TikTok Investigation Report – Regulators focus on consent guidance for youth

In late September, the OPC and the privacy regulators in three provinces (Quebec, BC and Alberta) issued the Report of their joint investigation into the personal information collection practices of TikTok, the social media platform particularly popular with youth.[1]  The Regulators’ investigation focused on the diverse issues related to the collection and use of personal information of children and youth, in particular, the age group 13 to 17, for purposes of ad targeting and content personalization.

The stated objectives of the investigation were:

(a) to determine whether the collection, use and disclosure of personal information, in particular that of children, was a permitted, appropriate purpose under the relevant privacy laws;

(b) to determine whether TikTok obtained valid and meaningful consent from its users for tracking, profiling, targeting and content personalization; and

(c) to determine whether TikTok met its obligations to inform users with respect to collection and use of their personal information to create user profiles for the purposes of ad targeting and content personalization.

While focussing on the collection and use of personal information by “under-age” users (meaning those under the age of majority, i.e. 18 or 19), the Report contains numerous items of compliance guidance of general application – in other words, with respect to privacy practices applicable to adults as well as children.  In this regard, the Report: provides detailed particulars of transparency requirements for meaningful consent on web interfaces; critiques the standard form of Privacy Policy currently in common usage; addresses consent requirements for collection of biometric information; and provides guidance regarding consent requirements for profiling and ad targeting.

Certainly, there will be “push back” from stakeholders as to whether the Regulators’ guidance and interpretation of the laws is appropriate, whether the requirements for transparency laid out in the Report are realistic or doable, and whether the age assurance methodologies addressed in the Report will be effective and represent an appropriate level of information collection for validation purposes.  However, it can be argued that the compliance expectations indicated – age assurance methodologies aside – simply reflect prior determinations and guidance by the Regulators, with some added particularity.[2]  With respect to age assurance, it should be acknowledged that this is an area where the technology is still evolving and the norms for acceptable information collection are not yet settled.

Appropriate Purpose

The Regulators’ investigation into appropriate purpose focused on TikTok’s collection, use and disclosure of the personal information of children under the age of 13 (14 in Quebec).[3] TikTok’s terms of use prohibit users in this age group from using the platform. However, the Regulators found that TikTok had not implemented adequate measures to keep them off its platform, which resulted in the collection of the sensitive information of many children, and the use of that information for purposes of ad targeting and content recommendation.

The Regulators determined that TikTok’s purposes for collecting and using underage users’ data – to target advertising and personalize content (including through tracking, profiling and the use of personal information to train machine learning and refine algorithms) – are not purposes that a reasonable person would consider to be appropriate, reasonable or legitimate under the circumstances.  In sum, the Regulators found that TikTok was collecting and using the personal information of children under the age of 13 (in Quebec 14) with no legitimate need or interest, and that its practices were therefore inappropriate and not permitted under the relevant laws.[4]

What personal information is collected and for what purposes?

TikTok stated that the information it collects about its users can include: profile information, user-generated content posted by the user, information derived from ‘computer vision’ and audio analytics of the content of videos and images, engagement with content and ads (i.e. viewing behaviour), purchase information, device information, contacts (contact list from device), and other social media profiles, geolocation data, and information shared by third-party partners who provide, for example, ad measurement execution data.

TikTok advised that it collects and uses this information for diverse purposes, including to estimate or infer additional information about users, personalize content, provide targeted advertising, improve the effectiveness of advertising, enforce its policies, promote security, and improve its machine learning models and algorithms, among other purposes.

Consent and transparency

The Regulators’ guidance in this area likely will be the most controversial as it reflects dramatically enhanced detail and functionalities of transparency disclosures with respect to all ages of users, over what is currently the norm.

The Regulators reviewed the consent obtained and transparency measures applied regarding both adults and youth (i.e. persons ages 13 to 17). They did not address TikTok’s collection and use of personal information from children under 13 (14 in Quebec), as that collection was determined not to be for an appropriate purpose and could not be validated by consent.

The Regulators noted that TikTok may collect sensitive information about users – likely requiring express consent – depending on the content they upload or view on the platform.  Such information could include information about users’ health, political opinions, gender identity, and sexual orientation. While TikTok explained that it takes steps to prevent its third-party advertiser partners from using sensitive information to target users, it was concluded that, when taken together, the entirety of the personal information collected and used by TikTok for the purposes of targeting may be sensitive, requiring express consent.

Additionally, the Regulators concluded that, while users might reasonably expect TikTok to track them while on the platform, they would not expect that TikTok collects the wide array of data elements (as noted above) or the ways in which TikTok uses that information to deliver targeted ads and personalize the content provided to them.  Therefore, they concluded that TikTok must obtain express consent for its collection, use, and disclosure of all users’ information for its purposes of targeting ads and personalizing content.  While express consent is obtained when users accept TikTok’s Terms and Conditions and Privacy Policy during account sign-up, the Regulators concluded that this consent was not valid or meaningful, for reasons of lack of transparency.

With respect to TikTok’s privacy communications, the Regulators concluded that while TikTok’s in-app notifications do provide certain key information up-front or ‘just-in-time’ for specific functions (location services, sharing contacts, making accounts public, etc.), these notices only cover limited topics. Furthermore, as small pop-ups designed for mobile devices, these notifications can only provide limited information in relation to each practice due to space limitations.

The Regulators also noted that key elements of TikTok’s privacy practices are not prominently emphasized when individuals are signing up for a TikTok account. Rather, these details are found in TikTok’s lengthy Privacy Policy and associated privacy documents that, in their view, few users are likely to read. More specifically, given that TikTok’s primary business model is to generate advertising revenue by personalizing content and delivering targeted ads, the Regulators expected to see certain key information explained to users up-front and prominently during account sign-up, including the various types of personal information that TikTok collects from and about users – such as details related to videos viewed and posted, comments posted, user location, device information, system settings, and information from third-party sources – and that their personal information will be used both to analyze and infer user demographics and interests and to develop its machine learning tools and algorithms and for purposes of delivering targeted ads.

The Regulators noted that while TikTok’s Privacy Policy summarizes many elements of its practices, in the absence of accessible supplementary information or communications, the policy lacks the necessary level of detail to support meaningful consent. For example, while the policy does enumerate in detail various types of personal information that TikTok collects under the “Information You Provide”, “Automatically Collected Information”, and “Information From Other Sources” sections, it does not effectively explain specifically what personal information would be used for each purpose and how it would be used to achieve those purposes. Instead, in “How we use your information”, the policy provides a long list of TikTok’s potential uses of that information, often with no link between the specific information collected and its potential uses.

In sum, with respect to adults, the Regulators concluded that, for the above reasons and because it failed to adequately explain its collection and use of biometric information, TikTok did not explain its privacy practices in a manner that would result in meaningful consent being obtained from adult users.[5]

The Regulators also found deficiencies in the consent that TikTok obtained from youth users.

The Regulators found that TikTok did not explain, in sufficiently plain-language communications appropriate to teen users, how it would collect and use a wide scope of their personal information to serve them targeted ads. Instead, TikTok relied largely on the same communications that it used to obtain consent from adults – which the Regulators had found to be inadequate for purposes of meaningful consent. The Regulators found this particularly concerning given the research highlighting both the potential harms to young people associated with targeted advertising and social media, and their observation that it was often difficult to differentiate ads from TikTok videos.

Specifically, TikTok’s youth-specific privacy measures were inadequate to ensure meaningful consent for youth for the following reasons: (i) youth-specific communications in TikTok’s portal were not easy to find; (ii) none of those communications explained TikTok’s collection and use of personal information, including via tracking and profiling, for purposes of ad targeting and content personalization; and (iii) TikTok provided no evidence to establish that its communications had, in fact, led to an understanding by youth users of what personal information TikTok would use, and how, for such purposes.

Biometric information

In addition to considering whether TikTok obtained meaningful consent from adults generally, the Regulators also considered whether TikTok was obtaining meaningful consent for its use of biometric information, specifically facial analysis, which TikTok advised that it uses for purposes of its age estimation models.  TikTok advised that these models are used to categorize videos for recommendation and targeting, and to protect the safety of minors (as part of TikTok’s tools to identify inappropriate material posted on the platform).

However, the Regulators found that TikTok also was collecting such biometric information for purposes of inferring additional personal information about users, such as gender, which can be sensitive, for purposes of delivering ads and content recommendations.

The Regulators noted that TikTok does not provide, prominently and up-front during the sign-up process, key information about its practices regarding biometric information – a user signing up would have no reason to expect that TikTok would conduct facial analysis, or to know its purposes, nor are they likely to review TikTok’s privacy policy to learn about its biometric practices. Furthermore, the policy information provided does not explain how TikTok will use biometric information, or facial analysis, to estimate their age and gender for purposes of delivering tailored ads and content recommendations. The Regulators therefore found that users would not reasonably understand TikTok’s biometric practices or their consequences, for purposes of providing meaningful consent.

Age assurance and authentication

The Regulators gathered evidence from TikTok about its age controls and account moderation processes. TikTok stated that it had implemented various measures to prevent underage users from using the platform, in the form of public facing documents, age ratings and informational publications, in addition to in-platform tools. However, the primary mechanism for preventing underage users from creating accounts on the platform was simply an “age gate”, which required the user to provide a date of birth during the account creation process. The Regulators’ investigation determined that this was the only age assurance mechanism that TikTok implemented at the sign-up stage to prevent underage users from accessing the platform.

TikTok explained that it has a moderation team in place to identify users who are suspected to be underage, and that members of this team are provided with specific training to identify individuals under the age of 13, based on various behavioural and physiological cues which form a component of its moderation policies, specifically user reports (where someone, such as a parent, contacts TikTok to report that a user is under the age of 13) and automated moderation which included scanning for keywords in text inputted by the user that would suggest that they may be under the age of 13.

The Regulators determined that the tools implemented by TikTok to keep under-age users off its platform were largely ineffective. This was particularly true in respect of the majority of users, whom the Regulators described as “lurkers” or “passive users” – i.e. those who viewed videos on the platform without posting video or text content.  For example, noting that TikTok’s own statistics show that most users do not comment at all on the platform, the Regulators concluded that TikTok’s automated moderation methods have significant limitations.

On the other hand, the Regulators noted that TikTok had implemented a robust proactive age assurance mechanism, including facial analytics, to prevent under-18 users from using its livestreaming function (TikTok LIVE). TikTok also employed sophisticated analytics tools to estimate the age of users for other business purposes.  However, it did not employ those same or similar tools to keep underage users off its platform.

TikTok advised that there were approximately 500,000 underage users in Canada each year who accessed and engaged with the platform before their accounts were removed. However, concluding that TikTok’s internal age moderation practices had significant limitations, the Regulators determined that many more underage users likely engage with the platform without being detected.

Furthermore, for this large number of underage users who engage with the platform, including those who engage with the site until they are detected and removed from the platform, TikTok gathers a wide array of potentially sensitive personal information – in the form of behavioural, interest, device and geolocation information, etc. – for purposes that include targeting ads and personalizing content as well as developing TikTok’s machine learning tools.

TikTok undertook to implement two new “underage detection models” to identify suspected underage user accounts on the platform, and flag them for moderation and potential removal: a “core underage model”, which will use visual signals (including via facial analysis based on content posted on the platform) and behavioural signals (such as videos watched or liked); and a supplementary “natural language processing”  model, trained in both English and French, which will analyse text posted by users, for example in their bio or comments.  However, TikTok acknowledged that these new age assurance models would be largely ineffective at detecting underage lurkers who view videos but do not post content or comments.

The Regulators recommended that additional measures be implemented to prevent under-age users from creating accounts or using any of TikTok’s platforms and that these measures should: substantially limit not only such users’ presence on the platform, but also TikTok’s collection and use of personal information from those users, who are using the platforms contrary to TikTok’s own Terms and Conditions; ensure that the information collected and used is only that which is necessary to effectively prevent underage users from opening a TikTok account and/or using the platform; and that there is no loss of privacy disproportionate to the benefits of keeping underage users off the platform.  Furthermore, TikTok should conduct testing to confirm that any implemented mechanisms are demonstrably effective, and that the privacy impact is, in fact, minimized and proportionate.

Conclusions

The TikTok Investigation Report represents a comprehensive compendium of Canadian private sector privacy Regulators’ expectations for compliance in regard to social media online interfaces.  It provides detailed particulars of transparency requirements for meaningful consent, provides guidance regarding consent for profiling and ad targeting, critiques the standard form of Privacy Policy currently in common usage, and addresses consent for collection of biometric information, all of which may receive push back from stakeholders but which likely are consistent with prior guidance.

With respect to the Report’s recommendations for age authentication and assurance for purposes of limiting or preventing access and engagement with the platform by under-age users, it is noted that this is an area where the technology is still evolving and the norms for acceptable information collection are not yet settled. Key concerns are protection of the information collected, the potential for over-collection, implications for surveillance, and even the potential for use of age authentication information in targeting and content moderation. In this regard, the Report, without articulating specific methodologies, sets out some bright lines for rules, which echo recognized principles in this area. [6]


For more information please contact: David Young  – 416-968-6286   –  david@davidyounglaw.ca

Note: The foregoing does not constitute legal advice. © David Young



[1] Joint investigation of TikTok Pte. Ltd. by the Office of the Privacy Commissioner of Canada, the Commission d’accès à l’information du Québec, the Office of the Information and Privacy Commissioner for British Columbia and the Office of the Information and Privacy Commissioner of Alberta, PIPEDA Findings # 2025-003, Sept. 23, 2025.  Note that this Bulletin does not address the separate findings regarding Quebec’s Law 25, which will be the subject of a subsequent commentary.

[2] See in particular, Guidelines for obtaining meaningful consent, May 24, 2018, issued by the OPC and the Alberta and BC Commissioners.

[3] In Quebec the relevant age is 14.  Under Law 25, s. 4.1, personal information of a minor under the age of 14 may not be collected without the consent of the parent or the guardian, except when such collection is clearly for the benefit of the minor.

[4] See, for example, the threshold rule under the federal law, PIPEDA, s. 5(3): An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

[5] Also, its relevant privacy communications were not made available in French.

[6] See for example, Joint Statement on a Common International Approach to Age Assurance, Sept. 19, 2024, adopted by privacy regulators in the UK, Canada, Mexico, The Philippines, Argentina and Gibraltar.