On February 25, 2026, the FTC issued an enforcement policy statement under COPPA intended to encourage the use of age-verification technologies. The Commission announced that it will not bring a COPPA enforcement action against general audience or mixed-audience operators that collect, use, or disclose personal information solely to determine a user’s age, provided that platforms implement appropriate safeguards.

Under the policy statement, companies must:

• Limit collection, use, and retention strictly to age verification;
• Provide clear notice;
• Maintain reasonable data security;
• Ensure third-party vendors protect the information; and
• Use reasonably accurate age-verification methods.

The statement reflects a theme that emerged during the FTC’s January 2026 Age Verification Workshop: staff emphasized that COPPA should not be an impediment to the adoption of age-verification technologies. As discussed our prior post covering the workshop, agency officials signaled concern that companies might hesitate to deploy age-verification technologies out of fear that collecting data to determine age could itself trigger COPPA liability. This policy statement directly addresses that tension.

The statement’s focus on vendor accuracy and security also underscores a broader regulatory trend. Companies should not rely on vendor promises but rather “take reasonable steps” to determine that a tool provides “reasonably accurate results” and that vendors maintain appropriate security measures. 

Importantly, the FTC is not amending the COPPA Rule at this time. Rather, it is announcing an enforcement posture intended to provide clarity while the agency considers potential future rulemaking.

For companies navigating the rapidly evolving age-assurance landscape, particularly amid increasing state legislation, this statement provides meaningful comfort. But it also underscores that age verification must be carefully designed, limited in scope, and supported by strong data governance controls.