The U.S. Federal Trade Commission is signaling a notable shift in how it expects companies to approach children's privacy compliance, encouraging organizations' broad deployment of age verification technologies.

In a new policy statement issued 25 Feb., the FTC announced it will not take enforcement action against organizations that collect, use and disclose individuals' personal data for age verification purposes.

The agency's position frames age verification as a critical safeguard to prevent children from accessing inappropriate content online. To promote the use of age-verification tools, the agency will not enforce elements of the Children's Online Privacy Protection Act, which require online services to obtain parental consent before collecting personal information from individuals under age 13.

The statement follows months of agency focus on age assurance, including an FTC workshop examining how such technologies can be deployed at scale while aligning with COPPA obligations.

In an agency press release, FTC Bureau of Consumer Protection Director Christopher Mufarrige noted age verification tools play a pivotal role in bolstering children's online safety and said the agency's policy "incentivizes operators to use these innovative tools, empowering parents to protect their children online."

COPPA obligations

The new messaging reflects growing regulatory concern around platforms relying on age gates that could be easily bypassed by underage users. Though the agency will not enforce certain COPPA requirements, it noted organizations collecting personal information must enlist strong and compliant safeguards.

In remarks at the agency's recent workshop, FTC Chair Andrew Ferguson previously said policymakers and stakeholders "should be invested in technological innovation that makes it easier for businesses to protect the privacy of children online, because we believe that the flourishing of our nation's children depends on the privacy of their personal data and on the capacity of parents to control who has access to their child's data and how those data are used."

Kelly Drye & Warren Office Managing Partner Laura Riposo VanDruff spent more than nine years at the FTC, including five as the assistant director of the Division of Privacy and Identity Protection. She told the IAPP the policy statement is allowing companies to better identify their customers, while staking them to COPPA's actual knowledge standard and the "high bar" for compliance with the rest of the statute.

"That dynamic puts companies in a bind," she said. "Adopting age verification tools aligns with the FTC's policy direction, but it also increases regulatory exposure if their COPPA programs are anything short of regulator-ready."

The FTC may consider bringing enforcement actions against organizations that use or disclose personal data for purposes outside of age verification. According to the policy statement, companies and third-party vendors must maintain appropriate data deletion practices, ensure their age assurance technology can accurately and safely determine a user's age and provide "clear notice to parents and children of the information collected."

Yoti Chief Policy and Regulatory Officer Julie Dawson said in a LinkedIn post, the agency is setting a clear tone. "The FTC views age assurance technologies as child-protective and does not want COPPA to stand in the way of responsible deployment,” she wrote.

The FTC will initiate a review of the COPPA Rule with potential age verification amendments.

Dawson, who will speak on an age-assurance panel at the IAPP Global Summit 2026, argued that if the FTC carries out additional rulemaking to codify its position, "2026 may be the year the 'actual knowledge' paradox begins to unwind" as regulators clarify that effective age assurance should be built in rather than avoided.

The policy statement will have trickledown impacts with state-level children's online safety enforcement. Riposo VanDruff pointed to a potential "cascade" of state law requirements being triggered by the FTC opening the door to companies knowing children are assessing their online services.

"Many state attorneys general have made youth privacy and safety a top enforcement priority, and knowing a user is a minor may require stricter defaults, limits on profiling, risk assessments or product design changes," she said. "At the same time, ongoing constitutional challenges by groups like NetChoice have created uncertainty about which requirements will ultimately survive. The result is companies navigating a difficult landscape in which determining age can trigger immediate compliance duties even as the contours of their obligations remain unsettled."

Lexie White is a staff writer for the IAPP.