Time’s Ticking: Assessing Gaps in Your Privacy Program | Insights

Canada’s Landmark Investigation into TikTok: A Call for Stronger Privacy Measures

In a significant coordinated effort, Canada’s federal and provincial privacy regulators have sent a clear signal to organizations across the nation: protecting personal information, especially that of minors, requires immediate, robust improvements. This landmark investigation scrutinized TikTok’s data practices, probing whether the platform adhered to Canadian privacy laws.

The Case

At the heart of this investigation was a collaboration among the Office of the Privacy Commissioner of Canada and its provincial counterparts in Québec, British Columbia, and Alberta. Their aim? To assess TikTok’s policies on the collection, use, and disclosure of personal information, particularly regarding minors. With TikTok’s immense popularity among younger demographics, this investigation was critical in determining if the platform is providing adequate protections.

What They Found

The investigation unveiled alarming findings, particularly around the handling of minors’ personal information. One major concern was the ineffectiveness of age assurance tools, which failed to prevent underage users from being profiled for targeted ads and content. Moreover, it was revealed that TikTok collected sensitive personal data—including health information, gender identity, and political views—without obtaining valid and meaningful consent.

Another significant shortcoming identified during the investigation was the lack of clarity in TikTok’s privacy communications. Key information was often incomplete and missing appropriate translations, such as French, and so failed to satisfy transparency obligations.

Why It Matters

The implications of this investigation extend far beyond TikTok. This decision emphasizes the urgent need for organizations in Canada to reevaluate their privacy compliance programs, especially regarding the handling of minors’ data. It reiterates that consent must be informed and that privacy policies need to be easily accessible. Sensitive personal information requires even stricter handling protocols.

What Organizations Can Do

To align effectively with Canadian privacy laws, organizations need to undertake several critical measures:

Youth Protection and Age Assurance

  • Implement Robust Age Verification Tools: Organizations must invest in effective age verification systems to prevent underage users from accessing areas intended for adults.
  • Avoid Profiling Children: It’s imperative to refrain from profiling or targeting children without clear, valid consent.
  • Use Plain Language: Privacy notices should be simplified and geared towards younger audiences.

Consent and Transparency

  • Ensure Meaningful Consent: Organizations must guarantee that consent for data collection is informed and specific.
  • Clarity in Policies: Privacy policies should be straightforward, concise, and bilingual where necessary, including both English and French.
  • Data Practices Explained: Clearly articulate data collection, usage, and sharing practices.

Sensitive Data Handling

  • Limit Collection: Restrict the collection of sensitive information to what’s absolutely necessary and relevant.
  • Obtain Explicit Consent: Ensure explicit consent for data related to health, political views, or identity.
  • Regular Audits: Conduct audits of data flows to ensure compliance with best practices and regulations.

Privacy Governance

  • Appointment of Privacy Officer: Designate a Privacy Officer within the organization and outline their responsibilities clearly.
  • Manage Privacy Program: Develop a privacy management program that includes regular reviews and oversight.
  • Utilization of Tools: Leverage resources like the PIPEDA Self-Assessment Tool to benchmark and assess compliance.

Third-Party Oversight

  • Conduct Due Diligence: Ensure privacy due diligence when selecting service providers.
  • Include Security Clauses: Privacy and security terms should be standardized in vendor contracts.
  • Use Data Protection Schedules: Use comprehensive data protection schedules for vendors handling personal data.

Training and Awareness

  • Regular Training: Provide ongoing privacy training and reminders for all staff members.
  • Role-Specific Training: Tailor training programs according to specific roles within the organization.
  • Documentation: Keep a record of completed training and staff acknowledgments for accountability.

Access and Retention

  • Retain Records: Develop a retention policy that aligns with legal requirements to manage data.
  • Respond to Access Requests: Be prepared to handle requests from individuals seeking access to their data.
  • Update Privacy Policies: Keep online privacy policies current and relevant.

Incident Response

  • Develop Response Plans: Create and routinely test breach response plans to address potential data security incidents.
  • Train Staff: Ensure that team members are well-versed in breach notification and escalation procedures.
  • Maintain a Breach Register: Keep accurate records of any data breaches and report them in a timely manner.

With the findings of this investigation, organizations are now facing a pivotal moment regarding how they handle personal information. The MLT Aikins privacy, data protection, and cybersecurity team is poised to assist organizations in navigating these complex privacy compliance issues. By understanding legal obligations and implementing best practices, businesses can create a framework that effectively manages privacy compliance risks.

A well-structured privacy compliance program not only fulfills regulatory requirements but also builds trust with users—especially vulnerable populations like minors.

James
