top of page
Search

Age verification is becoming a top enforcement theme

  • Writer: Katarzyna Celińska
    Katarzyna Celińska
  • 9 hours ago
  • 2 min read

Ageverification is being enforced more and more aggressively by regulators.

 

I recently wrote about Reddit and MediaLab/Imgur (ICO fines in the UK), and we’re seeing the same direction in the US: regulators are moving from “expectations” to enforcement, and age gates that exist only in a Privacy Policy or Terms & Conditions are increasingly treated as paper compliance.

 

Photo: Freepik


FTC: clearer stance under COPPA

 

A key development is the FTC’s Feb 25, 2026 policy statement: the FTC says it will use enforcement discretion and not bring COPPA actions against certain operators who collect personal information solely to determine a user’s age, if strict safeguards are met. Those safeguards include: purpose limitation, prompt deletion, reasonable security, written assurances from verification vendors, clear notice, and reasonable accuracy.

 

This is not a “free pass.” It’s a signal that regulators want companies to implement real age assurance, but in a way that is privacy-preserving and tightly governed.

 

US enforcement examples

 

We have multiple enforcement actions where child protections and age controls were central:

➡️ FTC v. Microsoft (Xbox) — $20M COPPA settlement for allegedly collecting children’s data without parental notice/consent and retaining it longer than permitted.

➡️ FTC + DOJ v. TikTok/ByteDance — lawsuit alleging widespread COPPA violations, including unlawful collection/retention of children’s data.

➡️ California AG + LA City Attorney v. Tilting Point — enforcement action involving COPPA/CCPA issues, including concerns about how “age screens” were designed and whether they encouraged accurate age entry (i.e., whether the control works in practice).

 

What this means for companies

 

If your service is consumer-facing (apps, communities, content platforms, adtech-enabled products), assume children can access it unless you can prove otherwise.

 

If you potentially process children’s data, it’s time to implement age verification / age assurance mechanisms that actually work and to design them proportionately to risk.

 

Because:

Privacy Policy / T&C statements are not enforcement-proof

regulators increasingly look at technical implementation, not declarations

“age gates” must be neutral, effective, and evidenced



 
 
 

Comments

Stay in touch

office@itgrcadvisory.com

ITGRC ADVISORY LTD. 

590 Kingston Road, London, 

United Kingdom, SW20 8DN

​company  number: 12435469

Privacy policy

  • Facebook
  • Twitter
  • LinkedIn
  • Instagram
bottom of page