2025 Privacy Recap – Youth privacy, breach guidance and other developments

Several significant regulator rulings dominated privacy developments over the past year – focussing on youth privacy and breach response. However, the year also saw important issues of lawful access, freedom of speech and digital sovereignty come into play. On the reform front, a revised federal bill containing selected adjustments to the government’s proposed Consumer Privacy Protection Act (CPPA) was expected to be introduced before Christmas however the timing now will be (early?) in 2026. Finally, a number of on-going cases progressed, in several instances to appeal.

TikTok Investigation Report – youth privacy and online tracking

In September, the OPC and the privacy regulators in three provinces (Quebec, BC and Alberta) issued the Report of their joint investigation into the personal information collection practices of TikTok, the social media platform particularly popular with youth.[1] The Regulators’ investigation focused on issues related to the collection and use of information of children and youth, in particular, the age group 13 to 17, for purposes of ad targeting and content personalization.

The objectives of the investigation were to determine whether the collection, use and disclosure of such information was a permitted, appropriate purpose under the relevant privacy laws and to determine whether TikTok obtained valid consent for purposes of tracking, profiling, targeting and content personalization, including whether it met its obligations to inform users with respect to such uses.

While focussing on the collection and use of personal information of children and youth, the Report contains numerous items of more general compliance guidance. The Report addresses requirements for valid consent on web interfaces, the standard form of privacy policy currently in common usage, consent for biometric information, and consent requirements for profiling and ad targeting.

The TikTok Report also is significant because it contains the first rulings by Quebec’s privacy regulator, the Commission d’accès à l’information (the “CAI”), regarding key new provisions of Law 25, that province’s reformed Private Sector Privacy Act,including those regarding transparency, consent for online data collection, and privacy by default. The CAI’s determinations are important because they impact organizations operating in all jurisdictions across Canada.