The U.S. Federal Trade Commission (FTC) has issued a policy statement indicating that it will not pursue enforcement actions under the Children’s Online Privacy Protection Act (COPPA) against certain online platforms that collect personal information solely to verify a user’s age. The move is intended to provide guidance to websites and digital services that rely on age-verification technologies to restrict access to minors.
The announcement has reignited a wider debate among privacy advocates, policymakers, and technology experts about whether current age-verification systems are compatible with existing child privacy laws.
COPPA, enacted in 1998, was designed to protect the personal information of children under the age of 13. The law prohibits online services from collecting, using, or sharing personal data from children without obtaining verifiable consent from a parent or guardian. However, the growing push for stronger online age checks has created a difficult situation for platforms attempting to comply with both safety expectations and privacy regulations.
To verify a user’s age, many platforms require identifying information such as government-issued IDs, biometric scans, or other forms of verification. But if a child submits such information during the process, the platform may end up collecting personal data from a minor before parental consent is obtained—potentially violating the very law meant to protect them.
FTC Creates a Narrow Safe Harbor for Age-Verification Data
In its policy statement, the FTC said it will refrain from bringing COPPA enforcement actions against website operators that collect personal data strictly for the purpose of determining a user’s age, provided they follow specific conditions.
According to the agency, companies must ensure that the information collected is used only for age verification and not for other purposes such as marketing or data profiling. Platforms must also implement strong security protections to safeguard the information and delete it once the age determination process has been completed.
This guidance effectively creates a limited safe harbor for companies deploying age-verification technologies. By clarifying its enforcement stance, the FTC is attempting to encourage platforms to implement age checks without the immediate risk of regulatory penalties.
However, the policy also highlights the complicated legal and technological challenges surrounding online age verification.
Tension Between Privacy Law and Age-Verification Technology
One of the central issues raised by the FTC’s announcement is the apparent conflict between age-verification systems and the requirements of COPPA.
In many cases, verifying a person’s age requires collecting identifying information. If the person being verified turns out to be under the age of 13, that information may have already been collected without parental permission.
Privacy advocates argue that this creates a structural problem within current regulatory frameworks. The very process used to confirm whether a user is a child could inadvertently violate child privacy protections.
The FTC’s policy appears to recognize this tension. By signaling that it will not enforce COPPA in certain limited cases involving age verification, the agency is acknowledging that strict enforcement could make it difficult for companies to implement age-check systems at all.
Rather than requesting legislative changes to address the issue, the FTC has opted to rely on enforcement discretion.
Debate Over Whether the Approach Solves the Problem
Supporters of the policy say it reflects a practical compromise that allows companies to adopt safety measures aimed at keeping minors away from harmful content. In recent years, lawmakers in several jurisdictions have pushed for stronger age verification rules for social media platforms, gaming services, and websites that host adult content.
From this perspective, the FTC’s approach could help remove a regulatory obstacle that might discourage companies from implementing age-verification systems.
Critics, however, argue that the policy sidesteps the underlying problem rather than solving it. Some privacy advocates believe that creating an enforcement carve-out effectively allows companies to collect sensitive personal information from users—including minors—under the justification of age verification.
They also worry that once such data collection systems are in place, they could expand over time or become attractive targets for cybercriminals.
Privacy and Security Risks Raise Concerns
Age-verification technologies often rely on highly sensitive data. In many cases, users are required to submit scans of identification documents, photographs for facial recognition analysis, or other biometric data.
Experts warn that storing or processing this type of information introduces significant security risks. If databases containing such information were compromised, it could expose millions of individuals to identity theft or other forms of fraud.
Accuracy is another concern frequently raised by critics. Age-verification technologies are not always reliable, and errors can occur in both directions. Adults may sometimes be incorrectly flagged as minors, while underage users might still find ways to bypass the systems.
Teenagers with sufficient technical knowledge can often circumvent restrictions using virtual private networks (VPNs), borrowed devices, or shared accounts.
Because of these limitations, some digital rights advocates argue that mandatory age verification may produce large-scale data collection without effectively preventing minors from accessing restricted services.
Broader Concerns About Impact on Young Users
In addition to privacy risks, child welfare organizations have warned that strict age-based restrictions could have unintended consequences.
Organizations including the UNICEF have cautioned that online platforms play an important role in many young people’s lives. Social media and digital communities can provide spaces for education, creativity, and connection—especially for teenagers who may feel isolated in their offline environments.
Experts have also noted that strict bans or heavy verification systems might drive younger users toward less regulated platforms or encourage them to find workarounds. This could make it harder for parents, educators, and regulators to monitor online activity and ensure safety.
As a result, some child protection advocates believe that age verification should be only one part of a broader strategy that includes digital literacy, stronger platform moderation, and better parental tools.
Policy Decision Comes Amid Changes at the FTC
The FTC’s decision also comes at a time when the commission is operating with fewer members than usual. The agency is typically structured to include five commissioners, representing both major political parties.
However, the commission currently has fewer members after the removal of two Democratic commissioners during the administration of Donald Trump. As a result, the vote approving the policy statement was taken by the remaining commissioners.
Although the decision was described as unanimous among those members, critics have pointed out that the commission is not currently operating at full capacity.
