The global emphasis on protecting children's digital privacy is continuing to take on upmost urgency.
At the IAPP Canada Privacy Symposium 2024, policymakers and stakeholders exchanged ideas and best practices for navigating the complexities of children's personal data collection and the safeguards that must be applied to it. Those considerations must also be viewed in a way that meet the requirements of a variety of jurisdictional privacy laws across Canada.
Since his 2022 appointment, Privacy Commissioner of Canada Philippe Dufresne has prioritized improvements over children's online protections. In delivering his keynote address at CPS 24, Dufresne said his office is "championing children's privacy rights."
As examples of the OPC's work to protect children online, Dufresne touched on his agency’s investigation into TikTok and its data collection practices, which also entails inquiring if it obtained lawful consent from minors using the service. In addition, he cited the OPC's investigation into the parent company of a pornographic website operator to ensure nonconsensual images of individuals are not being circulated on its platforms, which he said would amount to a "serious privacy violation."
"While new environments on AI are necessary, our current privacy laws apply and we will enforce them," Dufresne said in his speech. "Consistent privacy laws apply to children."
On 10 June, the OPC released the preliminary findings of an exploratory consultation on age assurance technology and the privacy implications it creates. The OPC's initial positions lay out how age assurance technology can be designed in a "privacy-protective manner," such as restricting its use to high-risk situations for children and teens and deployers considering the impacts on privacy rights for users of the given online service.
Speaking in a breakout session focusing on emerging trends in children's online privacy regulation, Gowling WLG Cyber Security and Data Protection Group co-Leader Wendy Wagner, CIPP/C, said one complicating matter for children's privacy compliance in Canada is the differing ages in which companies need to obtain valid consent from minors between the federal level and the province of Quebec. She cited the requirements of Quebec's Law 25, which requires companies collecting minors' data to obtain valid consent for children age 14 and under, however, on the federal level, the Canadian government requires companies to obtain valid consent from children 13 and under.
Wagner said while the underlying principles in Canadian law establishing the definitions of a child versus a teenager are aligned, the exact wording of federal law compared to provincial laws leaves regulatory gaps in the nation's children's online privacy regime.
"Traditionally we've had a guideline-based approach at least federally with respect to children and children's information has been deemed sensitive, which leads to certain considerations regarding consent, and the need for explicit consent," Wagner said. "There (are) some really significant differences about how you actually treat children's information versus teens’ information. So those differences and how that's defined is not inconsequential."
Speaking in the same session, Office of the Information and Privacy Commissioner of British Columbia Deputy Commissioner Jeannette Van Den Bulk said provincial data protection authorities, in coordination with the OPC, signed onto a joint resolution in October 2023 that applies the 1991 United Nations Convention on the Rights of the Child to their online privacy. She indicated the resolution outlines seven principles for public bodies to guide legislative reform and better synchronize their children's privacy laws.
"Guidance alone doesn't move tech, we need a legally enforceable provisions; we have a carrot, but what is the stick?" Van Den Bulk said. "We need companies and developers to see the selling point for their businesses is how they protect children."
The existing issues in Canada’s children's privacy regime will likely only become more pronounced as artificial intelligence technologies are adopted by more and more organizations throughout the country.
MediaSmarts Director of Education Matthew Johnson shared survey data from a poll his organization conducted about how young people are educating themselves about AI. He said, by and large, children and teens have yet to embrace AI in any significant manner, whereas in prior years in the digital age, young people were early adopters of new digital technologies and often educated their parents on how to use them.
"Kids are not learning about AI, except in a very small number of cases, (such as) those that attend some kind of coding, or other technology-related after school activity," Johnson said. "They don't understand how AI works, and in particular, they don't understand any of the implications of using it."
GEM Privacy Consultant founder Michelle Gordon has witnessed AI technologies being used to streamline "routine assessments" for educators to test students and then use that data to help their schools improve their curricula. Her experience differed slightly from Johnson's observations in terms of young people's wariness of the potential risks AI can pose.
Gordon recommended schools and other organizations working with children looking to integrate AI technologies into their work to start by reading the product’s notice and follow all of the requirements for obtaining valid consent, especially for children under 14 in Canada. She also recommended encouraging parents to seek out AI and privacy literacy, such as the Digital Literacy Curriculum developed by Cyber Civics, so they can understand the impacts of their child's use of AI.
"Make sure you understand who you need consent from and what the parameters are actually contained in the tool," Gordon said. "Children are embracing AI just like any other technology, but they seem to have this inherent knowledge that they need to be taught how to use it with a critical lens."
Alex LaCasse is a staff writer for the IAPP.