Privacy Update

By Esther Shainblum and Martin U. Wissmath

Oct 2024 Charity & NFP Law Update
Published on October 31, 2024

Federal Privacy Commissioner Collaborating on Privacy-Protective Age Assurance

The Office of the Privacy Commissioner of Canada (“OPC”) is collaborating with international regulators to establish a unified approach to age-assurance methods, prioritizing children’s privacy and data protection. This aligns with OPC’s strategic focus and builds on stakeholder consultations for developing privacy-focused age-assurance guidance. The OPC announced its endorsement of the international joint statement, “Joint Statement on a Common International Approach to Age Assurance”, published September 19, 2024 (the “Statement”) on the OPC website. Endorsed by regulators in the United Kingdom, the Philippines, Argentina, and Mexico, the Statement includes 11 principles on the use of age-assurance technology.

“Age assurance can be one important way to protect children, both from inappropriate or harmful online content, and the risks that may arise from the collection and processing of their personal information,” said Philippe Dufresne, Privacy Commissioner of Canada. The Statement will remain open for signatures after its publication, allowing both working group members and other regulators that support the shared principles to endorse it.

Alberta Privacy Commissioner Rules Against Students’ Union in Disclosure Case

Alberta’s Privacy Commissioner ordered the University of Alberta Students’ Union to comply with its privacy law obligations, as it faced scrutiny for publicly disclosing a former student council member’s personal information without consent. University of Alberta Students’ Union (Re), published October 1, 2024, involves a complaint filed with the Office of the Information and Privacy Commissioner of Alberta (“PCA”) regarding the University of Alberta Students’ Union (“UASU”)’s online disclosure of the former student council member’s (the “Complainant”) personal information, and breaches of Alberta’s Personal Information Protection Act (“PIPA”).

The personal information stemmed from a 2004 complaint about the Complainant’s conduct while he was an elected member of the student council, along with information regarding his subsequent resignation. Although the UASU removed the information from its website during the inquiry and argued the matter was moot, the Adjudicator found the inquiry was necessary to ensure future PIPA compliance. The Adjudicator also determined the disclosed information constituted the Complainant’s personal information under PIPA. The UASU argued that it was exempt from PIPA as a non-profit organization. It also took the position that “as the Complainant did not request that the student council discuss the complaint and the application in camera, he consented to the disclosure of his personal information on the internet.” While the Adjudicator agreed that the UASU is a non-profit organization, the UASU did not meet the requirements under PIPA as a non-profit “incorporated under the Societies Act, the Agricultural Societies Act, or Part 9 of the Companies Act.”

The UASU’s disclosure was found to violate PIPA because it lacked the authority to disclose the information without consent and the Complainant did not consent, nor could consent be deemed under PIPA. Furthermore, the disclosure did not meet the reasonableness requirements of PIPA, as the UASU failed to demonstrate how the nearly two-decade-long online publication of the complaint served a legitimate purpose of transparency and accountability. The Adjudicator ordered the UASU to continue complying with PIPA in handling the Complainant's personal information.

Privacy Sweep Report from OPC Finds Majority of Apps and Websites Use Deceptive Design

The Office of the Privacy Commissioner of Canada (“OPC”), with 25 global privacy authorities, participated in the Global Privacy Enforcement Network Sweep (the “Sweep”), examining deceptive design patterns (“dark patterns”) on websites and apps. The Sweep occurred early this year between late January and early February, and the OPC published its Office of the Privacy Commissioner Sweep Report 2024: Deceptive Design Patterns on July 9, 2024 (the “Report”).

Coordinated with the International Consumer Protection and Enforcement Network, the Sweep assessed 145 sites across sectors like retail, social media, and entertainment, including child-focused platforms. Dark patterns manipulate users’ privacy choices, often leading to excessive personal data sharing. The Sweep revealed that 97% of the websites and apps reviewed used one or more dark patterns, potentially leading individuals to disclose more personal information online.

“Websites and apps should be designed with privacy in mind,” said Privacy Commissioner of Canada Philippe Dufresne in an announcement on the Report’s findings. “This includes providing privacy-friendly default settings and making privacy information easy to find.” Notably, the OPC reported that “websites and apps aimed at children used, more often than websites and apps targeted at the general population, emotive language or nagging to manipulate users into making less privacy-friendly choices.”

The OPC focused on five design patterns based on OECD criteria to understand how these tactics impact user privacy decisions and highlight consumer protection issues:

1.  Complex and confusing language: technical and/or excessively long privacy policies that are difficult to understand;

2.  Interface interference: design elements that can influence users’ perception and understanding of their privacy options;

3.  Nagging: repeated prompts for users to take specific actions that may undermine their privacy interests;

4.  Obstruction: the insertion of unnecessary, additional steps between users and their privacy-related goals; and

5.  Forced action: requiring or tricking users into disclosing more personal information to access a service than is necessary to provide that service.

The Report found that the most common deceptive design pattern involved privacy policies that were lengthy (over 3,000 words) or used complex language, making them challenging to understand. This issue appeared in 96% of reviewed cases, with 33% of policies rated as highly difficult to read. Obstruction was another prominent tactic, where users encountered obstacles in account deletion processes; only 25% of sites allowed account deletion within two clicks, while 43% offered no visible option to delete accounts. Additionally, 65% of platforms pre-selected less privacy-protective settings, steering users toward reduced privacy. These patterns often serve the platform’s interests over user privacy, the Report noted.

Charities and not-for-profits should take note of this Report and make efforts to avoid any dark patterns in their website design or applications. Privacy policies should be clear and comprehensive, but also succinct and not unnecessarily lengthy. Legal advice should be obtained to review policies and advise organizations on best practices to comply with privacy expectations.

   
 
