The FTC just carved out a massive loophole in federal children’s privacy protections, allowing companies to collect kids’ personal data without parental consent—as long as they call it “age verification.”
Story Snapshot
- FTC’s February 2026 policy creates enforcement safe harbor for collecting children’s personal information without parental consent if labeled “age verification”
- New policy represents significant departure from 1998 COPPA requirements that mandated parental consent before any data collection from children under 13
- Companies must meet six conditions including limited use, prompt deletion, and security safeguards to avoid enforcement actions
- Policy remains effective until FTC publishes amended COPPA rules or withdraws the statement, with formal rule review planned
Federal Privacy Law Gets Major Carve-Out
The Federal Trade Commission issued a policy statement on February 25, 2026, fundamentally altering how the Children’s Online Privacy Protection Rule applies to age verification technologies. The FTC announced it will not pursue enforcement actions against website operators who collect, use, or disclose children’s personal information solely for age verification purposes without obtaining verifiable parental consent first. This marks a dramatic shift from COPPA’s original 1998 framework, which required parental consent before any personal information collection from children under 13. The 2-0 Commission vote signals bipartisan support for this regulatory flexibility.
How Companies Bypass Parental Consent Requirements
Under the new policy, operators can collect children’s data without parental consent by claiming it serves age verification purposes, provided they meet six specific conditions. Companies must limit use and disclosure exclusively to age determination, retain information only as long as necessary for verification and delete it promptly thereafter, and disclose data only to third parties with written assurances of confidentiality. Additionally, operators must provide clear notice in privacy policies about information collected for age verification, employ reasonable security safeguards, and take reasonable steps to ensure age verification methods provide reasonably accurate results. This framework essentially creates a parental consent exception that never existed in COPPA’s original structure.
FTC Says Companies Can Collect Kids’ Personal Data, As Long As It’s Called “Age Verification”https://t.co/9Xz2pVZrqu
— useless eater (@alanmonty83) February 27, 2026
Regulatory Tension Between Child Protection and Privacy
The FTC’s policy statement attempts to resolve a regulatory contradiction created by state-level age verification mandates. Several states now require websites to implement age verification mechanisms to prevent children from accessing inappropriate content, yet these verification systems require collecting personal information that could violate COPPA’s parental consent requirements. FTC Chair Andrew Ferguson emphasized during a January 28, 2026 workshop that age verification does not create new legal obligations but serves as a compliance tool. However, this framing obscures the fact that the policy creates a substantial new exception to longstanding parental consent protections, allowing data collection that was previously prohibited.
Privacy Advocates Raise Red Flags About Data Collection
While FTC Bureau of Consumer Protection Director Christopher Mufarrige characterized age verification technologies as “some of the most child-protective technologies to emerge in decades,” the policy raises serious concerns about government overreach and erosion of parental rights. The original COPPA framework empowered parents by requiring their explicit consent before any data collection from their children. This new carve-out shifts that power to companies and regulators who determine what qualifies as legitimate age verification. The policy also creates a precedent for limited-purpose data collection exceptions that could expand beyond age verification, gradually weakening the parental consent principle at COPPA’s core.
Uncertain Future as FTC Plans Formal Rule Changes
The Commission explicitly stated its intention to initiate a formal review of the COPPA Rule to address age verification mechanisms, suggesting this enforcement flexibility represents an interim step toward permanent regulatory changes. The policy statement will remain effective until the FTC publishes final rule amendments in the Federal Register or withdraws the statement. This timeline uncertainty leaves parents, companies, and children in regulatory limbo. Meanwhile, companies implementing age verification systems gain competitive advantages while collecting data that would have triggered enforcement actions under traditional COPPA interpretation. The broader implication is a fundamental shift toward pragmatic regulation that prioritizes industry compliance convenience over the strict parental consent protections that have defined children’s online privacy for nearly three decades.
Sources:
FTC Issues Policy Statement on Age Verification Technologies Under COPPA – Mayer Brown
FTC Makes COPPA Exception for Data Collected for Age Verification Process – Biometric Update
FTC Announces COPPA Policy Enforcement Statement, Forthcoming Rule Review – Wiley Law
