FTC Announces Non-Enforcement of COPPA for Age Verification Data Collection
The Federal Trade Commission has taken a significant step to promote the adoption of age verification technologies by declaring it will not enforce the Children's Online Privacy Protection Act against certain websites that collect and utilize minors' personal information specifically for verifying user ages. This policy statement represents a strategic move to balance child protection with technological innovation in the digital landscape.
Incentivizing Child-Protective Technologies
Christopher Mufarrige, Director of the Bureau of Consumer Protection, emphasized in an official press release that "Age verification technologies are some of the most child-protective technologies to emerge in decades." He further explained that "Our statement incentivizes operators to use these innovative tools, empowering parents to protect their children online." This approach marks a departure from strict enforcement, aiming instead to encourage voluntary adoption of systems designed to shield young users from inappropriate content and interactions.
Specific Criteria for COPPA Exemption
To qualify for this enforcement exemption under the COPPA Rule—which typically mandates parental consent for collecting data from children under 13—websites must adhere to several critical protocols:
- Data collected must be used exclusively for determining a user's age
- Information must be promptly deleted after age verification is complete
- Third-party providers receiving this data must demonstrate reasonable capability to maintain confidentiality, security, and integrity
- Clear notice must be provided about the information being collected
- Reasonable security measures must be implemented
- Companies must strive to ensure reasonably accurate results from verification processes
Privacy Advocates Express Concerns
While many supporters of age verification technologies have welcomed the FTC's announcement, prominent privacy organizations have raised substantial concerns. David Greene, senior counsel for the Electronic Frontier Foundation, warned that "Age-checking-related data collection poses the very threats that COPPA is designed to address." He pointed to existing vulnerabilities, noting "We have already seen age estimation systems having issues with data breaches and leaks."
Greene referenced last year's Discord incident, where approximately 70,000 users potentially had their government identification documents exposed after collection by a third-party vendor handling age-related appeals. He characterized the FTC's approach as "just another sign that the FTC doesn't truly care about young peoples' privacy or speech rights."
Balancing Innovation with Responsibility
Suzanne Bernstein, counsel for the Electronic Privacy Information Center, offered a more nuanced perspective, stating that the FTC's policy statement "makes clear that companies choosing to do age assurance must do so in a way that is responsible and safeguards against data misuse and inadequate data security." This interpretation suggests the policy creates a framework for responsible implementation rather than eliminating oversight entirely.
Policy Implementation and Future Considerations
The FTC issued this guidance as a policy statement, outlining how the agency will exercise discretion in enforcing existing laws. However, officials indicated this may represent a temporary measure while they review the underlying COPPA Rule to permanently address age verification mechanisms. The current policy will remain effective until either withdrawn or superseded by a revised rule that specifically incorporates language regarding age verification technologies.
This development reflects the ongoing tension between protecting children's privacy online and enabling technological solutions that could enhance safety. As digital platforms increasingly seek methods to verify user ages—whether for compliance, content filtering, or safety purposes—regulatory approaches must evolve to address both the potential benefits and inherent risks of collecting sensitive personal information from minors.
