Something that keeps me up at night is knowing my old MSN messenger email account, leafs6rock@hotmail.com, might be floating around on the internet somewhere. I would hope that Microsoft, one of the biggest tech companies in the world, would have a reasonable policy around deleting dormant accounts, but who knows these days? I made that email account when I was 9 years old, so I’d be interested in learning who’s still been trying to email or contact me on MSN messenger after 20+ years.
Retaining and deleting children’s personal information was one of the topics that was covered in the recent amendments to the Federal Trade Commission’s (“FTC”) Children’s Online Privacy Protection Rule (“COPPA”). This got me thinking, how does Canada approach this same issue? So, I looked at the COPPA amendments, the similarities between how the FTC and the Office of the Privacy Commissioner of Canada (“OPC”) approach children’s personal information, and what this means for operators that offer products or services intended for children under the age of 13.
COPPA Overview
COPPA 1 is a consumer protection statute enforced by the FTC which prohibits unfair or deceptive practices in connection with the collection, use, and/or disclosure of children’s personal information on the internet.2 COPPA applies to any commercial website or online service (“Operators”) that is (1) directed to children under the age of 13 (a “Child” or “Children”) and (2) collects, uses, and/or discloses personal information from Children.3 Under COPPA, Operators must:4
Provide notice on its website/service of what information it collects from children, how it uses such information, and its disclosure practices for such information;
Obtain verifiable parental consent prior to any collection, use, and/or disclosure of personal information from Children;
Provide a reasonable means for a parent to review the personal information collected from a Child and to refuse to permit its further use or maintenance;
Not condition a Child’s participation in a game, the offering of a prize, or another activity on the Child disclosing more personal information that is reasonably necessary to participate in such activity; and
Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from a Child.
Penalties for violating COPPA can carry fines of up to $51,744 per violation.5
COPPA Amendments
On January 16, 2025, the FTC announced that COPPA had been amended for the first time in 12 years.6 Some of the main changes to COPPA are:
Operators are now required to obtain separate, verifiable parental consent to disclose Children’s personal information to third-party companies related to targeted advertising;
Operators can no longer retain Children’s information indefinitely. Operators will need to maintain a written data retention policy that (1) details the specific business need for holding the Children’s data, and (2) lays out the timeline for deleting the data; and
Expanding the definition of personal information to include “biometric identifiers” in order to clarify that COPPA applies to Children’s biometric information.
In Canada
Canada does not have legislation that is specifically dedicated to Children’s privacy similar to COPPA.7 Rather, the Office of the Privacy Commissioner of Canada (the “OPC”) has used various guidance documents and online resources to outline their policies on children’s privacy.8 For example, the OPC has stated that:
For anyone under the age of 13 to provide their consent to the collection, use, and/or disclosure of their personal information, consent must be provided by their parents or guardians;9
Websites and apps aimed primarily at children should implement the most privacy protective settings by default and encourage children to talk to their parents/guardians to help them make privacy decisions; and
Parents/guardians should be able to easily make informed privacy decisions about their Children’s personal information on websites and apps.10
The lack of specific legislation has not prevented the OPC from ensuring that organizations that collect, use, and/or disclose Children’s personal information comply with Canadian privacy laws. For example, in 2012, the OPC initiated its first-ever investigation of a website that targeted Children, Webkinz.com (the “Website”).11 The Website is operated by the Ontario-based toy company, Ganz, and allows users to create virtual pets that they can take care of, play games with, complete tasks with, and earn virtual money for.
The OPC believed that Ganz’s privacy practices were not complying with PIPEDA.12 The OPC determined that the investigation was well-found, as the following privacy practices violated PIPEDA:
When users signed up for an account, there were instructions to read and accept the user agreement, privacy policy, and ad policy, but there was no instruction for the user to have a parent or guardian review the policies;
Many of the account usernames included children’s real names and information that could identify the users, and there was no parental oversight to approve the username;
Third-party advertisers were tracking and potentially profiling children who visited the Website;
A French version of the Website was available, however, there was no French privacy policy on the Website;
Inactive account information is kept indefinitely unless a user or their parent contacts Ganz to request reactivation of the account or its deletion.
The OPC made 11 recommendations for Ganz to comply with PIPEDA, including:13
Parents or guardians should be the ones to consent to the collection, use, and disclosure of their children’s personal information, as well as the Website’s policies;
The French User Agreement and Privacy Policy should be available for French users;
The Privacy Policy should more accurately reflect how the Website collects, uses, and discloses children’s personal information of children;
Appropriate due diligence procedures should be implemented to ensure that third-party advertising networks are not setting tracking cookies on users of the Website for the purposes of building profiles for advertising purposes, or otherwise conducting online behavioural advertising; and,
There should be a policy and procedures for the retention and destruction of inactive user account information.
My Thoughts
Even though there is no specific legislation addressing Children’s privacy in Canada like in the US, there are similarities between how Canadian and American privacy authorities approach Children’s personal information, particularly that (1) the parents should be the ones providing consent to the collection, use, or disclosure of the Children’s information, (2) the reasons for the collection, use, and disclosure should be fully transparent and easily understood prior to consenting, particularly when it relates to online behavioural advertising,14 and (3) operators should not be able to retain Children’s information indefinitely.
However, unlike the OPC,15 the FTC can issue fines for contraventions of COPPA. This has led to heavy fines and frequent lawsuits for operators in the US that violate COPPA.16 Conversely, the OPC has stated that if there is a suspected contravention and complaint, the OPC will initiate an investigation to prevent contraventions from recurring. The OPC takes a “cooperative and conciliatory approach to investigating complaints whenever possible and encourages resolution through mediation, negotiation and persuasion.”17
Even though laws haven’t been codified in Canada to protect Children’s information, the OPC has advocated for the creation of laws that recognize children’s privacy rights.18 Such laws would (i) compel organizations to integrate privacy protections into their products and services, (ii) explicitly recognize children’s data as sensitive, and (iii) implement age-appropriate tools and safeguards to prevent unauthorized access.19 Whether this type of legislation actually gets created remains to be seen, however as Ganz shows, organizations should still treat Children’s personal information as sensitive and should implement procedures to allow the Children’s parents to consent to the collection, use, and disclosure of their Child’s personal information.
If you have questions about your organization’s privacy practices, please don’t hesitate to reach out to GME Law.
1 Children’s Online Privacy Protection Rule, 16 C.F.R 312 (hereinafter “COPPA”).
2 Children’s Online Privacy Protection Rule (“COPPA”), 15 U.S.C. 6501-6508 at §312.1.
3 Complying with COPPA: Frequently Asked Questions, Federal Trade Commission, July 2020.
4 COPPA at §312.3.
5 COPPA ENFORCEMENT: What are the penalties for violating the Rule?, Complying with COPPA: Frequently Asked Questions, Federal Trade Commission, last updated January 2024.
6 Statement of Chair Lina M. Khan Regarding the Final Rule Amending the Children’s Online Privacy Protection Rule, Commission File No. O195404, Federal Trade Commission, January 16, 2025.
7 Act Respecting the Protection of Personal Information in the Private Sector, P-39.1, at Section 4.1 says that anyone under 14 must have their parent consent to the collection of their personal information.
8 See, for example, Collecting from kids? Ten tips for services aimed at children and youth, Office of Privacy Commissioner of Canada, last updated December 2015.
9 Guidelines for obtaining meaningful consent: consent and children, Office of the Privacy Commissioner of Canada, last updated August 13, 2021.
10 Sweep Report 2024: Deceptive Design Patterns, Office of the Privacy Commissioner of Canada, last updated July 9, 2024.
11 Investigation Into the Personal Information Handling Practices of Ganz Inc., Office of the Privacy Commissioner of Canada, PIPEDA Report of Findings #2014-011, October 7, 2014 (hereinafter “Ganz”).
12 Key Findings in Investigation of Popular Children’s Website, Office of Privacy Commissioner of Canada, March 25, 2015.
13 Supra note 13.
14 See for example, OPC’s guidelines on Privacy and Online Behavioral Advertising, which says that as a best practice, organizations should avoid tracking children and tracking on websites aimed at children, last updated August 13, 2021.
15 Organizations’ Guide to Complaint Investigations under the Personal Information Protection and Electronic Documents Act, Office of the Privacy Commission of Canada, last modified: June 10, 2008.
16 Kids’ Privacy, COPPA: What Parents Should Know, Cases, Federal Trade Commission.
17 Supra note 15.
18 Strategic Plan 2024-2027, Office of the Privacy Commissioner of Canada, January 22, 2024.
19 Ibid.
