The Federal Trade Commission (FTC) takes its stand around age verification technologies and children’s online privacy. In a new policy statement released Wednesday, the agency clarified that it will not bring enforcement actions under the Children’s Online Privacy Protection Rule (COPPA Rule) against website and online service providers that collect and use personal data solely for age verification technologies, provided strict safeguards are followed. This move signals a practical shift in how regulators are approaching the complex balance between privacy compliance and real-world child safety online.

FTC Encourages Adoption of Age Verification Technologies

The new FTC policy statement aims to remove regulatory uncertainty that has long discouraged platforms from implementing age verification technologies. Under the COPPA Rule, operators must obtain verifiable parental consent before collecting personal information from children under 13. However, determining whether a user is a child often requires collecting some form of personal data—creating a compliance dilemma for companies. By clarifying its enforcement stance, the FTC is effectively encouraging platforms to adopt stronger age verification technologies rather than relying on outdated self-reported age gates that are easy for children to bypass. “Age verification technologies are some of the most child-protective technologies to emerge in decades,” said Christopher Mufarrige, Director of the FTC’s Bureau of Consumer Protection. “Our statement incentivizes operators to use these innovative tools, empowering parents to protect their children online.” The policy reflects the reality that children’s internet usage has dramatically expanded since COPPA was first enacted in 1998. Today’s digital ecosystem includes social platforms, gaming environments, streaming services, and AI-driven applications—many of which were unimaginable when the law was originally written.

Why Age Verification Technologies Are Becoming Essential

The FTC’s position comes at a time when policymakers globally are questioning whether existing frameworks are sufficient to protect minors online. Several U.S. states have already begun introducing regulations requiring platforms to implement age verification technologies. The core issue is simple: platforms cannot protect children if they cannot reliably identify them. Traditional age-gating methods—such as asking users to enter their date of birth—have proven ineffective. More advanced age verification technologies now use biometric estimation, identity verification tools, or secure third-party validation systems to improve accuracy. However, these tools often require temporary collection of personal data, which previously raised concerns about COPPA violations. The FTC’s updated enforcement approach attempts to resolve this contradiction.

Conditions Platforms Must Follow Under the FTC Policy

While the FTC is offering flexibility, the policy is far from a free pass. Platforms must comply with several strict conditions when using age verification technologies, including:

• Using collected data strictly for age verification purposes
• Deleting the information promptly after verification
• Implementing strong security safeguards
• Providing clear transparency to parents and children
• Sharing data only with trusted third-party providers capable of maintaining confidentiality
• Ensuring the verification method produces reasonably accurate results

Importantly, the FTC emphasized that operators must still comply with all other COPPA requirements when handling children’s data. This structured approach suggests the agency is trying to promote responsible innovation rather than loosen privacy protections.

A Practical but Transitional Regulatory Shift

The FTC also confirmed that it plans to review the COPPA Rule to formally address age verification technologies, indicating that this policy statement may be a transitional step toward broader regulatory updates. From an industry perspective, the decision removes a key barrier that has slowed adoption of modern child-safety controls. Many platforms have hesitated to deploy stronger verification tools due to fears of enforcement risk. At the same time, privacy advocates are likely to closely monitor how companies implement these technologies—particularly around biometric data and third-party verification vendors. Ultimately, the FTC’s message is clear: identifying children online is becoming a regulatory expectation, not just a technical option. As digital environments grow more difficult, age verification technologies are increasingly positioned as a foundational layer of online safety. The challenge ahead will be ensuring these tools protect children without creating new privacy risks, a balance regulators and technology providers will need to navigate carefully in the coming years.

The chairman of the Federal Trade Commission (FTC) last week sent a letter to Google’s CEO demanding to know why Gmail was blocking messages from Republican senders while allegedly failing to block similar missives supporting Democrats. The letter followed media reports accusing Gmail of disproportionately flagging messages from the GOP fundraising platform WinRed and sending them to the spam folder. But according to experts who track daily spam volumes worldwide, WinRed’s messages are getting blocked more because its methods of blasting email are increasingly way more spammy than that of ActBlue, the fundraising platform for Democrats.

On Aug. 13, The New York Post ran an “exclusive” story titled, “Google caught flagging GOP fundraiser emails as ‘suspicious’ — sending them directly to spam.” The story cited a memo from Targeted Victory – whose clients include the National Republican Senatorial Committee (NRSC), Rep. Steve Scalise and Sen. Marsha Blackburn – which said it observed that the “serious and troubling” trend was still going on as recently as June and July of this year.

“If Gmail is allowed to quietly suppress WinRed links while giving ActBlue a free pass, it will continue to tilt the playing field in ways that voters never see, but campaigns will feel every single day,” the memo reportedly said.

In an August 28 letter to Google CEO Sundar Pichai, FTC Chairman Andrew Ferguson cited the New York Post story and warned that Gmail’s parent Alphabet may be engaging in unfair or deceptive practices.

“Alphabet’s alleged partisan treatment of comparable messages or messengers in Gmail to achieve political objectives may violate both of these prohibitions under the FTC Act,” Ferguson wrote. “And the partisan treatment may cause harm to consumers.”

However, the situation looks very different when you ask spam experts what’s going on with WinRed’s recent messaging campaigns. Atro Tossavainen and Pekka Jalonen are co-founders at Koli-Lõks OÜ, an email intelligence company in Estonia. Koli-Lõks taps into real-time intelligence about daily spam volumes by monitoring large numbers of “spamtraps” — email addresses that are intentionally set up to catch unsolicited emails.

Spamtraps are generally not used for communication or account creation, but instead are created to identify senders exhibiting spammy behavior, such as scraping the Internet for email addresses or buying unmanaged distribution lists. As an email sender, blasting these spamtraps over and over with unsolicited email is the fastest way to ruin your domain’s reputation online. Such activity also virtually ensures that more of your messages are going to start getting listed on spam blocklists that are broadly shared within the global anti-abuse community.

Tossavainen told KrebsOnSecurity that WinRed’s emails hit its spamtraps in the .com, .net, and .org space far more frequently than do fundraising emails sent by ActBlue. Koli-Lõks published a graph of the stark disparity in spamtrap activity for WinRed versus ActBlue, showing a nearly fourfold increase in spamtrap hits from WinRed emails in the final week of July 2025.

“Many of our spamtraps are in repurposed legacy-TLD domains (.com, .org, .net) and therefore could be understood to have been involved with a U.S. entity in their pre-zombie life,” Tossavainen explained in the LinkedIn post.

Raymond Dijkxhoorn is the CEO and a founding member of SURBL, a widely-used blocklist that flags domains and IP addresses known to be used in unsolicited messages, phishing and malware distribution. Dijkxhoorn said their spamtrap data mirrors that of Koli-Lõks, and shows that WinRed has consistently been far more aggressive in sending email than ActBlue.

Dijkxhoorn said the fact that WinRed’s emails so often end up dinging the organization’s sender reputation is not a content issue but rather a technical one.

“On our end we don’t really care if the content is political or trying to sell viagra or penis enlargements,” Dijkxhoorn said. “It’s the mechanics, they should not end up in spamtraps. And that’s the reason the domain reputation is tempered. Not ‘because domain reputation firms have a political agenda.’ We really don’t care about the political situation anywhere. The same as we don’t mind people buying penis enlargements. But when either of those land in spamtraps it will impact sending experience.”

The FTC letter to Google’s CEO also referenced a debunked 2022 study (PDF) by political consultants who found Google caught more Republican emails in spam filters. Techdirt editor Mike Masnick notes that while the 2022 study also found that other email providers caught more Democratic emails as spam, “Republicans laser-focused on Gmail because it fit their victimization narrative better.”

Masnick said GOP lawmakers then filed both lawsuits and complaints with the Federal Election Commission (both of which failed easily), claiming this was somehow an “in-kind contribution” to Democrats.

“This is political posturing designed to keep the White House happy by appearing to ‘do something’ about conservative claims of ‘censorship,'” Masnick wrote of the FTC letter. “The FTC has never policed ‘political bias’ in private companies’ editorial decisions, and for good reason—the First Amendment prohibits exactly this kind of government interference.”

WinRed did not respond to a request for comment.

The WinRed website says it is an online fundraising platform supported by a united front of the Trump campaign, the Republican National Committee (RNC), the NRSC, and the National Republican Congressional Committee (NRCC).

WinRed has recently come under fire for aggressive fundraising via text message as well. In June, 404 Media reported on a lawsuit filed by a family in Utah against the RNC for allegedly bombarding their mobile phones with text messages seeking donations after they’d tried to unsubscribe from the missives dozens of times.

One of the family members said they received 27 such messages from 25 numbers, even after sending 20 stop requests. The plaintiffs in that case allege the texts from WinRed and the RNC “knowingly disregard stop requests and purposefully use different phone numbers to make it impossible to block new messages.”

Dijkxhoorn said WinRed did inquire recently about why some of its assets had been marked as a risk by SURBL, but he said they appeared to have zero interest in investigating the likely causes he offered in reply.

“They only replied with, ‘You are interfering with U.S. elections,'” Dijkxhoorn said, noting that many of SURBL’s spamtrap domains are only publicly listed in the registration records for random domain names.

“They’re at best harvested by themselves but more likely [they] just went and bought lists,” he said. “It’s not like ‘Oh Google is filtering this and not the other,’ the reason isn’t the provider. The reason is the fundraising spammers and the lists they send to.”