Lets Talk
Search
Close this search box

Newport Thomson

  • Home
  • Bill 64
  • Age Verification Is the Real Privacy Story in Canada’s Under-16 Social Media Bill
June 15, 2026Privacy

Age Verification Is the Real Privacy Story in Canada’s Under-16 Social Media Bill

Date: June 15, 2026 Prepared for: Newport Thomson clients with Canadian customers, users, or members Status of the law discussed: Proposed (bill at first reading) – not in force

Bottom line first

Ottawa has tabled a bill to keep children under 16 off social media. It is a bill, not a law. Nothing here is in force yet, and the details can still change as it moves through Parliament.

But there is a catch worth your attention now. To enforce any age rule, a platform has to check people’s ages. Checking ages means collecting personal information, sometimes sensitive information like government ID or a face scan. That collection is itself a privacy risk. The safety fix can create a new harm.

The Privacy Commissioner of Canada has already seen this coming. In May 2026 the Office of the Privacy Commissioner (OPC) released draft guidance on how to check ages without trampling privacy. That guidance, not the bill, is the practical thing for most Canadian organizations to act on today, and the comment window on it closes August 4, 2026.

No good picking up speed if you’re on the wrong road. The temptation will be to bolt on the heaviest age check available and call it compliance. That is the wrong road, and the OPC has already said so.

1. What is actually on the table (and what is not)

On June 10, 2026, the federal government introduced Bill C-34, the Safe Social Media Act. It would create two new statutes: the Digital Safety Act and the Digital Safety Commission of Canada Act. Among its provisions is a rule preventing children under 16 from holding accounts on social media services, with a pathway for a platform to seek an exemption if it can show it has put strong enough safeguards in place.

A few things to keep straight:

  • It is not law. It sits at first reading. Officials have indicated it could take roughly 18 months to stand up the new regulator after the bill passes, so the timeline is long and uncertain.
  • The bill does not say how to verify age. That detail is pushed down into regulations and into negotiation with the platforms. So the bill creates the requirement to know who is under 16 without settling the method, which is exactly where the privacy risk lives.
  • Private messaging is carved out. The duties do not apply to private messaging features, which keeps tools like family texting outside the net.
  • Penalties are steep. Up to $10 million or three percent of global revenue, whichever is greater.

2. The privacy trap hiding inside “age verification”

“Age verification” is really one slice of a bigger umbrella the regulator calls age assurance. It comes in several forms, and they carry very different privacy weight:

  • Age verification: confirming a date of birth, often with government ID.
  • Age estimation: guessing an age range by analyzing a face scan or behaviour, frequently with AI.
  • Age declaration: the user simply states their age (self-attestation).
  • Age inference: deducing age from other verified information.

The trap is that the methods which feel most “certain”, such as ID uploads and face scans, are also the most invasive. They collect sensitive data, they create a high-value target for a breach, and they can be quietly repurposed to track people. The OPC names all three of these as the central risks.

3. What the OPC already expects (the part to act on now)

The OPC’s draft guidance (two documents: one for websites and online services, one for the developers who build age-checking systems) is the clearest signal of regulatory expectations Canada has produced on this. The headline points:

  • Age checking should not be the default. Use it only when it is proportionate to the actual harm being addressed, and as one layer among several, not the whole strategy.
  • Collect as little as possible. This is plain data-minimization: gather only what the age decision needs, keep it briefly, and protect it.
  • Trigger the check narrowly. Separate out age-restricted features or content so a user only faces a verification step when reaching for the restricted part, not on the way in the front door. Keep risky features off by default until age is confirmed.
  • Lighter methods are preferred where they work. The OPC leaves the door open to a digital-wallet or browser-signal model (closer to the EU approach), where a user proves “over/under 16” without handing the platform their actual ID.
  • A more formal code is coming. The OPC is preparing a code that builds on its consultation, so today’s draft guidance is a preview of firmer expectations, not the final word.

4. How this lands under PIPEDA and Quebec’s Law 25

This is where Newport Thomson clients should focus, because these obligations already apply regardless of whether C-34 ever passes.

  • PIPEDA. The age check is a collection of personal information, so the usual rules bite: collect only what is necessary, get meaningful consent, safeguard it, and do not keep it longer than needed. Government ID and biometric data sit at the sensitive end of the scale, which raises the bar on every one of those points.
  • Quebec’s Law 25. Quebec runs stricter. Privacy-by-default is the rule, a Privacy Impact Assessment is expected for technology projects that handle personal information, and biometric processing carries its own obligations, including notifying the Commission d’accès à l’information about a biometric database. An age-estimation tool that scans faces can pull a client straight into those biometric rules.
  • Strictest-standard logic. An organization operating across the country generally has to design to the toughest applicable standard, which in practice often means designing to Quebec.

5. What we are advising clients to do now

  1. Do not wait for Bill C-34. The live expectations are in the OPC’s draft guidance, and they apply far beyond social media, to any service that gates content by age.
  2. Inventory where you already check age. Most organizations gate something like alcohol, contests, adult content, loyalty programs. Start there.
  3. Choose the least-intrusive method that fits the risk. Prefer self-declaration or estimation-without-retention, or a wallet credential, over storing scans of driver’s licences.
  4. Minimize and set a short clock. Keep only the age decision, not the underlying documents, and do not repurpose age data for marketing or tracking.
  5. Run the Law 25 check if you touch Quebec. Test for PIA and biometric triggers before you deploy anything that scans faces.
  6. Use the August 4 comment window. The OPC is taking input on its draft guidance until then. This is a genuine chance for affected organizations to shape it.

A note on what is still unknown

The verification method is undecided. The exemption criteria for platforms will be set later by regulation. The bill itself may be amended or may not pass at all. Treat anything specific about how the under-16 rule will work as provisional. This briefing is information to support planning, not legal advice for a specific situation; high-stakes compliance calls should go through counsel.

Sources

  1. Bill C-34, Safe Social Media Act – First Reading text  / Tier 1: the primary law – https://www.parl.ca/DocumentViewer/en/45-1/bill/C-34/first-reading Why this source: The actual proposed statutory text, the authority for what the bill does and does not say.
  2. OPC – Age Assurance guidance hub and Policy Note / Tier 2: the regulator – https://www.priv.gc.ca/en/privacy-topics/age-assurance/ Why this source: The Privacy Commissioner’s own expectations on age checking and its privacy risks. The part clients can act on now.
  3. Government of Canada – Bill C-34 backgrounder (Dept. of Canadian Heritage) / Tier 1: government – https://www.canada.ca/en/canadian-heritage/news/2026/06/government-of-canada-introduces-legislation-to-combat-online-harms-particularly-those-impacting-children.html Why this source: The official summary of the under-16 rule, the exemption pathway, and the penalty amounts.
  4. OPC – News release launching the age assurance guidance / Tier 2: the regulator  – https://www.priv.gc.ca/en/opc-news/news-and-announcements/2026/nr-c_260504/ Why this source: Confirms the guidance, the August 4 comment deadline, and that a formal code is in progress.
  5. Osler  – “Bill C-34 at a glance: Canada’s new Digital Safety Act” / Tier 4: established law firm – https://www.osler.com/en/insights/updates/bill-c-34-at-a-glance-canadas-new-digital-safety-act/ Why this source: Careful breakdown of the “regulated services” definitions and the private-messaging carve-out, useful where the bare text is dense.

Newport Thomson – privacy compliance and ethical marketing. This briefing provides information, not legal advice.

Leave a Reply

Sign up to our newsletter!

Yes, please send me information on data, privacy and email compliance in Canada, Europe and the USA from Newport Thomson, 4800 Dundas St West Toronto ON, Canada M9A 1B1. I can reach your Chief Privacy Officer at info@newportthomson.com or 416 524 7844. I know I can unsubscribe at anytime.
go up

Company

Explore

A Global Privacy Agency Based in Canada

Helping marketers implement customer-first privacy programmes.

Location

Inquiry

© Newport Thomson - 2025. Develop by LACKEY Advertising