date 2025-10-10

In a landmark joint investigation, Canada's federal and provincial privacy regulators have delivered a strong message to Canadian organizations: when it comes to protecting personal information, especially that of minors, stronger measures must be implemented.

The case

The Office of the Privacy Commissioner of Canada, along with counterparts in Québec, British Columbia and Alberta, launched a coordinated probe into TikTok's data practices. Their focus? Whether TikTok's collection, use and disclosure of personal information – especially from minors – complied with Canadian privacy laws.

What they found

The investigation highlighted various concerns about the handling of personal information of minors and provided helpful guidance for privacy programs more generally.

One of the key findings was that age assurance tools were largely ineffective, allowing many underage users to be profiled for ads and content. The investigation also found that the platform collected sensitive personal information from users – including details about health, gender identity and political views – without valid or meaningful consent.

Furthermore, the investigation concluded that privacy communications were unclear, incomplete and not available in French, failing to meet transparency obligations.

Why it matters

This decision highlights the need for organizations to update their privacy compliance programs, particularly with respect to the handling of the personal information of minors. It also reinforces that consent must be informed, that privacy policies must be accessible, and that sensitive personal information demands extra care.

What organizations can do

To help your organization align with Canadian privacy laws, consider the following:

Youth protection and age assurance

Implement robust age verification tools

Avoid profiling or targeting children without valid consent

Use plain-language privacy notices tailored for youth

Consent and transparency

Ensure consent is informed, specific and meaningful

Make privacy policies clear, concise and available in both English and French (where appropriate)

Clearly explain data collection, usage and sharing practices

Sensitive data handling

Limit collection of sensitive data unless absolutely necessary

Obtain explicit consent for health, political or identity-related data

Audit data flows regularly for compliance

Privacy governance

Appoint a Privacy Officer and document their responsibilities

Maintain a privacy management program with regular reviews

Use tools like the PIPEDA Self-Assessment Tool to benchmark practices, and conduct privacy impact assessments for new programs and features

Third-party oversight

Conduct privacy due diligence on service providers

Include privacy and security clauses in vendor contracts

Use data protection schedules for vendors handling personal data

Training and awareness

Provide regular privacy training and reminders for all staff

Customize training by role and responsibility

Document completion and staff acknowledgments

Access and retention

Maintain a record retention policy aligned with legal requirements

Be ready to respond to access requests from individuals

Keep online privacy policies up to date

Incident response

Develop and test a breach response plan

Train staff on breach notification and escalation procedures

Maintain a breach register and ensure timely reporting

