At the height of the pandemic last year, I wrote an article arguing that Canada’s federal privacy law needed to be strengthened for children, especially given their all-time highs in online activity and the increased digital tracking of kids.
At that time, the pending Bill C-11 did not directly address children’s privacy rights, representing a missed opportunity for lawmakers. Fast forward to today, the most recent attempt to modernize Canada’s privacy law, Bill C-27, contains child-focused provisions that are being called the bill’s “biggest legacy.” However, unless the bill is updated to strengthen these protections further, other action may be needed to best protect the privacy rights of children and to allow Canada to stay competitive among its global peers.
Bill C-27, currently being debated by the House at second reading (approval in principle), builds upon Canada’s current privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), as well as its predecessor Bill C-11, and for the first time directly addresses children. The most significant change is that the new bill specifically states that “information of minors is considered to be sensitive.” This means that businesses subject to the law will have to adhere to higher standards of protection for that information.
Further, Bill C-27 provides minors with a more direct route to delete their personal information – otherwise known as the “right to be forgotten.” As I previously argued, making mistakes is an important part of growing up. With this change, young people will now have a legislated way to protect themselves and manage their online reputation.
However, the law does not go far enough in protecting children’s privacy. While the information of minors is specifically called out, the law is silent on the definition of “sensitive” and “minor.” This means that businesses are left to decide what is sensitive and appropriate for minors. Further, businesses will have to navigate varying rules in each province, where different definitions of “minor” apply, depending on provincial law.
This approach to addressing the privacy of minors does not align with other leading jurisdictions. Leading privacy laws, including the California Consumer Privacy Act, the European Union’s General Data Protection Regulation and Quebec’s Bill 64, all establish a minimum age for consent ranging from 13 to 16. As well, the U.K.’s age-appropriate design code and the California Age Appropriate Design Code Act both demonstrate a more prescriptive approach to regulating the personal information of children and protecting them from potential harms in the online environment.
The California “Kids Code” requires businesses to prioritize the safety and privacy of children by default and in the design of their products. For example, default settings on apps and platforms for users under 18 must be set to the highest privacy level. Further, the code establishes a level of fiduciary care for platforms such that if a conflict of interest arises between what is best for the platform and what is best for a user under 18, the child’s best interest must come first.
If the language in Bill C-27 is not updated to define these terms before it passes into law, this omission represents another missed opportunity to set rules for age-appropriate consent for children. The law contains no direction for companies – including social media platforms such as TikTok and Instagram that are excessively used by minors – on how to handle the personal information of children any differently than they currently do. If this remains the case, there are approaches that can be taken by different stakeholders to advance children’s privacy in Canada.
First, lawmakers and policymakers from the federal, provincial and territorial levels should continue to consult with the public and one another on the protection of children’s privacy. The age-appropriate design work in the U.K. and California is a potential next step in solidifying children’s privacy protections. Ontario’s Information and Privacy Commission (IPC) has taken great strides in its commitment to prioritizing children and youth in a digital world in its current five-year strategic plan and recently announced it will be forming a new IPC youth advisory council.
Second, tech companies and platforms should monitor developments in global privacy laws, specifically in age-appropriate design in the U.K., California and likely more jurisdictions. These types of laws will likely open the door for bigger changes in rules and best practices surrounding children’s personal information and hopefully encourage businesses to meet the highest standard for protection. These laws will force applicable companies to stop collecting unnecessary information about kids, let kids know when they are being monitored and make it easy for kids to report privacy concerns.
Third, parents and caregivers need to play a role, not only in paying attention to what their kids do online, but also in being more careful about how they share information about their kids online. As Leah Plunkett, the Meyer Research Lecturer on Law at Harvard Law School, argues, “sharenting” can fundamentally transform childhood and adolescence from a space of play to a space of surveillance. This has far-reaching, sometimes life-altering implications.
Finally, teachers, schools and coaches are also responsible for teaching students about privacy ethics, as recently advocated by MediaSmarts, a non-profit group advising the government on digital literacy issues. This role of educators is especially important now that educational technology platforms are used in classrooms to provide learning. This puts further onus on schools to ensure that they choose platforms that meet the highest standards of protection with the interests of children in mind.
Not only do children deserve protection from social media, online surveillance and tracking, but they also deserve some mechanism to protect themselves in situations where they have no control over their personal information. If Bill C-27 does not end up providing that mechanism, it is up to policymakers, lawmakers, parents and educators to work together to ensure that children’s privacy rights are defined and protected as they continue to navigate the increased use of technology at school, at home and everywhere they go.