The clock is “Tik’ing”: Time to check for gaps in your privacy program

In a landmark joint investigation, Canada’s federal and provincial privacy regulators have delivered a strong message to Canadian organizations: when it comes to protecting personal information, especially that of minors, stronger measures must be implemented.
The case
The Office of the Privacy Commissioner of Canada, along with counterparts in Québec, British Columbia and Alberta, launched a coordinated probe into TikTok’s data practices. Their focus? Whether TikTok’s collection, use and disclosure of personal information – especially from minors – complied with Canadian privacy laws.
What they found
The investigation highlighted various concerns about the handling of personal information of minors and provided helpful guidance for privacy programs more generally.
One of the key findings was that age assurance tools were largely ineffective, allowing many underage users to be profiled for ads and content. The investigation also found that the platform collected sensitive personal information from users – including details about health, gender identity and political views – without valid or meaningful consent.
Furthermore, the investigation concluded that privacy communications were unclear, incomplete and not available in French, failing to meet transparency obligations.
Why it matters
This decision highlights the need for organizations to update their privacy compliance programs, particularly with respect to the handling of personal information of minors. It also reinforces that consent must be informed, privacy policies must be accessible, and sensitive personal information demands extra care.
What organizations can do
To help your organization align with Canadian privacy laws, consider the following:
Youth protection and age assurance
- Implement robust age verification tools
- Avoid profiling or targeting children without valid consent
- Use plain-language privacy notices tailored for youth
Consent and transparency
- Ensure consent is informed, specific and meaningful
- Make privacy policies clear, concise and available in both English and French (where appropriate)
- Clearly explain data collection, usage and sharing practices
Sensitive data handling
- Limit collection of sensitive data unless absolutely necessary
- Obtain explicit consent for health, political or identity-related data
- Audit data flows regularly for compliance
Privacy governance
- Appoint a Privacy Officer and document their responsibilities
- Maintain a privacy management program with regular reviews
- Use tools like the PIPEDA Self-Assessment Tool to benchmark practices, and conduct privacy impact assessments for new programs and features
Third-party oversight
- Conduct privacy due diligence on service providers
- Include privacy and security clauses in vendor contracts
- Use data protection schedules for vendors handling personal data
Training and awareness
- Provide regular privacy training and reminders for all staff
- Customize training by role and responsibility
- Document completion and staff acknowledgments
Access and retention
- Maintain a record retention policy aligned with legal requirements
- Be ready to respond to access requests from individuals
- Keep online privacy policies up to date
Incident response
- Develop and test a breach response plan
- Train staff on breach notification and escalation procedures
- Maintain a breach register and ensure timely reporting
The MLT Aikins privacy, data protection and cybersecurity team has extensive experience advising organizations on privacy compliance issues and has developed resources to help organizations review and update their current policies and practices. The team can help you understand the legal and regulatory requirements as well as best practices to create a privacy compliance program that will effectively manage your privacy compliance risks.
A member of our team can also act as a third-party virtual privacy officer for your organization, either by filling that essential role entirely if needed or by supporting your existing privacy officer where it’s most valuable to them.
Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.