The Office of the Privacy Commissioner of Canada led a joint investigation with provincial privacy regulators from Alberta, British Columbia, and Quebec into TikTok's collection, use, and disclosure of personal information of Canadians. The results of the joint investigation focused on ad targeting, content personalization, and the platform's treatment of children and youth. The investigation examined whether TikTok's practices complied with Canadian privacy laws, particularly whether valid, meaningful consent was obtained from users, especially minors.
Key findings that affect privacy policies
The regulators found that blanket statements buried in lengthy terms of use or privacy policies cannot substitute for clear, youth-appropriate transparency and consent mechanisms. Privacy policies must not hide essential information about profiling, tracking, behavioural advertising, or the use of biometrics. When profiling or advertising practices exceed reasonable expectations, organizations should obtain express consent rather than rely on implied or buried disclosures.
Requirements for meaningful privacy policies
Privacy policies must be concise, accessible, and tailored to the audience, with special attention to children and youth. They must clearly explain what personal information is collected, why it is collected, how it is used for ad targeting and personalization, whether biometric or face analytics processing occurs, and whether cross-border transfers take place. Policies should also explain age-assurance measures and the specific protections in place for underage users. Information presented in policies must be bilingual where required and suitable for youth comprehension. For example, the following chart clearly details the information collected, the purpose and use of information, and applicable safeguards:
| Description of Personal Information Collected | Why and How Personal Information is Used | Protection Measures Taken |
| --- | --- | --- |
| Name and contact (such as email address and phone number). | To provide and maintain services, including account setup and customer support. | Implementation of appropriate technical, organizational, and physical safeguards to protect personal information against loss, theft, and unauthorized access and disclosure. These measures include encryption, secure servers, restricted access, and staff training. |
Practical implications for organizations and policy language
Organizations should treat privacy policies as active tools for compliance rather than passive legal shields. Policies must:
- be readable and prominently presented;
- include specific, plain-language explanations of profiling, targeting, and data sharing;
- disclose cross-border data flows and third-party access;
- detail any biometric processing; and
- outline user choices and how to withdraw consent.
Closing takeaway
The TikTok joint investigation reinforces that privacy policies must be transparent, audience-appropriate, and actionable, especially where children and targeted advertising are involved. Organizations must move beyond dense legal text to provide clear disclosures, obtain express consent when profiling or advertising practices exceed reasonable expectations, and publicly document age-assurance and youth-protection measures in their privacy communications.