FTC Won’t Enforce Kids’ Privacy Law for Age Verification Data

In a significant shift for online child safety, the Federal Trade Commission has announced it will not enforce a key children’s privacy law against websites that collect minors’ personal data specifically for age verification. This move is designed to incentivize the adoption of new age-checking technologies by providing legal clarity for companies. The agency believes these tools represent a major advancement in protecting young people online, empowering parents with greater control.

Christopher Mufarrige, director of the FTC’s Bureau of Consumer Protection, emphasized the protective potential of these systems. He stated that the commission’s new stance actively encourages operators to implement these innovative solutions, framing them as a critical development for safeguarding children in digital spaces.

To qualify for this enforcement discretion under the Children’s Online Privacy Protection Act (COPPA) Rule, websites must adhere to strict criteria. COPPA typically mandates that commercial sites obtain verifiable parental consent before collecting any information from users under 13. The new guidance creates an exception for general audience platforms. They may collect a minor’s data without that prior consent, but only for the sole purpose of determining the user’s age and only if they follow a detailed protocol.

This protocol mandates that companies promptly delete the collected data once the age verification process is complete. Any disclosure of information to third-party service providers is restricted to those who can demonstrate robust capabilities for maintaining data confidentiality, security, and integrity. Operators must also provide clear notice about the information they intend to collect, employ reasonable security measures, and strive to ensure the age verification results are reasonably accurate.

The policy statement has been welcomed by proponents of age verification, who see it as a pragmatic step forward. However, privacy advocates have raised immediate concerns. Organizations like the Electronic Frontier Foundation argue that collecting data for age-checking introduces the very risks COPPA was enacted to prevent. EFF senior counsel David Greene pointed to past incidents, such as a Discord breach where approximately 70,000 users’ government IDs were exposed after being collected by a third-party vendor for age-related appeals. Greene criticized the FTC’s approach, suggesting it indicates a lack of genuine commitment to the privacy and speech rights of young people.

Other experts see a more balanced approach in the FTC’s guidelines. Suzanne Bernstein, counsel for the Electronic Privacy Information Center, noted that the statement explicitly requires companies to implement age assurance responsibly. She highlighted that the policy mandates safeguards against data misuse and insufficient security, setting a clear standard for compliance.

This announcement was issued as a policy statement, outlining how the FTC will use its discretion in applying the law. The agency also signaled its intent to pursue more lasting changes by initiating a review of the underlying COPPA Rule itself to formally address age verification mechanisms. The current policy will remain in effect until the FTC either withdraws it or publishes a revised version of the rule that incorporates new language governing these technologies.

(Source: The Verge)