Fun conversations attempting to game out the question "to what extent is [an OS mandating data collection] / [mandating OS data collection] related to age legal in Canada?"
- Big difference between the acceptability of applying collection at the point of service of a restricted activity v.s. mandating general collection, even if it stays on device.
- Charter FoE rights likely come into play when it comes to mandating the existence of parental controls, optional or otherwise.
- some draft legislation floating around is fairly conservative in application (e.g. requiring explicit collection opt-outs) likely because of the above consideration
- consent of collection/use/distribution also kind of interesting, much of the guidance around data consent explicitly treats persons older than 13 differently when it comes to consent to collect/use/process information i.e. parental/guardian consent may not be sufficient for many applications (including computing access)
My takeaway on the current state in Canada is:
- An OS can mandate age collection (as long as it stays on device)
- Mandating such collection will face issues.
- Deployment of an OS that mandates age collection could be an issue
- Any attempt to use that collected data will face issues (especially if developers are required to be deemed to have collected it)
Something I really really want to emphasize here:
The "age verification" bit doesn't really matter. Even as far as mandating the existence of parental controls is debatable in many contexts.
The "developer liability to know personal information" bit is an existential threat to free software. And the bit that deserves defending from every possible angle (freedom of speech, expression, and privacy law to name a few)
Sarah Jamie Lewis
Stefan Gast