In September 2025, the Office of the Privacy Commissioner of Canada (the “OPC”), together with its counterparts in Alberta, British Columbia, and Quebec (collectively, the “Offices”),[1] commenced an investigation into the privacy practices of TikTok.[2]

Social media platforms are highly popular among youth and are one of the main drivers of increased screen use among minors. Depending on the study and its recency, the average child in Canada (aged 5-17) spends between two and seven hours per day using their phone or another personal device. Increasingly, screen time has been linked to various mental health concerns in youth, with compelling indications suggesting that additional screen time results in a higher risk of developing anxiety disorders and depression, as well as overall decreased happiness.[3]

Although the Offices’ investigation did not directly address these broader societal concerns about screen time among minors, this context underlies many of the concerns voiced in the findings, such as children’s increased susceptibility to advertising and the promotion of negative body image.

For Canadian businesses, the message is clear: regulators are raising the bar. Companies that collect and use personal information, especially from minors, must ensure their purposes are legitimate, their consent mechanisms are robust, and their privacy communications are accessible.

Why did Canadian regulators investigate TikTok?

TikTok—one of, if not the, most popular social media platforms used by Canadian children —has long faced scrutiny over privacy and national security concerns, including the ordered dissolution of TikTok Technology Canada, Inc. following a national security review, and the app’s ban from Canadian government-issued devices.

The Offices’ joint investigation examined whether TikTok’s collection, use, and disclosure of the personal information of individuals in Canada for the purposes of ad targeting and content personalization complied with federal and provincial privacy laws (collectively, the “Acts”).[4]

The investigation focused on two key issues:

  1. Whether TikTok’s practices engaged in targeted advertising and content personalization practices that a reasonable person would consider to be appropriate; and
  2. Whether TikTok obtained valid and meaningful consent and, for individuals in Quebec, met transparency obligations under Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (“Quebec’s Private Sector Act”).

What were the regulators’ findings and why TikTok’s practices raised concerns

TikTok collects extensive personal information from its users to support a variety of business functions, including content personalization, targeted advertising, improving the effectiveness of advertising campaigns, enforcing platform policies, promoting security, and developing its machine learning models and algorithms. The Offices examined whether using children’s personal information for content personalization and ad targeting would be considered appropriate under Canadian privacy laws.

TikTok maintained that it does not intentionally collect or use the personal information of underage users. However, evidence showed that large numbers of children continue to use the platform and that TikTok has not implemented effective safeguards to prevent their access or to stop their personal information from being collected and exploited. In fact, TikTok acknowledged that it bans approximately 500,000 underage Canadian accounts each year but relies heavily on weak detection methods, such as self-declared birthdates and limited human moderation tools, leaving many underage users undetected.

Regulators found this inadequate given the sensitivity of children’s data and TikTok’s ability to use sophisticated tools for other business purposes. Importantly:

  • Under the Personal Information Protection and Electronic Documents Act (“PIPEDA”): Subsection 5(3) requires that purposes be those a reasonable person would consider appropriate in the circumstances—a test that involves balancing commercial needs against individuals’ privacy rights.
  • In Alberta and British Columbia: The respective Personal Information Protection Acts adopt similar language, [5] and past orders in both provinces have stressed that collection must address a legitimate issue. In this case, TikTok’s purposes were not considered legitimate needs, particularly given that the company’s own terms prohibit underage users entirely.
  • In Quebec: Quebec’s Private Sector Act imposes even stricter rules and requires purposes to be “serious and legitimate.” It specifically prohibits the collection of information from minors under 14 without parental consent unless it is clearly for the child’s benefit.[6] TikTok neither obtained such consent nor pursued purposes that could be said to benefit minors.

Did TikTok obtain meaningful consent?

Consent requirements under PIPEDA, British Columbia’s Personal Information Protection Act (“PIPA BC”) and Alberta’s Personal Information Protection Act (“PIPA AB”)

PIPEDA, PIPA AB, and PIPA BC require consent for the collection, use, or disclosure of individuals’ personal information, unless an exception applies. Under PIPEDA, organizations must explain their purposes in a manner that allows users to reasonably understand the nature, purposes, and consequences of the collection, use, or disclosure. To assist organizations in assessing the adequacy of any obtained consent under various privacy laws, the OPC, the Office of the Information and Privacy Commissioner of Alberta, and the Office of the Information and Privacy Commissioner for British Columbia jointly issued the Guidelines for Obtaining Meaningful Consent (the “Consent Guidelines”).

The Offices considered whether TikTok obtained valid consent from users for the collection and use of their personal information to serve them targeted ads and tailored content. In this case, express consent was required because:

  1. the personal information collected and used by TikTok through tracking and profiling was likely sensitive; and
  2. the collection or use of personal information went beyond what a reasonable user would expect.

Although TikTok requires users to expressly accept its Terms and Conditions during the initial setup, the Offices found that such consent was not meaningful, comprehensive, or understandable.[7] Specifically:

  1. Terms and Conditions: The Terms and Conditions did not provide sufficient information to users about the material being collected.
  2. Privacy Policy: The Privacy Policy was unclear and lacked the necessary level of detail to support meaningful consent. While supplementary privacy resources were available to users, the information was scattered across the website, not linked to the Privacy Policy, difficult to locate, and not available in French.
  3. Supplement Privacy Resources: TikTok failed to adequately explain its collection and use of users’ biometric information.  While some references to biometric data appeared in the Privacy Policy, they did not fully describe TikTok’s uses of that information, including for determining users’ age and gender to deliver tailored advertising and content.

Notably, the Offices also found that information need not be uniquely identifying to be considered biometric information or to reveal sensitive information about an individual.

How did TikTok fare under Quebec’s transparency rules?

The investigation also considered whether TikTok met its transparency obligations for individuals in Quebec. Section 8 of Quebec’s Private Sector Act requires companies to inform individuals when their personal information is collected, while section 8.1 requires companies that use technology capable of locating, identifying, or profiling an individual to:

  • inform the person of the use of the technology; and
  • inform them of the means available to activate the functions that allow a person to be identified, located, or profiled.[8]

Evidence collected during the investigation flagged that TikTok collects personal information through technology that enables the identification, location, or profiling of users. This information can then be used to deliver targeted advertisements and tailor content recommendations. The investigation determined that TikTok’s Privacy Policy and Terms and Conditions did not fulfill its obligations under sections 8 and 8.1 of the Quebec’s Private Sector Act. In addition, TikTok failed to comply with section 9.1 of Quebec’s Private Sector Act, as its privacy settings did not provide the highest level of privacy by default without any intervention by the user.

During the course of the investigation, TikTok worked to expand the information available to Canadian users in its Privacy Policy. While these were positive steps forward, the Offices stressed the increased risk of harm to users in this case and recommended stricter privacy communications in order to obtain meaningful consent from users.

What compliance recommendations were made?

In response to TikTok’s contraventions, the Offices recommended that the company immediately:

  • cease using Canadians’ personal information for targeted advertising and content personalization;
  • implement effective measures to prevent underage users from accessing the platform;
  • deactivate functions that collect personal information in Quebec by default until users are informed;
  • enhance privacy settings to provide the highest level of protection by default; and
  • improve privacy communications to ensure meaningful consent is obtained, particularly for the collection and use of biometric information.

While TikTok disagreed with some of the findings, it confirmed its willingness to promptly implement other recommendations.

Key takeaways for businesses

The investigation into TikTok underscores the heightened regulatory focus on how organizations collect and use children’s and other personal information in Canada. The Offices made it clear that businesses should keep the following principles top of mind:

  1. Children’s data is inherently sensitive. As such, itrequires a higher standard of protection and safeguards. The Offices will consider the sophistication of an organization’s operations and expect large corporations to use all available tools to safeguard children’s information and limit its collection wherever possible.
  2. Ensure your business purposes are reasonable and legitimate. Organizations should collect, use, and discle personal information only where necessary, and such purposes must be clearly communicated to users.
  3. Consent must be meaningful and transparent. Long, legalistic terms of service or buried privacy policies are insufficient, especially where biometric or profiling technologies are involved. Organizations operating in Quebec must also account for stricter provincial privacy obligations, including providing clear explanations of their practices and setting privacy-protective defaults for users.
  4. Quebec has stricter obligations. Businesses must comply with additional transparency and default privacy requirements.

Canadian regulators are raising the bar on privacy compliance. Businesses should proactively review their privacy frameworks, especially if operating across multiple provinces, and strengthen their consent and transparency practices.

If your organization collects or uses personal data in Canada, now is the time to review your privacy practices. Our Privacy & Cybersecurity team regularly advises businesses on compliance with federal and provincial privacy laws, including consent, transparency, and cross-jurisdictional risks.  If you have any questions or would like guidance on ensuring your organization’s privacy policies comply with the Offices’ guidance, please contact a member of the Miller Thomson LLP Privacy & Cybersecurity team.

Stay informed on key legal developments by subscribing to our newsletters.

[1] Being the Commission d’accès à l’information du Québec (CAI), the Office of the Information and Privacy Commissioner for British Columbia (OIPC BC), and the Office of the Information and Privacy Commissioner of Alberta (OIPC AB).

[2] Joint investigation of TikTok Pte. Ltd. by the Office of the Privacy Commissioner of Canada, the Commission d’accès à l’information du Québec, the Office of the Information and Privacy Commissioner for British Columbia, and the Office of the Information and Privacy Commissioner of Alberta, 23 September 2025, PIPEDA Findings #2025-003, <https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2025/pipeda-2025-003/>.

[3] Toigo, Stephanie et al., “Recreational Screen Time and Mental Health Among Canadian Children and Youth” (2025) 45:7/8 Health Promotion and Chronic Disease Prevention in Canada 45-7/8, <https://doi.org/10.24095/hpcdp.45.7/8.01>.

[4] Specifically, the Personal Information Protection and Electronic Documents Act [PIPEDA], Quebec’s Act Respecting the Protection of Personal Information in the Private Sector [Quebec’s Private Sector Act], British Columbia’s Personal Information Protection Act [PIPA BC], and Alberta’s Personal Information Protection Act [PIPA AB].

[5] PIPA AB ss. 11, 14; PIPA BC ss. 11, 16.

[6] Quebec’s Private Sector Act, sa. 4, 4.1.

[7] PIPEDA ss. 4.3 and 4.3.2 of Schedule 1, s. 6.1; PIPA AB ss. 7, 8; PIPA BC ss. 6, 7.

[8] Quebec’s Private Sector Act, ss. 8, 8.1.