Commentators and some platforms have started to call it the "age verification trap." On one side, lawmakers and regulators are requiring stricter age checks to protect minors. On the other, doing so often means collecting biometric or identity data from exactly the people (children) that privacy laws like COPPA are meant to protect. So platforms are told both "verify age" and "don't over-collect on kids," and the two can feel in tension.
The FTC's narrow path and privacy advocates' pushback
The FTC's February 2026 COPPA policy statement offered a narrow path: it said the agency would use enforcement discretion for operators that collect personal information solely or primarily for age verification, provided they meet conditions on accuracy, security, notice, and retention. Privacy advocates were not reassured. The Electronic Frontier Foundation, for example, has argued that age-verification data collection creates the same risks COPPA is supposed to address, and pointed to incidents like the Discord vendor breach that exposed tens of thousands of ID images. Operators sit in the middle: weak checks draw fines; heavy collection draws privacy risk and a larger breach surface.
The way out: minimise what you collect and keep
Minimise what you collect and keep. Use age verification that does not require storing face images or ID documents. Prefer on-device processing or providers that return only a signed outcome (e.g. "18+") and an audit ID. The less you hold, the easier it is to show you have not kept biometrics or identity data in a form that triggers the sharpest COPPA or GDPR issues. Aim for the outcome regulators ask for, effective age assurance, without building the kind of central store of scans that ends up in breach reports. A practical privacy-first flow: integrate once, run an ID and liveness check the first time (or a short re-check for returning users), and store only a token and an Audit ID for compliance. Keeping no IDs or faces on your disks or in the vendor's long-term store keeps you out of the worst version of that trade-off.
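The "signed outcome plus Audit ID" flow described above, as an added example that is not from the original article or from any vendor's SDK. It assumes a hypothetical provider that signs its JSON result with HMAC-SHA256 under a shared key (real providers often use asymmetric signatures); the token format, field names and key are constructed for illustration.

```python
import base64, hashlib, hmac, json

# Assumption: shared-key HMAC-SHA256 over the raw JSON payload.
PROVIDER_KEY = b"constructed-demo-key"   # constructed value, not a real secret
STORED_FIELDS = ("outcome", "audit_id", "verified_at")   # all that is persisted

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def make_sample_token(payload: dict, key: bytes = PROVIDER_KEY) -> str:
    """Constructed stand-in for the result a provider would return."""
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)

def accept_outcome(token: str, now: float, max_age_s: int = 300) -> dict:
    """Verify the signed outcome and return the only record the operator keeps."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError as exc:            # wrong part count or bad base64
        raise ValueError("malformed token") from exc
    expected = hmac.new(PROVIDER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(body)
    if claims.get("outcome") != "18+":
        raise ValueError("age requirement not met")
    if not 0 <= now - claims.get("verified_at", 0) <= max_age_s:
        raise ValueError("stale or future-dated result")   # blocks replay
    if not claims.get("audit_id"):
        raise ValueError("missing audit id")
    # Allow-list: anything else in the payload (name, DOB, image) is dropped
    # here and never reaches storage or logs.
    return {k: claims[k] for k in STORED_FIELDS}

if __name__ == "__main__":
    t0 = 1_700_000_000                   # constructed timestamp
    token = make_sample_token({"outcome": "18+", "audit_id": "AUD-constructed-001",
                               "verified_at": t0, "dob": "2000-01-01"})
    print(accept_outcome(token, now=t0 + 5))
```

The allow-list in `accept_outcome` is the data-minimisation control: even if a provider response carries extra identity fields, only the outcome, the audit ID and the timestamp survive.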



