On May 4, 2026, the Office of the Privacy Commissioner of Canada (OPC) released two draft guidance documents on “age assurance,” aimed at supporting safer and more age-appropriate online experiences for children while mitigating potential adverse privacy impacts. The Commissioner had previously shared preliminary positions on age assurance technologies as part of an exploratory consultation, which has informed the new draft guidance documents.
The draft guidance is open for public comment until August 4, 2026. Comments may be sent by email to [email protected].
What Is “Age Assurance”?
The OPC describes age assurance as processes used to determine a user’s age or age range (including age verification, age estimation and age declaration), often to prevent harm to children or to meet legal requirements for age-restricted content and services.
The OPC’s Draft Guidance Documents
The OPC released two complementary guidance documents intended for age assurance tool developers as well as operators of websites and online services:
Key Themes Across the Guidance
Across both documents, the OPC emphasizes a risk-based and proportionate approach, coupled with privacy-by-design principles. In particular, the OPC encourages organizations to implement solutions that minimize the collection and retention of personal information and avoid unnecessary linkage of age assurance results to a user’s broader online activities.
Developer Guidance
- Minimize and delete data: Solutions should collect only the personal information necessary to generate the required age signal, and personal information used for age assurance should be deleted once the age signal is generated. Where feasible, consider privacy-enhancing approaches, such as on-device processing to reduce data sent to servers.
- Limit “age signals”: Developers should prefer solutions that provide only an age range or a binary “above a given age” signal. Any more granular output should be justified, and the collection of identifying characteristics (e.g., name or images used for estimation) should be avoided.
- Confine purposes and disclosures: Developers should not use personal information collected for age assurance for other purposes and must not disclose it except in limited circumstances (e.g., where legally required). This should be demonstrated in documentation.
- Avoid generating unnecessary personal information during processing: If the system generates personal information beyond the final age signal, systems should be redesigned or mechanisms should be in place to ensure that any interim data is protected during processing and deleted immediately afterward.
- Prevent tracking or profiling: Tools should not profile or retain information about an individual’s age-assured online activities. Systems should be designed so the age assurance provider does not learn what sites or content a user is accessing.
- Ensure fairness and effectiveness: Developers should proactively identify and address group-based accuracy limitations. Where limitations cannot be addressed, developers should disclose them to parties relying on age assurance tools and consider offering equally privacy-protective alternative methods for users who may face greater difficulty passing age checks.
Operator Guidance
The Operator Guidance frames age assurance as one tool among many and cautions that it should not become a default condition for accessing the internet. The OPC sets out a three-step approach:
- Step 1 – Identify whether there is a legitimate need to differentiate users by age to (a) prevent access (because of a legal requirement or child-specific harm), or (b) adjust the service and/or data practices to accommodate children where those practices pose potential harm and children are likely to access the service.
- Step 2 – Select the age assurance method based on proportionality. More (or more sensitive) personal information than necessary for the level of effectiveness warranted by the risk should not be collected. Higher assurance may be justified for legal restrictions or more significant harms.
- Step 3 – Implement age assurance in a privacy-protective way. Meet applicable legal obligations, select privacy-protective systems, offer options and appeals and limit repeat checks. Age assurance results must not be repurposed for other purposes and must not be used to connect visits by the same individual.
Key Takeaways for Canadian Businesses
- Developers and operators should review data flows to ensure age assurance inputs and interim outputs are minimized, secured and promptly deleted.
- Organizations considering age assurance should document the specific harm or legal requirement prompting age differentiation and be prepared to justify the proportionality of the chosen method.
- Operators should plan for user experience safeguards (e.g., alternatives and appeal processes) and ensure age assurance is not repurposed to facilitate tracking or profiling.
- Given the consultation period, stakeholders may wish to provide feedback to the OPC on feasibility, effectiveness and privacy-enhancing design choices in their sector.
For more information, please contact the authors or any other member of our Privacy & Data Protection group.
More insights
Blakes and Blakes Business Class communications are intended for informational purposes only and do not constitute legal advice or an opinion on any issue. We would be pleased to provide additional details or advice about specific situations if desired.
For permission to republish this content, please contact the Blakes Client Relations & Marketing Department at [email protected].
© 2026 Blake, Cassels & Graydon LLP
