Canada regulator backs privacy-preserving age assurance

The Office of the Privacy Commissioner of Canada (OPC) has published a policy note and guidance documents pertaining to age assurance, as the country moves toward legislating age checks for adult content, social media sites and (possibly) AI chatbots.

Per the notice, the OPC’s guidance documents on age assurance “set out the ways in which the goal of creating a safer and more appropriate online experience for children can be advanced while mitigating potential adverse impacts on privacy.” They include documents to help organizations assess whether and how to use age assurance, design guidelines for “privacy protective” age assurance, a joint statement on a common international approach to age assurance, and details of an exploratory consultation conducted in 2024.

The OPC is accepting comments on the first two documents until August 4, 2026.

Privacy and safety first

The policy note summarizes concern about potential impacts, and suggests that “innovation in the space of online child protection – including the adoption or mandating of age assurance systems – must prioritize privacy to ensure that any benefits are not offset by disproportionate harms.” These include data breaches, tracking or profiling of an individual’s online activities, disproportionate collection and retention of personal information, and bias leading to access restrictions.

The guidelines for privacy preserving design include strict and explicit recommendations. Providers must collect minimal necessary data and delete it once an age signal is generated. They must include no more information than is necessary in an age check result, and their tech must not disadvantage any group. They must not use personal information collected for age assurance for any other purpose. And they must not retain any information about an individual’s age-assured online activities.

Softer recommendations (“shoulds”) include pursuing independent audits or conformity assessments, and designing systems that do not learn any information about an individual’s online activities. Providers should “consider technological approaches, such as on-device processing, which limit the amount of information sent to a server.”

To that end, the policy statement counts as an endorsement of privacy preserving biometric age assurance and related privacy preserving age check technologies. While the OPC notes that “age assurance is one tool among many, which should be complemented with other measures such as education and privacy-by-design,” it is explicit in its position.

“Based on the work of groups such as the UK’s communications regulator Ofcom and the Australian Age Assurance Tech Trial, we accept that it is possible for age verification, age estimation, or age inference to be implemented in a way that is highly effective (a key consideration with respect to the appropriateness and proportionality of any collection of personal information).”

Trust, context matter in age assurance deployments

The OPC expresses neutrality in terms of which method to use, saying such decisions are contextual: “the privacy impacts of an age assurance system will depend on its design and use. For example, the nature and extent of information collected during an age verification process could pose greater privacy risks than that collected during an age estimation process, or vice versa.”

However, in its document on assessing whether or how to use age verification tools and other age checks, it says “age assurance must always be implemented in a risk-based and proportionate way to reduce the potential harm to users, and particularly children.”

Part of what makes up the relevant context is the level of stable trust with the public. The OPC says that, in its most recent polling, “71 percent of Canadians stated that they had ‘not much’ or ‘no’ trust that ‘Big Tech’ companies would protect the personal information shared with them, while 86 percent said the same of social media companies.”

“This suggests that without a way to establish the trustworthiness of age assurance systems, many Canadians will likely be uncomfortable providing their personal information for such a process and may opt to instead forego accessing content or online services.”

The statement underlines how it is important for age assurance providers to differentiate themselves from the companies that hire them. Part of the trust gap comes from the idea that “no one wants to give their ID to a porn site.” There is value in establishing an age assurance brand that can stand alone as a trusted entity, rather than being equated with porn providers and Silicon Valley techlords.

Canada to take cautious, adaptable approach

Currently, says the OPC, “there is no means of proving one’s age online that has been broadly adopted in Canada.” It notes “voluntary, limited-scope provincial digital wallet initiatives,” but says that, since Canada does not have digital ID, “there are no government-issued digital credentials in wide use that could be used for age assurance.”

“Similarly, we are not aware of any age assurance mechanisms (beyond basic ‘I am over 18’ self-declarations) that Canadians would regularly encounter.”

Changes are coming, on both the policy and standards levels; the OPC notes, in addition to ISO/IEC 27566-1, a new publication from Canada’s Digital Governance Standards Institute (DGSI) addressing age assurance technologies.

And, “if a trusted digital credential becomes widely adopted in Canada, it may be inappropriate for an organization to refuse to accept it and require individuals to undergo a different form of age assurance.”

“Similarly, if industry standard practices for privacy-protective age assurance emerge beyond those described in our guidance, the OPC would assess and update our guidance as needed.”

Overall, the OPC’s position is in keeping with the temperate, measured character of much Canadian policy, concluding that age assurance can be a privacy-protective mechanism for protecting kids online, but that “it should be deployed – or mandated – with caution, acknowledging that the potential privacy risks associated with its use be addressed and mitigated.”

Carry on – but take care.

The same spirit is evident in the joint statement, which aligns with the International Age Assurance Working Group and is endorsed by the UK Information Commissioner’s Office, the Gibraltar Regulatory Authority, the National Privacy Commission of the Philippines, Agencia de Acceso a la Información Pública in Argentina, and Mexico’s Transparency, Public Information Access and Mexico’s Personal Data Protection Institute of State of Mexico and municipalities (INFOEM).

“By publishing this joint statement we aim to set out some key shared principles across industry on age assurance practices as they relate to data protection and privacy, and we therefore urge providers and the suppliers of age assurance services, to take account of these principles in their approach to age assurance,” says the statement. “We hope these principles will act as a useful starting point for continued conversations around how international consistency and coordination in this area can grow – supporting age assurance that is accurate and effective, while still ensuring a high level of user privacy.”

The 11 core principles prioritize compliance with data protection requirements, lawful use of any personal information one collects, and children’s best interests. Six are addressed to specifically age assurance providers.

Six core principles for age assurance providers to follow

Providers, says the group, should “be accountable for their approach to age assurance and for demonstrating that it is privacy preserving, effective, and proportionate.” They should “establish with reasonable certainty whether children are likely to access their platform or website,” and use “an effective means of age assurance” if the answer is yes.

Providers should “assess and document the severity of the potential data protection risks to users, and particularly children, from the age assurance method(s) implemented.” They should “balance the data protection risks posed by the age assurance method(s) implemented against the best interests of the child, including their rights to safely access diverse information online while being protected from harmful material.”

They should “be aware of the state of the art in age assurance technology in order to ensure they implement methods that are effective, while also protecting users’ rights and freedoms, and to keep these methods under review.” And, finally, “providers should be aware that where there is a high data protection risk to users, then relying upon self-declaration alone as a method of age assurance is unlikely to be appropriate as the method can be too easily circumvented.”

Article Topics

age inference  |  age verification  |  biometric age estimation  |  Canada  |  data privacy  |  digital identity  |  regulation