minimization obligations?
These issues reflect ongoing uncertainties the FTC may address in upcoming COPPA rulemaking.
Regulatory Alignment Across Jurisdictions
Speakers noted that age-verification requirements are increasingly embedded in U.S. state privacy laws and global frameworks, such as the UK Information Commissioner’s Office’s Children’s Code. Panelists recognized and discussed the need to harmonize requirements across jurisdictions.
COPPA Rule Amendments Possible
Chairman Ferguson indicated that the outcome of the Workshop would inform a future FTC policy statement on age-verification technologies (discussed below), as well as a possible COPPA Rule amendment to promote the use of age verification technologies in compliance with COPPA.
The COPPA Policy Statement: Interim Guidance for Website Operators (Feb. 28, 2026)
The FTC’s COPPA Policy Statement states that it will not bring a COPPA enforcement action against operators that collect, use, and disclose personal information solely to determine a user’s age — even without first obtaining verifiable parental consent — if operators meet certain conditions. Specifically, operators must:
- Purpose Limitation: Use the data only for age verification;
- Vendor Oversight: Ensure third-party providers keep information confidential, use it exclusively for verification, and delete it promptly;
- Data Retention: Not retain the data longer than the period necessary to complete age verification, and delete such information promptly thereafter;
- Transparency: Provide clear notification to parents and children about data collected for age verification;
- Security: Implement appropriate safeguards for the data; and
- Accuracy: Ensure their age-verification mechanisms are reasonably accurate.
The FTC will exercise its discretion not to enforce COPPA in relation to age-verification mechanisms only if the operator is otherwise fully compliant with COPPA regarding all data collected from children.
Takeaways
The FTC’s Workshop and COPPA Policy Statement may signal a regulatory landscape where age verification will become a standard, mandatory component of online compliance for services accessible to children. Companies with general and mixed audience sites may wish to consider implementing age-assurance technologies, strengthening vendor controls, and updating compliance programs in anticipation of forthcoming COPPA amendments.