TikTok's Privacy Blunders: A Wake-Up Call for Business Owners
- Stern, Vivienne Hulton, Wendy G.
New guidance from the offices of the Canadian Privacy Commissioner and the Quebec, British Columbia, and Alberta Privacy Commissioners (collectively, the “Offices”) has been published through the recently released decision in PIPEDA Findings # 2025-003 (the “Finding”) with respect to the Offices’ expectations of organizations who are collecting, using, or disclosing personal data. While there has been no great overnight amendment to the Personal Information Protection and Electronic Documents Act (“PIPEDA”) or other privacy legislation, the Finding makes clear that businesses will be held to a high standard when it comes to privacy and will likely need to update their own privacy policies and privacy-related documentation post-Finding. A summary of the Finding can be found below, but first, in review of the Offices’ decision, here are the eight primary points made with respect to privacy practices, consent requirements, and what they mean for businesses that collect, use, or disclose personal data during commercial activities.
- Privacy practices must be communicated in a way that users can reasonably understand (i) how their personal information will be used and (ii) the nature, purpose, and consequences of a business’s handling practices.
- All privacy policies and related documentation should be available in French and English.
- Organizations are expected to place greater focus on the following privacy factors:
  - The personal information being collected;
  - The parties with whom such information is shared;
  - The purposes for which the personal information shall be collected, used or disclosed; and
  - The associated risks of harm and other outcomes.
- Organizations must ensure that key privacy information is presented prominently when users create their accounts. Key privacy information being “hidden” in lengthy privacy policies where few users will review it is not sufficient.
- Documents containing additional details about privacy practices should be linked to or readily accessible through the organization’s privacy policy, and otherwise made easily discoverable.
- Organizations must communicate their privacy practices clearly, thoroughly, and accessibly. The expected level of detail includes detailed explanations that specify which personal information is used for which purposes, and the manner in which it is used to achieve those purposes. The Offices supported the use of “just-in-time notices”, FAQ pages, and feature-specific articles.
- The validity of consent may depend on the individual’s cognitive capacity and level of developmental maturity, as well as other factors.
- Privacy communications should be tested to ensure that information and explanations of complex technologies and privacy practices are understandable to their intended audience. This practice is particularly important when the target audience is children or youth.
A Short Summary of the Key Determinations
The Finding is the result of an investigation by the Offices into TikTok’s collection, use, and disclosure of personal information. The Offices examined whether TikTok’s privacy practices, particularly as they relate to children, would be considered reasonable (i.e., whether they were “appropriate purposes”) and whether TikTok had obtained valid and meaningful consent with respect to those purposes.
In this case, TikTok did not obtain valid and meaningful consents as the Offices found, amongst other findings, that (1) key information about TikTok’s practices was not provided up-front for users to consider, (2) the Privacy Policy did not provide a clear and comprehensive explanation of practices, (3) relevant privacy documents were not made available in French, (4) TikTok did not adequately explain its collection and use of users’ biometric data, and (5) the practices TikTok had in place to restrict children’s access to its platform did not function effectively, meaning personal information of many Canadian children was collected with “no legitimate need or bona fide interest.”
Further specific findings, which are not detailed in this article, were made with respect to Quebec’s privacy laws and practices and should be reviewed by organizations operating in Quebec.
Meaningful Consent
Under PIPEDA, an individual must consent, either expressly or through implied consent, to the collection, use, or disclosure of their personal information. Meaningful consent requires “knowledge and consent.” Under PIPEDA, the “knowledge” qualifier requires that “an individual must be able to reasonably understand the nature, purposes, and consequences of the collection.”
In this case, the Offices found that where “the collection or use of personal information falls outside of the reasonable expectations of an individual or what they would reasonably provide voluntarily, then the organization generally cannot rely upon implied or deemed consent.” TikTok had been using collected data to furnish targeted ads and personalized content to users. In their decision, the Offices found that TikTok was required to and should have obtained express consent for such purposes, which could have been done using a click-wrap agreement or a hybrid agreement (meaning the agreement includes links to terms of use and other specified documents).
Biometric Data
The Offices also found that “information need not be uniquely identifying to be termed ‘biometric information’” or to reveal sensitive information about an individual. TikTok’s computer vision technology, as explained more thoroughly in the Finding (see paragraphs 110-114), was found to “collect and use biometric information, in that it collects and analyzes numerical representations of various physiological features of individuals.” As such, though the technology was not designed to support user identification, it was being used to “infer potentially sensitive information about users,” and that was enough to require specific and meaningful consent for its collection, use, and disclosure.