Children’s digital privacy is often discussed as a consumer issue – a matter of parental settings, better consent notices or cleaner app design. That framing is now too small.
In the era of artificial intelligence (AI), children’s privacy should be treated as critical public infrastructure. That may sound like a stretch, but it is not. Infrastructure is what societies rely on every day to make other essential systems work safely and fairly. We understand this instinctively for drinking water, school transportation and vaccination records. The same logic now applies to data about children.
AI systems increasingly shape what children see, how they learn, how they are classified, what risks they face online, and how public and private institutions interact with them. If those systems collect too much, infer too much, retain too much or expose children to harm, the damage is not limited to one bad app.
It weakens trust across education, public services and digital life more broadly. The OECD’s 2025 report How’s Life for Children in the Digital Age? makes it plain that digital services bring both opportunities and significant risks, while UNICEF’s 2025 guidance on AI and children argues that child-centred AI governance must include safety, transparency, fairness and the explicit protection of children’s data and privacy.
AI in the classroom is here. A policy patchwork is failing Canadian students
Public infrastructure is not only concrete and steel. It is also the set of invisible conditions that make safe participation in society possible.
The federal government should act in four key interconnected areas to achieve this by ensuring: any child-facing AI app undergoes a child-specific privacy-and-rights impact assessment before deployment; children’s data should be excluded by default for other uses; public-sector AI should require retention limits; and disclosure should be mandatory when youth-facing AI shapes an interaction or recommendation.
The problem is well-known
In its 2026-27 departmental plan, the Office of the Privacy Commissioner says it will continue to focus on the implications of technologies such as AI while championing children’s privacy. Its Privacy Awareness Week 2026 campaign is themed “Protecting your privacy in the age of artificial intelligence” and the commissioner has linked AI-driven deepfakes to harm affecting Canadians, including children.
Those are not routine communications choices. They reflect a regulator saying publicly that AI governance and children’s privacy now belong in the same policy frame.
In the 2026 Global Privacy Enforcement Network’s Sweep Report: Children’s Privacy, regulators examined how websites and apps used by children collect information, explain privacy practices and limit data collection.
It found that some services still required personal information such as names, email addresses, usernames and even photos or videos on a mandatory basis.
More strikingly, many services that claimed not to knowingly collect children’s data were still widely used by children. That is exactly what an infrastructure problem looks like: the system depends on child data moving through environments that are not actually designed around the child’s best interests.
Calling privacy “infrastructure” also changes what policymakers should do about public institutions. A school board, library, health service or youth-facing public platform should not treat privacy as a legal afterthought once an AI product has already been selected.
The federal government’s 2026 policy on privacy and security for AI help applications points in the right direction. It says privacy risks should be identified early; that only necessary personal information should be collected; that personal information in conversations should not be retained or used for secondary purposes; and that AI systems should be designed around redaction, deletion schedules, audit logs and monitoring.
More is needed
That is a useful baseline. But when the users are children, those practices should not be optional or aspirational. They should be procurement conditions.
The case becomes even stronger once synthetic harms are included. UNICEF’s 2026 report Artificial Intelligence and Child Sexual Abuse and Exploitation warns that AI-powered image- and video-generation tools are escalating risks to children by making abuse material easier to create and circulate.
In February, 61 privacy and data-protection authorities issued a joint statement on the privacy risks of AI-generated imagery, highlighting the harm to identifiable individuals, especially children.
This is why children’s privacy can no longer be reduced to data minimization alone. Privacy now sits alongside identity, dignity and protection from abuse. When an AI system can generate, infer or manipulate a child’s likeness, the boundary between privacy policy and child-safety policy starts to disappear.
None of this means policymakers should chase a single silver bullet such as age verification.
The OECD’s 2025 report on age assurance shows how fragmented the current landscape already is. Age limits vary across privacy, safety and commerce rules, and the requirements for respecting them are often vague. Age assurance may be part of the answer, but it is not the answer.
UNICEF’s child-centred AI guidance is more useful because it works from first principles: regulatory oversight, safety, privacy, fairness, accountability, child rights and children’s best interests. That is the right frame for a public infrastructure problem.
So, what should governments do?
First, any AI system bought or approved for child-facing public use should face a child-specific privacy-and-rights impact assessment before deployment.
Second, children’s data should be excluded by default from model training, secondary use and speculative analytics unless a strong public-interest case exists and clear safeguards are in place.
Third, contracts for public-sector AI should require retention limits, audit logs, plain-language notices for parents and young users, and a simple path for deletion or human review.
Fourth, education and youth-serving institutions should be required to disclose when AI shapes an interaction, recommendation, risk score or decision.
In addition, privacy, child-safety and education regulators should stop treating these as separate silos. The federal AI strategy for the public service already talks about responsible adoption. It should be read together with privacy enforcement, not apart from it.
The deeper point is simple. Public infrastructure is also the set of invisible conditions that make safe participation in society possible.
For children, privacy is now one of those conditions. When it is weak, the costs show up everywhere – in schooling, mental health, exploitation risk, trust and in the long memory of data systems that children never meaningfully chose.
Treating children’s privacy as critical public infrastructure would not solve every AI problem. But it would force policymakers to ask the right question first: Not whether a system is innovative, efficient or convenient, but whether it is safe enough around which to build childhood.
The views expressed are the author’s own and do not necessarily reflect those of his affiliated institutions.
