Age Verification Online: US Compliance Guide (COPPA, KOSA, State Laws)

Online age verification in the United States operates under a fragmented framework of federal statutes, state laws, and regulatory guidance — with no single federal law equivalent to the UK's Online Safety Act or France's loi SREN. The primary federal instruments are the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. § 6501 et seq.), enforced by the FTC, and the proposed Kids Online Safety Act (KOSA), which passed the Senate in July 2024 and remains under House consideration as of April 2026.

The FTC's 2024 amendments to the COPPA Rule, effective July 2024, tightened age verification requirements for operators collecting personal information from children under 13, and require parental consent before any targeted advertising to minors (FTC COPPA Rule 16 CFR Part 312).

Our platform processes over 180,000 documents per month across 32 jurisdictions. Integrating compliant age checks reduces identity verification processing time by 83% compared to manual review (CheckFile internal data, March 2026).

This article is for informational purposes only and does not constitute legal, financial, or regulatory advice.

---

What is the US legal framework for online age verification?

The United States has no single federal online age verification law. Instead, a patchwork of federal statutes and rapidly expanding state legislation governs different categories of age-restricted digital services.

COPPA (15 U.S.C. § 6501–6506) applies to operators of websites and online services directed to children under 13, or that have actual knowledge they are collecting personal information from users under 13. COPPA requires verifiable parental consent before data collection. Critically, COPPA defines age verification primarily as a gatekeeping mechanism for data collection, not content access.

KOSA (Kids Online Safety Act), if enacted, would impose a duty of care on social media platforms to prevent algorithmic harm to minors, require default privacy settings for under-17 users, and mandate parental supervision tools. As of April 2026, KOSA has not been enacted into law.

State-level laws are proliferating rapidly. As of April 2026, 19 states have enacted age verification laws for pornographic content, and 13 states have enacted social media age restriction laws for minors. Louisiana's Act 440 (2022) was the first state law requiring age verification for pornographic websites; it has been replicated with modifications across Texas (HB 1181), Virginia, Mississippi, and others.

---

How does online age verification work in the US?

The FTC evaluates age verification methods under COPPA based on their reliability in establishing that consent comes from a verifiable parent. State pornography laws typically require "commercially reasonable" age verification, with specific methods set out in state AG guidance.

Government ID / Database Matching

The user submits a Social Security Number (SSN) partial match, state-issued driver's license, or passport. The verification system cross-references this against government or commercial databases (such as credit bureau records via a Consumer Reporting Agency). This is the method most commonly prescribed by state AG guidance for pornographic content.

Database-based age verification using SSN partial matches or driver's license numbers is the most prevalent method under US state laws, but raises significant identity theft concerns — partial SSN exposure is a known attack vector for fraud. Our platform achieves 94.3% field extraction accuracy across US driver's licenses and passports, with 94.8% fraud detection recall (CheckFile internal data, 2026).

Facial Age Estimation

Biometric algorithms estimate age from a video selfie. No document is required. The method processes in 3-5 seconds and returns a binary pass/fail. Several state laws (including Virginia's) explicitly contemplate "age estimation technology" as an alternative to document submission.

Credit Card / Financial Verification

Some state laws accept credit card verification as evidence of majority, on the basis that cardholders must be 18 or older. However, the FTC and child safety advocates have repeatedly flagged that credit card possession does not reliably indicate the cardholder is the user.

Parental Consent Mechanisms (COPPA)

Under COPPA, verifiable parental consent methods approved by the FTC include: credit card charge, toll-free telephone call, video conference, government ID submission, digital certificate, and knowledge-based authentication. The FTC has stated that email plus a knowledge-based question is insufficient for most purposes.

---

What are the penalties for non-compliance in the US?

Non-compliance exposes operators to both federal FTC enforcement and state AG enforcement, with significant divergence in maximum penalties.

FTC civil penalties under COPPA: The FTC can seek civil penalties of up to $51,744 per violation per day (amount adjusted for inflation; current figure as of 2026). The FTC's 2023 action against Epic Games (Fortnite operator) resulted in a $520 million settlement — the largest COPPA penalty in FTC history — for collecting data from children under 13 without parental consent.

State AG enforcement: Louisiana, Texas, and Utah have brought enforcement actions against pornographic websites operating without age verification. Texas AG filed suit against Aylo (operator of Pornhub) in 2024, seeking injunctive relief and civil penalties.

FinCEN / BSA considerations: For financial services platforms subject to the Bank Secrecy Act (31 U.S.C. § 5311 et seq.), age verification is a component of Customer Due Diligence (CDD) requirements. FinCEN's CDD Rule (31 CFR § 1020.210) requires financial institutions to verify customer identity, including age, as part of their AML compliance programs.

Users on US compliance forums frequently ask: "Do we have to build separate age verification flows for each state?" The short answer is: practically yes, unless you implement the most restrictive state standard uniformly. Louisiana's standard (government ID verification) is currently more demanding than most other states' "commercially reasonable" standards.

---

What must US digital service providers implement?

The compliance pathway differs significantly depending on whether the service is subject to COPPA, state pornography laws, or both.

For COPPA-regulated services (children under 13):

1. Implement a neutral age screen at registration (no incentive to falsify age).
2. Where actual knowledge of under-13 users exists, obtain verifiable parental consent before data collection using an FTC-approved method.
3. Maintain records of parental consent for audit purposes.
4. Update your privacy policy with COPPA-required disclosures.

For state pornography age verification laws:

1. Identify which states' laws apply (Louisiana, Texas, Virginia, Mississippi, and 16+ others as of April 2026).
2. Implement government ID verification or an equivalent "commercially reasonable" method meeting the applicable state standard.
3. Do not retain documentary data beyond verification — most state laws explicitly prohibit retaining personal identifying information after the verification event.

Technical integration: The CheckFile document verification API supports US driver's licenses, passports, state IDs, and biometric age estimation, returning only a signed pass/fail token. The security architecture is designed to avoid retaining documentary data, addressing the retention prohibitions in state AV laws.

For related compliance guidance on KYC requirements and biometric verification methods, see our dedicated guides. Also see our complete guide to document verification.

---

Frequently Asked Questions

Does COPPA require age verification for all websites?

No. COPPA applies only to operators of websites or online services directed to children under 13, or with actual knowledge they are collecting personal information from users under 13. General-audience websites without features directed to children, and without actual knowledge of child users, are not subject to COPPA's parental consent requirements.

What is the difference between COPPA and state pornography age verification laws?

COPPA governs data collection from children under 13, regardless of content type. State pornography age verification laws govern access to sexually explicit content by anyone under 18, regardless of data collection. A pornographic website may be subject to both COPPA (if it collects data) and state AV laws (if it displays explicit content).

Do US age verification laws require government ID specifically?

Requirements vary by state. Louisiana and Texas require methods based on government-issued ID or equivalent official data. Other states require only "commercially reasonable" age verification, which courts and AGs have interpreted to include database checks and biometric methods. The FTC's COPPA guidance recognizes multiple methods for parental consent verification.

Can facial age estimation satisfy US state age verification requirements?

It depends on the state. Virginia's law explicitly recognizes "age estimation technology" as an acceptable method. Louisiana's law focuses on government ID. Texas courts have interpreted "commercially reasonable" to potentially include biometric methods. Companies should obtain state-specific legal advice before relying solely on facial estimation.

What are the data retention rules under US state age verification laws?

Most state AV laws explicitly prohibit operators from retaining "any identifying information" after the age verification event. Louisiana Act 440 states that operators "shall not retain any identifying information of the individual after access is granted." This prohibition is one of the key differentiators from European frameworks, which focus on minimization rather than absolute deletion.