United States 
Canada (EN) 
México 
France 
Deutschland 
United Kingdom 
Quick Hits
- The FTC said in a policy statement that it will take a relaxed COPPA enforcement position for certain website and online service operators that collect personal information solely for determining a user’s age without first obtaining parental consent if specific conditions are met.
- The FTC’s policy statement applies only to “general” and “mixed” audience operators of websites and online services, not operators that target children as their primary audience.
- Given overlapping state obligations, flexible standards in the FTC’s policy statement, and a forthcoming formal review of the COPPA Rule that may result in additional regulatory changes, enforcement risks for businesses persist.
COPPA’s Age Verification Dilemma
Under COPPA, covered operators—commercial websites or online services that are directed toward, or have actual knowledge that they collect personal information from, children under the age of thirteen—must provide parental notice and obtain verifiable parental consent before collecting, using, or disclosing personal information from children under thirteen online. This requirement has created a compliance dilemma for businesses that need to deploy age verification technologies because some age verification tools themselves may require the collection of personal information such as the user’s photograph, date of birth, or biometric data. This catch-22 put covered operators in a difficult position: risk violating COPPA by failing to verify a user’s age, or risk violating COPPA by deploying age verification technologies.
The FTC’s policy statement is intended to alleviate this tension. FTC Bureau of Consumer Protection Director Christopher Mufarrige framed the guidance as encouraging innovation, stating that age verification technologies are “some of the most child-protective technologies to emerge in decades” and that the agency’s policy “incentivizes operators to use these innovative tools, empowering parents to protect their children online.”
FTC’s New COPPA Enforcement Posture
Operators who want to rely on the FTC’s signaled enforcement flexibility must satisfy six detailed requirements related to the collection, use, and disclosure of age verification data. Specifically, operators must:
- refrain from using or disclosing information collected for age verification for any other purpose besides determining a user’s age;
- delete such information promptly after completing the age verification process, retaining it no longer than necessary;
- disclose information collected for age verification purposes only to those third parties the operator has taken “reasonable steps” to determine are capable of maintaining the confidentiality, security, and integrity of the information, including by obtaining certain written assurances;
- provide “clear notice” to both parents and children regarding what information is collected for age verification purposes;
- employ “reasonable security safeguards” for age verification data; and
- take “reasonable steps” to determine that the age verification method the operator selects is likely to produce accurate results.
Additionally, operators that target children as their primary audience are not eligible for relaxed enforcement under the policy statement.
Looking Ahead: Formal Regulatory Changes to Come
The policy statement will likely remain in effect until the FTC publishes formal COPPA Rule amendments addressing age verification, which may be initiated in the coming months and could include amendments. Until that time, businesses may want to keep in mind that the FTC’s policy statement has not yet been enshrined in law and could be withdrawn at any time.
Given the limited and discretionary nature of the policy statement, the strict conditions, and the need for “reasonable practices,” the FTC will likely scrutinize implementation. Additionally, the policy statement may have a cascading effect. State rules regarding the collection and processing of minors’ data which are often intertwined with COPPA—potentially including in the age verification context—still apply. For example, our previous article explained the New York attorney general’s guidance for businesses, schools, and other organizations that collect or process the personal data of minors in New York. These frameworks and regulators are not bound by the FTC’s policy statement. Thus, companies may face a landscape in which determining a user’s age can trigger different compliance duties under state and federal laws. Businesses considering deploying age verification technologies may want to evaluate whether their practices align with the policy statement and prepare for potential additional guidance from the FTC.
Ogletree Deakins’ Cybersecurity and Privacy Practice Group will continue to monitor developments and will provide updates on the Cybersecurity and Privacy blog as new information becomes available.
Follow and Subscribe
LinkedIn | Instagram | Webinars | Podcasts
