Privacy Update
By Esther Shainblum and Martin U. Wissmath Oct 2025 Charity & NFP Law Update
Published on October 30, 2025
Federal and Provincial Privacy Commissioners Find TikTok in Violation of Privacy Laws

Canada’s privacy regulators say TikTok broke the law by mishandling personal data. The Privacy Commissioner of Canada, together with the privacy commissioners of Quebec, Alberta, and British Columbia, released their Joint Investigation of TikTok Pte. Ltd. by the Office of the Privacy Commissioner of Canada, the Commission d’accès à l’information du Québec, the Office of the Information and Privacy Commissioner of British Columbia, and the Office of the Information and Privacy Commissioner of Alberta on September 23, 2025, finding that TikTok Pte. Ltd. (TikTok) had breached Canadian privacy laws by failing to obtain valid consent for the collection, use, and disclosure of personal information, particularly from minors. The report underscores the growing scrutiny of global digital platforms’ privacy practices and highlights issues that are increasingly relevant to charities and not-for-profits that collect personal or biometric data through social media, mobile applications, or other online tools.

The investigation assessed TikTok’s compliance with the Personal Information Protection and Electronic Documents Act and with substantially similar private-sector privacy legislation in Quebec, Alberta, and British Columbia, namely Quebec’s Act Respecting the Protection of Personal Information in the Private Sector, Alberta’s Personal Information Protection Act, and British Columbia’s Personal Information Protection Act. The commissioners determined that TikTok’s consent mechanisms were not meaningful within the meaning of those statutes. Users, and minors in particular, could not reasonably understand the extent to which their personal data were collected, analyzed, and shared for targeted advertising and content recommendation. The commissioners found that TikTok’s collection and use of minors’ personal information went beyond what was necessary or proportionate to the stated purposes. While the platform claimed to implement additional protections for youth, these measures were found to be inadequate. The report emphasized that organizations are responsible for ensuring that consent is informed and that their data practices align with users’ reasonable expectations, especially where minors are concerned.

TikTok’s privacy policy and consent materials were also criticized as overly complex and lacking transparency, particularly with respect to data retention, cross-border transfers, and third-party data sharing. The commissioners concluded that these deficiencies rendered users’ consent invalid under federal and provincial private-sector privacy laws. In response to the findings, TikTok agreed to implement corrective measures, including revising its consent model, improving privacy communications for minors, and enhancing transparency around data handling practices. The commissioners indicated that they will monitor compliance and consider further enforcement if necessary.

For charities and not-for-profits, the findings highlight the continuing focus on transparency, consent, and proportionality in online engagement. Organizations that rely on social media platforms or digital analytics tools should review their data collection and sharing practices, particularly when engaging with youth audiences. Even when operating outside the scope of federal private-sector privacy legislation, organizations are expected to explain privacy practices clearly and to collect only the personal information reasonably required for their activities.

Ontario Divisional Court Upholds Broad Duty to Notify After Ransomware Attack

A ransomware attack that locks data, even without proof of exfiltration (unauthorized or covert movement of private or sensitive data), can still trigger mandatory privacy breach notification. In Hospital for Sick Children v. Ontario (Information and Privacy Commissioner), the Divisional Court upheld two 2024 decisions of the Information and Privacy Commissioner of Ontario (IPC) requiring notice to affected individuals following separate ransomware incidents at the Hospital for Sick Children (SickKids) and the Halton Children’s Aid Society (“Halton CAS”). Released on September 16, 2025, the decision confirms that the temporary loss of access to personal information during a cyberattack may amount to both an “unauthorized use” and a “loss” under Ontario privacy legislation. For charities and not-for-profits, the ruling underscores the need to treat encryption-only ransomware events as privacy breaches requiring notification and documentation.

“Encryption-only” ransomware refers to attacks where malicious actors lock or encrypt files, making them temporarily inaccessible, but do not appear to steal or exfiltrate data. Both affected organizations reported ransomware attacks that encrypted their servers but found no evidence that personal or health information was viewed or exfiltrated. The IPC concluded that by rendering the data inaccessible, the attackers had “handled” or “dealt with” the information, amounting to an unauthorized “use” under section 12(2) of the Personal Health Information Protection Act, 2004 (PHIPA) for SickKids and section 308(2) of the Child, Youth and Family Services Act, 2017 (CYFSA) for Halton CAS. The IPC also found that the temporary loss of availability of personal information constituted a “loss” within the meaning of the same provisions.

On review, the Court held that the IPC’s interpretation was reasonable and consistent with the text, context, and purpose of the legislation. It found that PHIPA and the CYFSA do not impose a “risk of harm” threshold before notification is required. Instead, the notification duty arises from any unauthorized activity affecting personal information, even if the risk to individuals appears minimal. The Court rejected arguments that the IPC’s reasoning was “results-oriented” or would lead to “notification fatigue,” finding that the IPC had taken a balanced, purposive approach to the duty to notify.

The decision also highlights the role of the IPC in promoting transparency and accountability. By confirming that ransomware encryption itself can constitute unauthorized “use” and “loss,” the Court emphasized that data custodians must be transparent whenever personal data are made unavailable due to unauthorized activity, regardless of whether the data are viewed or copied.

For charities and not-for-profits, this decision reinforces the importance of robust breach response protocols. Even in cases where forensic evidence suggests no data exfiltration, organizations holding personal or health information should carefully consider whether a ransomware incident triggers notification obligations under PHIPA or the CYFSA. Those handling donor or beneficiary data should also maintain breach logs, review their incident response plans, and anticipate that regulators may expect notification when systems containing personal data are compromised.
