Recent federal and state developments involving age assurance highlight rapidly shifting regulatory requirements for minors' online privacy. Regulators have increasingly signaled support for implementing these tools as part of a business's online privacy compliance strategy. At the same time, court challenges to age assurance requirements enacted by states have created uncertainty for online services that are likely to be accessed by minors.
Age Estimation Revived Amid California Age-Appropriate Design Code Challenges
California's Age-Appropriate Design Code Act (CAADCA), one avenue by which regulators sought to impose age assurance requirements, has faced constitutional challenges, resulting in an injunction that has prevented several of the CAADCA's requirements from taking effect. However, a recent Ninth Circuit decision distinguished the age estimation requirement from many of the other challenged provisions, with the appellate court finding that the record had not established that the age estimation requirement facially violates the First Amendment. Unlike other CAADCA provisions that remain enjoined, the age estimation requirement is now enforceable in California.
FTC Removes Obstacles for the Use of Age Verification Technologies
In February 2026, the Federal Trade Commission (FTC) issued an enforcement policy statement to "encourage the use of robust age-verification mechanisms." The statement clarified that the FTC will not bring Children's Online Privacy Protection Act (COPPA) enforcement actions against operators of general audience or "mixed audience" sites that collect, use, or disclose personal information to verify user ages without obtaining parental consent.
The FTC will exercise this enforcement discretion only if operators implement certain safeguards, including:
- Limiting use, disclosure, and retention of data collected for age verification to only that purpose
- Providing clear notice of the information collection in their privacy policies
- Taking reasonable steps to determine that the age verification method is likely to provide "reasonably accurate results as to the user's age"
The FTC indicated that it intends to pursue further age verification guidance in a forthcoming rulemaking, signaling its continued interest in regulating this space.
Additional State App and App Store Age Requirements
Companies that operate apps should stay alert to emerging state laws that seek to impose age assurance and parental consent requirements on app stores and app developers. As enacted, these laws apply broadly to all apps made available to residents of the applicable state, even if the app is not directed to children or teens. Under these laws, app developers would need to implement processes to request age category and parental consent information from the app stores.
App stores have been working on developing APIs through which developers can request information, though these processes remain in flux as constitutional challenges to these laws work their way through the courts. For example, one constitutional challenge has prevented Texas's law from taking effect, and a similar challenge has been lodged against Utah's law. Utah's law has already been amended in response to this challenge, but continued litigation is likely despite the updates.
What Does This Mean for You?
Despite legal challenges, regulators continue to press forward with efforts to require or promote age assurance processes. To help stay abreast, companies should consider:
- Evaluating whether their services may be subject to age assurance requirements or otherwise benefit from implementing these tools
- Assessing whether age assurance vendor practices and tools align with relevant requirements and the company's privacy practices
- Monitoring ongoing age-appropriate design code and app store accountability litigation developments
If you have questions about these developments or would like assistance evaluating your organization's approach to age assurance and minors' privacy compliance, please contact the authors or Venable's Privacy and Data Security Group.