Written By Ruth Promislow, Suzie Suliman and Emma Arnold-Fyfe

Regulatory scrutiny is increasing concerning information of minors. Canadian privacy commissioners have identified minor's rights as a clear priority, and US regulators are setting strict parameters around what organizations can do with this information. Recent activity in both jurisdictions provides a useful guide for those organizations that commercialize the information of minors.

Canada

In Canada, at the federal level, the Privacy Commissioner flagged concern over children's privacy rights early on in his appointment (in 2022). In a 2023 statement, the federal Privacy Commissioner stated “it is critical that government and organizations take action to ensure that young people can benefit from the technology and be active online without the risk of being targeted, manipulated or harmed as a result”.

While not expressly stated so in the current federal privacy legislation, information of minors has been treated as “sensitive” by the Office of the Privacy Commissioner (Canada).  The concept that information of minors is de facto sensitive was written into draft federal privacy legislation under Bill C-27, which Bill is now dead on the Order Paper as a result of Parliament being prorogued.

In February 2023, the Office of the Privacy Commissioner of Canada, along with the offices of the privacy commissioners in British Columbia, Alberta and Quebec, launched an investigation into TikTok. The investigation, which is ongoing, is examining the particulars of what may be required in order to obtain valid and meaningful consent for the collection, use, and disclosure of personal information belonging to minors. In February 2024, the federal Privacy Commissioner announced that his office was launching an investigation into the PowerSchool data breach involving a compromise to information of current and former students of at least 87 school boards across Canada. This investigation is further evidence that the privacy of minors continues to be a central priority for the federal Privacy Commissioner.

United States

Canadian commissioners have not provided more specific insight into what flows from the concept that information of minors is de facto sensitive or what is required in order to obtain valid consent from minors.  However, when we look to the US, we may see a better articulation of what this concept may imply for organizations that collect, use or disclose minor information in the course of their commercial activities.

On January 16, 2025, the Federal Trade Commission (the FTC) issued a press release detailing changes to the Children’s Online Privacy Protection Rule (the COPPA amendment), which set new requirements around the collection, use and disclosure of children’s personal information.  More specifically, the changes include parental opt-in consent for targeted marketing and disclosure to third parties, limits on data retention, and increased transparency and accountability.

1. Parental opt-in consent for targeted advertising and disclosure to third parties:  The COPPA amendment does not mandate what this parental consent would look like but the FTC has provided several examples of what may constitute acceptable methods (including requiring parent to indicate consent and then provide information to verify they are the parent such as providing government issued identification or answering knowledge-based questions);
2. Limits on data retention: The COPPA amendment includes an explicit statement that operators cannot retain collected information indefinitely. Operators are only permitted to retain information for the time that it would reasonably take to fulfill the specific purpose for which it was collected and not for any secondary purpose.
3. Increasing Safe Harbor programs’ transparency:  The Safe Harbor program is a framework established by the Children’s Online Privacy Protection Act that allows industry groups and organizations to create and enforce their own compliance programs for protecting children’s online privacy, provided they meet or exceed COPPA’s legal requirements. Approved Safe Harbor programs oversee companies that voluntarily join the program. The COPPA amendment will require all Safe Harbor program providers to disclose their membership lists and report additional information to the FTC, such as information regarding disciplinary actions and consumer complaints.

The COPPA amendment was released on the same day that the FTC issued a separate statement regarding its referral of a complaint against Snap Inc., the company that operates the popular application Snapchat, to the Department of Justice. In its statement, the FTC has alleged that Snap’s deployment of its MY-AI chatbot caused “risks and harms” to young users of the application.

Key Takeaways

Several questions arise involving the collection, use or disclosure of children's information including but not limited to the following:

• What limitations are there on how information can be used?
• What limitations are there on sharing the information with third parties?
• Can you create new categories of information derived from the collected information (such as presumed preferences or lifestyle) and what, if any, privacy rights attach to those new categories of information?
• To what extent can you use the information for targeted marketing?
• Are there special limitations on retention of this information given its deemed sensitivity and the fact that consent may have been provided by parents prior to the minor becoming an adult?
• Are there any special considerations surrounding the collection of cookie information for minors?
• What is required to obtain valid consent? In other words, how can you demonstrate that the data subject (who is a minor) has understood the key elements namely: what information is being collected, the purposes for that collection, how information will be used, with whom will information be shared and for what purpose, and for how long will information be retained?
• When is parental consent required and how can it be sufficiently demonstrated?

Issues involving the collection, use and disclosure of children's information are novel and complex.  These issues—for which there is no clear road-map—should be navigated carefully to avoid regulatory scrutiny and litigation exposure.  While there are many opportunities to derive value from children's information (particularly given their propensity for online activity beyond what may seem normal to an older generation), we predict that this area will be subject to increased regulatory scrutiny (involving penalties and orders).   

Bennett Jones is available to assist if you have any questions about privacy law in Canada.