Youth Privacy in Canada

Youth privacy is increasingly important, especially in light of how young people adeptly integrate the Internet and online serves into their daily lives. Under the United Nations 1989 Convention on the Rights of the Child, privacy is a basic human right for everyone under the age of 18. In the United States, the FTC passed the Children’s Online Privacy Protection Act in 1998, specifically protecting children under age 13. Canadian privacy legislation – the PIPEDA and the Privacy Act – also ensure that children’s privacy is protected in the private and public spheres. The Canadian Privacy Commissioner has made youth privacy one of the issues to focus on for 2010.

Beliefs & Behaviors

Online environments often raise issues of youth privacy and awareness. Studies have documented that many young Canadians frequently reveal personal information online without thinking of the potential consequences. According to the Media Awareness Network, 80% of youth use the Internet alone. A 2008 Kids Help Line study revealed that 40% of youth were willing to give personal information to someone they only knew online.

A federal Privacy Commissioner’s survey found that almost half of Canadian youth admit that they do not read privacy policies on websites. The majority of youth believe that if a website has a privacy policy, users are assured that the information they provide will not be shared with third parties. Many are unaware that online services may be used to monitor their behavior, or that personal information can be stored and sold to third parties. Although the Commissioner’s study found that many young Canadians do not agree with increased censorship or surveillance, they do want the ability to make more informed decisions about the sites they visit and their online activities.

Privacy Issues: Facebook

In July 2009, the federal Privacy Commissioner completed an investigation of the popular social networking site, Facebook. The investigation was prompted by a complaint from the Canadian Internet Policy and Public Interest Clinic (CIPPIC), which identified serious privacy gaps and violations of Canadian privacy legislation. This was an overarching concern for the Commissioner, especially since 12 million Canadians are registered on Facebook, many of them youth.

The Commissioner issued a report identifying a number of key privacy issues with Facebook:

  • Third-party application developers (of which there are almost 1 million worldwide) have access to personal information beyond what was necessary to run an application. Developers are also allowed to retain users’ personal information even after the user deletes the application.
  • The option of account deletion was inaccessible to users, which means that Facebook could still retain information in user profiles. Many users confuse account deactivation with account deletion. In situations of account deactivation, Facebook does not inform users that their information is being retained for future use.
  • Facebook does not obtain the consent of non-users before uploading their personal information to the site (e.g. through photos, videos and wall posts). Non-users are not notified if their personal information is provided to Facebook. When users send invitations to non-users, Facebook collects and retains the email addresses of the non-user indefinitely, without knowledge and consent from the individual.
  • Users do not have the ability to opt-out of posthumous displays of their profile. Relatives of a deceased user are unable to remove their family member’s profile. Facebook does not clearly explain that user profiles are kept active after death, in order to allow friends to post comments and memorialize the individual.

As a result of the Commissioner’s report, Facebook agreed to make significant technological and policy changes to help its users better understand how their personal information is used and to make more informed decisions about sharing the information. The Commissioner felt that Facebook’s response was a positive step and agreed with its one-year timetable for implementing changes. The Facebook investigation sets expectations for the privacy practices of other social networking sites.

Privacy Issues: Nexopia

A privacy complaint was filed against the Canadian social networking site Nexopia in January 2010. The Public Interest Advocacy Centre (PIAC), an Ottawa-based consumer advocacy group brought the attention to the federal Privacy Commissioner in a 35-page complaint, which identified six violations of the PIPEDA by Nexopia privacy practices. Under the PIPEDA, the Privacy Commissioner has one year to investigate the complaint and deliver findings. The six violations are outlined below:

  • User profiles and personal information are disclosed to the general public. Non-member visitors can easily access sensitive information, including personal information, comments, blogs, messages and photos. Even with the highest privacy-protective setting on Nexopia, some person information (i.e. username, age, sex and location) will always be available to the public.
  • Members cannot opt-out of being searchable; the “visible to all” default setting is beyond reasonable expectations and violates the PIPEDA.
  • Without providing Nexopia with personal information (i.e. username, email address, birth date, sex and location), a user cannot join the Nexopia community. Users are not directed to the Privacy Policy and are not made aware of the ways in which their personal information can be used or disclosed.
  • While Nexopia uses targeted advertising to generate income, it does not adequately explain its advertising practices. Users do not have meaningful consent as to how their personal information will be used or disclosed. Users do not have the ability to opt-out of the targeted advertising program. According to the Canadian Marketing Association’s (CMA) Code of Ethics, collecting contact information from teens aged 13 to 16 requires opt-in consent. Nexopia fails to incorporate this practice into its information collecting procedures.
  • Current Nexopia practices regarding the transferring and sharing of personal information with third parties is not transparent.
  • Nexopia’s information retention policies violate the PIPEDA. For instance, if Nexopia members send email invitations to their non-member friends, Nexopia stores the email addresses the members provide for future use, although the non-members have not given consent to the collection and use of their email addresses. They also do not have the option to unsubscribe from Nexopia invitations or emails. Further, Nexopia reserves the right to retain members’ personal information indefinitely.

Nexopia’s extremely advanced search function presents additional privacy concerns. The PIAC noted that the member search engine is a worrisome tool, as it permits a fine-grained search of its members. For example, the advanced search can allow an individual to search for females between the ages of 13 and 16 who live in a particular city, or attend a specific school and have certain interests. It is clear that the search tool does not respect youth privacy.

Joint Resolution

In response to child and youth privacy concerns, the federal Privacy Commissioner and provincial privacy oversight officials issued a joint resolution, expressing commitment to improving online privacy standards for children and youth. The resolution, released on June 4, 2008, reinforced children’s rights to privacy and described the actions that the Privacy Commissioner and provincial ombudsmen would take. The Offices advocated an education-based approach that would be upheld by partnerships between commissioners, governments, industry and organizations. Some of the steps to be taken included:

  • Collaboration between Commissioners and ombudsmen on public education activities.
  • Recommendations on privacy education tools to governments, industry, child/youth advocates, parents and teachers.
  • Increase stringency of private sector privacy laws regarding online environments for youth/children.
  • Websites for children/youth to offer privacy policies and user agreements that are clear, simple and easy to understand.
  • Industry guidance for better privacy practices.
  • Commissioners and ombudsmen should be accessible to children/youth to lodge a complaint and seek the appropriate resolution.
  • Collaboration with privacy protection regulators worldwide.

On the same day the resolution was released, the Office of the Privacy Commissioner launched Youth Privacy, an interactive website that offers resources to youth to protect their personal information and their online activities.


This article introduces the issue of child and youth privacy in Canada. It presents a background of youth beliefs regarding online privacy and their privacy protecting behaviors. The article explores two online social networking sites that compromise youth privacy – Facebook and Nexopia. Finally, the article discusses the federal Privacy Commissioner’s and provincial ombudsmen’s responses to issues of youth privacy protection.

CIPP/C Preparation

In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:

  • Personal Information Protection and Electronic Documents Act of Canada: PIPEDA (III.A.a.)
  • Canadian Private Sector Laws & Practices: privacy incidents (III.B.g.)
  • Online Privacy: online data collection (V.B.C.)
  • Children’s online privacy: parental consent, age restrictions (V.B.f.)

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>