Global Privacy Commissioners Find Children’s Apps are Collecting More Personal Info
Children’s privacy is drawing increased regulatory attention as more websites and apps collect personal information from young users. In a March 25, 2026 news release, the Office of the Privacy Commissioner of Canada (“OPC”) announced the results of a global privacy sweep of 876 websites and apps used by children, conducted with 26 privacy authorities in Canada and abroad. The sweep examined transparency, age-assurance mechanisms, protective controls, account deletion, inappropriate content, and high-risk data practices.
The OPC reported some improvement since a similar 2015 sweep, including greater use of age assurance and more accessible account deletion options. However, it also identified concerning trends. More services now require personal information to access full platform functionality, and more privacy policies indicate that personal information may be shared with third parties. Although 45 per cent of reviewed websites and apps used age assurance, privacy authorities found that nearly three-quarters of those measures could be circumvented. They were uncomfortable with children using 41 per cent of the reviewed services, citing concerns such as inappropriate content, geolocation, public-by-default settings, behavioural profiling, weak parental controls, and other high-risk design features.
For charities and not-for-profits offering youth programs, online portals, apps, or digital resources, the release reinforces the need for privacy-by-design, child-appropriate notices, limited data collection, parental controls where appropriate, and accessible account-deletion processes.
Federal Privacy Office Tells Loblaw to Prove Retained Customer Data is Anonymous or Delete It
Organizations that retain data after an account is closed must be able to show that the data cannot realistically be linked back to an individual. In its PIPEDA Findings #2026-001, titled “Investigation into the personal information retention practices of Loblaw for the PC Optimum Loyalty Program,” published March 5, 2026, the Office of the Privacy Commissioner of Canada (“OPC”) found that Loblaw Companies Ltd. and related entities operating the PC Optimum loyalty program (“Loblaw”) contravened the Personal Information Protection and Electronic Documents Act (“PIPEDA”) by failing to demonstrate that customer information retained after account deletion had been effectively anonymized. The finding is important for charities and not-for-profits because many organizations maintain donor, member, volunteer, client, and service-user databases, and may assume that removing obvious identifiers is enough to make retained records anonymous and therefore no longer subject to privacy-law requirements. Although PIPEDA may not apply to most charities and not-for-profits directly, it does apply to commercial activities that charities and not-for-profits may engage in, and PIPEDA’s Schedule 1 provides the Fair Information Principles that serve as a best-practice standard for privacy protection in Canada.
The investigation arose after the OPC received six complaints from individuals who alleged that they were unable to delete their PC Optimum accounts and associated purchase histories, and that Loblaw was unresponsive to their deletion-related inquiries. When an online account was closed, Loblaw deleted or replaced direct identifiers such as name, email address, phone number, and address, but retained historical transaction data, loyalty data, and usage data for analytics and program-related purposes.
The OPC considered whether Loblaw responded properly to privacy challenges about account deletion, and whether it retained personal information longer than necessary after members deleted their accounts. On the first issue, the OPC found that Loblaw failed to respond to all inquiries and took an unreasonable amount of time to address some requests during a period of high volume from May through July 2024. That contravened PIPEDA’s Schedule 1 principle 4.10, which requires organizations to have procedures to receive, investigate, and respond to privacy complaints or inquiries, although the OPC found the issue resolved after Loblaw enhanced its procedures, staff training, and communications with complainants.
Under PIPEDA’s principle 4.5.3, personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. On the issue of data retention and anonymization, the OPC accepted that an organization may choose anonymization instead of deletion, but emphasized that the organization bears the onus of showing that there is no serious possibility of re-identification, whether from the retained data alone or in combination with other available information.
The OPC found that Loblaw had not met that standard. The retained data included purchase details, transaction dates, store identifiers, loyalty information, login information, browsing behaviour, device information, and public IP address data. The OPC was concerned that transaction patterns could identify some individuals, particularly in smaller communities or where purchases were distinctive. Loblaw had not shown that identifiers were removed from backup systems. Loblaw did not “aggregate, scramble, or perturb” the retained data from closed accounts. The OPC also identified weaknesses in Loblaw’s anonymization process, including a manual processing error in which an employee inserted a complainant’s name into a dummy email address instead of a random string of characters.
As a result, the OPC found the data retention complaint was well-founded. It recommended that Loblaw either obtain an independent third-party assessment of its anonymization process and implement necessary risk-mitigation measures, or delete the information associated with closed PC Optimum accounts on or shortly after account closure. Loblaw disagreed with the finding but agreed to the third-party assessment. The OPC therefore found this aspect of the complaint conditionally resolved. For charities and not-for-profits, the lesson is broader than loyalty programs: if an organization keeps donor, member, volunteer, client, or program data after the original purpose has ended, it should have a Records Management Policy with clear retention schedules, timely deletion processes, and evidence that any anonymized data is not reasonably capable of being linked back to identifiable individuals.
