The U.S. Federal Trade Commission signaled age-verification and age-assurance tools are becoming a key mechanism in privacy compliance efforts. During the FTC's age verification workshop 28 Jan., stakeholders said proportionate and effective age assurance practices could reshape how organizations comply with the Children's Online Privacy Protection Act and the emerging network of state-level children's online safety rules.
COPPA requires organizations collecting the personal data of children under age 13 years to remain transparent about their data collection practices and obtain parental consent. Meanwhile, state comprehensive privacy laws require similar enhanced protections and requirements for children's data while many states are adding legislation that directly requires age verification.
"As Congress considers whether to adopt additional legislation to protect children online, which it has been doing for some time, the FTC must use every tool at our disposal, chief among them COPPA and the COPPA Rule, to empower parents for the first and best line of defense to protect children online," FTC Chair Andrew Ferguson said in his workshop remarks.
The FTC recently announced a USD10 million settlement with Disney after the agency allegedly found the company insufficiently labeled child-friendly content on YouTube. The action outlined expectations for age verification and content labeling tools by noting that companies are expected to restrict certain content to users who have not verified their age.
Ferguson noted the order "therefore authorized Disney, which uploads an incredible amount of content to YouTube to phase out the systemic review," and implement age-verification technology to ensure COPPA compliance.
"Higher costs are no excuse for breaking the law or for relaxing standards for complying with the law, and the FTC order permits neither," he added. "It instead encourages technological innovation in COPPA compliance, which in turn expands the protection of children by reducing the cost of complying with COPPA or of voluntarily implementing other measures to protect children."
The regulator perspective
As organizations continue to deploy age-verification tools, global regulators have worked to examine how the tools can be used to bolster compliance with children's online safety regulations.
The U.K. Information and Commissioner's Office has contemplated how assurance tools fit with Children's Code requirements. Speaking at the FTC workshop, ICO Head of Regulatory Policy Michael Murray noted that while design practices often request users provide their age, "self-declaration is not age assurance."
The U.K.'s approach focuses on applying protections based on the likelihood individuals under 18 will access a service. The framework allows organizations to tailor protections based on risk, rather than imposing broad verification requirements across all services.
"The whole age assurance system, including the complaints processing, must be secure and services must be accountable for the decision," Murray said. "So, we're not looking just at the initial age gate, but the whole process of age assurance from the start to the finish of the decision-making process."
While the FTC's enforcement through COPPA does not require organizations verify the age of all users, stakeholders noted age-assurance tools may affect how companies assess whether they are obligated to implement age verification.
Ferguson emphasized the agency does not view age verification as creating new legal obligations under COPPA, but as a tool that can help companies continue to advance innovative efforts while identifying when existing obligations apply.
"The task of innovators is not to find innovative ways of breaking the law, as we sadly see so often in our consumer protection cases, but to develop and adopt new technologies or business practices that make compliance with the law and the company's service to consumers easier and more cost-effective," Ferguson said.
He also argued lawmakers, regulators and businesses "should be invested in technological innovation that makes it easier for businesses to protect the privacy of children online because we believe that the flourishing of our nation's children depends on the privacy of their personal data and on the capacity of parents to control who has access to their child's data and how those data are used.”
FTC Division of Privacy and Identity Protection Associate Director Ben Wiseman previously noted at an IAPP KnowledgeNet that the agency has set its focus on enforcing COPPA's new amendments adopted in 2024.
The FTC's enforcement measures aim to provide greater control to parents to prevent underage users from accessing potentially harmful content online. Ferguson claimed while regulators cannot prevent children from every online harm, organizations "can make it easier for parents to protect their children from it by adopting robust age-verification technologies."
Effectiveness
Despite regulators' efforts to clarify requirements and ensure compliance, the effectiveness of age-verification regulations has raised concerns about whether they can meaningfully protect children online without creating new privacy and access risks.
Utah Department of Commerce Consumer Protection Division Director Katherine Haas noted the state's implementation of the App Store Accountability Act is intended to address online harms that parents cannot mitigate on their own.
"There is some sort of obligation of these companies that are out there on the web to make sure that they're protecting youth who are coming onto their platforms," Haas said. "So all of the laws that Utah is passing are to protect children from harms that we are seeing, whether it's social media with their algorithms, whether it's now AI platforms and chatbots, whether it's downloading harmful material and on the App Store, and most especially, also pornography."
While these laws aim to protect children from online harms and access inappropriate content, Cato Institute Technology Policy Senior Fellow Jennifer Huddleston questioned whether age-verification mandates achieve those goals.
She warned some age-verification laws often "require additional data collection, which could create a kind of honey pot for bad actors to know where all the young people's information is." She also argued parents, not policymakers, "are often the best decision-makers when it comes to when it's appropriate for their child to have certain online experiences."
Children's access to the internet could be a beneficial tool for educational purposes. Ethics and Public Policy Center Bioethics, Technology and Human Flourishing Program Fellow Clare Morell noted age-verification regulations do not aim to prevent children from accessing content that is deemed appropriate for underage users.
"I don't think any of these age-verification laws are talking about the internet as a whole, but it's recognizing there are parts of the internet … that are highly addictive to children," Morrell said. "These laws are necessary, and I don't see them as being kind of opposed to what parents want, but actually empowering parents and helping them out with the government kind of providing critical backup."
Lexie White is a staff writer for the IAPP.
