FTC declines to enforce a kids privacy law for data collected to verify users’ ages

The Federal Trade Commission is encouraging companies to adopt age verification technologies by announcing it will not enforce a children’s online privacy law against certain websites that collect and use minors’ personal data in order to verify their ages.

“Age verification technologies are some of the most child-protective technologies to emerge in decades,” Christopher Mufarrige, the director of the Bureau of Consumer Protection, said in a press release. “Our statement incentivizes operators to use these innovative tools, empowering parents to protect their children online.”

There are certain criteria that websites need to meet in order to avoid enforcement under the Children’s Online Privacy Protection Act (COPPA) Rule, which generally requires commercial website operators to obtain parental consent to collect information on kids under 13. General or “mixed audience” sites will be allowed to collect minors’ data without verifiable parental consent “for the sole purpose of determining a user’s age” if they follow a set of other protocols: they must promptly delete the data after it’s finished being used to verify age; they can only disclose the data to third-party providers that have taken “reasonable steps to determine are capable of maintaining the confidentiality, security, and integrity of the information;” they must provide a clear notice about the information they’ll collect; they’re expected to employ reasonable security measures; and they must try to ensure that results will be “reasonably accurate.”

The statement has been cheered by many who favor age verification technologies, but some privacy advocates like the Electronic Frontier Foundation (EFF) are skeptical the approach will do more to protect kids online. “Age-checking-related data collection poses the very threats that COPPA is designed to address, and we have already seen age estimation systems having issues with data breaches and leaks,” EFF senior counsel David Greene said in a statement. Last year, Discord disclosed that about 70,000 users might have had their government IDs exposed in a breach, after they were collected by a third-party vendor to review appeals related to age. “This is just another sign that the FTC doesn’t truly care about young peoples’ privacy or speech rights,” Greene said.

But the FTC’s policy statement “makes clear that companies choosing to [do] age assurance must do so in a way that is responsible and safeguards against data misuse and inadequate data security,” Suzanne Bernstein, counsel for the Electronic Privacy Information Center (EPIC), said in a statement.

The announcement came in the form of a policy statement, which essentially describes how the agency will use its discretion to enforce the law. But the agency signaled it is looking to make the changes more permanent, by reviewing the underlying rule “to address age verification mechanisms.” The FTC said that the policy statement will be effective until it’s either withdrawn, or the agency publishes a revised version of the rule amending its language around age verification technologies.