A joint investigation by four Canadian privacy regulators has found that TikTok’s collection and use of children’s personal information is for an inappropriate purpose and that its consent practices for all users are invalid.
The investigation was conducted by the Office of the Privacy Commissioner of Canada (OPC) and its provincial counterparts in Quebec, British Columbia, and Alberta.
The regulators found that TikTok contravened Canadian privacy laws but have deemed the matter “well-founded and conditionally resolved” after TikTok committed to a series of remedial measures.
Here’s a look at what the investigation can teach organizations about the use of children’s data under Canadian privacy law.
‘Inappropriate purposes’ for processing children’s data
The joint investigation focused on whether TikTok’s collection, use, and disclosure of personal information for ad targeting and content personalization was for an appropriate, reasonable, and legitimate purpose, with a particular focus on children.
TikTok’s terms of use prohibit users under 13 (or 14 in Quebec) from signing up for an account with the platform. However, the regulators found that the company’s measures to enforce this prohibition were “largely ineffective” for the following reasons:
- Ineffective age assurance: The investigation found that TikTok’s primary age assurance mechanism was a simple “age gate” at sign-up, which could be easily bypassed with a falsified date of birth.
- Widespread underage use: TikTok’s own data showed it removes approximately 500,000 underage Canadian users from the platform each year. The regulators concluded that the actual number of children on the platform is likely much higher.
- Collection of children’s data: For a large number of children using the platform, TikTok was using their personal information to serve targeted ads and recommend content. The regulators deemed this data, including behavioral and interest information, to be sensitive.
- Failure to use available technology: TikTok uses more sophisticated age estimation technologies, including facial analytics, for other purposes (like restricting access to its livestreaming feature) but does not employ these tools to prevent children from accessing the main platform.
The regulators concluded that TikTok had no legitimate need or bona fide business interest for its collection and use of children’s sensitive personal information. They found the practice to be “inappropriate, unreasonable, and illegitimate.”
Invalid consent and lack of transparency
The regulators also found that TikTok failed to obtain valid and meaningful consent from its adult and youth (13-17) users for its tracking, profiling, and targeting practices. The report raises the following issues in this area:
- Information not provided up-front: Key information about data collection for advertising and personalization was not provided prominently during sign-up. Instead, it was located within lengthy and complex privacy policy documents.
- Vague and incomplete policies: The privacy policy was found to lack sufficient detail for users to reasonably understand how their information would be used. For example, it did not adequately explain how TikTok trained its machine learning models or what specific data was used for ad targeting.
- Inaccessible supplementary information: While more detailed information was available in other resources like help center articles, these were often not linked from the privacy policy and were difficult for users to find.
- Inadequate notice for biometric information: The investigation determined that TikTok’s use of facial analysis to estimate age and gender from user videos constitutes the collection of biometric information. The regulators found that TikTok failed to adequately explain this practice to users.
- Youth consent: Communications aimed at youth users were also found to be inadequate. Youth-specific resources were hard to find and did not explain the core practices of tracking and profiling for ad targeting. The report notes that TikTok did not provide evidence that its communications were tested with youth to ensure they were understood.
TikTok’s commitments
While TikTok did not accept the report’s findings, it has agreed to work with the regulators to resolve the issues.
The company has committed to several age verification measures, including implementing three new, enhanced age assurance models to better detect and remove underage users. This includes a new “passive underage user detection model” designed to identify underage users who do not post content.
TikTok will also provide more information “up-front” during sign-up, update its privacy policy with clearer explanations and links to supplementary resources, and provide specific details on cross-border data transfers involving China.
TikTok will also develop a new plain-language “Teen Summary” of its privacy policy and a “Privacy Highlights Video” to be delivered to teen users, explaining what data is collected and how it is used.
As of April 2025, advertisers can no longer deliver targeted ads to users under 18 in Canada, except based on generic data like language and approximate location.
The regulators say they will continue to work with TikTok to ensure the timely and effective implementation of these commitments. In the meantime, you can read the full report for more information about the expectations of Canadian data protection regulators when it comes to protecting children’s information.