Age Verification Laws Go Global

The death knell of the internet is nigh

Yet another draconian internet bill is currently being debated by Canadian lawmakers. Eagerly following in the footsteps of Australia and the UK, Canadian Senator Julie Miville-Dechêne introduced Bill S-209 titled Protecting Young Persons from Exposure to Pornography Act, which would restrict minors from accessing porn online.

Hard to argue with that, but as it happens with many other laws passed under the guise of safety, this bill is not about safety, but control.

The bill is vague, broad, and lacks basic understanding of how digital tools work. The contents of the bill read as if they were drafted by people who are either woefully naïve and tech illiterate, or they have ulterior motives and their express goal is to further sterilize the internet. I’d venture to say it’s likely a mix of the two.

Screenshot from Senate committee panel discussion - October 2, 2025 Pictured: Sen. Julie Miville-Dechêne, sponsor of Bill S-209

Additional concerns abound, ranging from user privacy, data management, functional creep, censorship, and freedom of expression — none of these concerns are addressed in the bill. If anything, the bill confuses more than it clarifies. For example, it’s not clear which online platforms would be subject to the terms of this legislation. The bill states that it would target “pornographic material – including demeaning material and material depicting sexual violence” but there is room for functional creep here as government officials themselves stated that no website is immune from this bill and that ‘demeaning material’ can be far-ranging. In the UK for example, platforms including Spotify, YouTube, and Reddit have already started rolling out age verification checks for their users.

One of the main components of the bill is how users’ ages will be verified. The bill fails to specify what age verification method will actually be employed as a way to assess someone’s age. It cites both age verification and age estimation as possible methods, but both employ entirely different tools to verify or guess someone’s age. Age verification requires tangible proof, such as a government-issued ID or biometric data, whereas age estimation can use AI tools to guess someone’s age. While less accurate, it can also be just as risky. Both tools pose privacy and security risks and it is disconcerting that lawmakers are not concerned about the key details nor do they even seem to see the difference between the two methods.

There is no way to know what method the government will employ and how these tools will be used. And regardless of what method of verification is chosen, there is no guarantee that our personal information will be protected.

The bill states:

“Whereas online age-verification and age-estimation technology is increasingly sophisticated and can now effectively ascertain the age of users without breaching their privacy rights.”

This line assumes that nothing could ever go wrong, that technology is infallible, and that companies are always to be trusted. But the very act of sharing sensitive information is never without risk. There is no way to possibly guarantee that users’ personal information will not be compromised. No company could ever reasonably make such a promise. Most of the time it’s not a matter of if our information will be compromised, but when, especially when you consider the reputation of companies the government has employed to do its bidding in the past. Ethics just gets in the way of technology. There is no reversing course once enormous swaths of sensitive information are shared with third party companies.

Additionally, the bill barely addresses data management. While it notes that personal information must be destroyed once age verification or estimation is completed, it does not specify how exactly this might be done, nor does it address the following: What is the timeline for information destruction? If so, would users have to verify their age every time they access a website? Where would this data be stored? How will our information be used? Will it be shared with other third parties? How would the company guarantee that our data would actually be destroyed? To the last question, there have been countless examples of companies promising to destroy user data and then we later find out that is not the case. In my own experience, I’ve seen companies that claimed to comply with international privacy laws like GDPR which requires the destruction of sensitive user data, but come to find they hadn’t complied at all. I fail to see a way that anyone could adequately oversee this and ensure that user data is destroyed. But let’s say regulatory bodies are created to ensure the third party company comply — what would this cost taxpayers? How much, and for how long? Who would be in charge? Would they be a neutral party?

Canadians need certain assurances that our sensitive information will be protected, but we’re just not getting that with this bill.

Privacy Commissioner of Canada Philippe Dufresne hardly seems concerned either. Dufresne exposed how cowardly he is based on his recent remarks supporting the bill. He has said that he’s optimistic about the bill given how other countries have implemented their own similar legislation, which somehow proves what, I’m not exactly sure given the mounting issues we’re seeing with these other laws.

Screenshot from Senate committee panel discussion - October 2, 2025. Pictured: Philippe Dufresne, Privacy Commissioner of Canada

In one panel discussion it was evident that the more Dufresne spoke, the more he didn’t make sense. Dufresne admitted that this bill is actually intended more for children who “accidentally stumbled on” bad content and that the children who want to find the “bad” content will find it. Given this, why go to such lengths for a bill that would only catch the kids accidentally accessing porn? Additionally, how does one accidentally stumble upon explicit porn in the first place? Dufrense admits that VPNs and other tools can be easily employed, but again he doesn’t seem to be concerned. Is the money, time, and resources worth all this effort to prevent children from “accidentally” accessing porn? If that’s the whole purpose of the bill, then I see no purpose at all. None of this makes sense because the bill doesn’t make sense.

The above wasn’t even the worst of Dufresne’s remarks. He admitted that he can’t really do much if companies renege on their promises and fail to comply. Dufresne has no authority to take action — he can’t even issue fines. So if a company was found to be non-compliant (i.e., they failed to delete user data), there would be no consequences. All the Privacy Commissioner can do is make recommendations and the non-compliant company doesn’t even have to implement them. Dufresne added that the only way the company would be held accountable is if he took them to federal court and that would be “expensive and lengthy,” implying that it’s something he would likely not do should the situation arise. There’s absolutely no consequence to companies who don’t comply, so what would even be the incentive for companies to adhere to the rules?

Dufresne paradoxically emphasized that we need to use technology to protect privacy without offering any details as to how this would play out. He doesn’t even consider the downstream impacts. There’s a serious risk of further censorship and the removal of lawful content.

Additional questions abound: Should we not expect that parents should, by default, be the first line of defence when it comes to monitoring their children’s online activities? Why is the knee jerk reaction of the government to control this aspect of our lives, too? Why should the government intervene, especially if the potential risks of this bill far outweigh the benefits? As mentioned from the outset, all of these questions can be boiled down to: The government simply wants more control. This isn’t about fighting the noble cause of protecting children, it’s about finding more ways to gain further control and track our activities, collect sensitive data, and streamline data collection and analysis.

While the online information highway is already filled with one too many barriers, one-way streets, and highway patrol, this move takes it to the next level, inching us closer towards further regulation, censorship, and centralization of the internet.

As of this writing, Bill S-209 is currently being debated in the Senate. The only good thing to say about this bill is that it’s getting pushback from all political sides. But pushback is not good enough as evidenced by similar legislation in Australia and the UK. All of these countries are conveniently working in lockstep passing similar bills at similar times despite vocal opposition. This isn’t coincidence. It’s a concerted effort to pacify us at a time when there is more consciousness raising happening all over the world.

It remains unclear how this legislation will work if passed (and likely it will), but if history is any indication, the Canadian government will completely botch an already flawed bill and Canadian citizens will be collateral once again.