BreachOfPrivacy

Federal (Canada) Privacy Decisions

Browse privacy decisions from Federal (Canada) — with AI-generated plain-language summaries for every ruling.

3 decisions matching
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Sep 23, 2025 · PIPEDA Findings #2025-003 · Indexed Apr 12, 2026

PIPEDA Findings #2025-003: Joint investigation of TikTok Pte. Ltd. by the Office of the Privacy Commissioner of Canada, the Commission d’accès à l’information du Québec, the Office of the Information and Privacy Commissioner for British Columbia, and the Office of the Information and Privacy Commissioner of Alberta

TikTok Pte. Ltd.

This joint investigation by Canadian privacy authorities found that TikTok's collection and use of personal information, particularly from children, for ad targeting and content personalization was inappropriate and lacked valid consent. TikTok failed to implement adequate age verification measures, leading to the collection of data from underage users without a legitimate purpose. The investigation also found that TikTok's privacy communications were unclear, not easily accessible, and not available in French, failing to provide meaningful consent from adult and youth users for its data practices.

Adjudicator: Philippe Dufresne

Key Issues
  • Appropriate purpose for collecting and using children's personal information.
  • Obtaining valid and meaningful consent for tracking, profiling, and targeted advertising.
  • Transparency obligations regarding collection and use of personal information for user profiling.
  • Adequacy of age assurance measures to prevent underage users from accessing the platform.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Jun 20, 2025 · PIPEDA Findings #2025-001 · Indexed Apr 12, 2026

PIPEDA Findings #2025-001: Joint investigation into a data breach at 23andMe by the Privacy Commissioner of Canada and the UK Information Commissioner

23andMe Inc.

This joint investigation by the Privacy Commissioner of Canada (OPC) and the UK Information Commissioner (ICO) examined a significant data breach at 23andMe, which affected nearly 7 million customers globally. The investigation found that 23andMe failed to implement appropriate safeguards to protect sensitive personal information, including genetic data, from a credential stuffing attack. Furthermore, the company's notifications to both regulatory bodies and affected individuals were found to be inadequate in content and, in some cases, timeliness. Although contraventions were found, the issues were deemed resolved due to significant security improvements made by 23andMe.

Adjudicator: Philippe Dufresne

Key Issues
  • Adequacy of safeguards to protect personal information, particularly genetic data, from credential stuffing attacks.
  • Timeliness and completeness of breach notifications to regulators and affected individuals.
  • Risk of harm to individuals due to the sensitive nature of compromised personal information.
  • 23andMe's assessment of and response to the identified security deficiencies.

Federal (Canada) · Privacy Act · Well-founded & unresolved
Mar 11, 2025 · Indexed Apr 12, 2026

Investigation of the loss of an unencrypted Universal Serial Bus (USB) storage device by the Royal Canadian Mounted Police

Royal Canadian Mounted Police

This investigation concerned the loss of an unencrypted USB storage device by the Royal Canadian Mounted Police (RCMP), which contained sensitive personal information of 1,741 individuals. The OPC found that the RCMP contravened section 8 of the Privacy Act by disclosing personal information without consent. The investigation also revealed failures in timely breach reporting and inadequate safeguards for personal information on USB devices, leading to the complaint being well-founded and unresolved.

Adjudicator: Philippe Dufresne

Key Issues
  • Contravention of section 8 of the Privacy Act regarding unauthorized disclosure of personal information.
  • Timeliness and appropriateness of the RCMP's response to the breach.
  • Sufficiency of RCMP measures to safeguard personal information on USB storage devices.
  • Adequacy of policies and enforcement regarding USB device usage.