FTC Relaxes COPPA Enforcement on Age Verification as April Deadline Looms for the Biggest Overhaul of Children's Privacy Rules in a Decade
The FTC will not enforce COPPA against companies collecting children's data solely for age verification, even as sweeping new rules on biometrics, data retention, and parental consent take effect April 22.
Overview
The Federal Trade Commission is sending two contradictory signals on children’s privacy at the same time. On one hand, the agency is weeks away from enforcing the most significant expansion of the Children’s Online Privacy Protection Act (COPPA) since the law was last amended in 2013, with an April 22, 2026 compliance deadline that broadens the definition of personal information, mandates written security programs, and imposes strict data retention limits. On the other hand, the FTC issued a policy statement in late February announcing it will not enforce COPPA against operators who collect children’s personal data for the sole purpose of age verification, effectively carving out an exception to the very law it is tightening.
The result is a regulatory landscape where the rules governing children’s data are simultaneously getting stricter and more permissive, depending on why the data is being collected.
What We Know
The amended COPPA Rule, published in the Federal Register on April 22, 2025, gives operators exactly one year to comply with a sweeping set of changes. The updated rule expands the definition of “personal information” to include biometric identifiers such as fingerprints, voiceprints, facial templates, and retina scans, as well as government-issued identifiers, phone numbers, and precise geolocation data. Operators must now maintain written information security programs with annual risk assessments, publish formal data retention policies specifying what is collected and when it will be deleted, and obtain separate verifiable parental consent before sharing children’s data with third parties for purposes that are not integral to their service.
These are not minor technical adjustments. For any company operating a website or app that collects data from users under 13, the April 22 deadline requires a comprehensive audit of data practices, privacy notices, vendor contracts, and security infrastructure. Fines for noncompliance can reach $2,500 per violation and $7,500 per intentional violation.
Then, five weeks before the compliance deadline, the FTC issued its age verification policy statement on February 25, 2026. Christopher Mufarrige, Director of the FTC’s Bureau of Consumer Protection, called age verification technologies “some of the most child-protective technologies to emerge in decades.” Under the policy, the FTC will exercise enforcement discretion and decline to bring COPPA actions against operators who collect personal data solely to determine a user’s age, provided they meet six conditions: data must be used exclusively for verification, deleted immediately after the check, disclosed only to vendors who maintain confidentiality, protected by appropriate security safeguards, accompanied by clear notice to parents and children, and reasonably accurate.
The policy followed a January 28, 2026 FTC workshop on age verification that explored technologies ranging from government ID scanning and facial age estimation to behavioral inference and reusable third-party tokens. The workshop drew a distinction between “age verification,” which confirms age with high certainty, and “age assurance,” a broader category that includes self-declaration and estimation.
Major platforms are already adapting. Apple rolled out age-verification tools globally in late February to comply with an expanding web of child safety laws across multiple jurisdictions. The FTC’s policy statement gives other operators a clearer path to do the same without fear of COPPA liability for the verification step itself.
What We Don’t Know
The FTC’s policy statement is a promise of prosecutorial restraint, not a change to the law. The Commission has indicated it intends to initiate a formal review of the COPPA Rule to address age verification mechanisms, but no timeline has been set. Until that review is completed and the rule is formally amended, the legal conflict between COPPA’s consent requirements and age verification’s data collection needs remains unresolved.
State enforcement is another open question. The FTC’s enforcement discretion applies only to federal actions. As Cooley’s legal analysis notes, the policy statement “does not claim to apply to actions brought by a state,” and “unless and until the COPPA Rule is amended consistent with the policy statement, states may continue to bring actions even under circumstances where the FTC has chosen not to enforce as a matter of discretion.” Companies implementing age verification in reliance on the federal safe harbor could still face state-level enforcement.
The accuracy and security of the verification technologies themselves remain contested. Critics point out that age estimation systems produce false positives and false negatives, incorrectly categorizing both adults and children. As Techdirt reported, UNICEF has warned that age restriction approaches “may even backfire” and can push isolated children toward less regulated platforms. Every verification system that collects biometric or identification data creates a database that becomes a target for breaches, a concern that sits uneasily alongside COPPA’s new mandate for written security programs.
Analysis
The FTC’s dual approach reflects a genuine tension in children’s privacy regulation. COPPA was designed to prevent companies from collecting children’s data without parental consent. Age verification requires collecting data from everyone, including children, before consent can be obtained, in order to determine who is a child in the first place. The FTC’s solution is to look the other way on the initial collection while tightening the rules on everything that follows.
This creates what critics call an enforcement end run. When courts have struck down state-level age verification mandates on First Amendment grounds, the FTC is achieving a similar outcome through regulatory discretion rather than legislation. The effect is to normalize universal data collection at the gate of every online service, reversing COPPA’s original logic of minimizing data collection.
The April 22 deadline will test whether the industry can absorb both messages simultaneously: stricter rules on biometrics and data retention, combined with a new carve-out that encourages collecting precisely the kind of sensitive data the amended rule now explicitly protects. Companies that have spent the past year preparing for the expanded definition of personal information must now also build age verification systems that handle that same category of data under a different set of expectations.
The FTC’s COPPA overhaul is the most consequential update to American children’s privacy law in over a decade, but the age verification carve-out ensures the debate over how to protect minors online without surveilling everyone is far from settled.