When the intersection of law and technology presents seemingly intractable new challenges, policy makers often bet on technology itself to solve the problem. Whether countering copyright infringement with digital locks, limiting access to unregulated services with website blocking, or deploying artificial intelligence to facilitate content moderation, there is a recurring hope the answer to the policy dilemma lies in better technology. While technology frequently does play a role, experience suggests that the reality is far more complicated as new technologies also create new risks and bring unforeseen consequences. So too with the emphasis on age verification technologies as a magical solution to limiting under-age access to adult content online. These technologies offer some promise, but the significant privacy and accuracy risks that could inhibit freedom of expression are too great to ignore.

The Hub runs a debate today on the mandated use of age verification technologies. I argue against it in a slightly shorter version of this post. Daniel Zekveld of the Association for Reformed Political Action (ARPA) Canada makes the case for it in this post.

The Canadian debate over age verification technologies – which has now expanded to include both age verification and age estimation systems – requires an assessment of both the proposed legislative frameworks and the technologies themselves. The last Parliament featured debate over several contentious Internet-related bills, notably streaming and news laws (Bills C-11 and C-18), online harms (Bill C-63) and Internet age verification and website blocking (Bill S-210). Bill S-210 fell below the radar screen for many months as it started in the Senate and received only cursory review in the House of Commons. The bill faced only a final vote in the House but it died with the election call. Once Parliament resumed, the bill’s sponsor, Senator Julie Miville-Dechêne, wasted no time in bringing it back as Bill S-209.

The bill would create an offence for any organization making available pornographic material to anyone under the age of 18 for commercial purposes. The penalty for doing so is $250,000 for the first offence and up to $500,000 for any subsequent offences. Organizations can rely on three potential defences:

1. The organization instituted a government-approved “prescribed age-verification or age estimation method” to limit access. There is a major global business of vendors that sell these technologies and who are vocal proponents of this kind of legislation.
2. The organization can make the case that there is “legitimate purpose related to science, medicine, education or the arts.”
3. The organization took steps required to limit access after having received a notification from the enforcement agency (likely the CRTC).

Note that Bill S-209 has expanded the scope of available technologies for implementation: while S-210 only included age verification, S-209 adds age estimation technologies. Age estimation may benefit from limiting the amount of data that needs to be collected from an individual, but it also suffers from inaccuracies. For example, using estimation to distinguish between a 17 and 18 year old is difficult for both humans and computers, yet the law depends upon it. Given the standard for highly effective technologies, age estimation technologies may not receive government approvals, leaving only age verification in place.

The government would determine through regulation what constitutes valid age verification or age estimation technologies. In doing so, the bill says it must ensure that the method:

(a) is highly effective;
(b) is operated by a third-party organization that deals at arm’s length from any organization making pornographic material available on the Internet for commercial purposes;
(c) maintains user privacy and protects user personal information;
(d) collects and uses personal information solely for age-verification or age-estimation purposes, except to the extent required by law;
(e) limits the collection of personal information to what is strictly necessary for the age verification or age estimation;
(f) destroys any personal information collected for age-verification or age-estimation purposes once the verification or estimation is completed; and
(g) generally complies with best practices in the fields of age verification and age estimation, as well as privacy protection.

Bill S-209 is an improvement over its predecessor as it seeks to exclude search and other incidental distribution, adopts a new standalone definition for pornographic materials, and sets a higher standard for the technology itself. Yet many concerns remain: the bill still envisions court ordered website blocking, including blocking access to lawful content by those entitled to access it. In fact, the bill expressly states blocking may “have the effect of preventing persons in Canada from being able to access material other than pornographic material made available by the organization.” Orders that knowingly block lawful content is certain to raise Charter of Rights challenges.

From a technological perspective, Bill S-209 still relies on technologies that raise both privacy and accuracy concerns and puts government into the business of evaluating those technologies. Based on the analysis from regulators around the world, the mandated implementation of these technologies appears premature at best. For example, the Office of the Privacy Commissioner of Canada conducted a consultation last year on the issue of such technologies, identifying three key categories of harms that age assurance technologies are meant to remedy or that they may cause.

A harm that proponents of these technologies want to mitigate is “the extent of youths’ exposure to sexually explicit material online, the frequency with which this material is of an aggressive or violent nature, and the potential harms to body image or mental health it may cause”. Opponents note that these technologies are harmful in that they would limit young people’s (especially those from marginalized groups) “access to online content or forums” that provide “avenues for community-building, civic engagement, and education”, as well as “self-discovery”. Further, use of such technologies comes with risk of data breaches that would publicly expose people’s online activities, consequently causing “psychological or physical harms” and possibly discouraging them from “operating freely in the digital environment”.

In light of these risks, the OPC emphasized the importance of “ensuring that any use of age assurance is proportionate to the risk being addressed”. It intends to pursue further consultation to issue guidance on when age assurance should be used and how to build privacy protections into the design of age assurance techniques.

The challenge of implementing these technologies have been raised elsewhere. In February 2025, the European Data Protection Board issued a Statement on Age Assurance that establishes ten principles to design GDPR-compliant age assurance, in order to “reconcile the protection of children and the protection of personal data”. Neither current Canadian privacy law nor Bill S-209 fully address these principles.

The Australian government commissioned “an age assurance trial to examine options to protect children from harmful content such as pornography and other online age-restricted services, as well as harms on social media”, which will serve to guide its decision-making in November 2024. One element of the trial was to “evaluate the potential impact of different age assurance technologies on user privacy”. Results of the trial have not yet been released.

While interest in age verification technologies continues to grow, there remain significant privacy and freedom of expression concerns. For Canadians, the potential framework contained in Bill S-209 would heighten the risks with limited safeguards and an uncertain regulatory enforcement framework. Further study and assurances of privacy and expression safeguards are essential before even considering moving ahead with mandating risky age verification technologies.