Your Age Belongs to Us

What the Age-Assurance Landscape Means for Every Company Online

Age assurance – the umbrella set of techniques used to establish, estimate, or infer the age of an online user – has rapidly emerged as a compliance priority for virtually every company with an online presence. Across federal enforcement, state legislation, and global regulation, companies are now expected to know something meaningful about whether their users are children. This alert maps the current legal landscape, explains the three technical approaches (age verification, age attestation, and age estimation) and identifies the concrete steps companies should take now to position themselves ahead of requirements that are crystallizing faster than most have anticipated.

Children are the future – and, increasingly, the future of advertising, commerce, and regulatory liability. Brands market moisturizer to toddlers, eyeshadow to five-year-olds, and anti-aging serums to preteens through TikTok; fintech products are aggressively marketed to teens. While the retinol cream will likely be bought by a parent, the data collected along the way belongs to the platform. The concern is not just what children are being sold, but where they go and what happens to them when they get there: the gaming platforms, social media feeds, and general-audience sites that collect data from minors at scale, often without knowing (or asking) who is on the other end of the connection. An entire commercial ecosystem is purpose-built around child consumers, and with it comes a set of legal obligations most companies have not yet fully confronted and operationalized.

Online age assurance has moved, in roughly three years, from a constitutionally marginal idea to a mainstream regulatory regime. Recent litigation illustrates the increasingly heightened focus on children's privacy: Roblox faces lawsuits in Los Angeles County alleging its age-verification architecture is not fit for purpose, exposing children to online predators and inappropriate content. In March 2026, a New Mexico jury returned a $375 million verdict against a major technology company on claims that the company concealed the scope of mental health harm its platforms caused to underage users. A day later, Google faced a similar verdict in Los Angeles. The public is demanding accountability and protection for its most vulnerable population. These implications extend beyond the realm of social media; any company with a digital presence accessible to minors faces growing exposure to similar risks.

Across federal enforcement, state legislation, global regulation, and the plaintiffs' bar, the signal is the same: companies will be required to know something about whether their users are children. What exactly they need to do, and how, remains far from resolved. We map the terrain and what you need to know below.

The Regulatory Movement

Several developments have converged to make 2026 an inflection point for child privacy. In January 2026, the Federal Trade Commission (FTC) held its public Age Verification Workshop, which focused on the interplay between age verification technologies and the Children's Online Privacy Protection Act (COPPA). During the workshop, government regulators, industry representatives, and consumer advocates discussed the importance of age verification, age verification and estimation tools, navigating the regulatory contours of age verification, and how to deploy age verification more widely. The workshop highlighted the agency's continued focus on age verification technology adoption and, from a broader perspective, signaled that age verification tools will continue to become a more mainstream mechanism in privacy compliance efforts, particularly as it pertains to COPPA and the emerging network of state-level children's online privacy laws.

A month later, in February 2026, the FTC issued a COPPA Enforcement Policy Statement creating a conditional safe harbor for operators that collect data solely for age verification purposes, provided they satisfy six specific conditions, including purpose limitation, prompt deletion, and reasonable accuracy. The statement is a bridge to forthcoming rulemaking (not a final rule), but it signals unambiguously that self-declaration of age is no longer acceptable. That the safe harbor is addressed to general audience platforms, not only to child-directed services, is itself telling: the FTC contemplates that all platforms will implement age verification.

The White House's March 2026 National AI Policy Framework called on Congress to establish "commercially reasonable, privacy protective, age-assurance requirements" (such as parental attestation) for artificial intelligence (AI) platforms likely to be accessed by minors and to affirm that existing children's privacy protections, including limits on data collection for AI model training and targeted advertising, apply to AI systems.

Additionally, the Supreme Court's June 2025 decision in Free Speech Coalition v. Paxton removed the First Amendment barrier that had previously stayed numerous state age-gating laws (laws requiring age verification before accessing certain online content), and the FTC's April 2025 COPPA Rule amendments expanded the definition of personal information, tightened data retention obligations, and expressly prohibited using children's data to train AI models without separate verifiable parental consent. Together, they closed the constitutional, regulatory, and policy escape routes that had previously allowed companies to defer or avoid meaningful age-assurance architecture.

American regulators are not leading this movement but catching up to it. Australia enacted a landmark social media ban for users under 16 in December 2025, requiring platforms to develop age-assurance mechanisms at scale. The UK's Online Safety Act brought age verification requirements into force in July 2025. In March 2026, the UK's Ofcom and Information Commissioner's Office issued a joint statement on age assurance, reconciling online safety and data protection obligations under a "highly effective age assurance" (HEAA) standard. Age assurance is not an American regulatory preoccupation but a global compliance imperative. The European Data Protection Board issued its statement on age assurance in February 2025. And in early May, Canada released guidance on age assurance technologies, endorsing their deployment while cautioning against disproportionate privacy risks.

Regulatory pressure is already producing market-level responses. Leading technology companies have announced they are expanding AI-powered age assurance measures to automatically place users they believe may be teenagers into age-appropriate "Teen Account" protections in the EU, Brazil, and the U.S.

The Bottom Line on Regulatory Momentum

The FTC safe harbor, the White House AI framework, the COPPA Rule amendments, the Supreme Court's recent opinion removing the First Amendment barrier to age-gating laws, and the global wave of children's online safety laws are a convergence, not independent events. The question for companies, then, is whether they will be ready as specific requirements crystallize.


The Central Tension: Verification vs. Attestation

The internet was not designed with children in mind. It largely assumes users are supervised adults, an increasingly fictional landscape belied by every teen, tween, and under-ten who scrolls on their own phones or tablets with unsupervised access. In reality, when a child is online, they are rarely accompanied. A child with a device and an account has functionally the same access as any adult: the same feeds, the same advertising, the same data collection. No one, at any point in that user's journey, verified their age. Regulators have settled on three approaches (verification, estimation, and attestation) that are architecturally distinct, legally significant, and in genuine tension with one another.

Age Verification: High Assurance, High Privacy Cost

Age verification is the gold standard – and a double-edged sword. It requires a platform to independently confirm a user's age through a third-party check: typically a government ID, biometric scan, or database lookup against official records. The assurance it provides is unmatched, and it is mandated by most of the 24-plus states that have enacted adult content age verification laws. But that assurance comes at a significant price.

Verification requires collecting and processing sensitive personal information before any protection kicks in, generating a data trail that must be carefully managed to comply with data minimization requirements under the California Consumer Privacy Act (CCPA), General Data Protection Regulation (GDPR) Article 5, and analogous state frameworks.

Critics of age verification refer to the practice as the "Trojan horse of surveillance," and their concerns are well founded. Mandating hard verification (government ID, biometrics, third-party credential checks) as the price of accessing lawful online content means that every adult must prove their innocence before they can participate. The infrastructure built to protect children doesn't disappear after verification; it persists, accumulates, and creates new vectors for breach, misuse, and surveillance that no regulatory intent can fully constrain. The question is not whether age verification works. It does. The question is what else it does – and whether the cure is worse than the disease.

The European Commission's recent rollout of its own age-verification app illustrates how these risks play out in real time. Presented as "technically ready" and touted as the preferred mechanism for platforms to meet their legal obligations under the Digital Services Act, within hours of its open-source release, cybersecurity experts identified serious vulnerabilities in the app: the app stored sensitive identity data on users' devices without adequate protection and could be bypassed to allow a minor to use an adult's verified credential.

Seven member states (Cyprus, Denmark, France, Greece, Ireland, Italy, and Spain) are preparing coordinated national versions of the app for deployment by year-end. The episode illustrates a risk that applies well beyond the EU: political pressure to act quickly tends to produce exactly the surveillance and breach vulnerabilities that privacy-preserving architecture exists to prevent. The gap between what a system promises and what it delivers is not theoretical.

Age Estimation: Low Assurance, High Privacy Cost

Age estimation is a method based on analysis of biological or behavioral features of individuals that vary with age – such as facial geometry, voice patterns, or behavioral signals – to infer a user's approximate age range without requiring identity documents. Unlike verification, it involves no government ID; unlike attestation, it requires the platform to process the user's own physical or behavioral characteristics. The output can be expressed as an estimated most likely age, a binary above/below threshold determination, or a full probability distribution. Although the approach appears promising in concept, in practice, the technology carries significant limitations. 

This form of age assurance raises significant concerns around accuracy, entrenched racial biases, and data privacy. A comprehensive study, conducted by the National Institute of Standards and Technology's (NIST) Face Analysis Technology Evaluation (FATE) Age Estimation & Verification project, measured the performance of 33 facial age estimation systems and found high error rates across the board; the best-performing algorithms still carried a mean absolute error of 2.7 years on images of visa applicants. 

An additional significant concern is privacy risk, as the system must capture and process the user's facial image. The evaluator of this biometric data could potentially use it to identify the user or misuse it in other ways, implicating a growing body of biometric legislation and carrying a legal risk that extends beyond the age-gating problem the tool was designed to address. 

Further, facial age estimation tools may constitute the collection of biometric information under Illinois's Biometric Information Privacy Act (BIPA), Texas's Capture or Use of Biometric Identifier Act (CUBI), and similar state laws, though whether age estimation falls within the statutory definitions of biometric data remains a contested question. Where these laws do apply, consent and deletion obligations attach at the moment of collection, not retention.

Age Attestation: Minimization-Consistent, But Incomplete

Age attestation operates on a fundamentally different premise. Instead of asking a platform to verify who a user is, attestation asks it to trust a signal it never has to touch. That signal originates from the user's device – configured by a parent or device administrator – and communicates an age category to the platform without the platform ever receiving the underlying identity information. No government ID changes hands. No biometric is scanned. The platform simply receives a signal saying, in effect, this user is under 13, or between 13 and 16, or an adult. The identity stays with the user. Only the age category travels.

That architecture is legally significant as well as technically elegant. The signal is low-entropy category data: not a birthdate, not a government ID, not a unique identifier that can be scraped, profiled, or breached. It is a bracket. And a bracket is far harder to weaponize than an identity. California's AB 1043 (Digital Age Assurance Act, effective January 1, 2027) operationalizes this model at the operating system level, requiring providers to transmit a standardized age bracket (under 13, 13 to 16, 16 to 18, or 18 plus) to app developers via API. The legal consequence is significant: a developer that receives the signal is deemed by statute to have actual knowledge of the user's age range, triggering COPPA and analogous state obligations automatically. Colorado enacted a substantially identical framework (SB26-051, effective 2028). What began as a California experiment may be expanding to a national architecture.

Attestation is not a silver bullet. Its reliability depends on a parent configuring the device correctly; it does not yet reach the open web; and a determined teenager can work around it. But those limitations contextualize attestation rather than disqualify it. As the most minimization-consistent architecture currently available, attestation may satisfy age-awareness obligations without building the kind of identity surveillance infrastructure that privacy advocates and, increasingly, regulators find deeply concerning. Companies designing systems today should build toward these signals now, before they become legally mandatory rather than merely available.

The Architecture Decision

Neither verification nor attestation is a perfect solution. Verification provides higher assurance but imposes significant data minimization costs, and estimation imposes biometric privacy costs. Attestation is minimization-consistent but incomplete. AI tools relocate rather than resolve the underlying tensions. Companies should prioritize architectures defensible across multiple possible regulatory outcomes.


COPPA's Shadow

COPPA applies to operators of websites and online services directed to children under 13, and to any operator with actual knowledge that it is collecting personal information from a child under 13. The latter is where general-audience platforms consistently underestimate their exposure. Implementing age verification creates a counterintuitive risk: once a platform has a mechanism to confirm user ages, it becomes harder to credibly claim it did not know when a minor was present.

This dynamic can apply to attestation: for example, under California's AB 1043, a developer that receives an age bracket signal is deemed by statute to have actual knowledge of that user's age range, making the "actual knowledge" trigger automatic rather than contingent. A user flagged as under 13 – whether through verification or attestation – activates the full COPPA compliance regime. The FTC's February 2026 policy statement is designed partly to address this dilemma, but the underlying dynamic remains. Any age assurance mechanism is likely to expand COPPA obligations rather than satisfy them.

The FTC's April 2025 COPPA Rule amendments tightened the framework significantly: expanding definitions to capture biometric data and persistent identifiers, implementing stricter data security and retention obligations, introducing new mixed-audience service standards, and including an express prohibition on using children's data to train AI models or support behavioral advertising without separate verifiable parental consent. Ongoing FTC enforcement actions – including a multimillion-dollar settlement with app and game developers for COPPA violations in January 2025 – confirm that the risk is not theoretical. Platforms that knew or should have known their users included children, and failed to take adequate steps, may see consequences play out in civil litigation as well as FTC enforcement actions. This risk applies equally to any platform with significant minor user exposure and inadequate age-awareness architecture.

The Emerging Patchwork: What Is Already Law

More than 24 states have enacted adult content age verification mandates, a trend accelerated by Free Speech Coalition v. Paxton. But adult content laws are only part of the picture – and arguably not the most consequential part. A broader set of children's privacy and online safety laws now reach platforms that have never thought of themselves as adult content providers: social media, gaming, fintech, edtech, and general-audience services with any meaningful minor user base. The landscape now includes more than two dozen enacted state statutes covering adult content age verification, social media age restrictions, children's privacy and age-appropriate design codes, and OS-level attestation frameworks, in addition to a growing set of "app store accountability" laws that reach all app developers regardless of whether their products target minors. This landscape is evolving rapidly; companies should confirm their current status with counsel.

What Companies Should Be Doing Now

The rules are not fully written. But the direction is unmistakable, and the cost of waiting is not neutrality but exposure. Companies that defer architecture decisions until a comprehensive federal framework arrives are likely to find themselves retrofitting compliance into systems not designed for it, on a timeline set by regulators and juries rather than their own engineering cycles.

Six compliance priorities stand out regardless of how the regulatory picture ultimately resolves:

  • Audit your age data practices. Inventory services, audiences, and data flows, and determine whether any services are child-directed or likely to attract minors. Identify every point in the user journey where age data is collected, used, inferred, or processed. Understand what is collected, why, where it goes, and how long it is retained. Map regulatory exposure by jurisdiction through the identification of states and user populations served. This audit is the foundation for every other compliance decision.
     
  • Make an architecture decision. Choose a verification, estimation, or attestation approach – or a combination – that is proportionate to your platform's risk profile and defensible across the range of likely regulatory outcomes. For each verification context, identify whether applicable law requires knowledge-based handling, affirmative age determination, or hard verification, and the relevant age thresholds. Apply proportionality and select the least intrusive method that satisfies the legal standard and the platform's risk profile. High-risk platforms in regulated industries – alcohol, gambling, adult content, or financial services – will continue to need hard verification for specific access decisions.
     
  • Engineer for privacy. Adopt a data-minimizing architecture that satisfies age assurance obligations while collecting and retaining only the minimum amount of necessary personal data, and document the architecture in data protection impact assessments. Privacy-protective design patterns include: (1) minimizing the output: capture only a binary or range result (over/under threshold), rather than exact age, date of birth, or an underlying document; (2) processing on-device where feasible: run estimation locally so that raw biometrics never leave a user's device; (3) deleting immediately: discard images and IDs once the age result is produced and retain proof only of the assurance event, not the source data; (4) offering choice and fallbacks: provide multiple methods so users are not forced into ID upload; and (5) exercising proportionality: match method rigor to applicable risk and reserve hard verification for high-consequence contexts.
     
  • Vendor diligence. Companies evaluating third-party age verification vendors should scrutinize biometric data handling, model training clauses, and COPPA compliance representations. Existing vendor contracts that predate the 2025 COPPA amendments should be reviewed immediately, a task made particularly pressing by the April 2026 compliance deadline now in effect. Require independent accuracy and demographic bias testing (e.g., NIST participation), data minimization and deletion commitments, security attestations, and clear allocation of COPPA/processor obligations by contract.
     
  • Monitor the horizon actively. The FTC's forthcoming rulemaking will replace the current safe harbor with binding requirements – and the safe harbor's six conditions are a preview of what those requirements will look like. The critical missing piece in the attestation framework – extension of OS-level signals to the open web – is being actively developed in California and at the federal level; when it arrives, the architecture question will stop being optional. State AG enforcement post-Paxton is accelerating: attorneys general now have both the legal authority and the political incentive to move. The window for voluntary architecture decisions is open, but it will not stay open indefinitely.
     
  • Know whether you are an app developer and act accordingly. Companies that operate apps should be alert to a growing body of state laws imposing age assurance and parental consent requirements on app stores and app developers directly. As currently enacted in California, Louisiana, Texas, and Utah, these "app store accountability" statutes apply broadly to all apps made available to residents of those states, and not only apps directed at children or teens. Under these frameworks, app developers would need to implement processes to request age category and parental consent information from the relevant app stores. These obligations attach at the app-developer level regardless of whether a platform otherwise considers itself child-directed.
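
To make the "Engineer for privacy" patterns above concrete (minimizing the output, deleting immediately, and retaining proof only of the assurance event), the following Python example is added here; it is not part of the original alert and is not any statute's, operating system's, or vendor's API. The function names, record fields, bracket labels, and the half-open handling of the bracket boundaries are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, asdict
from datetime import date

# Brackets as listed in the alert for AB 1043. Treating each boundary as
# half-open (a 13-year-old falls in "13_to_16") is an assumption.
BRACKETS = [(13, "under_13"), (16, "13_to_16"), (18, "16_to_18")]
ADULT = "18_plus"
VALID_BRACKETS = {label for _, label in BRACKETS} | {ADULT}
METHODS = {"verification", "estimation", "attestation"}
ALLOWED_FIELDS = {"event_id", "bracket", "method", "checked_on"}


def age_in_years(dob: date, on: date) -> int:
    """Whole years elapsed. A 29 February birthday counts from 1 March
    in non-leap years because the (month, day) comparison is strict."""
    if dob > on:
        raise ValueError("date of birth is in the future")
    return on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))


def to_bracket(age: int) -> str:
    for upper, label in BRACKETS:
        if age < upper:
            return label
    return ADULT


@dataclass(frozen=True)
class AssuranceEvent:
    event_id: str     # random; not derived from the user, device, or document
    bracket: str      # the only age information that is kept
    method: str
    checked_on: date


def assure_from_dob(dob: date, method: str, on: date) -> AssuranceEvent:
    """Verification/estimation path: reduce the source value to a bracket.
    The date of birth is never stored, logged, or returned."""
    if method not in METHODS:
        raise ValueError(f"unknown method: {method}")
    return AssuranceEvent(secrets.token_hex(8),
                          to_bracket(age_in_years(dob, on)), method, on)


def assure_from_signal(signal: str, on: date) -> AssuranceEvent:
    """Attestation path: the platform only ever receives a bracket."""
    if signal not in VALID_BRACKETS:
        raise ValueError(f"unrecognized age bracket signal: {signal!r}")
    return AssuranceEvent(secrets.token_hex(8), signal, "attestation", on)


def stored_record(event: AssuranceEvent) -> dict:
    """What is persisted as proof of the assurance event. Fails closed if a
    later schema change adds a field outside the minimized allow-list."""
    record = asdict(event)
    record["checked_on"] = event.checked_on.isoformat()
    extra = set(record) - ALLOWED_FIELDS
    if extra:
        raise ValueError(f"non-minimized fields in record: {sorted(extra)}")
    return record


def requires_child_handling(event: AssuranceEvent) -> bool:
    """Under-13 result, from any method, routes the account to the COPPA flow."""
    return event.bracket == "under_13"


if __name__ == "__main__":
    # Constructed sample input: a user one day short of a 13th birthday.
    ev = assure_from_dob(date(2013, 6, 15), "verification", date(2026, 6, 14))
    print(stored_record(ev), requires_child_handling(ev))
```
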

Conclusion

The age-assurance landscape has shifted not through a single definitive law but through the simultaneous convergence of federal enforcement, state legislation, global standards, and civil litigation – each reinforcing the others and each narrowing the space for inaction. The specific requirements are still forming, and the tension between verification, estimation, and attestation remains genuinely unresolved. But the overall direction has been resolved: toward more robust age awareness, toward minimization-consistent architecture, and toward parental empowerment rather than platform self-regulation. Companies that treat that direction as the destination – rather than waiting for the final map – will be the ones best positioned when the requirements crystallize.

Companies that build thoughtful, proportionate age-awareness infrastructure now will be better positioned across all possible futures than those waiting for clarity that may arrive in fragments, on a timeline driven by regulators and juries. Baker Donelson is available to assist with age verification compliance, vendor contract review, COPPA obligations, and privacy architecture strategy. For more information, please contact the authors, MJ McMahan, Matt White, and David Oberly, or any member of Baker Donelson's Data Privacy and Cybersecurity Team.
