FTC Grants 'Shield' for Age Verification Tech
The U.S. Federal Trade Commission has issued new guidance giving a "COPPA enforcement shield" to platforms that use FTC-approved age assurance technology. This move incentivizes the adoption of robust, privacy-preserving age verification, potentially protecting companies from penalties under the Children's Online Privacy Protection Act.
This new enforcement discretion, announced February 25, 2026, addresses a key conflict for platforms: COPPA typically requires parental consent before collecting personal data from users under 13, yet many age-verification methods require collecting data to work. The policy aims to resolve this tension, which was a major topic at an FTC workshop on the subject. The FTC's safe harbor isn't a free pass; it comes with strict conditions. Any data collected—like a photo ID or biometric information—can only be used for the purpose of age verification and must be deleted promptly after. Companies must also provide clear notice to parents and children about the data being collected and ensure any third-party verifiers can maintain its security and confidentiality. This policy specifically applies to "general audience" and "mixed audience" sites. Websites and online services that are directed primarily to children are not covered by this exemption and must still adhere to full COPPA requirements. The FTC has also signaled its intent to formally review the COPPA Rule to further address age-verification mechanisms. For developers, this move encourages the use of more robust age-assurance technologies beyond simple, self-reported age-gates. Privacy-preserving methods like facial analysis for age estimation and zero-knowledge proofs are gaining traction. Zero-knowledge proofs, for example, can confirm a user meets an age requirement without ever revealing their actual birthdate to the online service. Historically, COPPA violations have resulted in significant penalties. The FTC has levied fines against companies for improperly collecting children's data without parental consent, with penalties reaching into the millions of dollars. This new shield is designed to avoid penalizing companies for the very act of trying to determine a user's age to comply with the law. In the edtech space, where services often rely on schools to provide consent on behalf of parents, data use is already strictly limited to educational purposes. Edtech providers are prohibited from using student data for other commercial purposes, like targeted advertising. The new guidance complements these existing restrictions by clarifying the rules for the initial age-gating process.
