On September 23, 2025, the Office of the Privacy Commissioner of
Canada (OPC), the Commission d'accès à
l'information du Québec (CAI), the Office of the
Information and Privacy Commissioner for British Columbia (OIPC BC)
and the Office of the Information and Privacy Commissioner of
Alberta (OIPC AB), collectively referred to as "the
Offices", released their findings pertaining to a joint
investigation regarding TikTok Pte. Ltd.'s (TikTok) collection,
use and disclosure of personal information. In particular, the
investigation examined TikTok's collection, use and disclosure
of such personal information for the purposes of ad targeting and
content personalization on the platform, with a particular focus on
TikTok's practices as they relate to children (under 13, and
under 14 in Québec).
Ultimately, the Offices found that TikTok was collecting and using
the personal information of children (under 13, and under 14 in
Québec) without demonstrating a legitimate need or bona fide
interest. On consent and transparency, the Offices concluded they
did not need to determine whether TikTok had obtained valid consent
from children, since consent could not make the collection and use
appropriate. However, they did assess the validity of consents
obtained from adults and youth and determined these were not
sufficient.
While TikTok expressed different views on certain findings by the
Offices, it committed to a series of measures, most of which are to
be implemented within six months of the report's release. These
measures include enhanced age-verification mechanisms, revisions to
its privacy policy to include additional detail, the cessation of
advertiser targeting of users under 18, additional communications
on its use of biometric data and data processing in China, the
publication of youth-focused materials and communications and the
implementation of new privacy settings for users who are resident
in Canada.
Five Key Takeaways
Based on the Offices' findings, the following are key takeaways organizations should keep in mind when collecting, using and disclosing personal information in the private sector:
- Children's Data: Collecting and using children's personal information to target ads or personalize content (including through tracking, profiling and the use of personal information to train machine learning or refine algorithms) may not be viewed as appropriate, reasonable or legitimate under the privacy legislation.
- Express Consent: Requiring users to accept terms and conditions during account sign-up may be insufficient for obtaining valid consent, particularly when processing personal information for purposes of tracking, profiling, ad targeting or content personalization mechanisms. Since such practices often involve sensitive data, organizations may be required to obtain explicit (i.e. opt-in) consent—even for adult users.
- Transparency in Privacy Practices: Privacy policies and related communications should clearly explain practices such as tracking, profiling, ad targeting, content personalization and the use of biometric data. These explanations should be written in plain language, be easily accessible, and when directed at youth, adapted to their cognitive level. Additionally, privacy policies or other related documentation should not be overly lengthy or complex, ensuring users can easily locate relevant information.
- Age Assurance Mechanisms: Relying solely on a voluntary age gate (birthdate entry) and limited account moderation to prevent children from accessing age-restricted products may be considered insufficient. Depending on the context, organizations may be required to implement more robust and proactive mechanisms, such as technical verification tools, to prevent inappropriate collection and use of children's data. Even inadvertent collection of children's data may violate Canadian privacy laws.
- Québec Heightens Obligations: Organizations collecting or using personal information from Québec-based users face heightened requirements. These include: (i) mandatory pre-collection disclosures, (ii) opt-in consent for technologies that identify, locate or profile and (iii) default settings configured to the highest privacy level. Furthermore, all information must be made available in French.
This joint investigation reinforces that Canadian regulators are aligned in expecting robust privacy protections, especially for children and youth. Organizations are encouraged to take note of the practical compliance measures outlined in TikTok's commitments, ranging from age assurance to plain-language communications, and consider how similar safeguards could apply to their own operations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.