Children’s privacy code – Exploratory consultation

Notice

The call for comments on the exploratory consultation on the development of a children’s privacy code is now closed. Thank you to all participants.

The digital environment can present young people with opportunities for growth and self-expression, but also expose them to increased risks to their privacy. Indeed, children,[Footnote 1] who may not grasp the consequences of agreeing to the collection, use or disclosure of their personal information, are particularly vulnerable to those risks. It is imperative that children are able to easily make informed decisions about practices related to their personal information online, to mitigate those risks.

Background and context

International developments

Many jurisdictions around the world have benefited from privacy regulators releasing guidance and/or governments adopting legislation that requires organizations to adapt their data practices, including design of products and services, to address the unique needs and best interests of children. Established codes of practice and special protections contained in privacy legislation can empower children to exercise their privacy rights and protect against potential harms experienced by children as they navigate online spaces.

For instance, in the United Kingdom, the Information Commissioner’s Office (UK ICO) has found that their Age-Appropriate Design Code, which came into force in 2021, has resulted in children being better protected online, citing changes in the practices of large online platforms.[Footnote 2]

Other jurisdictions have also further defined and clarified expected practices to protect children’s privacy rights in the digital realm. For instance, the Irish Data Protection Commission has released guidance that incorporates a child-oriented approach to data processing. Additionally, many states in the U.S. and other jurisdictions around the world have introduced their own children’s privacy codes.[Footnote 3]

The Office of the Privacy Commissioner of Canada’s commitment to children’s privacy

Over the years, the Office of the Privacy Commissioner of Canada (OPC) has remained diligent in examining privacy issues while giving special consideration to the impacts that may be experienced by children and has encouraged practices that protect and empower children as they engage with products and services online. For example, the Office of the Privacy Commissioner of Canada Sweep Report 2024: Deceptive Design Patterns found that specific deceptive design patterns occurred significantly more often on children’s websites and apps than on those that appeared to be aimed at the general population, and affirmed the OPC’s expectations that websites and apps aimed primarily at children should implement the most privacy-protective settings by default and encourage children to talk to their parents/guardians to help them make privacy decisions.

In 2023, the OPC, with provincial and territorial counterparts, released a joint resolution and companion document on Putting best interests of young people at the forefront of privacy and access to personal information (resolution on the best interests of the child). The content of the resolution was informed by roundtables that were hosted by the OPC with stakeholders on the best interests of the child.

The resolution sets out recommended practices for public and private sector organizations to adopt to prioritize the best interests of young people and protect their privacy. The resolution highlights the particularly sensitive nature of young people’s personal information and recognizes that the privacy rights of young people are their own rights, and that the exercise of their rights must only be limited in particular circumstances that are consistent with their best interests. The principles contained in the resolution and positions that the OPC has taken on children over the years form the basis for both this consultation and future work by the OPC on a children’s privacy code.

The OPC’s Strategic Plan 2024-27 affirms a commitment to champion children’s privacy rights as a key strategic priority area. Through this commitment, the OPC intends to deepen its understanding and appreciation of privacy risks and issues that young people face, and effect positive changes among organizations, parents/guardians, and youth to uphold children’s privacy rights.

Why a code?

The Personal Information Protection and Electronic Documents Act (PIPEDA) imposes a duty on the Commissioner to promote the purposes of the Act by any means that the Commissioner considers appropriate, and recognizes that one mechanism to promote the purposes and compliance with Division 1 and 1.1 is through codes of practice.[Footnote 4] As such, the OPC believes that a children’s privacy code would be an appropriate tool to promote compliance with privacy obligations under the Act and to encourage best practices in this area.

A Canadian code that addresses the handling of children’s personal information is critical to ensuring that their personal information is properly protected and that they are able to effectively exercise their privacy rights. Given the increased risks to children and developments that have occurred internationally, the OPC believes that it is the right moment for Canadians and Canadian businesses to be able to benefit from a children’s privacy code that would expand on the OPC’s positions in this area and encourage alignment with other jurisdictions.

Goals of the consultation

The aim of this consultation is to inform the development of a Canadian children’s privacy code that will clarify obligations under PIPEDA and set out the OPC’s expectations regarding organizations’ handling of children’s personal information.

While not the focus of the consultation, it should be noted that children could benefit greatly from legislative amendments that provide them with special protections under Canada’s private-sector privacy law and that explicitly recognize the best interests of the child.[Footnote 5]

Why an exploratory consultation?

The OPC is undertaking this exploratory consultation to provide parties with an opportunity to help it better understand the challenges associated with children’s privacy and to explore potential solutions to assist in the development of a children’s privacy code. Recognizing that a children’s privacy code would impact children, parents/guardians, educators, and private sector organizations, among others, the OPC would like to hear the views of a wide range of stakeholders.

The consultation poses questions about how the OPC’s current positions could be operationalized to ensure that private sector organizations are implementing strong safeguards and transparent practices, as well as providing effective tools for children to meaningfully exercise their privacy rights.

Through these questions, the OPC seeks information that:

  • builds upon its established principles and positions and their applicability;
  • identifies potential issues that the OPC should address in a potential children’s privacy code; and
  • informs the OPC of real “on-the-ground” challenges and/or potential solutions in protecting children’s privacy.

This information will be used to inform the development of a children’s privacy code, as well as other future work undertaken by the OPC in the area of children’s privacy.

The questions contained in the consultation are indicative of the OPC’s areas of interest for a future children’s privacy code, but stakeholders are not expected to respond to all questions.

Exploratory issues and areas of interest

Application of a children’s privacy code

The terms “child” and “young person” have been used in legislation and policy with differing age ranges globally and domestically. For purposes of this consultation, “children” are those individuals under the age of 18. However, it should be noted that the OPC intends to consult with young people directly on their preferred terminology.

Other jurisdictions, such as the UK, California and Ireland, have children’s privacy codes or guidance that apply to organizations that provide a service or product that is directed at, intended for, or likely to be accessed by children.[Footnote 6]

In the OPC’s view, organizations that provide products or services that are directed at children in the course of their commercial activities would fall squarely in the scope of a children’s privacy code. However, the applicability of a children’s privacy code to organizations whose services are targeted at a broad audience, or may incidentally handle children’s information, requires further consideration and clarification. The OPC is of the view that organizations should take reasonable measures to be aware of the audience they are reaching and adapt their data practices accordingly when that audience is children. Where the intended audience for a product or service is not exclusively children, organizations should assess the likelihood that children are accessing their products or services and, if a significant number of users are children, adapt their data practices accordingly.

There may be different ways to accomplish this assessment and to adapt data practices, and the OPC welcomes views on how this can be done in a privacy-protective manner. The OPC’s exploratory consultation on age assurance outlined how age assurance can be one effective technique to promote online safety for children by directing them to a version of a service that uses data practices tailored to their age range.

Areas of interest – Application of a children’s privacy code

  1. Should a children’s privacy code apply differently to sites exclusively directed at children and those directed at a broad audience that includes children? Which factors should be considered when determining the likelihood of children accessing a service? How can this assessment be done in a privacy-protective manner?
  2. Should a children’s privacy code only apply when certain risks or harms are possible due to access to or use of the site – and if so, which ones?
  3. How should a “significant number of children” be defined? Should this threshold be adjusted or removed?

Enabling the exercise of children’s privacy rights

The United Nations Convention on the Rights of the Child (UNCRC), which Canada has ratified, is an international human rights treaty that defines children as individuals under the age of 18, and explains their specific rights as well as the responsibilities of governments. The United Nations’ General Comment No. 25 (2021) on children’s rights in relation to the digital environment provides guidance on measures to ensure compliance with the UNCRC, including that countries that ratified the convention should ensure that digital service providers offer services that are appropriate for children’s evolving capacities.

The OPC is of the view that a children’s privacy code should apply to the handling of the personal information of those under the age of 18. However, a code could detail how organizations should tailor their practices to account for the evolving capacity of the child, in order to ensure that their privacy obligations are met.

Under PIPEDA, for consent to be meaningful, purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed (Clause 4.3.2 of Schedule 1 of PIPEDA). As such, consent from minors can only be considered meaningful if organizations have reasonably taken into account their level of maturity in developing their consent processes and adapted them accordingly.

The OPC, in its Guidelines for obtaining meaningful consent, expressed the view that while a child’s capacity to consent can vary from individual to individual, there is nonetheless a threshold age below which young children are not likely to fully understand the consequences of their privacy choices. The OPC took the position that, in all but exceptional circumstances, for anyone under the age of 13, consent must instead be obtained from their parents or guardians.

Under Principle 9 of Schedule 1 of PIPEDA, individuals can request access to their personal information and request the correction of errors. The resolution on the best interests of the child and companion document recognize that, in a manner consistent with the child’s best interests and their privacy rights, a parent/guardian’s access to their child’s information may be limited, depending on the particular facts of each case.

The resolution recommends that organizations offer simple means so children, where appropriate, can correct their personal information. This includes providing clear and conspicuous notices to children advising them of their rights of access, correction and appeals; and providing requested information in a form that is readily understandable by the child. The resolution also recommends that organizations allow for deletion or deindexing as a means to allow young people to correct mistakes made with their personal information or to remove personal information they once shared but later change their minds about doing so.

The resolution also highlights that organizations must confirm the identities of children (and their parent/guardian, where appropriate) who seek to exercise these rights. If the requester is a parent or guardian, organizations should take steps to confirm the relationship to the child in question.

Areas of interest – Enabling children’s privacy rights

  1. What measures should be put in place to ensure that a child has the capacity to provide consent? When should consent be sought from parents/guardians instead of a child? How can organizations confirm the relationship of the parent/guardian to a child?
  2. How should an organization present information to children of different developmental age ranges to ensure that they reasonably understand how their information is being collected, used or disclosed and can meaningfully consent to practices?
  3. What are examples of “simple” means by which organizations could allow children and/or parents/guardians to easily access, correct, or withdraw consent for the use of the child’s personal information? How might organizations address withdrawing consent which they, or their parents/guardians, have previously provided?

Designing to address privacy impacts and the best interests of the child

Because of the particular vulnerability of children in the digital realm, risks of harm to children should be identified and minimized as early as possible to ensure that privacy and the best interests of children are built into a product or service’s design. Experts have noted that common risks related to privacy for young people can include: (1) content risks, where the child engages with or is exposed to potentially harmful content, such as content that is violent, gory, hateful or extremist; (2) contact risks, where the child experiences or is targeted by contact in a potentially harmful adult-initiated interaction; (3) conduct risks, where the child witnesses, participates in or is a victim of potentially harmful conduct such as bullying, hateful peer activity, trolling, sexual messages, pressures or harassment; (4) contracts risks, where the child is party to and/or exploited by potentially harmful contract or commercial interests (e.g., gambling, exploitative or age-inappropriate marketing, etc.).[Footnote 7]

Children’s privacy codes and guidance from other jurisdictions, like the UK, California and Ireland, require organizations to assess impact, including risks of harm, in data protection impact assessments.[Footnote 8]

The OPC believes that conducting risk assessments is an important part of any privacy management program and that organizations should develop procedures for conducting privacy impact assessments (PIAs). The resolution on the best interests of the child puts forward a number of recommendations that can be incorporated into PIAs and design processes for projects involving children’s personal information, or to examine potential impacts on children, before handling their personal information. The resolution recommends that traditional PIA processes be adapted to consider the perspectives and experiences of children as individuals, and as a group, through an intersectional lens.[Footnote 9] This can be accomplished through direct consultation with children, and should involve them, their parents/guardians, teachers, or child advocates in the assessment process.

Areas of interest – Designing to address privacy impacts and the best interests of the child

  1. How can consideration for the best interests of the child be integrated into the design and PIA processes? How can the best interests of the child be best assessed?
  2. What potential impacts, including harms specific to children, should be considered in a PIA?
  3. How should organizations actively involve children, their parents/guardians, teachers or child advocates in the PIA process?

Ensuring child-appropriate transparency practices

Transparency is key to ensuring that individuals can make informed decisions on the collection, use and disclosure of their personal information, and is all the more critical in the context of engaging with children who might not fully appreciate the consequences of their decisions.

In the Office of the Privacy Commissioner of Canada Sweep Report 2024: Deceptive Design Patterns, the OPC found that the most common type of deceptive design pattern was complex and confusing language in privacy policies. In 96% of the cases (89% globally), the privacy policies on websites and apps were either excessive in length (over 3,000 words) or used technical and confusing language, making them difficult to read and understand.

Children’s privacy codes and guidance in other jurisdictions contain transparency requirements to ensure that organizations provide users with terms, policies and community standards in a way that is concise, prominent and uses clear language suited to the age of the child.[Footnote 10]

Under Principle 8 of Schedule 1 of PIPEDA, organizations are required to make information on their policies and practices available in a variety of ways. This could include interactive and dynamic methods to present the information in a child-friendly way.

The resolution on the best interests of the child and companion document put forward a number of recommendations to ensure the transparent handling of children’s personal information and list categories of information that should be provided to children.[Footnote 11] Like other jurisdictions, the resolution highlights that organizations have to provide privacy information to children (and their parents/guardians as appropriate) in a concise, prominent and clear manner suited to the maturity of the young person.

It also recommends that organizations avoid tracking children’s online behaviours, and when tracking is occurring, organizations should make it obvious to the child.

Organizations must also inform children about who to contact if they have questions about the information presented to them and can encourage children to direct questions to a parent/guardian (or trusted adult).

The 2024 FPT resolution, Identifying and mitigating harms from privacy-related deceptive design patterns (resolution on deceptive design patterns), also promotes the use of clear and simple language as a way of both complying with privacy laws, and fostering trust with users. The resolution further recommends consistent and neutral language and designs to present privacy choices to users.

Areas of interest – Ensuring child-appropriate transparency practices

  1. What information should an organization provide in a privacy notice about their handling of children’s personal information?
  2. How can information be tailored to different age ranges and capacities to ensure that children and/or their parents/guardians make informed decisions about privacy? Are there tools or approaches that can be used to support this? What are potential challenges and solutions to doing this effectively?
  3. How and when should information be presented strictly to parents/guardians (or trusted adults)? How should information be presented when directed at both parents/guardians (or trusted adults) and children?
  4. What resources could be provided to parents/guardians (or trusted adults) to help them explain the privacy implications of services or products to children?

Being privacy protective by default

The OPC is of the view that preventing the over-collection of children’s personal information and minimizing retention is key to limiting organizations’ exposure to potential breaches and the possibility of reuse of information beyond the initial purposes for which it was collected.

Under Principle 4 of Schedule 1 of PIPEDA, organizations must limit the collection of personal information to that which is necessary for the purposes identified by the organization. The Act also requires that personal information not be used or disclosed for purposes other than the ones for which they were collected, except where consent is provided or as authorized by law.

Part of being protective by default is also limiting the length of time that personal information is retained to only what is necessary to fulfil the purpose, as is required under Principle 5 of Schedule 1 of PIPEDA. The particularly sensitive nature of children’s personal information should also be a primary consideration for organizations developing guidelines and implementing procedures on the destruction of children’s personal information.

Children’s privacy codes in other jurisdictions such as the UK and California require organizations to have default settings that offer a high level of privacy by default, taking into account the best interests of the child, unless the organization can demonstrate a compelling reason for a different default setting.[Footnote 12]

The resolution on the best interests of the child and companion document contain recommended practices for organizations to ensure that privacy settings are the most protective by default. These include keeping children’s content private by default, refraining from targeting commercial advertisements based on their personal information and providing privacy tools and consent mechanisms appropriate for young people and their maturity level.

The resolution also recommends that, by default, organizations turn off tracking of children, including location tracking, except if:

  • it is demonstrably necessary for the product or service to function;
  • it is limited to only when the product or service is actively being used; and,
  • it is in the best interests of the child.

If the geolocation data of a child is being collected, used or disclosed, explicit consent should be obtained.

While the resolution puts forth geolocation and tracking as areas where high default settings are required or the practice should be avoided, the OPC believes that there are other practices that should be met with the same degree of caution. In particular, the OPC has shared concerns alongside G7 colleagues related to Children and AI, specifically highlighting that the collection and use of children’s personal data to train AI models may lead to harmful consequences. Experts have also identified risks in the development and use of AI systems that impact children, and have put forward guidance to mitigate risks at each stage of the AI lifecycle.[Footnote 13]

Areas of interest – Being privacy protective by default

  1. What measures could organizations employ to ensure that children’s personal information is only retained for as long as is necessary (for example, having messages automatically “expire” after a shorter period of time)? Are there specific factors that should be considered when setting a retention or disposal policy for children’s information?
  2. Are there any specific practices that should be avoided because of the difficulty in obtaining meaningful consent from a child or because it would constitute an inappropriate data practice?
  3. Are there any scenarios where it would be in the best interests of the child to have less restrictive default settings?

Avoid deceptive practices

The GPEN Sweep 2024 report found that there is “an extremely high occurrence” of deceptive design patterns across websites and apps worldwide. In Canada, sweepers found that these practices are just as frequent, and at times even more frequent, on the children’s websites that were examined. Examples of common deceptive design patterns affecting privacy that were identified include:

  • Inaccessible language – the use of complex and confusing language on websites or apps, often found within highly technical and excessively long privacy policies or terms of service;
  • Interface interference – where design elements on the website or app can be used to influence a user’s perception and understanding of their privacy options;
  • Nagging – where repeated prompts for users to take specific actions may undermine their privacy interests;
  • Obstruction – where a website or app inserts unnecessary, additional steps between users and their privacy-related goals;
  • Forced action – where a website or app requires or tricks users into providing more personal information to access a service than is necessary to provide that service.

Children’s privacy codes and guidance in other jurisdictions require organizations not to use nudging techniques to lead children to make poor privacy decisions or provide personal information beyond what is reasonably expected.[Footnote 14] The UK ICO’s standard on nudging techniques also outlines that organizations should nudge users towards pro-privacy decisions and encourages organizations to consider nudging to promote health and well-being.

The OPC provided some clarification over the requirements and expectations related to design practices along with its provincial and territorial counterparts in both the resolution on the best interests of the child and the subsequent resolution on deceptive design patterns. This includes that organizations must not incorporate into products and services manipulative or deceptive design or behavioral incentives that influence children to make poor privacy decisions, engage in harmful behaviours, encourage them to provide more information than what is necessary, or turn off protective privacy settings. Organizations should instead design products and services to empower children to make informed, privacy protective choices and take assertive action to advance their privacy rights through dynamic, innovative, and creative means. They should also regularly test design architecture and usability to detect deceptive design practices and make improvements to the platform.

Areas of interest – Deceptive practices

  1. Beyond the practices set out in Section 5 (Being privacy protective by default) and approaches referenced above, how can products or services be designed to encourage children to adopt privacy protective behaviours?
  2. What practices should be encouraged to mitigate potential harmful behaviours, and/or help children make informed decisions about their personal information?

Limiting disclosure of children’s information

Given the particularly sensitive nature of children’s information, there must be clear limits to sharing and using children’s personal information unless there are exceptions under the law, and/or the disclosure is in the best interests of the child.[Footnote 15]

Children’s privacy codes and guidance in other jurisdictions, such as the UK and California, place restrictions on the sharing and disclosure of children’s personal information unless there is a compelling reason to do so, taking into consideration the best interests of the child.[Footnote 16]

More broadly, and as discussed in other sections of this document, consent can only be valid if it is reasonable to expect that an individual would understand the nature, purposes and consequences of the disclosure (section 6.1 of PIPEDA). In these instances, organizations handling children’s personal information will need to make determinations regarding a child’s capacity to consent and whether consent should be obtained by the parent/guardian.

However, PIPEDA also recognizes that there are some scenarios where obtaining consent to disclose personal information is not necessary (subsection 7(3)). One exception is the sharing of information with a person who needs the information because of an emergency that threatens the life, health or security of an individual. The OPC is of the view that privacy should not be an obstacle when the life of any individual or child is at risk, and exceptions to consent for these disclosures align with the best interests of the child.

The resolution on the best interests of the child recommends that organizations avoid disclosing children’s data to third parties unless they obtain valid, express consent, are legally authorized to do so for a valid reason that is in the best interests of the child or are under a legal duty to disclose to third parties the personal information of a child at risk of harm or in need of protection. They must explain disclosures of personal information, including what types of information are being shared. Personal information must also be limited by contracted third parties (such as partners, providers, and agents) to the purposes for which the information was originally collected. Finally, organizations should put in place technical (or other) measures to prevent the unauthorized use of children’s information, rather than relying solely on monitoring and the assumption that third parties will live up to their contractual obligations.

Areas of interest – Limiting Disclosure of Children’s Personal Information

  1. What type of technical (or other) measures could be used to prevent the unauthorized use of children’s information?
  2. Should children receive notifications when their information is being shared? Are there scenarios where this is more critical?
  3. Are there certain types of personal information that should never be disclosed? Are there certain purposes for which a child’s personal information should never be disclosed?

General questions and next steps

The OPC welcomes your comments on the specific questions associated with each area of interest, but also more broadly on the following:

  1. What role do you see the OPC playing in ensuring that the best interests of the child are upheld?
  2. Are there other privacy considerations that should be taken into account in the establishment of a children’s privacy code?
  3. Are there areas/industries where the OPC should provide sector or industry-specific guidance for the handling of children’s personal information?
  4. What challenges or solutions do you foresee in applying a children’s privacy code?

Following this consultation, the OPC intends to draft a children’s privacy code elaborating on expectations regarding the obligations of organizations to ensure that children’s personal information is protected and that they are empowered to exercise their privacy rights.

How to comment

Comments will be accepted by email (cpvp-opcconsultation1@priv.gc.ca) until August 5, 2025, 11:59 PDT. Further information about this consultation can be found in the Call for comments.
