TikTok Report – the CAI’s Quebec Law 25 takeaways

As discussed in my October Compliance Bulletin, the investigation by the Office of the Privacy Commissioner and the privacy regulators in three provinces (Quebec, BC and Alberta) into the information collection practices of TikTok focused on issues related to the collection of personal information of “under-age” users (meaning those under the age of majority, i.e. 18 or 19) for purposes of using that information for ad targeting and content personalization.[1]

While focussing on the online collection and use of such users’ personal information, the Regulators’ Report contains numerous items of compliance guidance of general application. In this regard, the Report addresses transparency requirements for consent on web interfaces, critiques the standard form of Privacy Policy currently in common usage, considers consent requirements for collection of biometric information, and provides guidance for consent for profiling and ad targeting.

Significance of the CAI’s Law 25 determinations

The TikTok Report also is significant because it contains the first rulings by Quebec’s privacy regulator, the Commission d’accès à l’information (the “CAI”) addressing key new provisions of Law 25, the province’s reformed Private Sector Privacy Act (enacted in September, 2021 but only fully in effect last year).  Key provisions of that law include those regarding transparency, consent for online data collection, and privacy by default.  While the CAI’s determinations are important for compliance by organizations operating solely in Quebec, they also impact organizations that operate in all jurisdictions across Canada.

As we know, reform of the federal privacy law, PIPEDA,[2] has been stalled in Parliament for several years.  While the most recent version of the proposed reformed law, the Consumer Privacy Protection Act (CPPA),[3] contained many items of modernized privacy protection, it did not include a number of provisions found in Law 25 relating to transparency, consent, and privacy by design – which can be traced back to themes found in the EU’s General Data Protection Regulation (GDPR).   The GDPR, it may be argued, represents the acknowledged standard for privacy compliance in 2025 and beyond.  Irrespective of the ultimate form of the CPPA once enacted, many of the Law 25 norms are likely to become an effective national standard – for the simple reason that organizations conducting activities on national platforms will not have privacy rules that differ between Quebec and the rest of Canada.

The CAI’s determinations regarding transparency and consent for tracking and targeting

The key issues addressed by the CAI relate to transparency and consent for purposes of profiling and targeting.  While these issues were addressed by all the Regulators in their findings regarding TikTok’s platform generally, they have particular relevance in the context of Law 25 because of that statute’s more rigorous provisions, relative to PIPEDA.

The framework of Law 25 relating to consent in its main application represents an implied consent regime.  The law provides that if certain disclosures are made to a person in connection with the collection of their personal information directly from them,[4]  that person is considered to have consented to the use of their personal information for the purposes disclosed.[5]

However, the law provides more restrictive requirements for personal information collected for profiling purposes or in connection with offering a technological product. In those cases, the collector of the information must, by default, collect only the minimum information required to provide the product and, in any event, if the information is collected for profiling purposes, must activate such collection only once the person concerned has expressly agreed to such activation.[6] Consequently, any collection of information unrelated to provision of a technological product, such as through user tracking technologies, must be disclosed to the user and in any event must be activated only by their positive step – i.e. opt-in.

These were the principles stated by the CAI in connection with TikTok’s platform activities, resulting in its determination that the platform did not comply with Law 25.

The CAI concluded that TikTok collects personal information using technology enabling it to identify, locate, or profile the user.  Specifically, it uses its platform, along with technologies such as computer vision and audio analytics, to collect and infer information about users – including their demographics, interests and location – with the objective of creating profiles about them, which in turn may be used for purposes of targeted advertising and content recommendations.

The CAI examined whether the platform’s functionalities enabled a positive opt-in by users.  It concluded that these functionalities, which included a pop-up linking to the TikTok Privacy Policy requiring the user to click “Agree and Continue”, as well as an explanation that continuing with account creation serves as confirmation that a user has read and agreed to the Privacy Policy, were insufficient to provide either the information to be disclosed or the required positive opt-in.  As stated by the CAI, because key elements of TikTok’s privacy practices were not prominently emphasized and information was spread out across its website and difficult to find, it is unlikely that individuals would have read and received the information sufficient to consent knowingly to their information being collected.  Simply referring to TikTok’s Privacy Policy or other similar documents, via a pop-up referencing and linking to such documents, was insufficient to provide the mandatory information required under sections 8 and 8.1.

The CAI also addressed TikTok’s compliance with section 9.1 of Law 25, which requires an organization that collects personal information when offering a technological product or service that has privacy settings to ensure that those settings provide the highest level of privacy by default, without any intervention by the person concerned. This provision has been characterized as a “privacy by design” requirement.[7] The CAI determined that by collecting profile information without clear opt-in by the user, TikTok also contravened section 9.1.

Conclusions

The CAI’s determinations in the TikTok Report regarding transparency and consent requirements under Law 25, and in particular s. 8.1, are instructive.  They represent the first published rulings of the CAI in an actual case addressing these requirements.  Furthermore, it is significant that they are contained in a report issued by four privacy regulators, in both English and French, and therefore may have wider exposure than if they were provided only in a CAI-specific report, available in French but not English.

The CAI’s determinations make clear not only that s. 8.1 is an opt-in requirement for tracking and profiling using technology functionalities, but also that the functionalities for executing the opt-in must be transparent and clearly presented to the user.  These determinations have application to almost all websites and mobile interfaces currently active anywhere in Canada.

Many such interfaces now incorporate pop-ups or so-called “cookie notices” which, in varying terminology, disclose the use of tracking technologies. However, most of these interfaces do not comply with the transparency and user-friendliness criteria set out by the CAI. The CAI’s determinations make clear that simply linking in a cookie notice to a privacy policy or other documents that provide information regarding tracking is not sufficient to satisfy Law 25’s opt-in rule. To be compliant, the notice needs to provide sufficient information, in a user-understandable form, that communicates the intention to collect tracking information and, if the particulars (including the purposes) of such tracking are not included in the notice, sufficient language that communicates the availability of such information in the linked documents.


For more information please contact: David Young, 416-968-6286, david@davidyounglaw.ca

Note: The foregoing does not constitute legal advice. © David Young


[1] Joint investigation of TikTok Pte. Ltd. by the Office of the Privacy Commissioner of Canada, the Commission d’accès à l’information du Québec, the Office of the Information and Privacy Commissioner for British Columbia and the Office of the Information and Privacy Commissioner of Alberta, PIPEDA Findings # 2025-003, September 23, 2025.

[2] Personal Information Protection and Electronic Documents Act.

[3] Part 1 of Bill C-27, the Digital Charter Implementation Act, 2022.

[4] Law 25, s. 8: the purposes for which the information is collected; the means by which the information is collected; the rights of access and rectification provided by law; and the person’s right to withdraw consent to the communication or use of the information collected, and, if applicable, any third party for whom the information is being collected, the names of the third parties or categories of third parties to whom it is necessary to communicate the information for the stated purposes, as well as the possibility that the information could be communicated outside Québec.

[5] Law 25, s. 8.3.

[6] Law 25, ss. 8.1 and 9.1.

[7] TikTok took issue with this determination on the basis that s. 9.1 was modeled after the GDPR’s “data protection by default” principle, sometimes referred to as a “privacy by design” rule, with which its privacy settings were effectively aligned. The CAI disagreed, stating that the default privacy settings requirements applicable under Law 25 are not the same as those applicable under the GDPR, given the differences in wording between the relevant provisions.