New OPC Guidance on Age Verification and Privacy

Published on May 28, 2026

The Office of the Privacy Commissioner of Canada (“OPC”) has released draft guidance (“Guidance”) on the use of “age assurance” technologies by websites and online platforms, reflecting growing regulatory focus on protecting children online while safeguarding privacy rights. These technologies would limit or prevent individuals under a given age from accessing some or all of a website or online service, with the goal of mitigating the potential harms to children.

The Guidance examines a range of age assurance methods, including age verification (such as government-issued identification), age estimation (including AI- or biometric-based assessments), and age declaration or self-attestation. The OPC emphasizes that age assurance should not be the default and that organizations should only implement age assurance measures (1) as part of multiple approaches to protect children, and (2) in proportion to the potential harm being addressed. Age assurance may be required when it is necessary to prevent access to a website or online service based on age due to legal restrictions or where the organization has determined that a potential harm is likely to occur to a non-trivial number of children.

The Guidance points out that age assurance practices may themselves be a cause of potential harm to children, for example by requiring the provision of more personal information than is necessary to address the identified risk, or through that personal information being breached or used to track online activities. Therefore, even where the use of age assurance is justified, organizations are expected to adopt the least privacy-intrusive approach available and to ensure that any collection, use, or disclosure of personal information for age assurance purposes is proportionate to the identified risk. Organizations should use an age assurance method that minimizes the additional collection of personal information about users, even if it might mean less certainty that children will not be exposed to potential harm.

Organizations should also consider whether there are other risk mitigation approaches that could address the potential harm instead of age assurance. Once age assurance is used, organizations should implement privacy-protective measures such as: not using the information collected for age assurance for other purposes; not using it to correlate or track visits by users; providing individuals with privacy-protective appeal mechanisms and with options regarding the type of personal information they would prefer to provide; and limiting the number of authentications as much as possible. Organizations should be accountable for ensuring that the age assurance they put in place is privacy-protective and should have the ability to audit third-party providers to ensure that the process being contracted meets these requirements.

Charities, not-for-profits, educational organizations and online service providers that engage with youth or operate digital platforms that might be accessed by children or youth should be aware of the increasing expectations around child safety, privacy-by-design, and responsible use of emerging technologies signaled by the Guidance, and be ready to implement age assurance processes if and when appropriate. The OPC is accepting public comments on the draft guidance until August 4, 2026, after which a finalized version is expected to inform future compliance and enforcement efforts.