Designing age assurance to be privacy-protective – Guidance for age assurance developers
Notice
The Office of the Privacy Commissioner of Canada is accepting comments on this document until August 4, 2026, at which time we will evaluate whether any amendments are required. Should changes be made at that time, the document will be updated and a link to a summary of any edits will be included. Comments can be sent by email to cpvp-opcconsultation1@priv.gc.ca.
Summary of design considerations for age assurance
1. Minimize collection and avoid retention of personal information.
Age assurance providers must:
- Collect the minimum amount of personal information necessary for age assurance.
- Delete personal information collected for age assurance once an age signal is generated.
Age assurance providers should:
- Consider technological approaches, such as on-device processing, which limit the amount of information sent to a server.
2. Limit the information included in an age assurance result.
Age assurance providers must:
- Include no more information than is necessary in an age assurance result.
- Justify the inclusion of any information in an age assurance result other than the individual’s age range or a ‘yes/no’ signal indicating whether the individual is above a given age.
3. Avoid secondary use or disclosure of personal information collected for age assurance.
Age assurance providers must:
- Not use personal information collected for age assurance for any other purpose.
- Not disclose personal information collected for age assurance.
Age assurance providers should:
- Demonstrate that these practices are followed, such as through an independent audit or conformity assessment.
4. Minimize, and do not keep or disclose, information generated during the age assurance process (excepting the final result).
Age assurance providers must:
- Determine whether any personal information other than the age assurance result is generated during the age assurance process, and either re-design the system to avoid this or ensure that such information is protected during the process and immediately deleted following it.
5. Do not retain any information about the individual’s online activities and, where possible, design systems to ensure that such information cannot be collected.
Age assurance providers must:
- Not profile or otherwise retain any information about an individual’s age-assured online activities.
Age assurance providers should:
- Design systems in such a way that they do not learn any information about an individual’s online activities.
6. The age assurance process should not disadvantage any group.
Age assurance providers must:
- Proactively take measures to identify limitations to the accuracy of their age assurance methods based on group characteristics.
- Disclose to relying parties any known limitations in effectiveness, if they cannot be addressed.
Age assurance providers should:
- Ensure that equally privacy-protective alternative age assurance processes are available should it be likely or known that individuals of an equity-deserving group will be less able to successfully pass an age assurance check.
1. Introduction
Age assurance [Footnote 1] can be a legitimate approach to mitigating potential harms to children caused by certain online content, services, and personal information practices. However, these systems must be designed to be privacy protective to avoid creating an undue impact on the privacy rights of Internet users.
This guidance document sets out the Office of the Privacy Commissioner of Canada (OPC)’s expectations and recommendations with respect to the design of age assurance systems. [Footnote 2] It is for age assurance service providers, defined as those entities responsible for providing age assurance results to websites or online services that are seeking to distinguish between users based on age (“relying parties”). [Footnote 3] This includes third-party age assurance service providers, developers of applications (such as digital wallets) that allow an age assurance result to be derived from a digital credential, or relying parties themselves should they opt to implement their own age assurance process.
1.1. Approach to this document
The term “age assurance” encompasses a wide variety of methods and techniques, including multiple forms of age verification and age estimation. These vary significantly, both in how they operate and in the extent and nature of personal information that they collect and use. As such, an exhaustive examination of all design considerations is not feasible. Instead, we identify design considerations that developers should or must use to address key privacy risks associated with age assurance.
For each consideration, approaches to implementation are identified. The approaches described are illustrative; other innovative ways to achieve the desired results are possible.
This document is not an exhaustive description of all related obligations under Canada’s privacy laws; for more information about compliance requirements, please visit priv.gc.ca.
1.2. Key privacy risks
The age assurance-related privacy risks that the design considerations set out in this document seek to mitigate include:
- Personal information collected during the age assurance process being breached or otherwise disclosed;
- An individual’s online activities (across one or multiple sites) being tracked or profiled;
- The amount or nature of personal information collected being disproportionate to the risk being addressed; and,
- Individuals from certain (often equity-deserving) populations being subject to additional collection of personal information or access restrictions.
The extent to which these risks are mitigated will impact whether an organization has met its requirement to only collect, use and disclose personal information for purposes that a reasonable person considers to be appropriate in the circumstances. [Footnote 4]
2. Design considerations for age assurance
When designing age assurance systems, organizations must take into account the following considerations.
2.1. Minimize collection and avoid retention of personal information.
Breach of personal information collected for age assurance is a significant risk. The potential sensitivity of both the information being collected for age assurance and the inferences that are possible based on what age-assured content or services are being accessed by the individual will make age assurance providers an attractive target for malicious actors. To address this, organizations designing age assurance systems should pay particular attention to data minimization and limiting retention.
Minimizing the collection of personal information will depend on the nature of the age assurance process and the degree of certainty required in a generated age result. Age assurance providers should thus undertake a contextual analysis of their practices to understand whether and how collection can be minimized. For instance, before introducing an additional data collection to an age assurance process, an organization should evaluate (i) whether the data element will meaningfully impact the degree of certainty associated with an age result, (ii) whether this increase in certainty is both necessary and proportionate to any potential privacy harm, and (iii) whether a less-invasive alternative is possible. Organizations should be able to demonstrate the necessity of each element of personal information collected for the age assurance process, particularly when the individual element or the aggregation of multiple elements is sensitive.
Where personal information must be collected, it must not be retained following the generation of an age assurance result (absent a legal requirement to do so). In particular, organizations should not retain personal information that was collected for age assurance purposes to provide to regulators in potential future investigations. [Footnote 5] While the OPC may, in the course of an investigation, ask an age assurance provider for information about the overall effectiveness of its practices or the types of information it collects from individuals, the OPC will not expect an organization to provide evidence of the personal information collected to authenticate a specific individual.
Where feasible, providers should also consider technological approaches that allow personal information to be processed on the user’s device, without being transmitted to a server, or pre-processing that information to ensure that only less-sensitive information is sent.
This design consideration would permit reasonable retention of personal information, where a justification exists and the retention is clearly explained to the individual. For instance, an age assurance service provider would generally be permitted to take steps to reduce the need for an individual to repeatedly provide personal information by having them go through the full age assurance process once and create an account through which they can access a reusable age credential. However, in such a case, the information processed during the age assurance process should still be deleted.
Additionally, the requirement to delete information upon generating an age signal does not apply to situations in which age assurance relies on analysis of information already collected by the organization. In that case, the organization’s usual retention schedule would apply.
2.2. Limit the information included in an age assurance result.
An age assurance process should not result in the relying party learning anything about an individual other than the age assurance result. This lessens the possibility of an individual being tracked or profiled based on their age-assured online activities. Age assurance providers should thus ensure that age assurance results generated by their systems do not include unnecessary information.
There are many ways in which this can be achieved, including:
- Sending only the age assurance result to the relying party, and ensuring that this result does not contain other information about the individual, including any metadata that could act as a unique identifier;
- Issuing the individual a reusable credential to be stored in a digital wallet, with which they can provide the minimal required information to the relying party using selective disclosure [Footnote 6];
- Allowing the user to authenticate their age within their device and set a flag or signal within their browser or device indicating their age range, which is made available to the relying party.
It is possible that a relying party will require more granular information about an individual, such as their exact age. In that case, the age assurance provider should request a justification for the inclusion of this granular information. However, in no case should identifying characteristics of the individual (such as their name or an image collected during age estimation) be included in the age assurance result.
It is acceptable for the age assurance result to contain any necessary non-personal information, such as technical information which establishes the legitimacy and veracity of the result.
2.3. Avoid secondary use or disclosure of personal information collected for age assurance.
In many circumstances [Footnote 7] it will be reasonable for a relying party to require an individual to undergo age assurance before accessing some or all of a website or online service. However, requiring additional processing of that personal information would generally not be reasonable. As such, providers must not use personal information collected for age assurance for secondary purposes, nor disclose that information. Exceptions to this rule include disclosures based on a legal obligation, or certain limited processing if the individual is clearly informed and provides express consent.
To demonstrate accountability, an organization should seek to determine whether and how it can show individuals (and regulators) that it follows such commitments, such as through a conformity assessment, third-party audit, or other independent review mechanism. This is particularly important in the case where the relying party is also operating the age assurance system, as individuals may be particularly wary of being asked to simply ‘trust’ that their information will not be used in additional ways, such as to identify or profile them.
2.4. Minimize, and do not keep or disclose, information generated during the age assurance process (excepting the final result).
To further reduce both the risk of breach and the potential for disproportionate collection, age assurance should result in the least possible amount of information being generated during the process.
For example, the 2020 joint investigation of Cadillac Fairview [Footnote 8] found that, in order to estimate individuals’ age and gender, the “anonymous video analytics” technology in place:
i) took temporary digital images of the faces of any individual within the field of view of the camera;
ii) used facial recognition software to convert those images into biometric numerical representations of the individual faces that could be used to identify individuals based on their unique facial features; and
iii) used that information to assess age range and gender.
While the joint investigation found no evidence that the biometric representations described in step ii) were used for purposes other than to assess age range and gender, it also found that individuals would not reasonably expect that such representations would be created. A similar conclusion could be reached if, for instance, a facial age estimation system created a unique biometric identifier for the individual in advance of determining their age, particularly if that identifier was retained or disclosed.
In developing privacy-protective age assurance systems, an organization should consider not just the personal information being collected and the final result being generated. It should also consider the privacy impacts of any mid-stage information created by the system – either avoiding the creation of potentially sensitive information or, at minimum, ensuring its immediate deletion after processing.
2.5. Do not retain any information about the individual’s online activities and, where possible, design systems to ensure that such information cannot be collected.
Age assurance must not result in providers profiling an individual’s online activities based on where they are being age-assured.
A basic age assurance process would operate as follows:
- An individual visits a website that requires age assurance for access.
- That individual is given the option of using a third-party age assurance service provider, with which they prove their age.
- The service provider sends a ‘yes/no’ signal back to the website, which provides the individual access (or not).
To be privacy protective, this process would require a fourth step to ensure the service provider does not receive, or does not retain, information about the websites to which it is sending the ‘yes/no’ signal. Without this, the service provider would be capable of creating a profile of the individual based on the sites to which they are gaining access. Technical measures should be put in place to avoid this outcome.
Systems that ensure that the age assurance provider does not know what content is being accessed and that the relying party does not know the identity of the individual are said to meet the requirements of “double anonymity.” [Footnote 9] Proofs of concept or demonstrations by the French CNIL [Footnote 10], Spanish AEPD [Footnote 11], and European Commission [Footnote 12] all show that double anonymity is possible. [Footnote 13] This can be achieved by measures such as involving an intermediary (such as an app) that passes messages between the relying party and the age assurance service provider, or by providing the individual with a reusable credential that can be stored in a digital wallet. Age assurance providers are not required to achieve double anonymity, but the OPC strongly encourages it to be built into systems as a privacy protection.
Where a particular implementation does not fully meet the double anonymity standard, privacy-protective practices need to be followed. Specifically, providers must not create or retain information about the content being accessed by an individual nor attempt to create a profile of that individual based on inferences about that content. This includes instances in which an age assurance system based on reusable credentials is designed to contact the credential issuer (or ‘phone home’) to reaffirm that the credential remains valid.
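As an added example, not taken from the OPC document or from any of the proofs of concept it cites, the following Python models one way to satisfy sections 2.2 and 2.5 together: the provider issues a batch of single-use, selectively disclosable credentials to the user's wallet; at presentation time the wallet reveals only the `over_18` attribute and never contacts the issuer, so the issuer learns nothing about which site is asking and no signature value is reused across sites. HMAC with a key known to the relying party stands in for a public-key signature so the block runs on the standard library alone; every name and attribute value is constructed.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Provider's signing key. Stand-in for a private key: with a real signature the
# relying party would hold only the public key and could not forge results.
ISSUER_KEY = secrets.token_bytes(32)


def _digest(salt: str, name: str, value) -> str:
    """Salted commitment to one attribute (SD-JWT-style disclosure hash)."""
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def issue_credentials(attributes: dict, count: int) -> list:
    """Provider step: issue `count` single-use credentials over the same attributes.
    A fresh salt set and signature per credential means no value repeats across
    presentations, so the signature itself cannot act as a unique identifier."""
    creds = []
    for _ in range(count):
        disclosures = {n: (secrets.token_hex(16), v) for n, v in attributes.items()}
        payload = {"digests": sorted(_digest(s, n, v) for n, (s, v) in disclosures.items())}
        body = json.dumps(payload, sort_keys=True).encode()
        sig = hmac.new(ISSUER_KEY, body, "sha256").hexdigest()
        creds.append({"payload": payload, "sig": sig, "disclosures": disclosures})
    return creds


def present(cred: dict, reveal: str) -> dict:
    """Wallet step (on the user's device): reveal only the requested attribute.
    Nothing is sent back to the issuer, so it never learns the relying party."""
    salt, value = cred["disclosures"][reveal]
    return {"payload": cred["payload"], "sig": cred["sig"],
            "disclosed": {reveal: [salt, value]}}


def verify(presentation: dict) -> Optional[dict]:
    """Relying party step: check the issuer signature, then check that each disclosed
    value hashes to a digest the issuer signed. Returns only the disclosed attributes;
    undisclosed ones remain salted hashes the relying party cannot invert."""
    body = json.dumps(presentation["payload"], sort_keys=True).encode()
    expected = hmac.new(ISSUER_KEY, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, presentation["sig"]):
        return None
    for name, (salt, value) in presentation["disclosed"].items():
        if _digest(salt, name, value) not in presentation["payload"]["digests"]:
            return None
    return {n: v for n, (_, v) in presentation["disclosed"].items()}


if __name__ == "__main__":
    # Constructed attributes for a fictitious user.
    batch = issue_credentials({"over_18": True, "name": "A. Example", "birth_year": 1990}, 3)
    print(verify(present(batch[0], "over_18")))  # relying party sees {'over_18': True} only
```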
2.6. The age assurance process should not disadvantage any group.
Historically, there have been many instances in which equity-deserving groups have been disadvantaged by new technologies. In developing age assurance systems, organizations must proactively take steps to assess whether the accuracy of their system is reduced for any groups, and if so, develop mitigation strategies.
For example, challenges may include:
- Facial age estimation systems that are less accurate depending on skin tone or gender identity;
- Age verification systems that rely on government-issued documentation less available to, or less likely to be held by, unhoused individuals or newcomers to Canada, or which do not recognize credentials issued by Indigenous governments; or,
- Age assurance systems which rely on credentials stored in a digital wallet that is less available to individuals who use shared devices (including public computers, school-issued devices, or devices shared within a family).
Where an age assurance system provides an incorrect result, individuals may be prevented from accessing content or a service that should be available to them. This may also occur where an individual is required to undergo an appeals process involving the provision of additional information. Operators should proactively ensure that these burdens do not fall disproportionately on any given population (and in particular, on equity-deserving populations), and where complete mitigation of the issue is not possible, that equally privacy-protective alternatives are made readily available.
Should it not be possible to reasonably address biases within an age assurance system, organizations must disclose this to any potential relying party, and relying parties must consider whether the existence of this bias makes use of the system inappropriate in their circumstance.