On September 23, 2025, the Office of the Privacy Commissioner of Canada (OPC), the Commission d’accès à l’information du Québec (CAI), the Office of the Information and Privacy Commissioner for British Columbia (OIPC BC) and the Office of the Information and Privacy Commissioner of Alberta (OIPC AB), collectively referred to as “the Offices”, released their findings pertaining to a joint investigation regarding TikTok Pte. Ltd.’s (TikTok) collection, use and disclosure of personal information. In particular, the investigation examined TikTok’s collection, use and disclosure of such personal information for the purposes of ad targeting and content personalization on the platform, with a particular focus on TikTok’s practices as they relate to children (under 13, and under 14 in Québec).
Ultimately, the Offices found that TikTok was collecting and using the personal information of children (under 13, and under 14 in Québec) without demonstrating a legitimate need or bona fide interest. On consent and transparency, the Offices concluded they did not need to determine whether TikTok had obtained valid consent from children, since consent could not make the collection and use appropriate. However, they did assess the validity of consents obtained from adults and youth and determined these were not sufficient.
While TikTok expressed different views on certain findings by the Offices, it committed to a series of measures, most of which are to be implemented within six months of the report’s release. These measures include enhanced age-verification mechanisms, revisions to its privacy policy to include additional detail, the cessation of advertiser targeting of users under 18, additional communications on its use of biometric data and data processing in China, the publication of youth-focused materials and communications and the implementation of new privacy settings for users who are resident in Canada.
Five Key Takeaways
Based on the Offices' findings, the following are key takeaways organizations should keep in mind when collecting, using and disclosing personal information in the private sector:
- Children's Data: Collecting and using children's personal information to target ads or personalize content (including through tracking, profiling and the use of personal information to train machine learning or refine algorithms) may not be viewed as appropriate, reasonable or legitimate under the privacy legislation.
- Express Consent: Requiring users to accept terms and conditions during account sign-up may be insufficient for obtaining valid consent, particularly when processing personal information for purposes of tracking, profiling, ad targeting or content personalization mechanisms. Since such practices often involve sensitive data, organizations may be required to obtain explicit (i.e. opt-in) consent—even for adult users.
- Transparency in Privacy Practices: Privacy policies and related communications should clearly explain practices such as tracking, profiling, ad targeting, content personalization and the use of biometric data. These explanations should be written in plain language, be easily accessible, and when directed at youth, adapted to their cognitive level. Additionally, privacy policies or other related documentation should not be overly lengthy or complex, ensuring users can easily locate relevant information.
- Age Assurance Mechanisms: Relying solely on a voluntary age gate (birthdate entry) and limited account moderation to prevent children from accessing age-restricted products may be considered insufficient. Depending on the context, organizations may be required to implement more robust and proactive mechanisms, such as technical verification tools, to prevent inappropriate collection and use of children’s data. Even inadvertent collection of children’s data may violate Canadian privacy laws.
- Québec Heightens Obligations: Organizations collecting or using personal information from Québec-based users face heightened requirements. These include: (i) mandatory pre-collection disclosures, (ii) opt-in consent for technologies that identify, locate or profile and (iii) default settings configured to the highest privacy level. Furthermore, all information must be made available in French.
This joint investigation reinforces that Canadian regulators are aligned in expecting robust privacy protections, especially for children and youth. Organizations are encouraged to take note of the practical compliance measures outlined in TikTok’s commitments, ranging from age assurance to plain-language communications, and consider how similar safeguards could apply to their own operations.
For more information about privacy requirements in Canada, please contact a member of our Data Governance Protection and Cybersecurity group.