Putting best interests of young people at the forefront of privacy and access to personal information

Resolution of the Federal, Provincial and Territorial Privacy Commissioners and Ombuds with Responsibility for Privacy Oversight

Québec, QC, October 4-5, 2023

Context

Canada ratified the United Nations Convention on the Rights of the Child (UNCRC) in 1991. The UNCRC affirms children’s rights, including the right to privacy, and introduces the concept of the best interests of the child.

This concept implies that young people's well-being and rights be primary considerations in decisions or actions concerning them directly or indirectly. As a guiding principle, this concept can be applied in a variety of contexts to help assess and balance the interests of young people against others.

In over 30 years, the UNCRC has had a tremendous influence on young people’s rights around the world, including privacy. Many jurisdictions have recognized that young people may be impacted by technologies differently than adults, be at greater risk of being affected by privacy-related issues, and therefore require special protections.

Some of the most authoritative and current policy and legal instruments that focus on or include provisions for young people’s right to privacy are:

The UN General comment No. 25 on children’s rights in the digital environment, which supplements the UNCRC;
The OECD Council Recommendation on Children in the Digital Environment;
The OECD Guidelines for Digital Service Providers;
The Age Appropriate Design Code, or Children’s Code, created by the U.K.’s Information Commissioner’s Office;
The resolution by data protection authorities from around the world on children’s digital rights;
France’s Commission nationale de l’informatique et des libertés’s recommendations to enhance the protection of children online;
Ireland’s Data Protection Commission’s Fundamentals for a Child-Oriented Approach to Data Processing;
The G20 Digital Ministers’ call for actors involved in the digital environment to uphold the child's best interests;
The California Age-Appropriate Design Code Act; and
The EU’s Digital Services Act.

These initiatives and many others recognize that the digital environment presents many opportunities for young people, but they are also a necessary response to the well-documented harms to young people, such as mental health related harms.

These initiatives are promising, but the signatories believe that there is still work to be done in Canada to ensure that young people are protected from these harms through legislative measures to make their best interests a primary consideration in the design of products and services that concern or impact them.

Therefore

Canada’s Privacy Commissioners and Ombuds with responsibility for privacy oversight call on their respective governments to put the best interests of young people first by taking immediate action as necessary to:

protect young people from commercial exploitation and the use of their personal information to negatively influence their behaviour or to cause them harm;
promote the privacy rights of young people;
review, amend or adopt relevant privacy legislation to be consistent with internationally recognized policy and legal instruments to ensure adequate protection of the privacy rights of young people; and
require private sector organizations that collect, use and disclose the personal information of young people to:
- implement strong safeguards;
- be transparent about these practices;
- enhance access to effective remedies for young people.

The signatories recognize that the privacy rights of a young person are their own rights. Any limitation to their exercise (e.g. vis-à-vis parents/guardians or public bodies) must start from that principle, be specific and limited to the particular circumstances, and be consistent with the best interests of the young person.

The signatories also recognize that privacy rights apply both within and outside of the digital environment. While this resolution mainly focuses on the digital environment, its principles should be applied broadly.

The signatories highlight that young people's personal information is particularly sensitive. Any collection, use or disclosure of such information must be done with this in mind.

The signatories recommend that public and private sector organizations (organizations) adopt the following practices, which also reflect principles that should guide legislative reforms:

1. Build in young people’s privacy and best interests by design

Digital privacy risks to young people should be identified and minimized as early as possible. Organizations should ensure that privacy and the best interests of young people are built into the product or service right from the design stage.

Organizations should:

conduct privacy impact assessments (PIAs) for projects involving the data of young people or to examine the specific potential impacts on them;
adapt their traditional PIA process to think specifically about the perspectives and experiences of young people (as individuals and as a group) before collecting, using or disclosing their information;
actively involve young people, their parents/guardians, teachers, or child advocates in this assessment process;
conduct an intersectional analysis to consider the specific privacy risks to vulnerable groups of young people (e.g. those with disabilities, First Nations, 2SLGBTQI+).

2. Be transparent

Transparency is necessary for informed decision-making and consent.

Organizations must:

provide privacy information to young people (and their parents/guardians as appropriate) in a concise, prominent and clear manner suited to the maturity of the young person;
inform young people of who to contact if they have questions about the information presented;
be transparent about the privacy risks associated with using their product or service. This could include information on their special efforts to protect young people from those risks, such as about content moderation or potential harms.

3. Set privacy protective settings by default, and turn off tracking and profiling

Young people should not bear the burden of making technology settings compatible with their fundamental right to privacy. They also have a right to not be tracked or profiled^{Footnote 1} without justification, knowledge or consent.

Organizations should:

limit the collection, use, disclosure and retention of young people’s personal information to that which is strictly necessary to use the product or service;
set privacy settings to the most privacy protective by default;
turn off tracking, including location tracking, of young people by default, except if it is demonstrably necessary for the product or service to function, limited to only when the product or service is actively being used, and the activity is in the best interests of young people;^{Footnote 2} ^{Footnote 3}
avoid tracking young people’s online behaviours and creating profiles for future uses;
make any monitoring or tracking obvious to the young person;
avoid any commercial advertising aimed at young people based on their personal information; such marketing can be exploitative as young people can have more difficulty in identifying advertising from other forms of content;
inform young people of any change to the settings and the potential impacts, even if the change originated from them;
provide privacy tools and consent mechanisms appropriate for young people and their maturity level (or usable by their parent/guardian, if appropriate).

4. Reject deceptive practices

Young people must not be influenced or coerced into making privacy-related decisions contrary to their interests.

Organizations must not:

incorporate into products and services manipulative or deceptive design or behavioral incentives that influence young people to make poor privacy decisions or to engage in harmful behaviours;^{Footnote 4}
encourage young people to provide more information than what is necessary to use the product or service or to turn off protective privacy settings.

Organizations should:

design products and services intended to empower young people to make informed, privacy protective choices and take assertive action to advance their privacy and transparency rights.

5. Limit the disclosure of personal information

Given the sensitivity of young people’s information, limit sharing and using it.

Organizations must:

avoid disclosing young people’s data to third parties unless they obtain valid, express consent, are legally authorized to do so for a valid reason that is in the best interests of the young person or are under a legal duty to disclose to third parties the personal information of a young person at risk of harm or in need of protection;
clearly explain disclosures of personal information to third parties, including the types of information being shared;^{Footnote 5}
take steps to limit uses of young people’s personal information by contracted third parties (such as partners, providers and agents) for purposes unrelated to the original collection (e.g. research, marketing, product development).

6. Allow for deletion or deindexing and limiting retention

Young people are less likely to understand how companies collect, use and disclose their personal information. They are also more likely to make decisions today that could impact them negatively in the future and for longer periods of time.

Organizations should, and in some cases, must:

give young people the means to correct mistakes made with their personal information or to withdraw personal information they once shared but later regret;
have a data retention policy that is in the best interest of the young person, and that requires retaining personal information for only as long as it is needed to provide a product or service, which reduces the chance of a breach and limits the possibility of reuse beyond its initial purpose.

7. Facilitate access to and correction of personal information

Young people have a right of access to their personal information. This right is fundamental to ensuring that the information held is accurate, up to date, and retained for appropriate purposes. The right of access also serves to hold organizations accountable.

All organizations have a general legal responsibility to provide timely and complete access to a young person’s personal information upon request from that person, and in most cases, upon request from their parent/guardian. It is recognized that a parent/guardian’s access to information may be limited by a young person’s privacy rights as is qualified by the individual’s best interests and dependent upon the particular facts of each case.

To give full effect to the right of access, organizations should:

adapt their practices and procedures to take into account the perspective and needs of young people;
ensure that all young people’s personal information is maintained in a systematic and accessible way for easier retrieval.

Organizations must:

confirm the identities of young people (and their parent/guardian, where appropriate) who seek to exercise their rights of access, correction and appeal;
ensure that the collection of personal information for this purpose is not excessive, and not retained or used for other purposes.

Footnotes

Footnote 1

“Profiling” refers to the use of personal data to automatically evaluate certain personal aspects relating to a person, for instance to analyse or predict their behaviour or to take decisions regarding it.

Return to footnote 1

Footnote 2

For example, it would not be considered to be in their best interests to use their personal information to make it possible to present them with harmful content (e.g. content on gambling or how to engage in self-harm).

Return to footnote 2

Footnote 3

In Quebec, the law provides that functions allowing the person concerned to be identified, located or profiled must be deactivated by default.

Return to footnote 3

Footnote 4

Examples of such design could include oversized opt-in buttons, addictive design such as incentives to lengthen use time (e.g. automatic video playback) or disincentives to exercise rights (e.g. information buried within a site or requiring a large number of steps). See 5Rights Foundation Disrupted Childhood 2023.

Return to footnote 4

Footnote 5

Young people expect that the personal information they provide to one organization will not be shared with another without their knowledge and consent. Research shows that they would like more information and more control over who their data is being shared with.

Return to footnote 5