The FTC’s Age-Check Wink: Kids’ Safety, Adults’ Privacy, and the New ID Checkout Line

I was in the library yesterday, where the dust still believes in rules. The books sit there quietly, not demanding a driver’s license before you can open chapter one. Online, the door policy is changing, not with a bouncer but with a policy statement stamped somewhere between a committee room and a server farm.

What the FTC did (and did not do)

The Federal Trade Commission says it will not bring COPPA enforcement actions against certain sites and services that collect and use personal information strictly to determine a user’s age, as long as they follow conditions: no secondary use, prompt deletion, limited disclosures to vetted third parties, clear notice, reasonable security, and reasonable steps toward accuracy. The agency also signaled it intends to review the COPPA Rule to address age verification mechanisms. The Commission vote was 2-0.

This is not Congress rewriting the law. It is the FTC describing how it plans to use enforcement discretion while the rulebook gets reviewed. In plain English, the referee is saying: run this play, but keep your hands where everyone can see them.

The tradeoff

I understand the impulse. COPPA was enacted in 1998, back when the family computer lived in the kitchen like a second microwave. Now kids carry the internet in their pockets, state laws are pushing platforms toward age gates, parents want help, lawmakers want headlines, companies want predictable compliance, and the FTC wants child-safety efforts that do not accidentally trip COPPA.

But the tradeoff is simple: you may reduce kids’ exposure to adult content and predatory corners of the internet, and you may also normalize an ID checkpoint society. Normalize age verification and you normalize identity friction. After that, someone starts selling the grease.

The Orwell check

Listen to the language: age verification, age assurance, child-protective technologies, incentivize innovation. This is where control starts dressing like a seatbelt. Privacy advocates have warned that age-check data collection can create the very risks COPPA was meant to reduce, especially when sensitive documents or identifiers enter the mix. A policy that depends on perfect deletion and perfect vendor hygiene is a policy that has not met the American internet.

The liberty ledger

• Gains: Parents gain a tool. Platforms gain a clearer compliance lane. The FTC gains breathing room while it considers rule updates. Some kids may gain protection from content they should not be wading through.
• Losses: Adults lose a little anonymity by default. Teens can lose privacy in mixed-audience spaces. Smaller sites face new vendor and compliance costs that giants can absorb. Verification vendors gain a bigger market.

And then there are the people who rarely make the press release: people without easy access to ID, people in unsafe homes, and people exploring sensitive topics who do not want yet another intermediary in the middle.

The Paine test

Does this expand liberty or concentrate power? If age checks can be done with true data minimization, strong security, and real deletion, they might help families set boundaries without turning the public square into a checkpoint. If they drift toward document uploads, biometrics, or persistent identifiers, power concentrates fast, and “temporary” systems tend to renew their lease.

Guardrails that should not be optional

The FTC’s conditions are a start, but paper promises are not guardrails. As this moves from policy statement to rule review, I want: mandatory independent audits for operators relying on this lane; bright-line bans on retaining raw identity documents when less invasive methods exist; public reporting on what categories of data are collected and by which vendors; a strict prohibition on repurposing age-check data for advertising, profiling, or behavioral scoring; and real sunsets with real expiration dates.

Accountability, not vibes

If the FTC is going to steer by discretion while it reviews the COPPA Rule, Congress should hold oversight hearings focused on implementation, state attorneys general should watch for backdoor data collection, courts should remain skeptical of child-safety rationales that track adults, and watchdogs should keep dragging euphemisms into daylight.

We can want kids safer online and still refuse a culture where you have to show papers to enter the public square. If age checks are becoming the new normal, what specific guardrails would you require before you hand over one more scrap of your identity?