PIPEDA Findings #2026-004: Commissioner-initiated complaints concerning X Corp.’s and X.AI LLC’s compliance with PIPEDA
The Office of the Privacy Commissioner of Canada (OPC) initiated complaints against X Corp. and X.AI LLC after their AI chatbot Grok generated millions of sexually explicit deepfakes of identifiable individuals. The OPC found that the companies failed to obtain valid consent to collect, use, and disclose personal information for this purpose and that a reasonable person would consider such practices inappropriate. Despite some actions taken by the companies, the OPC determined their response was insufficient, and the matter remains unresolved.
- Whether valid consent was obtained for the collection, use, and disclosure of personal information to generate sexualized deepfakes.
- Whether a reasonable person would consider the generation of sexualized deepfakes to be appropriate.
- The adequacy of the organizations' safeguards and response to the generation of non-consensual sexualized deepfakes.
Complaints well-founded — corrective measures recommended.
The OPC found that X Corp. and X.AI LLC contravened PIPEDA by collecting, using, and disclosing personal information to generate sexualized deepfakes without valid consent and for purposes a reasonable person would not consider appropriate. The companies' response to the issue was deemed insufficient.
AI-generated summary for reference only. Always verify against the official decision ↗
The OPC recommended that the respondents immediately suspend the functionality of Grok Imagine until safeguards are proven sufficient, develop a formal process for mitigating privacy issues, provide annual third-party audits of safeguards, and proactively monitor for sexualized deepfakes.
- Principle 4.3 PIPEDA
- s. 5(3) PIPEDA
- Principle 4.3.4 PIPEDA
- Principle 4.3.5 PIPEDA
- s. 6.1 PIPEDA
This summary is for informational purposes only and does not constitute legal advice.