On September 23, 2025, Canada’s federal and provincial privacy regulators in Quebec, British Columbia, and Alberta released their joint findings from their investigation into TikTok for non-compliance with applicable Canadian privacy laws (see backgrounder here). 

While the decision is dense, it highlights key areas of concern for regulators and provides important guidance on their expectations for privacy compliance, particularly in relation to children and youth users of technology platforms. 

Overview

The joint investigation, which was self-initiated, examined TikTok’s collection, use and disclosure of personal information for the purposes of ad targeting and content personalization, particularly as these practices relate to children and youth. Evidence was gathered through written representations, interviews, a site visit, system demos, and internal app testing.

Conducting the investigation jointly allowed these regulatory bodies to leverage their combined expertise and resources, a practice that is becoming increasingly common between Canadian privacy regulators. All jurisdictional challenges by TikTok were dismissed. 

In their report, the regulators provided guidance on a wide array of topics including age-assurance measures; youth-appropriate transparency and consent measures; transparency and consent requirements for tracking, profiling, content personalization and advertising and handling of biometric data/face analytics; French-language accessibility; cross-border transfers (including to China); and Quebec’s privacy-by-default requirements.

TikTok disputed aspects of the findings but committed to implementing measures to address the regulators’ concerns, including: 

  • Limiting ad targeting for users under 18 in Canada.
  • Assessing and implementing enhanced strategies (and underage detection techniques) to prevent users under the age of 13 (under 14 in Quebec) from using the platform.
  • Strengthening transparency through youth-focused privacy communications, bilingual communications, and providing additional information to all users on topics such as cross-border data transfers, processing of biometric data, and ad targeting practices.
  • Conducting research and testing of its underage detection techniques and youth communications to ensure they are effective.

Self-assessment checklist

To assist your organization in translating the decision’s key takeaways into actionable guidance, the following self-assessment checklist—organized by user category—is intended to help you map current practices to regulator expectations, close gaps, and take any steps necessary to ensure and document compliance.

Children under 13 (under 14 in Quebec)

For organizations that intentionally do not offer services to (or process the personal information of) children under 13 (under 14 in Quebec):

Eligibility and denial of service 

  • What measures are in place to prevent collection from underage individuals? Are these measures demonstrably effective at substantially limiting underage registration and our collection/use of their data (not just removing them later)?
    • Do our Terms clearly prohibit access to the service by underage users?
    • Do our product controls effectively prevent account creation/use by underage users? Do moderation measures indicate a high rate of circumvention?
    • Are device/account re-registration and duplicate account attempts mitigated (e.g., device/browser signals) without over-collection?
  • What measures or moderation practices are in place to detect non-compliance with these rules? 
    • Do measures address detection of non-compliance by passive or “lurker” accounts (not just users who post/comment)?
  • Do we conduct testing and document evaluations of the effectiveness of our denial of service measures and any age assurance tools? 
  • If current measures are ineffective, are additional measures already in use in other contexts that can be repurposed (with safeguards) to detect and block underage users?

Age-assurance design and proportionality

  • Are the age-assurance measures and technologies in place or under consideration compliant with our privacy law obligations?
  • Have we mapped and minimized the data used for age-assurance so it is strictly necessary and proportionate to the goal of keeping underage users off the service?
  • Have we completed a privacy impact assessment (PIA) for each age-assurance mechanism and documented why less intrusive options are insufficient?

Youth aged 13/14 to 18 

For organizations that offer services to (or process the personal information of) teens between the ages of 13 and 18:

Profiling, ad targeting, and ad transparency

  • Do we limit ad targeting for users under 18 to non-behavioral, generic parameters (e.g., language, approximate location) and avoid interest-based/profiling-based targeting?
  • Are ads clearly and prominently labeled so teens can recognize sponsored content, and are the labels noticeable and understandable to teens?
  • Do we provide prominent, upfront notices at sign-up explaining what data we collect, how we infer interests/demographics, and that we use these for content personalization and (if applicable) ads?

Youth-appropriate privacy resources

  • Do we have targeted youth disclosures drafted for teen comprehension, emphasizing risks and consequences of personalization and advertising (if applicable)?
  • Have we tested our communications with teens for comprehension and user experience (i.e. via focus groups, surveys, or other outreach) in English and French?

Users of all ages

For organizations that process the personal information of users of any age, particularly for those engaged in user profiling and targeted advertising:

Clear and timely disclosure of key privacy practices

  • Is key information about our privacy practices (i.e. what personal information is collected, for what purposes it is used, to what third parties it may be disclosed, what harm or other consequences may result), provided prominently, up-front and just-in-time, such as during account sign-up? 
  • Do we disclose up-front, prominently, any transfers of personal information outside Canada/Quebec (including potential access by foreign authorities such as in China)?
  • Do our privacy communications explain our privacy practices in a comprehensive and understandable manner? 
    • Is our privacy policy easy to access and understand? Does it link types of personal information collected with the purposes for which it is used? Does it provide enough detail and specificity regarding the purposes for processing personal information, and avoid vagueness and lack of clarity?
    • Are any supplementary privacy resources, such as plain language summaries, easily accessible and linked to the privacy policy?
  • Is information regarding our privacy practices equally accessible to francophone users in Canada, through communications in both English and French?

Privacy settings and privacy by default

  • Can users easily review and manage their privacy settings? 
  • Do privacy settings allow users to address data processing by the platform, not just by other users?
  • For Quebec users, are any functions that identify, locate, or profile individuals deactivated by default? Do we clearly notify users of the use of such technologies and how they may be activated, before any activation is possible?
  • For Quebec users, do the privacy settings of any technological product or service used to collect personal information provide the highest level of privacy by default, without any intervention by the person concerned?

Biometric/facial analytics

  • If we use computer vision or facial/voice analytics (even if the information used is not uniquely identifying), such as for age estimation or content/ad personalization, do we treat this as sensitive biometric information? 
  • Do we provide a comprehensive, upfront, easily accessible explanation of any biometric/facial analysis that explains our purposes for and the impacts of the processing? 

Stay informed

For tailored guidance on how the report’s findings might impact your organization’s privacy practices, please contact a member of our Cyber Security and Data Protection team.