Notes from the IAPP Canada: Regulators sharpen focus on children's privacy

Having attended and been on the planning committees for several privacy and tech conferences this year, I can confidently say 2026 has emerged as the year of artificial intelligence. 

Recent and upcoming conference agendas are just packed with AI content — and with good reason, of course. As AI touches more and more of what we do, we need to understand and plan for its challenges and opportunities. But as important as this topic is, it's imperative we don't let other emerging privacy challenges fall out of our sights. Exhibit A: children's privacy.  

It seems like it was just yesterday that children's privacy was sharing the limelight with AI as privacy's topic du jour, but lately AI-related headlines and talks seem to be hogging all the attention. As much as AI now dominates the conversation, though, we got a subtle reminder from the Office of the Privacy Commissioner of Canada that children's privacy is still on regulators' minds when they released their suite of guidance on age assurance earlier this month. 

Of course, part of the backdrop here is Bill S-209 — formerly Bill S-210 — which is slowly, but steadily, working its way through Parliament. The bill has completed its three readings in the Senate and a first reading in the House of Commons was completed 30 April. Laws like S-209 have the potential to create legal requirements, or at least very strong incentives, for organizations to use age assurance technologies.

S-209 does this by creating fines of up to CAD250,000, or CAD500,000 for a subsequent offense, for organizations that make internet explicit material available to persons under age 18. It also creates a defense for organizations that implement a "prescribed age-verification or age-estimation method."

So, as legally mandated age assurance marches closer to becoming a reality, practical guidance on how to build and implement it in a privacy preserving way is most welcome. Even outside the age assurance context, the guidance has useful tidbits for any organization handling sensitive personal information.  

The OPC deserves serious credit for its approach to developing this guidance. It was a multistep process with lots of consultation and I believe the end result reflects the OPC's efforts in this regard. The guidance is also notable for its targeted approach, providing specific guidelines for both providers of the technology and adopters — an approach we've also seen in the Information and Privacy Commissioner of Ontario's guidance on AI scribes. 

From my understanding, the OPC has taken a similar, consultative approach for its upcoming Children's Privacy Code. The recently released "What We Heard" report is available here. 

As both a privacy professional and father of a young child, I look forward to a world where children's privacy and protection from online harms is taken more seriously. The proliferation of online gambling ads during these National Hockey League playoffs have been a steady reminder of just one of the harms that could be mitigated with well-functioning and privacy-preserving age assurance. 

I think we can all agree that our children deserve to reach adulthood without gaining a nasty gambling habit along the way.