On February 29, 2024, the Office of the Privacy Commissioner of Canada (OPC) published its Report of Findings No. 2024-001, as issued on the same date, in which it found Aylo (formerly MindGeek) in violation of the Information Protection and Electronic Documents Act 2000 (PIPEDA) following a complaint.

Background to the report

The OPC explained that the investigation was launched in response to a complaint from a woman who discovered that her ex-boyfriend had uploaded an intimate video and other images of her to MindGeek's websites without her consent. The complaint alleged that MindGeek:

• does not obtain consent from individuals depicted in content prior to collecting, using, and disclosing intimate images and associated personal information;
• does not take sufficient measures to address individuals' complaints, and fails to effectively remove personal information upon being informed that it does not have consent; and
• fails to be accountable for the personal information under its control.

Findings of the OPC

Following its investigation, the OPC found MindGeek contravened consent requirements as provided in Principle 4.3 of Schedule 1 of PIPEDA, as it failed to obtain valid consent for its collection, use, and disclosure of the complainant's personal information. The OPC highlighted that MindGeek's current practices, including the enhanced consent practices implemented in 2020, have not remedied the contravention. In line with the above, the OPC concluded that MindGeek also failed to provide individuals who did not consent to the upload of their personal information with an easily accessible, simple-to-use, and effective process for having content containing their personal information removed from its websites. Furthermore, the OPC determined that the cumulative contraventions identified indicate that MindGeek also lacked accountability for the highly sensitive personal information under its control in violation of Clause 4.1 of Schedule 1 of PIPEDA.

Outcomes

In light of the above, the OPC made several recommendations to MindGeek, in view of bringing them into compliance with PIPEDA, including:

• cease the collection, use, and disclosure of user-generated intimate images and videos, and associated personal information, via its websites, until it has implemented measures to address PIPEDA contraventions and recommendations in the report;
• delete all content for which consent has not been obtained from each individual whose personal information appears in the content, and have any third-party processors, with whom it shared such information, delete it;
• establish, within nine months, and afterward maintain, a privacy management program to ensure compliance with PIPEDA; and
• agree to oversight by a qualified independent third-party monitor, appointed by the OPC, to monitor and regularly report on their compliance with the recommendations for five years.

Finally, the OPC stated that it requires MindGeek to commit that it would not recommence, in the future, the collection, use, and/or disclosure of user-generated intimate images, unless it is in a manner that complies with the recommendations as specified in the report.

You can read the press release here and the report here.