The Federal Trade Commission (FTC) has a new plan to “protect children online.” It starts by relaxing enforcement of the very privacy law designed to protect them.
In a new enforcement policy statement on the Children’s Online Privacy Protection Act (COPPA), the FTC signals that it will decline to pursue enforcement actions against companies that collect personal information for age-verification purposes before obtaining verifiable parental consent (VPC). In effect, the agency is inviting companies to gather additional data—including from children—in order to determine users’ ages.
That move sits uneasily with COPPA’s statutory design. It also reflects a broader policy shift: rather than mandating age verification directly, the FTC appears to be encouraging it indirectly through selective non-enforcement.
When the Courts Say No, Try Policy Statements
Across the country, federal courts have repeatedly struck down state age-verification mandates on First Amendment grounds, whether aimed at social-media platforms or app stores. These laws may be well intentioned, but courts have concluded that they impose unconstitutional barriers to accessing lawful information online.
As I’ve observed previously, the shift in strategy by age-verification advocates has been evident for some time:
The fight has shifted. Lawmakers have moved their focus from social-media platforms to app stores. But the basic problem hasn’t changed: the First Amendment still stands in the way.
By now, the pattern is clear. Courts have held that age-verification and parental-consent mandates for social media restrict minors’ access to lawful speech and fail constitutional scrutiny because they do not employ the least-restrictive means.
Courts have also pointed to those less-intrusive alternatives. Parents and teens can rely on device-level controls, platform tools, and other user-managed safeguards to address online risks without requiring every user to verify their age simply to access lawful speech.
Justice Brett Kavanaugh made this point explicit when reviewing the Supreme Court’s First Amendment precedents, including Free Speech Coalition. As he explained, “[g]iven those precedents, it is no surprise that the District Court in [NetChoice, LLC v. Fitch] enjoined enforcement of the Mississippi law and that seven other Federal District Courts have likewise enjoined enforcement of similar state laws.”
The FTC now appears to be pursuing a different route to the same objective. The commission’s COPPA Enforcement Policy Statement references the wave of state laws requiring age verification but does not acknowledge that many of those laws have been enjoined or remain under active constitutional challenge.
The timing is notable. Having struggled to enact age-verification mandates that survive First Amendment scrutiny, policymakers now appear to be encouraging the same outcome through regulatory non-enforcement.
That strategy may not be unconstitutional. It nonetheless raises serious concerns. The agency appears to be using regulatory discretion to achieve what Congress has not enacted—and in a way that cuts against COPPA’s core privacy protections.
COPPA Has No Pre-Consent Clause
COPPA’s rule is straightforward: operators must obtain verifiable parental consent before collecting personal information from a child under 13. The statute contains no exception that allows companies to collect data first in order to determine whether a user is a child.
That distinction matters. COPPA regulates the collection of children’s data; it does not function as a general age-verification statute. Its companion legislation, the Children’s Online Protection Act (COPA), did attempt to regulate access to certain online material through age verification. The U.S. Supreme Court ultimately struck down COPA as a violation of the First Amendment.
The FTC’s policy statement moves COPPA closer to that model through enforcement discretion. The agency declares it “will not bring an enforcement action” against companies that collect personal information for “Age Verification Purposes” before obtaining VPC.
That position sits uneasily with the statute’s text. COPPA requires parental consent before collecting children’s personal information. By promising not to enforce the rule when companies collect additional data to verify age, the FTC effectively invites conduct the statute appears to prohibit.
The legal footing for that invitation is thin. The policy statement itself acknowledges its limited legal force, noting that “[t]his Enforcement Statement does not create any substantive rights or entitlements, and the Commission retains the right to investigate and bring actions for violations of the COPPA Rule in individual cases.”
The issue is not that the statement itself is unconstitutional. The FTC is not mandating age verification, and enforcement discretion falls within executive authority. The concern is that the agency appears to be using non-enforcement to encourage the very policy outcome courts have repeatedly blocked when legislatures attempted to impose it directly.
The Collect-It-All Solution
The FTC argues that the policy will “promote innovation” in age-verification technology. In practice, it encourages a “collect-it-all” model.
Reliable age verification often requires biometric identifiers, government-issued IDs, or behavioral “age inference” signals. To determine who might be under 13, companies would likely collect such information from anyone who lands on a site.
That approach reverses COPPA’s logic. The statute was designed to prevent the collection of children’s personal information without parental consent. Age-verification systems, by contrast, operate by collecting information first and determining age afterward. In many cases, a child’s data could be collected before a parent even knows the child visited the site.
The implications extend beyond children. Because age-verification systems must screen every user to identify minors, they necessarily collect information about adults as well. What begins as a rule aimed at protecting children becomes broad-based data collection affecting everyone online.
Large-scale age-verification databases also create security risks. Even with “reasonable security safeguards,” repositories containing biometric identifiers, government IDs, or similar signals would present attractive targets for hackers.
The Long Way Around the First Amendment
The FTC’s approach resembles a familiar regulatory maneuver. When courts reject direct mandates, agencies sometimes pursue similar goals indirectly—here, by signaling that certain conduct will not trigger enforcement.
Encouraging age verification through regulatory forbearance risks achieving through policy signals what legislatures have repeatedly failed to impose through law. At the same time, the approach undermines COPPA’s central safeguard: limiting the collection of children’s personal information without parental consent.
Congress should instead revisit the issue directly. Protecting children online is an important objective, but policies that raise serious First Amendment concerns while expanding data collection are unlikely to survive judicial scrutiny—or improve privacy outcomes.
A more durable approach would empower parents, rather than expand surveillance. Tools that allow families to control how and when minors share age-related information can address safety concerns without requiring universal age verification or testing constitutional limits.
