
FTC Clarifies COPPA Age Verification Rules as UK ICO Fines Reddit £14.47m for Children’s Privacy Failures

Julie Rubash, General Counsel and Chief Privacy Officer
March 3, 2026


The FTC has issued a policy statement clarifying that it will not bring COPPA enforcement actions against certain general and mixed-audience sites that collect children’s personal information solely for age verification, provided that specific safeguards are met. Meanwhile, the UK ICO fined Reddit £14.47m for failing to implement robust age assurance and conduct a data protection impact assessment, underscoring increasing regulatory focus on children’s privacy.

Keep reading to learn more and discover my takeaways.

United States

FTC Approves Collection of Children’s Data for Age Verification.

The Federal Trade Commission (FTC) published a policy statement clarifying that the commission won’t bring enforcement actions under the Children’s Online Privacy Protection Act (COPPA) against general audience (not directed to children) and mixed audience (directed to children but not as their primary audience) sites and services that collect, use or disclose personal information from children for the sole purpose of determining the user’s age without first obtaining parental consent, as long as they: 

  1. Do not use or disclose information collected for age verification purposes for any purpose except to determine a user’s age
  2. Do not retain this information longer than necessary to fulfill the age verification purposes and delete such information promptly thereafter
  3. Disclose information collected for age verification purposes only to those third parties that the operator has taken reasonable steps to determine are capable of maintaining the information’s confidentiality, security, and integrity, including by obtaining certain written assurances from those third parties
  4. Provide clear notice to parents and children of the information collected for age verification purposes
  5. Employ reasonable security safeguards for information collected for age verification purposes
  6. Take reasonable steps to determine that any product, service, method, or third party utilized for age verification purposes is likely to provide reasonably accurate results as to the user’s age.

TAKEAWAY

The FTC rules under COPPA were amended in 2025 to, among other changes, create a new standalone definition for “mixed audience website or online service.” This definition allows for the collection of age information “or using another means that is reasonably calculated, in light of available technology, to determine whether the visitor is a child.” The definition says that “any collection of age information, or other means of determining whether a visitor is a child, must be done in a neutral manner that does not default to a set age or encourage visitors to falsify age information”, but it does not otherwise specify what “age information” means and to what extent personal information besides age or date of birth could be collected without parental consent to enable a more robust age verification process than self-identification.

Further, FAQs issued by the FTC indicate an expectation that age verification should be self-identification. Specifically, they say, “In designing your age screen, you should ask for age information in a neutral manner, making sure the data entry point allows users to enter their age accurately and does not default to an age 13 or over. An example of a neutral age screen would be a system that allows a user to freely enter the month and year of birth. Avoid encouraging children to falsify age information by, for example, stating that certain features will not be available to users under age 13. In addition, consistent with long-standing Commission advice, FTC staff recommends using technical means, such as a cookie, to prevent children from back-buttoning to enter a different age.” This new policy statement clarifies, though, that self-identification is not the only permissible form of age verification, as long as the specified conditions are met.


In addition to clarifying COPPA, the policy statement potentially helps reconcile COPPA with certain recent state laws that impose heightened standards for age verification or estimation. For example, the California Age Appropriate Design Code Act (currently under an enforcement injunction) requires businesses providing online services, products or features likely to be accessed by children under age 18 to estimate user age with “a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business.” The Utah Social Media Regulation Act requires social media companies to implement an age assurance system reasonably calculated to identify whether an account holder is a minor with at least 95% accuracy. Self-identification might be insufficient to meet these standards. 


Europe

ICO fines Reddit for Children’s Privacy Failures. 

The UK Information Commissioner’s Office (ICO) issued a £14.47m fine against Reddit based on findings that the platform: 

  1. Failed to apply any robust age assurance mechanism, thus lacking a lawful basis for processing the personal information of children under 13
  2. Failed to conduct a data protection impact assessment (DPIA) to assess and mitigate risks to children.

This fine comes just three weeks after the ICO fined MediaLab.AI (owner of the image-sharing platform Imgur) over similar allegations. Both are part of a wider children’s privacy intervention.


TAKEAWAY

The UK Age Appropriate Design Code requires services likely to be accessed by children under 18 to either establish age with a level of certainty appropriate to the risks to children’s rights and freedoms arising from the data processing, or apply the code’s standards to all users. The code is not prescriptive about the exact methods companies should use to establish age, but the ICO provides guidance on considerations for using self-declaration (which may be suitable for low-risk processing), artificial intelligence (which typically provides a greater level of certainty), third-party age verification (which may allow a company to take advantage of technical expertise and the latest developments in the field), account holder confirmation (which allows for confirmation of user age from an existing account holder known to be an adult, as well as setting up child profiles and access restrictions), technical measures (used to strengthen self-declaration measures), or hard identifiers like passports (which are discouraged unless warranted by the risks). 


The announcement of the Reddit fine included a quote from UK Information Commissioner John Edwards: 

“Relying on users to declare their age themselves is not enough when children may be at risk and we are focusing now on companies that are primarily using this method. I therefore strongly encourage industry to take note, reflect on their practices and urgently make any necessary improvements to their platforms.” 

Like the FTC policy statement (see story above), the UK children’s code allows the collection of personal data to establish age, provided data protection obligations such as data minimisation, purpose limitation, storage limitation, and security are met.


A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
