ARTICLE
2 October 2025

TikTok Takeaways

McMillan LLP

Contributor


On Sept 23, 2025, the Office of the Privacy Commissioner of Canada ("OPC") and its provincial counterparts in Alberta, British Columbia (BC), and Quebec (together with the OPC, the "Privacy Regulators") released the results of their Joint Investigation into TikTok Pte. Ltd. (the "Joint Investigation"). The findings of the Privacy Regulators in this case provide helpful guidance and reminders for social media companies with users in Canada, as well as other organizations that process personal information about children and youth.

Some key takeaways from the Joint Investigation include the following:

  1. Age Assurance for Greater Assurance of Compliance
    Organizations should implement effective age assurance mechanisms to ensure that children are not accessing and using online services that are not intended for them. It will not be sufficient to simply state in the organization's terms of use (TOU) that persons under a certain age are not permitted to use the platform. Additional measures implemented by TikTok, such as requesting birthdates for certain services and removing users that are identified by its moderation team as potentially belonging to underage persons, were also deemed insufficient by the Privacy Regulators.

  2. Express Consent for OBA
    Consistent with past guidance from the Privacy Regulators, the Joint Investigation serves as an important reminder to organizations that express consent may be needed for online behavioural advertising (OBA), if the personal information involved in such activities is sensitive or the organization's practices fall outside the reasonable expectations of individuals. Organizations should also keep in mind that although certain types of information are considered inherently sensitive (e.g., health and financial data, ethnic and racial origins, political opinions, genetic data, biometrics, sex life, sexual orientation, religious or philosophical beliefs), less sensitive data elements can also be rendered sensitive when they are taken together and analyzed for profiling purposes.[1]

  3. Privacy Policies are not a Panacea
    As indicated in prior Guidelines for obtaining meaningful consent (the "Guidelines"), information that is "buried" in a privacy policy or TOU cannot be relied upon as the basis for valid consent under the Personal Information Protection and Electronic Documents Act (PIPEDA) and its provincial equivalents. Rather, key information about the organization's practices must be brought to individuals' attention when consent is sought, including: (1) what information is being collected; (2) the parties with whom personal information will be shared; (3) the purposes for collection, use and disclosure of personal information; and (4) risk of harm and other consequences (including that information transferred outside Canada may be accessible to foreign governments). Furthermore, individuals must be provided with clear and detailed information so that they will understand how their information will be collected, used and shared; vague, incomplete or unclear language does not support meaningful consent.[2] The Privacy Regulators acknowledged that TikTok makes significant information about its privacy practices available to users, including through just-in-time notices and a layered format in its privacy policy (as recommended in the Guidelines). However, they still recommended a number of improvements to the company's practices, demonstrating once again that the Privacy Regulators impose a high standard for organizations to prove that consent is informed and meaningful.

  4. Consent – Consider your Audience
    Consent mechanisms must take into account the age of users. In particular, when communicating with youth about the intended collection and use of their personal information, it is important to use plain language that is appropriate to their level of cognitive development. In addition, risks and consequences that younger users may not understand should be described in prominent, up-front notifications, including those associated with engaging in a platform that delivers targeted advertising and other tailored content. The Joint Investigation also serves as a reminder that collection of personal information without an appropriate, reasonable or legitimate purpose is inconsistent with PIPEDA even if consent is obtained.[3] In the circumstances of this case, it was found that collecting and using underage persons' data for the purposes of targeted advertising and content personalization were not purposes that a reasonable person would consider to be appropriate, reasonable or legitimate.

  5. Beware of Biometrics
    In the Joint Investigation, the Privacy Regulators found that analyzing faces and voices to infer age range and gender can constitute processing of biometric information even when such technologies are not used for the purposes of identifying or authenticating individuals. Furthermore, they found that: (1) information need not be uniquely identifying to be termed "biometric information"; and (2) biometric information does not have to be uniquely identifying in order to reveal sensitive information about an individual (e.g., when such data is used to infer additional personal information such as a person's gender). For more information on the Privacy Regulators' positions on biometrics, see Guidance for processing biometrics – for businesses and Biométrie : principes à respecter et obligations légales des organisations.

  6. Pay Attention to Provincial Differences
    The data protection statutes in Quebec, Alberta and BC each have unique features, which distinguish them from PIPEDA. For example, Quebec's Act respecting the protection of personal information in the private sector (the "Quebec Act") prescribes some unique requirements that are relevant to the online data processing activities of organizations such as TikTok, including the following:
    • A number of mandatory notices must be provided to individuals when their personal information is collected (see s.8 of the Quebec Act).
    • If an organization uses technology that includes functions allowing individuals to be identified, located or profiled, the individuals must first be informed of the use of such technology and the means available to activate such functions. These functions must be deactivated by default, and a specific active gesture must be made by a person to allow their personal information to be collected and used to identify, locate or profile them.
    • If an organization offers a technological product or service that has privacy settings to the public, those settings must provide the highest level of confidentiality by default and without any intervention by the user.

Though TikTok maintained that it complied with the law, the company nevertheless committed to enhancing its practices. In particular, it agreed to implement new underage detection models, update its privacy policy, limit targeted advertising to persons under the age of 18, develop new mechanisms for communicating with teens (i.e., a plain language summary of its privacy policy and a video highlighting certain practices), enhance its privacy communications for all users, provide information in French as well as English, and implement a new "Privacy Settings Check-up" mechanism for Canadian users. Other organizations that operate within Canada or that have a real and substantial connection to Canada or any of its provinces would be well advised to consider similar measures.

Footnotes

1. See Joint Investigation at para. 45, as well as PIPEDA Report of Findings #2015-001.

2. See Joint Investigation at para. 102-104.

3. See Joint Investigation at para. 69.

4. Lyndsay A Wasser Professional Corporation

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2025
