FTC COPPA workshop and policy statement promote flexibility for use of age verification technologies

Background

The policy statement builds on the FTC’s recent age verification workshop on January 28, 2026 which examined the use of age verification and age assurance technologies in online services accessed by children, with a key focus on the COPPA Rule.

Takeaways from the workshop

The workshop focused on: (1) the current landscape of age assurance, including opportunities and challenges; (2) age verification and estimation tools; (3) navigating emerging age assurance laws and frameworks across the U.S.; and (4) how to deploy age verification more widely and at scale.

Chairman Ferguson

FTC Chairman Andrew Ferguson opened the workshop with a clear message: the Commission sees age verification as integral to the future of children’s privacy enforcement. In his remarks, Chairman Ferguson emphasized COPPA’s flexibility and stated that the agency will continue to actively pursue COPPA enforcement to protect minors online.

By grounding age verification in familiar consumer protection principles, Chairman Ferguson signaled the Commission may evaluate age assurance practices through existing legal standards without waiting for new legislation. Against this backdrop, Congress is working to advance COPPA amendments with the Senate’s recent unanimous passage of its version of COPPA 2.0 and the House Energy & Commerce Committee tabling consideration of its version of the bill after the Senate’s passage.

Chairman Ferguson also pointed to recent enforcement actions and the Supreme Court’s decision in Free Speech Coalition v. Paxton, which upheld in part a Texas age verification mandate as applied for certain adult content, while not extending to other content) as examples of how age verification tools can substitute for more onerous compliance measures.

Stakeholders

During the workshop, stakeholders characterized COPPA as restricting the development of more sophisticated age assurance technologies beyond self-attestation. Specifically, panelists highlighted their views that some age verification tools require the collection of personal information that, if collected from a child, would itself trigger COPPA’s consent requirements. Panelists at the workshop argued that this dynamic has discouraged companies from deploying alternative age verification and assurance tools.

Across the workshop panels, speakers also emphasized that age assurance is an umbrella term covering a wide range of approaches with varying degrees of certainty, intrusiveness, and efficacy. Panelists noted that these include:

• Self-declared age gates, such as entering a date of birth;
• Age inference, based on behavioral signals or account metadata;
• Age estimation, often using AI or machine learning models; and
• Age verification, relying on authoritative or third-party sources.

The consensus view appeared to be that self-declared age entry mechanisms are easily bypassed and offer limited protected value, particularly in high-risk contexts. Notably, speakers avoided endorsing a single “correct” method. Instead, they framed age verification and assurance as a continuum of tools that must be evaluated in context, with attention to accuracy, privacy impact, scalability, and risk.

Stakeholders repeatedly endorsed aligning and scaling age verification and assurance requirements with the risk profile of the underlying service.

Takeaways

The workshop’s framing suggests that the FTC may increasingly consider age verification and assurance practices when evaluating whether online services adequately protect children. In his closing remarks at the workshop, FTC Consumer Protection Bureau Director Christopher Mufarrige reiterated that COPPA “should not be an impediment” to effective age verification and previewed additional workshops on consumer data practices.

COPPA enforcement policy statement

The policy statement, issued shortly after the workshop, makes clear the Commission’s position that it will not bring enforcement actions under COPPA against Relevant Operators that collect, use, or disclose personal information solely for age verification purposes, provided that Relevant Operators meet the following conditions:

• limit collection, use, and disclosure strictly to age verification purposes;
• delete data promptly once the age determination is complete;
• disclose data only to third parties that the Relevant Operator has taken reasonable steps to determine can maintain confidentiality and security;
• provide clear notice to parents and children about information collected for age verification;
• implement reasonable security safeguards;
• ensure information is not used for any other purpose and not retained longer than necessary; and
• take reasonable steps to ensure third parties used for age verification purposes can provide reasonably accurate results.

Many of the prescribed guardrails closely mirror themes from the workshop including data minimization, accuracy, and integrity in third party age assurance tools. The policy statement also directly addresses the concern that collection for age verification purposes triggers COPPA consent requirements by clarifying that data collected exclusively for age verification and subject to the safeguards above, will not be the basis for enforcement. Notably, the policy statement communicates enforcement discretion only with respect to “Mixed Audience” and “General Audience” sites and online services, and not sites or online services directed to children (individuals under 13).

The policy statement does not amend the COPPA Rule; rather, it articulates how the FTC intends to exercise its prosecutorial discretion while it continues to evaluate amendments to the Rule. The policy statement notes that in the coming months, the FTC intends to initiate a review of the COPPA Rule to address age verification mechanisms.

This follows the FTC’s multi year rulemaking on amendments to the COPPA Rule which took effect in 2025 and modernized key COPPA requirements. Throughout the rulemaking process the FTC expressly supported the development of age verification mechanisms and noted the Commission was encouraged by the reliability of determining a user’s age by the mechanisms that had been developed.

Looking ahead: The future of age verification and COPPA enforcement

Taken together, the workshop and the policy statement underscore that COPPA remains a flexible federal tool capable of adapting to evolving technologies, even as companies navigate a growing patchwork of state child safety and age assurance laws.

The Commission is signaling a desire for a more coordinated, forward looking framework for age verification—one that balances innovation, privacy, and regulatory clarity as the Commission prepares for an upcoming review of the COPPA Rule to incentivize wider adoption of age verification. In addition, state Age-Appropriate Design Code laws are starting to take effect, which, in some cases, is putting the onus on websites to undertake age verification. It is likely that we are seeing the last days of the neutral age gate as the only age assurance technology, led by this and future guidance from the FTC.

Authored by Bret Cohen, Dan Ongaro, Sophie Baum, Brittney Griffin, and Manvi Harde.