The Office of the Privacy Commissioner of Canada (OPC) has announced that it will be taking Aylo, the owners of Pornhub, a pornographic video-sharing platform, to Federal Court in an effort to force the company to comply with the OPC’s recommendations made in its February 2024 Report of Findings (Report).
Among other things, the Report found that Aylo could not rely on attestations of consent by third parties/uploaders of videos and that it had to obtain direct, express consent from all persons depicted in the content. Furthermore, the OPC recommended that Aylo implement technical mechanisms to obtain or verify such consent, and implement processes for reporting videos posted without consent. Aylo declined to voluntarily comply with the OPC’s recommendations and the OPC applied to court for an order requiring Pornhub’s owner to make these changes.
The Court will now determine for itself whether Aylo breached PIPEDA, and whether to issue an order.
Companies that use third party consent or attestations of consent should pay close attention as the determination of the court could significantly impact their business model.
Such third party consents are common. Examples include:
- vehicle manufacturers (including those with vehicles that collect sensitive information such as driver behaviour or biometric information) often include language in their agreements or privacy notices indicating that the owner represents and warrants that it has obtained the consent of all vehicle passengers.
- companies with benefits or similar programs in which one individual indicates they have the consent of all persons to provide health or medical information.
- companies with products or services that use a “refer a friend” model and require that the referrer provide personal information about the friend and attest that their friend has consented.
BACKGROUND
Pornhub is one of the world’s most popular pornographic video-sharing websites – claiming to have had a billion visits to its site. The site provides access to intimate videos uploaded by the site’s users. By their nature, these videos can contain sensitive and personal information of the individuals depicted in the images (not just the personal information of the individual who uploaded the video).
The OPC’s investigation into Aylo’s privacy practices arose as a result of a complaint made by an individual whose intimate images were uploaded to the site without her knowledge and consent (Complainant). The Complainant’s ex-boyfriend had uploaded the video in question in 2015. In accordance with Pornhub’s practices at the time, it did not obtain express consent from the Complainant and instead relied exclusively on the uploader, her ex-boyfriend, to attest that she had consented to the video being distributed. Pornhub also only required the uploader, the Complainant’s ex-boyfriend, to provide a username and email address.
The Complainant contacted Pornhub’s owner and requested that the video be taken down, which it was. However, the content continued to be re-uploaded on Pornhub and other websites. The video’s title and tags also contained identifying information about the Complainant, including her name, her mother’s maiden name and information pertaining to her university and sorority.
In response to the complaint, the OPC commenced an investigation seeking to determine whether Pornhub’s owner:
- obtained valid consent to collect and use the personal information of individuals depicted in content uploaded to its websites;
- provided individuals with an easily accessible, simple-to-use and effective process for having their information removed from its websites; and
- was accountable for the personal information under its control.
After 2015, and prior to the OPC conducting its investigation, Pornhub’s owner made a number of changes to its privacy practices. Specifically, Pornhub’s owner advised the OPC that:
- in order to upload content, users must now have their identities verified, which includes providing their full name, date of birth and government identification;
- Pornhub had improved its moderation and audit process in an effort to protect against terms of service violations, including uploaders’ failure to obtain other participants’ consent; and
- it had improved its process for individuals to report content uploaded without their consent.
OPC FINDING AND RECOMMENDATIONS
After reviewing both Pornhub’s 2015 and current privacy practices, the OPC concluded that notwithstanding Pornhub’s changes to its privacy practices, its process was still not sufficient to meet the standard of consent required under the Personal Information Protection and Electronic Documents Act (PIPEDA).
The OPC found that in light of the sensitivity of the personal information in question, and the potential for harm to flow from the information being collected, used and/or disclosed without consent, express consent was required. Further, the OPC noted that while it had previously found that organizations may rely, in appropriate circumstances, on consent obtained from an individual via a third party, the organization can only do so to the extent that they have implemented reasonable measures to ensure that such consent is valid and meaningful.
Here, the OPC was of the view that Pornhub’s moderation process (which included employees briefly viewing videos for signs of non-consent) and audit process were insufficient and did not constitute ‘reasonable efforts’ for ensuring that meaningful consent had been given by individuals. As a result, the OPC concluded that, in its view, Pornhub’s owner cannot rely on uploaders to obtain consent from individuals appearing in uploaded content and must obtain consent directly from each participant. In coming to this conclusion, the OPC rejected the argument that Pornhub’s current requirements that verified users provide government identification and a method of payment act as a deterrent to misuse and are designed to make uploaders more accountable for the content they upload – stating that these steps are insufficient to ensure compliance with PIPEDA’s consent requirements.
The OPC further found that while Aylo had improved its process for reporting and removing content posted without consent, it was still not simple to use and lacked a mechanism that can remove all instances in which an individual’s personal information appears across its websites. As a result, the OPC concluded that Aylo had failed to provide individuals with a simple-to-use and effective process for having their information removed from its websites – noting that it was likely impossible for Aylo to implement such a mechanism without obtaining direct express consent from each individual depicted in the content.
In light of its findings, the OPC made a number of recommendations to Aylo, including that the company cease allowing the upload of intimate content without first obtaining meaningful express consent directly from each participant; and that it delete all content previously collected without obtaining such consent. Aylo expressly disagreed with the OPC’s findings and declined to implement its recommendations.
As the OPC is only able to issue non-binding “recommendations” and lacks the power to issue an order requiring Pornhub to implement its recommendations, the OPC now seeks the intervention of the court to do so.
The Federal Court is not bound by the OPC’s recommendations, or the OPC’s findings of fact. The proceeding in the Federal Court is essentially a new hearing, in which the OPC will need to lead evidence and prepare legal arguments as to why the Federal Court should find Pornhub violated PIPEDA and issue the requested order. This is very different than the basis on which the OPC can prepare its own Report and make recommendations. In that process, the OPC is not bound by rules of evidence, can accept hearsay or any other information (e.g., anonymous online chatroom chatter, media reports, etc.) that “the Commissioner sees fit, whether or not it would be admissible in a court of law”, and so on.
IMPLICATIONS FOR BUSINESS
While the personal information at issue in this matter is of a sensitive nature, any findings by the court regarding the form of consent required for the collection and use of such information could have wide-ranging implications for organizations that collect similarly sensitive information in reliance on third party consent.
Companies should consider reviewing their processes to determine if any could be at risk should the court find such processes do indeed violate PIPEDA.
In addition, this matter, combined with the Federal Court of Appeal decision in Privacy Commissioner of Canada v. Facebook Inc., 2024 FCA 140, also shows the OPC’s increasing willingness to seek the court’s assistance in enforcing its privacy recommendations.
For more information on this topic, please contact Emma Irving or other members of the Dentons Privacy and Cybersecurity group.