Language selection

OPC Logo Office of the Privacy Commissioner of Canada

Search

Investigation into Aylo (formerly MindGeek)’s Compliance with PIPEDA

Table of Contents

Overview

Complaint and Background

MindGeek

Issues and Scope

Methodology

Analysis

Jurisdiction

Issue 1: Consent

Issue 2: MindGeek’s content takedown process (Challenging Compliance and Withdrawal of Consent)

Issue 3: Accountability

Other

Recommendations

MindGeek’s Response

Conclusion

Footnotes

PIPEDA Findings # 2024-001

February 29, 2024

Overview

MindGeekFootnote 1 is a global technology company incorporated in various jurisdictions, including the province of Quebec (Canada), with its primary operations, and approximately 1000 employees, based in Montreal. The company owns, operates and provides services to many of the world’s most popular pornographic websites, including Pornhub and Youporn.

In 2015, the Complainant’s ex-boyfriend uploaded an intimate video depicting the Complainant to various MindGeek websites, without her knowledge and consent. Pursuant to its normal practice, MindGeek did not seek the Complainant's consent to collect, use and disclose her intimate images, and instead relied exclusively on the uploader, her ex-boyfriend, to attest that she had consented to the video being distributed on MindGeek's websites.

The Complainant learned of the initial uploads containing her intimate images shortly after they were posted on MindGeek’s websites. She contacted MindGeek to request takedown of the content, which was subsequently removed. However, the content, which could be easily downloaded by users at the click of a button, continued to be re-uploaded, both on MindGeek and other websites (including sites unrelated to pornography). Various strangers from around the world, who had seen the video online, contacted her on Facebook using information contained in the video’s title and tags, such as her name, mother’s maiden name, university and sorority.

Ultimately, the Complainant employed a professional takedown service, which led to the removal of more than 700 instances of her intimate imagesFootnote 2 on more than 80 websites. The material continued to resurface on several websites, until at least 2020, and is likely still available online. The permanent loss of control over her intimate images has had a devastating effect on the Complainant, who alleged that it caused her to withdraw from her social life, lose an employment opportunity and live in a constant state of fear and anxiety. She filed a complaint with our Office in relation to MindGeek’s compliance with its privacy obligations under PIPEDA.

In response to that complaint, our Office commenced an investigation seeking to determine whether MindGeek:

  1. obtained valid consent to collect, use and disclose the personal informationFootnote 3 of individuals, including the Complainant, depicted in content uploaded to its websites;
  2. provided individuals, including the Complainant, with an easily accessible, simple-to-use and effective process for having their information removed from its websites; and
  3. was accountable for the personal information under its control.

Having investigated the matter, we found that MindGeek had a legal obligation to obtain the complainant’s consent and had failed to do so. We found that MindGeek’s consent model, which relies on the uploader to attest that they have obtained consent from each individual whose highly sensitive personal information is depicted in uploaded content, does not constitute reasonable efforts to ensure that meaningful consent has been obtained from those individuals. We further found that changes to MindGeek’s practices in 2020, and since, have not remedied this contravention.

MindGeek claimed that its collection and verification of uploaders’ identity, which it commenced in 2020, and the fact that this information could be provided to law enforcement, would discourage uploaders from uploading content without consent — but it provided no examples where it had, in fact, referred any uploader of non-consensual content to law enforcement. MindGeek also claimed that uploaders would be deterred from uploading content on Pornhub without consent, for fear of having their account banned from the website. However, until at least October 2022, an individual whose account had been banned, could simply create a new account with a different username and email address, given that MindGeek did not associate banned accounts with the identity of the uploader.

Furthermore, it continued to rely on the uploader to confirm consent even though systematic audits of certain content (i.e., content in which the uploader does not appear) revealed that approximately 70% of audited uploaders failed to provide the proof of consent that they had committed to obtain. In other circumstances, MindGeek did not even verify whether the uploader could provide such consent documents. MindGeek also relied on moderators who reviewed as many as 500 videos or more each day, and on various AI tools, to check for signs of non-consent, even though the absence of such signs did not establish that the individual had consented to the mass distribution of their intimate images. Ultimately, Pornhub’s own Monthly Non-Consensual Content reports suggest that continued instances of content were being uploaded to MindGeek websites without requisite consent.

We further found that for individuals who never consented to having their images uploaded to MindGeek’s websites, the company failed to provide an accessible, simple to use and effective process to contest consent and to have their content removed from MindGeek’s websites. MindGeek did not, in 2015, explain how individuals could access its takedown process on Pornhub. Furthermore, MindGeek’s takedown process was, and still is, extremely onerous for individuals who often do not know the full details of every video or image containing their personal information across MindGeek’s many websites. Finally, MindGeek lacks an effective mechanism whereby individuals can have all instances of their intimate content removed from all of the company’s websites.

Ultimately, we found that MindGeek failed to be accountable for the personal information under its control. This is particularly concerning in the context of a company that controls significant amounts of highly sensitive personal information, and where the failure to provide adequate privacy protection can have, and has had, devastating harms on affected individuals like the Complainant, including social stigmatization, psychological damage and financial loss.

We found that the measures put in place by MindGeek as a substitute for obtaining valid consent were not acceptable alternatives and could in fact give a false sense that individuals’ information would be protected, while operating to preserve the continued volume and stream of content on its websites.

In December 2022, we issued a preliminary report to MindGeek outlining our findings and sharing several recommendations, including that the company: (i) cease allowing the upload of intimate content without first obtaining meaningful consent directly from each individual appearing in that content; (ii) delete all content that it previously collected without obtaining such consent; and (iii) implement a privacy management program to ensure that it is accountable for information under its control. With a view to ensuring MindGeek’s ongoing compliance with Canadian privacy laws, we also recommended that MindGeek agree to enter into a Compliance Agreement with our Office, and to be subject to oversight by an independent third-party reporting to our Office, for a period of five years.

In its response to our preliminary report, MindGeek expressly disagreed with our findings. It requested certain factual corrections, while also raising new facts and legal arguments, that are reflected and addressed in this final report as appropriate. Ultimately, MindGeek did not accept responsibility and take the necessary corrective measures to redress the significant privacy harms that we uncovered in our investigation, and has yet to offer any commitments in response to our recommendations.

We find this complaint to be well-founded.

Originally scheduled for release in May 2023, the investigation report was delayed as Aylo pursued legal proceedings against the OPC. This included seeking an order barring release of the report pending the completion of its litigation. The report is being released now as Aylo was unsuccessful in that attempt. In light of all of the above, we are issuing our report of findings.

Complaint and Background

MindGeek

  1. MindGeek is a global technology company, incorporated in various jurisdictions, including the province of Quebec (Canada), with primary operations located in Montreal. The company owns, operates and provides services to many pornography websites, including Pornhub.com, Youporn.com, RedTube.com, Tube8.com, XTube.com, among others. MindGeek has 1800 employees globally with more than 1000 employees located in Canada.Footnote 4 In 2018, its annual revenue was estimated at more than $450 million USD.Footnote 5
  2. MindGeek enables individuals within and outside Canada to access user-uploaded adult content, both free and ‘subscription-only’, which generates further revenue through advertising sales.
  3. MindGeek’s former CEO described the company as:
    “a leader in this industry”, “… one of the largest, most well-known brands in the online adult entertainment space [and] Pornhub is among the top five most visited websites on the Internet. Over 12.5% of the adult Canadian population visit our website every day”.Footnote 6
  4. MindGeek’s flagship website, Pornhub, is one of the most popular websites worldwide by number of visits.Footnote 7 According to its public-facing “Insights” reports, Pornhub claims that it had a billion visits to its site and 6.83 million video uploads in 2019, the last year these metrics were published. In addition, MindGeek represented to our Office that April 2020 traffic for its top 10 websites was as follows:
    Platform Traffic (Total) Traffic (Canada)
    Pornhub 4,534,498,835 148,117,922
    Youporn 431,197,369 (Youporn.com)
    20,559,742 (YoupornGay.com)    		 12,929,104 (Youporn.com)
    378,884 (YoupornGay.com)
    Redtube 336,047,354 7,065,842
    MyDirtyHobby 38,152,962 (.com)
    24,613,741 (.de)    		 18,765 (.com)
    3,181 (.de)
    Tube8 108,440,297 1,710,749
    xTube 40,977,570 1,159,138
    Thumbzilla 7,696,098 204,451
    Pornhub Premium 421,007,530 14,967,467
    Youporn Premium 3,983,470 132,114
    Redtube Premium 2,587,216 60,826
  5. MindGeek collects personal information contained in, and associated with, content uploaded by its websites’ users, and subsequently makes that information available on the numerous websites it controls, including Pornhub. Such content generally includes intimate videos and images, as well as associated personally identifiable information (for example, in the Complainant’s case, her full name, mother’s maiden name, university and sorority were contained in the title and description of the video).
  6. MindGeek relies on the person uploading the content to its websites (the “uploader”) to confirm that they have obtained consent from everyone appearing in the content to upload and distribute it on MindGeek’s websites. In the circumstances of the Complainant, her ex-boyfriend uploaded the video and images in question without her knowledge and consent.
  7. In certain situations, MindGeek shares content that is uploaded to one MindGeek website with other MindGeek websites. For example, MindGeek represented to our Office that Thumbzilla, one of the other websites it operates, “acts as a mirror of Pornhub, which means that content made available on Pornhub is also made available on Thumbzilla.” Accordingly, MindGeek stated that the Complainant’s content uploaded to Pornhub would have been accessible on Thumbzilla for as long as it was accessible on Pornhub.
  8. Moreover, during the upload process, individuals can easily opt-in to having the content uploaded to other MindGeek websites by simply clicking a button indicating that they agree to cross-post the content to other MindGeek sites. In addition, at the time relevant to the complaint, a download function allowed any viewer to download a copy of the content once it was posted on a MindGeek website.

The Complaint

  1. The Complainant alleged that:
    1. MindGeek does not obtain consent from all individuals depicted in content prior to collecting, using and disclosing intimate images and other associated personal information;Footnote 8
    2. MindGeek does not take sufficient measures to address individuals’ complaints, and fails to effectively remove personal information from MindGeek’s websites upon being informed that it does not have individuals’ consent; and
    3. MindGeek fails to be accountable for the personal information under its control.

Circumstances leading to the Complaint

  1. In 2013, the Complainant made an intimate video (“the video”) with her boyfriend at the time. The Complainant explained that she felt pressured to make the video, but her boyfriend indicated that he would keep it private.
  2. In January 2015, the Complainant became aware that her ex-boyfriend had disclosed the video and images to various MindGeek websites, specifically Pornhub and Youporn, without her consent. In addition to the Complainant’s intimate images, the title and tags associated with the intimate images contained her personally identifiable information, including her name, her mother’s maiden name and information pertaining to her university and sorority.
  3. In the months that followed, the Complainant began receiving messages from strangers via Facebook. These messages were from people in various countries (including in Canada, Italy, the Netherlands and Georgia), who had seen her intimate images online. This contact was possible because her personal information, including her name, was disclosed on MindGeek and other websites (as discussed later in para. 56) along with her intimate images.
  4. Between January 2015 and November 2017, the Complainant (or one of her representatives) contacted MindGeek to request the takedown of nine iterations of her intimate images from its websites. In at least seven of the nine instances, the content was uploaded by two different, but very similar, usernames and email addresses.Footnote 9 Despite the Complainant’s multiple requests to take down content uploaded by these two usernames/email addresses, content was re-uploaded shortly after it was taken down, using the same credentials.
  5. MindGeek acted, usually within a day or less after receiving the takedown requests, to disable public access to the relevant content, by deindexing it from the search engines on all MindGeek websites and removing the intimate content from the pages in question.
  6. However, until at least July 2018, a search of the Complainant’s full name on an external search engine such as Google led to a webpage on Youporn, which continued to display the Complainant’s full name, former university and descriptive “tags” of the video that had been “taken down”. This was made possible by the fact that: (i) MindGeek allows its content to be indexed by external search engines in order to drive more traffic to its websites; and (ii) while MindGeek disabled links to non-consensual content that had been taken down, it did not automatically delete the pages in question from its servers.
  7. Copies or different versions of the intimate images would also frequently resurface on various user-generated content websites.Footnote 10 As recently as 2020, a search for the Complainant’s name returned her images on various third-party adult content websites. The images were labelled and tagged with the Complainant’s first and last name.
  8. The Complainant ultimately hired a professional ‘take-down service’, to assist her with the removal of any copies of her intimate images that remained accessible online. From September 2017 to October 2018, the service requested removal of more than 700 copies of her intimate images on more than 80 websites, including MindGeek websites. According to representations provided to our Office by the Complainant, some of the websites were adult-oriented in nature, including both mainstream adult entertainment websites and websites targeted to specific activities. However, the Complainant also told us that her intimate images were found on a number of non-adult oriented sites, including Twitter, Pinterest, Tumblr and Reddit.
  9. The Complainant further explained to our Office that the disclosure of her intimate images across the Internet, and the permanent loss of control over her intimate images, had a devastating effect on her. It caused her to withdraw from her social life and live in a state of fear and anxiety.
  10. The Complainant commenced a lawsuit against MindGeek for damages resulting from this non-consensual distribution.Footnote 11 In April 2020, she submitted a complaint to our Office as she considered that our investigation would address, more generally, MindGeek’s privacy-related practices and compliance with its PIPEDA obligations.

Additional Context

  1. Our Office considered this matter in the context of broader privacy concerns associated with MindGeek’s activities. In particular, on December 2, 2020, the New York Times published an opinion piece, “The Children of Pornhub”,Footnote 12 which raised serious concerns regarding MindGeek’s practices. It alleged that MindGeek allowed the upload of child sexual abuse material (“CSAM”) and non-consensual contentFootnote 13 on its adult entertainment platforms and made it unreasonably difficult for individuals whose intimate images had been uploaded without consent to have this content removed. On December 11, 2020, the ETHI Committee announced a study into the allegations raised in the New York Times article, which resulted in a report, Ensuring The Protection Of Privacy And Reputation On Platforms Such As Pornhub: Report of the Standing Committee on Access to Information, Privacy and Ethics, published in June 2021. The report included testimony from senior MindGeek executives, as well as accounts of survivors who have had their intimate images collected, used and disclosed via MindGeek sites without their consent.
  2. In December 2020, Visa and Mastercard suspended their payment processing services with Pornhub.Footnote 14 We note that, at the time of writing this report, the suspension of payment processing was still ongoing for MindGeek’s sites that contain user-generated content.Footnote 15 Furthermore, according to media reports, a lawsuit was commenced against Visa and MindGeek. The lawsuit alleges that Visa and MindGeek facilitated the distribution of CSAM through MindGeek’s websites.Footnote 16 At the time of writing this report, the lawsuit was ongoing.

Issues and Scope

  1. Our investigation sought to determine whether MindGeek met legal requirements under PIPEDA when collecting, using and disclosing personal information on its websites. Specifically, our Office examined whether MindGeek:
    1. obtained valid consent to collect, use and disclose the personal information of individuals, including the Complainant, depicted in content uploaded by a third party to its websites;
    2. provided individuals, including the Complainant, with an easily accessible and simple-to-use process to have their personal information removed from its websites; and
    3. was accountable for the personal information under its control.
  2. Our investigation sought to determine whether MindGeek effectively met legal requirements under PIPEDA when collecting, using and disclosing personal information on its websites. The investigation did not to assess the appropriateness of professional or amateur pornography.

Methodology

  1. Due to the highly sensitive nature of the personal information at issue, our Office accepted the complaint, with measures to strictly protect the Complainant’s identity internally. Our Office investigated without collecting her intimate images, given that further disclosure and review of this content could re-traumatize the Complainant, and because less invasive investigative methods were available. We worked with the Complainant’s representative, a law firm, to communicate sufficient information to MindGeek to allow the company to confirm that it had collected and disclosed, via its websites, the Complainant’s personal information in question, including intimate photographs and videos. MindGeek has not contested that it collected the Complainant’s intimate images, which is an accepted point of fact.
  2. MindGeek is a large organization with thousands of websites under its control, not all of which pertain to the Complainant’s allegations regarding the uploading of intimate images without consent. Considering the allegations and with a view to conducting an efficient investigation, we requested information from MindGeek pertaining to its top 10 ‘tube websites’,Footnote 17 by volume, that host content uploaded by users (the “Specified Websites”, “MindGeek websites” or “sites”), which MindGeek confirmed to be the following: Pornhub, Youporn, Redtube, MyDirtyHobby, Tube8, Xtube, Thumbzilla, Pornhub Premium, Youporn Premium, and Redtube Premium). One of these websites, Xtube, was shut down during the course of our investigation.
  3. Given that the Complainant’s personal information was disclosed to MindGeek websites in 2015 and that MindGeek made changes to its practices in 2020 (some of which appear to coincide with the New York Times articleFootnote 18), our Office requested information and representations from MindGeek pertaining to: (i) 2015, when the Complainant’s personal information was initially collected, used and disclosed; and (ii) changes made to its practices since 2015.
  4. Our Office also completed a virtual site visit (during the pandemic). Pursuant to subsection 12.1(1) of PIPEDA, we interviewed several MindGeek employees, under oath (except for those who were located at MindGeek offices outside of Canada, and certain technical staff who provided a demonstration of the Pornhub website). These employees included: (i) individuals working in content moderation; (ii) managers and directors of the content compliance and moderation programs; and (iii) executives.
  5. In addition to information obtained directly from MindGeek, our Office relied on certain publicly available information cited in this report and our own technical analysis.
  6. We requested an affidavit from MindGeek attesting to the accuracy and completeness of the information it provided in response to our queries. MindGeek agreed and reiterated on several occasions that it would provide the affidavit, but it never did so.
  7. Upon completion of the evidence-gathering phase of our investigation, our Office issued a Preliminary Report of Investigation (“PRI”), which set out the rationale for our preliminary findings, identified several recommendations to bring MindGeek into compliance with the Act, and invited MindGeek to respond. We also met with MindGeek to provide an opportunity for the company to ask any questions it may have on the PRI. In response to a request from MindGeek for an extension of time to submit its response to the PRI, we provided them with an additional two weeks to do so. With this extension, MindGeek had more than twice the time we generally provide respondents to respond to the PRI and submit any corroborating evidence in support of that response.
  8. Ultimately, MindGeek provided a written response articulating its disagreement with our preliminary findings and recommendations. In this letter, MindGeek also provided new information, which our Office considered in producing this report of findings. Where appropriate, we have incorporated MindGeek’s comments into this report.

Analysis

Jurisdiction

  1. The respondents to this complaint, 9219-1658 Quebec Inc. (carrying on business as Entreprise MindGeek Canada), MG Freesites Ltd., MG Freesites II Ltd., and MG Social Ltd., are part of the MindGeek group of companies (“MindGeek” or the “MindGeek Companies”), and are subsidiaries of the indirect parent company, MindGeek S. À. R.L.
  2. Entreprise MindGeek Canada is incorporated in Quebec, MG Freesites Ltd., MG Freesites II and MG Social Ltd. are incorporated in Cyprus, and the parent company, MindGeek S.À.R.L. is incorporated in Luxembourg.
  3. While MindGeek stated that it was reserving the right to make claims and/or defences against the OPC’s assertion of jurisdiction at the outset of the investigation, it made no such claims until after the PRI was issued. In its response to our preliminary report, MindGeek questioned the OPC’s jurisdiction to make findings and recommendations that apply to the MindGeek Companies as a whole, and in doing so, represented that the “sole purpose” of Entreprise MindGeek Canada is to “provide services to various international MindGeek Group entities”, including MG Freesites Ltd., the affiliate that operates the majority of websites at issue in this complaint. MindGeek further stated in response to the PRI that Entreprise MindGeek Canada is merely a “contractor” for the Cyprus-based operators of MindGeek’s websites, including Pornhub and Youporn.
  4. Canadian courts have confirmed that PIPEDA applies to organizations that are based outside of Canada where there is nevertheless a “real and substantial” connection between Canada and the organization’s business activities.Footnote 19 In this case, the MindGeek Companies that are the subject of this complaint are based both in Canada and abroad. Although MindGeek’s parent company is legally incorporated in Luxembourg, MindGeek’s physical office in Montreal has approximately 1000 employees, making up more than 50% of MindGeek’s total global workforce.Footnote 20 MindGeek’s executive leadership structure is also located in its Montreal office, including its Chief Executive Officer and Chief Operating Officer.Footnote 21 Moreover, on March 16, 2023, Ethical Capital Partners, a private equity firm based in Ottawa, announced that it had acquired MindGeek. MindGeek was rebranded as Aylo on August 17, 2023.
  5. During the course of the OPC’s investigation, certain individuals from MindGeek’s Montreal-based executive leadership provided answers to questions about the privacy-related practices of MindGeek’s websites, including Pornhub and Youporn operated by MindGeek Freesites.Footnote 22 MindGeek did not provide any evidence suggesting that the directing mind of its international operations is separate or distinct from the executive leadership based in Montreal, and specifically identified and offered certain of these individuals as the most appropriate employees to provide answers about MindGeek’s privacy practices as they related to the OPC’s investigation.
  6. Additional factors further demonstrate the existence of a real and substantial connection to Canada and the organization’s business activities:
    1. MindGeek’s Terms of Service for Pornhub are applicable to Canadians and address consent to the collection, use, and disclosure of personal information, and content takedown;
    2. Canadian-located users can visit MindGeek websites, view, and upload content to their websites, and employ the “takedown” mechanisms made available for content on their websites;
    3. Every day, over 12.5% of Canadian adults visit MindGeek websites, and approximately 3.6 million Canada-located users visit Pornhub;
    4. Canadian-located users represent 3.7% of all verified users uploading content to Pornhub, accounting for 5.67% of all active content on the website (equivalent to approximately 387,000 video uploads in 2019);
    5. In April 2020, Canadians made between 1.7 million and 148 million individual site visits to MindGeek’s top five most frequented websites; and
    6. The Complainant is a Canadian resident.
  7. In these circumstances, there is clearly a real and substantial connection between the MindGeek Companies as a whole and Canada, such that the Act applies.

Issue 1: Consent

  1. Principle 4.3 of Schedule 1 of PIPEDA requires knowledge and consent for the collection, use and disclosure of personal information, except where inappropriate.
  2. We will first consider MindGeek’s practices in 2015 to determine whether MindGeek contravened consent requirements at the time relevant to the complaint. We will then assess MindGeek’s practices in place at the time of our investigation.
  3. We ultimately found that in 2015, MindGeek failed to obtain valid consent for its collection, use and disclosure of the Complainant’s personal information. Furthermore, we determined that MindGeek’s current practices, including the “enhanced” consent practices MindGeek implemented in 2020, have not remedied this contravention.
  4. As explained below, MindGeek’s consent model, in 2015 and at the time of writing this report, relied on the uploader to ensure that consent had been obtained from each individual whose highly sensitive personal information was shared via the uploaded content. This does not represent reasonable efforts to ensure meaningful consent.

MindGeek’s practices in 2015

  1. In 2015, MindGeek did not seek express consent directly from all those whose images appeared in intimate content (i.e., videos and pictures) that it collected, used and disclosed. Its practice was to require the uploader to attest that the content complied with MindGeek’s Terms of Service (“TOS”), including that they had obtained express written consent from all identifiable individuals.
  2. For example, the 2015 Pornhub TOS required the uploader to agree to the following:Footnote 23
    You have the written consent, release, and/or permission of each and every identifiable individual person in the User Submission to use the name or likeness of each and every such identifiable individual person to enable inclusion and use of the User Submissions in the manner contemplated by the Website and these Terms of Service.
    In most cases, MindGeek did not ask uploaders to provide evidence that such consent had been obtained (see para. 70).
  3. Technological requirements for uploading content on MindGeek’s websites were minimal. The uploader needed only to provide a username and email address. Verification of the email address was optional, and no further verification of the uploader’s identity was required.Footnote 24
  4. MindGeek represented that since well before the Complainant’s content was uploaded, it has relied on moderators to manually review all uploaded content for compliance with its TOS.
  5. MindGeek did not provide us with written documentation detailing the moderation process in 2015. During our virtual site visit, we interviewed MindGeek staff responsible for moderating content, to try to better understand the moderation process. Two moderation management staff who had been employed by MindGeek for many years indicated that in 2015, content was moderated similarly to how it is now (the current process is described below at para 108 and following), but at much higher volumes, and with the assistance of fewer technological tools. The higher volume of content for moderation in 2015 was due to the fact that any user who signed up to the site could upload content without the need to have their identity verified, which was not introduced as a requirement by MindGeek until years later, in 2020, as discussed further below.
  6. Additionally, at the time relevant to the complaint, MindGeek’s websites had a “download function”, which allowed any user to download, retain and/or distribute intimate images uploaded unto its websites, and thus gain control over them. The ability to embed links to MindGeek content in other websites, whether belonging to MindGeek or operated by third parties, also contributed to the ability to easily share such content.
  7. We now turn to the consent requirements that applied to MindGeek’s activities and determine whether MindGeek contravened such requirements in 2015.

Form of consent

  1. MindGeek is required to obtain express consent for the collection, use and disclosure of intimate images and associated content.
  2. Principle 4.3.4 of Schedule 1 of PIPEDA provides that the form of consent sought by an organization may vary, depending on the circumstances and the type of information. In determining the form of consent to use, organizations are required to take into account the sensitivity of the information. Principle 4.3.6 further provides, in part, that an organization should generally seek express consent when the information is likely to be considered sensitive.
Sensitivity
  1. Our Interpretation Bulletin on Sensitive Information provides further specification regarding what factors are relevant when determining whether personal information is sensitive. For example, personal information that pertains to an individual’s sex life or sexual orientation is generally considered sensitive and requires a higher degree of protection.
  2. Per MindGeek’s representations and its current TOS for Pornhub, it collects personal information in content uploaded to its sites directly from users (“user contributions”). These user contributions include “information about yourself and others, [and] upload[ed] content (e.g., pictures, video files, etc.)”.
  3. MindGeek collects large amounts of user-contributed content on its websites, and publicly discloses the content on these websites. This content is sexually explicit and depicts individuals in sexual situations, which will generally be highly sensitive.
  4. Additional factors further contribute to the sensitivity of this information:
    1. it provides personal information that is difficult, if not impossible, to change, such as faces, voices, bodies and additional highly identifiable characteristics including tattoos, scars, moles and/or birthmarks; and,
    2. as described below, there is the potential for individuals to suffer significant reputational, psychological and other harms from the disclosure of this information without their consent.
  5. In the case of the Complainant, along with the sexually explicit video and images, MindGeek collected and disclosed on its websites her full name, mother’s maiden name, university and sorority. This personal information (available on MindGeek and other websites) allowed strangers from across the globe to identify and contact her via Facebook, rendering the information even more sensitive in the context.
  6. In our view, there is a significant risk of harm to individuals who did not provide their consent to have their intimate images disclosed via Pornhub or other MindGeek sites, a practice that is colloquially known as “revenge porn”, or more technically as “non-consensual pornography”, “image-based abuse” or “image-based sexual abuse”, which increases the sensitivity of this personal information. For the purposes of this investigation, we will be describing this practice as image-based abuse.
  7. The research suggests that in many cases, the motivation for this image-based abuse is the intention to shame, cause reputational and emotional harm or exercise power and control over these individuals.Footnote 25 This research has also suggested that women, the sexual and gender-diverse community and people of colour are more likely to be the victims of online violence, including image-based abuse, and to suffer more serious consequences following the non-consensual disclosure of their intimate images.Footnote 26
  8. Individuals who have had their intimate content disclosed without their consent have experienced severe consequences including reputational, financial and emotional harm. These harms can come in the form of targeted harassment that occurs online or in person, loss of job opportunities and mental health impacts up to and including suicide.Footnote 27
  9. In the matter at hand, the Complainant explained that she has suffered episodes of social anxiety and panic attacks and is often nervous in public situations as she fears strangers might recognize her from the images. She has also lost a job opportunity due to her name being associated with these images online.
  10. In light of the sensitivity of this information, and the potential for harm that may flow from it being collected, used and/or disclosed without consent, we find that the appropriate form of consent for the collection, use and disclosure of personal information contained in and associated with intimate images uploaded to MindGeek’s websites is express consent.
  11. As mentioned above, MindGeek requires the uploader to expressly consent to its TOS. However, it is necessary to determine whether such consent is meaningful and whether MindGeek can effectively rely on a third party to attest consent for all the individuals depicted in uploaded content.

Meaningfulness of Consent

  1. MindGeek is required to obtain meaningful consent for the collection, use and disclosure of personal information on its websites, which includes but is not limited to, intimate images or videos, and associated personal information. For the reasons explained below, we find that by relying exclusively on the uploader to obtain consent for all individuals depicted in the content, MindGeek failed to make ‘reasonable efforts’ — within the meaning of principle 4.3.2 — to ensure that individuals are advised of the purposes for which their personal information will be used and disclosed on its websites.
  2. Principle 4.3.2 of Schedule 1 of PIPEDA requires the knowledge and consent of an individual for the collection, use or disclosure of personal information, except where inappropriate. Organizations are required to make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. Section 6.1 of PIPEDA further provides that for consent to be valid pursuant to Principle 4.3, it must be reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.
  3. In 2015, at the time relevant to the complaint, MindGeek stated that it relied on the uploader to attest that “they owned the rights to the [Complainant’s] Content and that they had the written consent of the parties depicted in the content to upload the content”. MindGeek did not purport to obtain consent directly from the Complainant, nor more generally, from all individuals depicted in content uploaded to its websites, apart from the uploader. Furthermore, MindGeek did not, as a matter of general practice, verify that uploaders had in fact obtained the required consent from depicted individuals (see para. 70).
  4. Our Office has previously concluded that organizations may rely, in appropriate circumstances, on consent obtained from an individual via a third party. However, our Office takes the position that the organization can only do so to the extent that they have implemented reasonable measures to ensure that such consent is valid and meaningful.Footnote 28 We therefore considered whether MindGeek had implemented such reasonable measures.
  5. In 2015, MindGeek had very limited measures in place to ensure that consent represented by the uploader was valid. As mentioned above, technological requirements to upload content were minimal. MindGeek only required a username and an email address. It did not require the email to be verified and did not verify the identity of the uploader.
  6. MindGeek also relied on human moderators to scan content for compliance with TOS, including that all individuals depicted in the content had consented to its upload, as described above in para. 46.
  7. However, regardless of the exact nature of the moderation process in place in 2015, and even if we were to accept that a moderator could meaningfully review hundreds of videos per day (as described below) — which we do not — moderation is not an appropriate tool for determining whether an individual has consented to the collection, use and disclosure of their personal information by MindGeek. We have received no evidence that the mere absence of signs of non-consensual sexual activity and/or recording is sufficient to infer consent of the individual to the actual upload and public distribution of the content. Clearly, an individual may have consented to the sexual activity and its recording without agreeing to have the video uploaded to a MindGeek website.
  8. Finally, MindGeek stated that in 2015, occasional verifications would be undertaken to confirm that appropriate consent was obtained by uploaders. However, MindGeek was not able to indicate at what frequency and under what circumstances moderators would request documentation to verify that uploaders had obtained consent from all depicted individuals and was unable to provide any evidence confirming that such verifications ever took place.
  9. In the case of the Complainant, MindGeek confirmed to our Office that it is aware of nine instances where the Complainant’s intimate images were uploaded to its websites between the period of January and November 2015. MindGeek could not provide any evidence that the Complainant had consented to its collection, use and disclosure of her personal information in any of these known instances.
  10. Moreover, MindGeek received the Complainant’s first takedown request within two days of the first upload of the video. However, MindGeek did not prevent the video from being re-uploaded and going live on Pornhub and Youporn several more times after being informed that the Complainant did not consent. No material safeguards had been implemented to prevent the re-upload of videos that had been taken down for violating its TOS.
  11. On multiple occasions, in addition to the intimate video, MindGeek collected, used and disclosed various other pieces of the Complainant’s personal information in the video’s title and tags, including her full name, mother’s maiden name, university and sorority. According to MindGeek, its policy at the time was to allow identifying personal information, such as names, to appear alongside content only in cases where the individual was a “recognized adult actor”.Footnote 29 In its representations, MindGeek speculated that the Complainant’s personal information displayed in the video’s title and tag may have passed through the controls of its manual process because staff believed that the Complainant’s name was that of a recognized adult actor. However, MindGeek provided no evidence to indicate that it had any processes in place for its moderators to be able to meaningfully check and verify whether an individual was actually a “recognized adult actor”. MindGeek was also unable to offer any explanation as to how the Complainant’s other personal information, including her mother’s maiden name, university and sorority, passed through its moderation process without being flagged for violating its TOS. We therefore are not satisfied that this measure provided any meaningful protection against the upload of personally identifiable information along with intimate images and videos.
  12. The Complainant’s case illustrates how wholly ineffective MindGeek’s consent process was in 2015. Its exclusive reliance on the uploader to obtain consent, and completely inadequate control measures in place at the time (i.e., limited technological requirements to upload content, absence of verification of the uploader’s identify and reliance on human moderation to determine whether consent was obtained), was clearly insufficient to ensure consent. This consent model could only result in devastating consequences for thousands of individuals whose intimated images were shared online without their knowledge and consent.
  13. Ultimately, MindGeek’s consent model, including its reliance on the uploader, falls far short of what would constitute reasonable measures to ensure consent of depicted individuals, especially given that:
    1. the personal information in question is highly sensitive and there is a significant risk of harm associated with its non-consensual disclosure; and
    2. third parties being relied upon can be motivated to misrepresent that they have obtained each participant’s consent, as is most often the case for image-based abuse (see para. 57 and 58).
  14. We therefore find that in the circumstances, MindGeek cannot rely on uploaders to obtain consent from individuals appearing in uploaded content. MindGeek must obtain consent directly from each of these individuals.
  15. Consequently, we find that MindGeek’s 2015 process contravened section 6.1 as well as Principle 4.3 of Schedule 1 of PIPEDA by failing to obtain meaningful express consent from the Complainant, and more generally, from each individual depicted in content uploaded to its websites.

MindGeek’s current practices

  1. In December 2020, MindGeek disabled approximately 10 million pieces of user-uploaded content from Pornhub, amid allegations that MindGeek was hosting CSAM and non-consensual content.Footnote 30 MindGeek submitted to our Office that the decision to disable the content was not taken because there was evidence to support these allegations, but rather because of the move to a verified uploader model, described in more detail below. However, MindGeek provided no evidence to establish that this policy change had been planned in advance of these public allegations.
  2. MindGeek also made several changes to its practices in 2020. Of particular note, as referred to above, since mid-December 2020, individuals have been required to be ‘verified’, according to a process described in para. 87 and following, before they can upload content.
  3. Furthermore, since mid-December 2020, content can only be uploaded to Pornhub and MyDirtyHobby (and not to other MindGeek websites). In the analysis below, we have reviewed the current practices of Pornhub, MindGeek’s most popular website in terms of traffic. Based on MindGeek’ representations, the process and requirements are substantially similar for MyDirtyHobby.
  4. We will first describe the changes MindGeek has implemented in relation to its consent model. We will then explain why these new practices do not address the contraventions we have outlined above, as they still do not require that express consent be obtained directly from each individual depicted in content uploaded to MindGeek websites.
Categories of uploaders
  1. According to its TOS at the time of writing this report, Pornhub allows for uploading of adult-oriented content by: (i) Content Partners; (ii) Models; and (iii) Verified uploaders. Additionally, individuals are allowed to upload content, whether or not they appear in the content themselves.
  2. Content partners are professional studios, producers and other adult-entertainment companies, for which content is usually accessed through paid subscriptions.
  3. Models are members of Pornhub’s ‘Model Partner Program’. Models are paid a percentage of the ad revenue made on their verified videos and can also sell their videos or receive tips from their fans. To subscribe to the ‘Model Partner Program’, models must: (i) create an account and be verified according to the process described below; and (ii) submit a model application that includes personal information such as their legal name, address, date of birth, phone number and payment method.
  4. Verified uploaders are users who have a validated account (i.e., they must create an account and be verified according to the process described below). They can submit content, including videos, but are unable to earn revenue on that content.
  5. MindGeek represented, and we accept, that based on our own internal testing, as of the date of this report, only content partners and members of Pornhub's ‘Model Partner Program’ can upload content. That said, given conflicting evidence provided by MindGeek during the course of our investigationFootnote 31, and given Pornhub's most current TOS which indicate that verified uploaders can still upload content to Pornhub, it is not clear when this change was implemented, or that this limitation is permanent.
User Verification
  1. Not all MindGeek users are required to verify their identity. However, for users to be able to upload content, they are required to be verified.
  2. To become ‘verified’, models and users must create an account by providing an email address, username and identification, and agreeing to the site’s TOS.
  3. At the beginning of the verification process, Pornhub presents the user with a “Certification and Affidavit” form whereby they are required to read and agree, via checkboxes, to a series of statements (described in para. 95) and to provide their full legal name and date of birth (if not previously provided).
  4. MindGeek then uses a digital identity verification solution called YotiFootnote 32 to verify the age (i.e., at least 18 years old), identity and likeness (to the identification provided) of the user who uploads the identification.
  5. Specifically, the user engages in this verification process on the Pornhub website, while logged into Pornhub, via an embedded Yoti interface. The interface asks the user to verify their country of residence, and to upload a piece of government-issued photo ID. The name on the ID must match the name provided in the “Certification and Affidavit” form.
  6. Once the ID has been uploaded, the user must utilize their device camera to conduct a live scan of their face, which is then matched to the user’s uploaded identification document using AI-driven authenticity checks.Footnote 33
  7. In cases where this automated process fails to generate a match, Yoti implements manual verification. Yoti’s website states that 95% of matches are completed via automation, such that “…genuine customers will fly through your automated checks and our 200+ strong team of verification experts can help you with those trickier submissions.”
  8. Yoti will then “provide back all images and results from all liveness attempts” to Pornhub for further processing.Footnote 34 MindGeek retains the personal information provided during the verification, including copies of the identification used.
Consent requirements and verification
  1. Prior to uploading content on Pornhub, uploaders are currently required to certify and confirm that:
    1. All individuals appearing in the content have consented to appear in the content;
    2. The individuals consented to the disclosure of the content on Pornhub;
    3. The individuals were at least 18 years of age at the time the content was produced;
    4. They have valid ID for the individuals appearing in the content;
    5. The content does not violate MindGeek’s TOS (a link to the TOS is provided to the uploader) and related policies (CSAM and Non-consensual content policies).
    6. 18 U.S. Code § 2257 records are maintained and available upon Pornhub request.Footnote 35
  2. With respect to content for sale (i.e., paid-to-view, paid-to-download and videos-for-sale), content partners and models must upload valid IDs and Co-performer Agreements (a standard agreement whereby the co-performer provides certain permissions to the uploader)Footnote 36 for all individuals depicted in the content.
  3. For ‘free to view’ content where the uploader appears in the video (and can earn ad revenue), Pornhub does not require the model to upload Co-performer agreements and related IDs with the content. However, MindGeek represented that Pornhub “does audit models’ records from time to time, to ensure the model’s paperwork is in order”.
  4. For ‘free to view’ content where the uploader does not appear in the video (and cannot earn ad revenue), also referred to, internally at Pornhub, as “ISME:NO content” (i.e., Is it me? No.), Pornhub requires uploaders to collect one piece of photo ID from each performer who appears in the content, as well as a photo of them holding their ID(s). We discuss the steps taken by MindGeek, or lack thereof, to verify compliance with these requirements, below, at para. 99(ii). MindGeek also represented that Pornhub encourages ISME:NO uploaders to have performers agree to its standard Co-performer Agreement (see para. 96).
  5. The MindGeek employees that we interviewed further explained that:
    1. If the uploader is depicted in the content (as with the Complainant’s intimate images uploaded by her ex-boyfriend), Pornhub will only request that the uploader provide ID-verification documentation for co-performers if the content raises issues during the moderation or internal auditing process, or if the content is already live and accessible on Pornhub and has been reported via the content removal form (described below), user flagging or other means.
    2. If the uploader is not depicted in the content, Pornhub will request that the uploader provide ID-verification documentation for depicted individuals within two weeks of the content being submitted.Footnote 37 During this two-week period, content is available for viewing on Pornhub.
  6. According to one MindGeek director we interviewed, whose responsibilities included oversight of the consent validation process, uploaders of ISME:NO content fail to provide the required identification and consent forms for depicted individuals in approximately 70% of cases. Noting that this is an estimate, we asked MindGeek for a written confirmation of that percentage, but it failed to respond to our request.
  7. In light of this estimated 70% failure rate, we asked MindGeek’s Vice President of Operations, whom we subsequently interviewed, why MindGeek continues to rely on the uploader to attest that all individuals have consented, when the result is inevitably that the majority of these videos are made available for viewing when consent will never be documented and confirmed. In his response, the Vice President of Operations explained, under oath:
    [W]e haven't been given a reason to believe [the uploaders] don't have [the consent of those depicted in the content] … We don't have that. We don't have a complaint. We don't have a flag. We don't have any of that.
  8. If the uploader fails to provide the required consent forms and IDs during the two-week period, MindGeek removes the content and “bans” the account, as explained below in more detail.
  9. In response to our PRI, MindGeek provided, without corroboration, a version of events that is materially inconsistent with the interview testimony we received. MindGeek claimed that the estimated 70% failure rate was actually based on an audit commenced in early 2022 and completed by the summer of 2022. MindGeek further claimed that this audit sought to determine the proportion of verified uploaders described in para. 99(ii) who were able and willing to produce, within two weeks of the request, the required consent documentation that they had confirmed they had at the time of the upload.
  10. We do not find this explanation credible. The interview in question was carried out in February 2022, many months prior to the completion of the audit cited by MindGeek in its response to our PRI. Furthermore, the 70% failure rate cited by the director we interviewed was in response to a question regarding the consent audit process he had just described to our Office, which he had explained was carried out systematically each time ISME:NO content went live. While MindGeek had mentioned nothing to our Office of its alleged broader 2022 audit prior to its response to our PRI, it would appear that the results of that alleged audit were consistent with the estimated failure rate of 70% cited by the interviewee in February 2022.
  11. MindGeek further claimed that there was no basis to conclude that 70% of ISME:NO content was uploaded or distributed without the consent of those appearing in the videos. MindGeek asserted that any audit of this type would be expected to yield a significant non-response rate, even from legitimate uploaders, for reasons including an unwillingness to provide further data to the company, language barriers, unmonitored secondary email accounts, etc.
  12. Irrespective of the reasons why an uploader may not have responded to a request for documentation providing evidence of consent, the 70% failure rate for responses clearly demonstrates that in the majority of instances, MindGeek had no knowledge or evidence as to whether all individuals depicted in the content in question had consented to their intimate images being collected, used and disclosed by its websites. This lack of knowledge could logically have only raised with MindGeek, at minimum, a strong reason to suspect that a large proportion of uploaders had not obtained requisite consent from each individual depicted in that content.
  13. Finally, MindGeek represented that as a result of the audit it claimed to have completed in the summer of 2022, it determined that it would no longer permit ISME:NO content to be uploaded to its platforms, unless the uploader first provides government-issued identification for each participant. However, we have received no detailed description or corroborating evidence to substantiate this change. Furthermore, MindGeek made no representations with respect to whether it had, or would, delete all ISME:NO content that does not meet these new conditions and remains live on its websites. In any event, this change does not address MindGeek’s failure to obtain verified consent directly from each individual depicted in uploaded content.
Content Review (Moderation and Audits):
  1. MindGeek submitted that it has implemented various measures to protect against TOS violations, including uploaders’ failure to obtain other participants’ consent.
  2. MindGeek explained that before uploaded content goes live, it puts the content through three categories of third-party and internal automated tools, and that any content caught by these tools is blocked from the website. The tools are as follows:
    1. Fingerprinting technology (e.g., YouTube’s CSAI Match, Microsoft’s Photo DNA, Vobile’s MediaWise and MindGeek’s own tool, SafeGuard) that attempts to match newly uploaded content against a catalogue of content that has been banned, for example, content that has been identified as non-consensual.
    2. Artificial intelligence (e.g., Google’s Content Safety API) as a predictive tool to identify content that may contain a person under 18 years of age and detect unreported CSAM.
    3. Technology to estimate ages, to further support age verification protocols (i.e., a combination of internal proprietary video recognition and Microsoft’s Azure Face API).
  3. A team of human moderators, the “primary moderation” team, then reviews each image and video before it is authorized for public access on its platforms. According to MindGeek, it trains moderators to recognize content that may be illegal or may otherwise violate its TOS, including (i) where there are signs indicating a lack of consent, such as sexual activity where at least one of the depicted individuals cannot physically or verbally consent to any sexual act (e.g., use of sedation, drug consumption or intoxication of a performer); or (ii) where personally identifiable information is contained in the content’s title and tags. If no red flags are identified, the content goes live.
  4. Our understanding, based on our interview with the employee who led the team responsible for the primary moderation process, is that each moderator now reviews up to 500 videos per day, which would correspond to more than 60 videos per hour. Unless red flags are identified, moderators do not generally watch the entire videos but rather click through them quickly to determine if there are any indications that warrant a closer review. Moderators may also analyze the audio to identify signs that would suggest that content is non-consensual. For example, a video where the uploader tells the individual being recorded that it will be ‘just for them’, would be considered non-consensual. That said, the moderator would generally only review the audio, a process which requires watching and listening to the video in real time, where they have identified red flags through their visual scan.
  5. MindGeek asserted in its written representations that moderators may, in certain circumstances (e.g., in relation to content eligible to be monetized, where the performer’s face is not clearly shown), undertake further checks of ID and consent documentation.
  6. In addition to this primary moderation, secondary moderation staff review content that is already live or that was live but has been temporarily removed as a result of a takedown request.Footnote 38 Since 2020, secondary moderation involves a small team reviewing all content that went live in the past 24 hours.Footnote 39 Secondary moderators visually scan videos and images for indications that may violate MindGeek’s TOS.
  7. Finally, each week, MindGeek sends a file containing links to the content uploaded to its websites from the previous week to a third-party compliance vendor, who performs a further review of the content using both technological tools and human review. Any potential content violations identified by the vendor are communicated to the team referred to in para. 113, for further investigation.
Ceasing the download function:
  1. In mid-December 2020, MindGeek removed the ability for users to download copies of content from the Specified Websites, with the exception of paid downloads within its verified Model Partner Program (i.e., models can sell videos, see para. 84). However, we note that content can still be easily captured using various software tools or simply by recording the video with a camera.

Assessment of MindGeek’s amended practices

  1. We find that by continuing to rely solely on the uploader to verify consent, MindGeek fails to ensure that it has obtained valid and meaningful consent from all individuals depicted in content uploaded to its websites. Consequently, MindGeek continues to be in contravention of Principle 4.3 and section 6.1 of PIPEDA.
  2. As stated above, we find that given the sensitivity of the personal information and the fact that certain uploaders can be motivated to intentionally post content without affected individuals’ consent, MindGeek must obtain express consent directly from each individual depicted in content uploaded to its websites. Even if MindGeek’s amended consent practices were implemented perfectly — which they are not (as explained below) — they cannot constitute a replacement or substitute for direct, express, meaningful consent, and could in fact give a false sense that individuals’ personal information is being protected.
MindGeek does not request consent documentation for each individual before content goes live
  1. The respondent has provided conflicting representations with respect to types of uploaders and associated content (e.g., models vs. verified uploaders, whether the uploader appears in the content or not). Furthermore, in certain circumstances, MindGeek’s practices for verification of consent documentation for each type of uploader may have changed during the course of our investigation. However, MindGeek still does not obtain verified meaningful express consent directly from each individual depicted in uploaded content, whether or not the uploader appears in that content. MindGeek continues to rely on uploaders to obtain that consent, and in many circumstances will not verify that such consent has actually been obtained.
  2. For example, MindGeek allowed content uploaded by individuals who were not depicted in the content to go live online for up to two weeks, without first obtaining consent documentation from all individuals depicted in the content. Moreover, in an estimated 70% of those cases, the documentation was never provided by the uploaders. As stated above, in response to our PRI, MindGeek indicated that it no longer collects this kind of content on its websites unless the uploader first provides government-issued identification for each participant depicted in the content. Our Office has received no evidence to support this assertion. In any event, even if accurate, this change does not address MindGeek’s failure to obtain consent directly from each individual depicted in content prior to or at the time of upload.
  3. In the case of the Complainant, her ex-boyfriend who uploaded the content was depicted in the video. For this category of videos, MindGeek does not require the uploader to submit any consent documentation for other individuals portrayed in the content. Although MindGeek may later ask for such documentation if there is a red flag, such as a complaint or request for takedown, in such cases the content would have already been live, viewable and reproduceable by the public on MindGeek’s websites.
Deterrent and remedial actions are not a replacement for MindGeek’s obligation to obtain consent directly from all individuals depicted in the content
  1. MindGeek represented to our Office that its current process, which it claimed now requires uploaders to have their government identification verified by a third party (Yoti) and to provide a method of payment (through registration in the Model Partner Program), is designed to make uploaders more accountable for the content they upload. MindGeek claimed that this acts as a strong deterrent against content being uploaded to its websites without consent, given that uploaders’ personally identifiable information can be provided to law enforcement authorities, where warranted.
  2. Regardless of whether MindGeek’s new uploader verification process may mitigate, to some extent, the risk of non-consensual content being uploaded to its websites, these deterrent and remedial actions are entirely insufficient to ensure compliance with PIPEDA’s consent requirements. Indeed, while these measures may discourage some users from uploading non-consensual content, they pose no impediment to them doing so, as demonstrated in para. 133 and following.
  3. Furthermore, the effectiveness of deterrent measures may vary depending on the individual and the jurisdiction in which they reside. We note that users around the world upload content onto MindGeek websites, and uploaders may be unaware of the potential consequences of uploading non-consensual content. Moreover, not all jurisdictions have comparable criminal law protections against the upload of such content.
  4. Additionally, we have received no evidence demonstrating that MindGeek has referred any uploader of non-consensual content (other than CSAM) to law enforcement authorities. In response to this statement in our PRI, MindGeek asserted that image-based abuse offences require proof of lack of consent at the time of distribution, which MindGeek cannot reliably determine from the removal requests it receives. MindGeek also indicated that while it works with law enforcement whenever appropriate, there is no coordinated international law enforcement approach to reporting distribution of non-consensual content. These challenges, identified by MindGeek, simply undermine its own arguments regarding the deterrent effect flowing from its ability to report uploaders to law enforcement.
  5. In any event, even if MindGeek were to refer all uploaders of non-consensual content to the appropriate authorities, these referrals would always occur after the uploads have taken place, meaning that individuals’ intimate images would have already gone live and been viewed, with the high potential to cause irreparable harm. These remedial actions would in no way equate to MindGeek having met its obligation to obtain express and meaningful consent directly from implicated individuals before collecting their personal information.
  6. Finally, MindGeek’s ‘banning’ process for uploaders who have been found to contravene its TOS, such as by not providing required consent documentation, does not absolve MindGeek of its obligation to obtain consent.
  7. Moreover, the banning process was clearly ineffective. Given that only emails and usernames were blocked, the ban could be easily circumvented by creating a new account using a different name and email address,Footnote 40 and resubmitting the same ID for verification. In response to our PRI, MindGeek explained that in October 2022, it implemented an improved method for banning users, by their legal name “using the known personal information of the user”. However, we have received no additional evidence to explain how this new method of tracking banned uploaders functions, or to substantiate its effectiveness.
  8. Regardless of whether such individuals are eventually banned from MindGeek’s websites, any content they posted will have already been collected by MindGeek, reviewed by MindGeek employees, and made available for public viewing for a period of time on its websites, until it is removed. In these cases, harm will have already occurred before MindGeek bans the user who uploaded it.
Content review (moderation and audits) is not an appropriate measure to verify consent
  1. Despite the fact MindGeek indicated that the number of videos reviewed per day per moderator is now lower than in 2015 (but still as many as 500 per day), and that moderators now have the support of additional tools and advanced technology, we continue to find, as explained in para. 69, that moderation is neither a viable nor appropriate tool to determine whether an individual has consented to their personal information being uploaded to and disclosed via MindGeek sites.
  2. Moderation, and in particular automated tools, may be effective in preventing the upload of some, but not 100%, of content depicting non-consensual acts. It is foreseeable that the amount of content caught by such tools would be substantially lower if MindGeek were to obtain direct express consent, with associated identity verification, from each individual depicted in uploaded content.
MindGeek continues to allow highly sensitive content to be posted without consent, risking significant harm to affected individuals
  1. Despite the changes that MindGeek has made to its policies and procedures since late 2020, MindGeek continues to collect, use and disclose highly sensitive content without consent. Until at least the summer of 2022, an estimated 70% of verified users who uploaded content that they were not depicted in failed to provide MindGeek with required consent documentation, resulting in content being “live” and accessible on MindGeek’s sites for up to two weeks. As indicated above, in response to our PRI, MindGeek indicated that it no longer collects such content without identification from all participants. However, we have received no evidence to support this claim, and in any event, this change does not address our finding that MindGeek must obtain consent directly from all participants.
  2. Furthermore, in cases where the uploader is depicted in the content, MindGeek does not systematically collect consent documentation that the uploader has supposedly obtained from other individuals depicted in the content. As such, MindGeek has no knowledge of the proportion of individuals, other than uploaders, who have actually consented to having their intimate images uploaded.
  3. Moreover, despite the changes it has made to its policies and procedures, MindGeek’s own internal “Pornhub Monthly Non-consensual Content Reports” (the “NCC report”)Footnote 41 suggest that non-consensual content continues to be collected, used and disclosed on its websites. For example, according to the January 2022 report:
    1. 85% of content removals relating to content in the category of “non-consensual distribution” via PornhubFootnote 42 were the result of complaints by individuals who indicated that they had not provided consent for their intimate images and videos to be collected, used and disclosed by Pornhub. The remaining removals resulted from law enforcement requests (13%) and internal moderation (less than 2%). This illustrates how ineffective MindGeek’s processes, and in particular its internal moderation processes (which only caught 2% of the content taken down for having been distributed without consent), are at assessing whether consent has been obtained for the disclosure of content to its websites;
    2. 97% of removed content (all categories, including “non-consensual distribution”) had already been posted live, meaning that only 3% of content was caught by MindGeek’s primary moderation practices. Videos removed following content removal requests had been viewed on average approximately 35,000 times for content uploaded prior to January 2021, and 11,000 times for content uploaded from January 2021 to January 2022. In these instances, affected individuals would have been at extreme risk of suffering serious reputational and other harms, as described in para. 59.
    3. Of the videos uploaded and removed in January 2022 specifically, 45% were removed after they went live and had an average of 714 views prior to removal. This confirms that even in a short period of time (i.e., less than a month), content can be viewed by many users, causing a significant risk of harm.
  4. In response to our PRI, MindGeek claimed that the NCC reports cannot be used to draw the conclusion that non-consensual content continues to be collected, used and disclosed on MindGeek websites, because the reports are not limited to describing removals that relate to image-based abuse. In particular, MindGeek indicated that the reports do not delineate content where the person depicted never provided consent, from content in which consent was subsequently withdrawn. It explained that the results may also include copyright infringement claims, claims by those not depicted in the content, and claims related to consensual content that depict non-consensual acts.
  5. That said, we note that the NCC reports include a category that is specifically named “non-consensual distribution”. MindGeek appears to claim that such content may include videos that were, in fact, uploaded with consent that was later withdrawn. However, this explanation is, on its face, inconsistent with the name of the category, and MindGeek provided no evidence or further statistics to substantiate its assertion. Furthermore, the NCC reports show various other types of content that would appear to constitute image-based abuse, and which are still being uploaded to MindGeek websites. For example, the 1,900 videos referenced in the January 2022 report included videos under the following categories: (i) non-consensual recording; (ii) non-consensual acts; and (iii) non-consensual manipulated content (i.e., content that appropriates a real person’s likeness without their consent). We remain of the view that these reports demonstrate that videos continue to be uploaded without the consent of one or more individuals depicted therein.
  6. Given the sensitivity of intimate images and the significant risk of harm associated with the non-consensual distribution of such content, as well as the demonstrated risk of uploaders misrepresenting consent obtained from others depicted therein, we find that MindGeek cannot meet its obligation to ensure that it has obtained meaningful consent to collect, use and disclose content on its websites. Specifically, it cannot meet its consent obligation without obtaining separate ‘express consent’ from each verified individual directly, before or at the time of the upload.
  7. MindGeek failed, and continues to fail, to obtain valid consent for its collection, use and disclosure of highly sensitive personal information, including that of the Complainant, in contravention of principle 4.3 of Schedule 1 of PIPEDA. Consequently, we find that this aspect of the complaint is well-founded.

Issue 2: MindGeek’s content takedown process (Challenging Compliance and Withdrawal of Consent)

  1. For the reasons outlined below, we find that, at the time relevant to the complaint, MindGeek failed to provide individuals who had never consented to the upload of their personal information (“requesters”) with an easily accessible, simple-to-use and effective process for having content containing their personal information removed from its websites (the “takedown process”).
  2. MindGeek’s takedown process can be extremely onerous and ineffective for individuals who do not have the full details of videos they are seeking to have removed from MindGeek’s websites. Furthermore, until recently, the process still required individuals to identify each instance of content they wanted to have removed (i.e., including different iterations of the same content).
  3. While MindGeek’s recent implementation of a “callback feature” (described below) may have improved the identification and removal of other iterations of the same taken-down content, it is still unclear to what extent this new feature can identify potential matches across all content available on MindGeek’s websites (in particular, content uploaded before the callback feature was in place).
  4. Finally, MindGeek still lacks a mechanism that can remove and delete all instances in which an individual’s personal information appears across MindGeek’s websites (i.e., different videos depicting the same individual). This issue is exacerbated by the fact that MindGeek does not obtain direct consent from each individual depicted in the content, such that those individuals may not be aware of, or have all the details of, all the content that has been posted containing their personal information.
  5. According to Principle 4.10 of the Act, an individual must be able to address a challenge concerning compliance with the principles of PIPEDA to the designated individual or individuals accountable for the organization’s compliance.
  6. Principle 4.10.2 further specifies that organizations must put procedures into place to receive and respond to inquiries about their policies and practices relating to the handling of personal information and ensure that these complaint procedures are easily accessible and simple to use.
  7. MindGeek indicated to our Office that its “takedown process” is the mechanism by which individuals can challenge its compliance with PIPEDA, including where they allege that the content was uploaded without their consent. This process has evolved since 2015.
  8. In 2015 (i.e., the time relevant to the complaint), Youporn’s TOS stated that to submit a request for the removal of uploaded content, an individual had to contact the support team and submit a ticket, providing the URL of the content. The Youporn TOS also indicated that following a request, content “should be taken down within 24-48hrs”. Pornhub’s 2015 TOS did not refer to or explain this process.
  9. Since 2020, individuals who did not consent to the collection, use and disclosure of their personal information contained in content uploaded to MindGeek’s websites have been able to request that the content be removed via the following processes:Footnote 43
    1. The requester must submit an electronic Content Removal Request Form, providing details such as a valid email address, their name, the URL of the content they would like removed, a declaration as to whether they had agreed to the distribution of the content, and the reasons why they are requesting the content be removed.
    2. MindGeek indicated to our Office that they undertake various searches to confirm the requester’s identity and the validity of the takedown request. These searches include a verification of the requester’s name against the IDs on file, emails and a web search of the requester’s name across various social medial sites.
    3. On Pornhub, if the requester’s email address is verified and the request includes a valid URL, the content in question is automatically set to pending, which temporarily hides the content while the matter is being investigated by the secondary moderation team.Footnote 44 If the email address is not verified, the moderation team will generally set the content to pending provided that the Content Removal Request Form is otherwise valid. For example, MindGeek represented that the Content Removal Request Form would be considered invalid if it has been completed in a fraudulent manner, such as by a competitor seeking to have top model content taken down. Content Removal Request Forms for the other Specified Websites are sent directly to the moderation team without automatically disabling the content, such that the content would remain viewable until a decision has been made regarding the takedown request.
    4. If the URL is not provided, the moderation team will ask the requester to provide any other information that could help them locate the content, such as the title, username or the time and date of when the content was uploaded.
    5. If the takedown request is determined to be valid, the moderators will go back to the uploader to request that they provide new proof of consent and IDs, for verification, for all individuals depicted in the content. According to a senior compliance officer that we interviewed during our site visit, “videos are only ever reactivated if (they) receive fresh copies of the IDs” from the uploader. MindGeek claimed that it puts the onus on the uploader to provide proof of consent, rather than requiring that the requester verify their own ID, in part because sometimes fraudulent takedown requests are received from individuals who are not depicted in the videos (e.g., competitors, as described above, or users of the websites). MindGeek further claimed that it wishes to simplify the process and minimize potential harms for the requester.
    6. If the uploader is unable to provide valid documentation, the content will be deemed non-consensual and permanently removed, and the uploader’s account (username and email address) will be ‘banned’. In that case, every video uploaded under the banned username, whether it was consensual or not, will be deleted.
  10. As a preliminary matter, we fail to see how it could be appropriate, under the stated objective of making the process simpler and less harmful to the requester, for MindGeek to ask the uploader to confirm consent of the requester, who has just alleged that the uploader did not have such consent. While this may allow MindGeek to determine whether the uploader has violated its TOS and is required to be banned pursuant to its policies (i.e., for failing to obtain consent), any consent documentation provided by the uploader to evidence such consent would, at best, create a situation of conflicting claims. This untenable situation could have been avoided in many cases had MindGeek obtained direct consent from each individual depicted in content prior to or at the time of upload. A direct consent process would not only have ensured that valid consent was obtained, but it would also have provided MindGeek with a mechanism to keep track of videos associated with an individual.
  11. In response to the PRI, MindGeek provided new information on the takedown process. Requesters are now able to enter up to five URLs in the content removal form. As mentioned previously under Issue 1, MindGeek also claims that as of October 2022, it now bans users who have breached TOS by their legal names “using the known personal information of the user”.
  12. MindGeek further represented, for the first time, in response to our PRI, that for takedown requests based on non-consent, even where the uploader does provide the requested documentation, the content will still be removed — it will be treated as a withdrawal of consent. While this would be a positive development, this explanation is inconsistent with the information provided during the interviews, as described in para. 146(v). This new explanation is also inconsistent with the respondent’s Content Removal Request process, provided to our office by MindGeek in January 2022, which states that “if all requested documents were provided, then we can reinstate the video and account”.
  13. MindGeek further asserted in response to the PRI that “the OPC failed in its analysis of this process to consider the competing contractual rights of uploaders who have a claim to the content and have confirmed that consent from all participants in it has been obtained”.
  14. Notwithstanding any contractual rights that uploaders may have vis-à-vis MindGeek and/or individuals appearing in the uploaded content, MindGeek must, pursuant to PIPEDA, provide a mechanism for challenging compliance that is accessible and easy to use.

MindGeek’s process for challenging compliance was not accessible

  1. In 2015, the takedown process was not easily accessible. While the process was explained in the Youporn TOS, it was not explained in the Pornhub TOS or privacy policy.
  2. The process is now more clearly explained in the TOS of both websites. We also noted that there is now a link at the bottom of each Pornhub webpage that brings the user to the Content Removal page.

MindGeek’s process for challenging compliance was not, and is not, simple to use

  1. However, we find that the takedown process is still not “simple to use”, as required by the Act, for individuals who did not originally provide direct consent for the upload of their personal information to MindGeek’s websites. MindGeek’s Manager of Tubes and Performers Compliance, who led the team responsible for searching for content that has been requested to be taken down, explained that it is difficult to identify or locate content without specific information such as the URL, the title of the content, the uploader’s username and/or time of upload. Failure to provide at least one of these pieces of information would often prevent MindGeek from locating and removing the content from its websites, despite its efforts to do so. Individuals who never consented to the upload of content in which they appear often would not know, or would be unable to find, all of the content depicting them that had been uploaded to MindGeek websites.
  2. Furthermore, at the time of the complaint, the process required individuals to submit separate requests for each URL they wished to have taken down from the website, including for situations where the same, or similar content (e.g., edited partial clip) was posted on Pornhub or various other MindGeek websites. In the case of the Complainant, the takedown process placed a significant burden and emotional toll on her to identify where all copies of her intimate images were located on the websites owned and operated by MindGeek. Furthermore, the Complainant had to make repeated requests to have her intimate images and personally identifying information removed from MindGeek’s websites. In fact, this would have been a potentially traumatizing process for many individuals seeking to remove their intimate images from MindGeek websites.
  3. There also was, and continues to be, no process for an individual depicted in different instances of content originating from distinct videos or images to request that all their personal information be removed from MindGeek’s websites. The process is therefore neither effective nor simple to use for individuals who do not have access to detailed information about each and every instance of the content they wish to see removed from MindGeek’s websites.

In 2015, MindGeek’s takedown process was not effective at preventing further uploads of the same, or other, content depicting the requester

  1. In addition to not being simple to use, MindGeek’s takedown process was, at the time relevant to the complaint, ineffective at preventing further uploads of content containing an individual’s personal information, when the individual had clearly informed MindGeek that it did not have their consent.
  2. In 2015, following a takedown request, non-consensual content was often re-uploaded to MindGeek’s websites. The risk of re-upload was exacerbated by the fact that viewers could download the content from MindGeek’s websites. Once downloaded, the content could be edited or disseminated and re-uploaded by any number of viewers other than the original uploader. Individuals would therefore have to submit repeated takedown requests to keep their personal information off MindGeek’s websites. While the download function is no longer available on MindGeek websites, as explained in para. 115, other tools are still available to capture video for further dissemination and re-upload at a later time.
  3. In the case of the Complainant, the removed content was repeatedly re-uploaded to various different MindGeek websites after takedown. The Complainant had to request the costly services of a professional takedown service, due to the onerous nature of the takedown process and the constant proliferation of her intimate images across the internet. In one instance, her content that was re-uploaded in late 2015, remained live on MindGeek’s website for two years until it was removed as a result of a request by the takedown service.
  4. More recently, MindGeek has leveraged “fingerprinting” technology, described above at para. 109, in an attempt to prevent same or similar (i.e., derivative or edited) versions of removed content from being re-uploaded to its websites. MindGeek represented that when content is removed following a takedown request, MindGeek will fingerprint the non-consensual content using both Vobile’s MediaWise, a third-party automated audiovisual identification system, and MindGeek’s own tool, SafeGuard,Footnote 45 to assist in identifying and blocking the re-upload of suspected non-consensual content. MindGeek’s Manager of Tubes and Performers Compliance stated that fingerprinting “in most cases, prevents reupload of content, unless it is heavily modified”. We asked MindGeek to provide our Office with internal reports on the effectiveness of this mechanism, but MindGeek stated in their response that they had no such reports to provide to our Office.
  5. MindGeek initially represented to our Office that it did not review the already-live content on its websites to find and remove other instances of content that it had removed pursuant to its takedown process. It indicated, however, that it was in the process of developing a ‘callback feature’ into the SafeGuard tool to address this.
  6. In response to the PRI, MindGeek specified that it now fingerprints all content uploaded to its sites before it goes live, and that the callback feature has been implemented. It explained that this tool allows for the automatic and near-instant screening of already-live content to remove any content matching the fingerprint of taken-down content.
  7. This would appear to be an improvement in that it could limit the need for an individual to search for other instances of content that they want taken down. That said, based on the evidence provided to our Office, MindGeek did not clearly demonstrate how this practice has been implemented, and in particular, if MindGeek has retroactively fingerprinted the millions of videos previously uploaded to its websites before the callback feature was in place, to allow it to effectively identify all potential matches.
  8. Furthermore, this technology will not assist in finding other content depicting the requester, where that content does not originate from the banned content (i.e., different videos or images depicting the same individual, with a different fingerprint). MindGeek represented that it is developing a feature that would include facial analysis, which would allow it to identify and “call back” separate instances of content depicting the face of an individual whose content has been taken down. However, we have received no indication that this feature has been implemented yet. Additionally, in its representations to our Office, MindGeek itself noted the limits to the effectiveness of such tools, stating that “at this time, like with other non-adult social media platforms, there is no reasonable tool that allows websites that permit user uploaded content [to] facilitate a user opting out of having any Content that depicts them uploaded. This is because of the infinite ways in which the Content itself could be captured and the currently limited capacity of technology and humans to assess this Content at the scale required.”
  9. In any event, while we accept that fingerprinting technology and the callback feature could assist in identifying content that has been flagged as non-compliant, based on the evidence submitted during our investigation, our Office is not in a position to comment on the effectiveness of this technology, other than to say that, as discussed in para. 160, it is not 100% effective.
  10. That said, regardless of how effective these tools may be, and recognizing that the use of facial recognition technologies may pose other potential privacy concerns, we note that at best, these tools simply seek to mitigate the harm that has already occurred as a result of MindGeek’s collection, use and disclosure of intimate content without consent.
  11. Given the above, we find that MindGeek did not provide individuals who claim that MindGeek never had their consent with an accessible, simple to use and effective mechanism to have the content containing their personal information removed from its websites. It therefore contravened Principles 4.10 and 4.10.2 of PIPEDA, such that this aspect of the complaint is well-founded.
  12. In fact, it is likely impossible for MindGeek to implement such a mechanism in a context where MindGeek does not obtain direct express consent from each individual depicted in the content.

Issue 3: Accountability

  1. The nature of the cumulative contraventions identified through our investigation are indicative of MindGeek’s broader lack of accountability for the vast amount of highly sensitive personal information under its control.
  2. PIPEDA provides that an organization is responsible for the personal information under its control (Clause 4.1 of Schedule 1).
  3. In our view, MindGeek’s lack of accountability is demonstrated by the many deficiencies our investigation identified in MindGeek’s privacy practices, which are wholly inconsistent with an organization taking responsibility for giving meaningful effect to the privacy principles, and legal requirements, under PIPEDA.
  4. Instead of taking responsibility for obtaining consent directly from the individuals whose personal information appears in content uploaded to its websites, MindGeek continues to rely on uploaders for that consent, even in the face of overwhelming evidence that this results in the posting of vast amounts of intimate content without consent:
    1. It is well documented that many uploaders will upload content without such consent, including in the context of image-based abuse.
    2. Until at least the summer of 2022: most “verified uploaders” who did not appear in the content — an estimated 70% — failed to provide required consent documentation during the two-week period when the content was accessible on MindGeek’s websites. MindGeek did not systematically request that uploaders who appeared in the content provide proof of consent for other individuals depicted therein.
    3. Pornhub’s own Monthly Non-Consensual Content reports suggest that non-consensual content is still regularly uploaded and viewed by thousands of users before it is removed.
  5. MindGeek essentially outsources these critical privacy responsibilities to uploaders whose interests are not necessarily aligned with the protection of privacy.
  6. Moreover, MindGeek purports to rely on human moderators — expected to review hundreds of videos per day — as part of its determination of whether an individual has consented to the upload of their content to MindGeek’s websites, despite the fact that such consent cannot be inferred with any level of certainty or confidence from such a review.
  7. MindGeek also put the onus on individuals who never consented to the upload of their intimate images on its websites to undertake the often extremely onerous and emotionally taxing task of identifying and locating all the individual pieces of content that they would like removed across a large number of MindGeek websites, and to submit separate takedown requests for each five times their content appears on a MindGeek website. Its new callback feature would appear to assist with the identification of content flagged as non-compliant, as indicated in para. 162. However, MindGeek did not demonstrate the extent to which this feature can screen and identify potential matches across the entire collection of content available on its websites, particularly for content that was uploaded before the callback feature was implemented.
  8. At least until recently, MindGeek relied on “banning” uploaders to deter those individuals from uploading further content without consent, among other TOS violations, despite the fact that those uploaders could create new accounts and upload further non-consensual content by simply creating a new email address and username. While MindGeek claimed in response to our PRI that, as of October 2022, it now bans users by their legal names using the known personal information of the user, this process is a remedial measure that only occurs after sensitive content has already gone live on MindGeek’s websites.
  9. MindGeek surely benefits commercially from these non-compliant privacy practices, which result in a larger content volume/stream and library of intimate content on its websites. However these practices also create a high risk of causing serious collateral damage in the form of devastating harms to individuals whose most sensitive personal information is shared on the internet without their knowledge and consent, including reputational and financial damages, mental health issues and attempted suicide.Footnote 46
  10. Considering all of the above, we find that MindGeek failed to be accountable as required under Principle 4.1 of Schedule 1 of the Act. Consequently, this aspect of the complaint is well-founded.

Other

  1. There are many allegations of CSAM having been found on MindGeek websites, and on pornographic websites in general.Footnote 47 Children are a vulnerable group, who are greatly harmed by the creation and distribution of CSAM. While our investigation focused on issues of privacy, and not CSAM, in our view, the measures we propose in our recommendations, below, would not only protect the privacy of all individuals whose sensitive personal information may be collected, used or disclosed via MindGeek's websites, but would also provide greater protection to children.

Recommendations

  1. With a view to bringing MindGeek into compliance with PIPEDA, we recommended that the organization:
    1. Immediately cease the collection, use and disclosure of user-generated intimate images and videos, and associated personal information, via its websites, until it has implemented measures to address all PIPEDA contraventions identified in this report, and complied with all recommendations below.
    2. As soon as legally possible, delete all content for which consent compliant with the recommendations below has not been obtained for each individual whose personal information appears in such content, and have any third-party processors, with whom it shared such information, delete the information as well.
    3. Establish, within 9 months, and afterwards maintain, a privacy management program to ensure compliance with the Act, consistent with our Office’s guidance on Accountability.Footnote 48 This should include, without limitation: (i) designating an individual to be accountable for the organization’s compliance with PIPEDA and developing a governance system to ensure the protection of personal information; (ii) allocating the necessary resources (human, technological, etc.) to privacy protection, including hiring, training and effectively supervising staff to carry out moderation and content removal tasks at an appropriate scale; (iii) developing policies and procedures, and associated training, to ensure that employees understand how to handle personal information and the importance of protecting personal information; and (iv) implementing security safeguards, policies and procedures to protect personal information under its control.
    4. Agree to oversight by a qualified independent third-party monitor, appointed by and serving to the benefit of the Privacy Commissioner of Canada, at the expense of MindGeek, to monitor and regularly report on MindGeek’s compliance with the above recommendations for a period of five years.
  2. Finally, we required a commitment from MindGeek that it would not recommence, in the future, the collection, use and/or disclosure of user-generated intimate images, unless it is in a manner that complies with the following recommendations:
    1. Implement measures to ensure that it obtains express, meaningful and valid consent directly from each individual whose personal information is included in uploaded content. Such consent must be in compliance with PIPEDA and the “must do’s” outlined in our Office’s Guidelines for Obtaining Meaningful Consent. In particular, but without limitation, consent should be obtained in a timely manner, before or at the time when individuals’ personal information is collected. It should also inform individuals about the nature, purposes and consequences of the MindGeek’s practices, in a comprehensible and understandable manner. Additional emphasis should be placed on the following key elements:
      1. what personal information is being collected,
      2. with which parties personal information is being shared,
      3. for what purposes personal information is being collected, used or disclosed, and
      4. any other consequences associated with the upload of content to its websites, including but not limited to the potential sharing of the content across the internet resulting in a loss of control over the uploaded content.
    2. Implement measures to validate and ensure that such consent is in fact obtained from the individuals appearing in the content, and that those individuals are of an age such that they can, in fact, legally provide consent.
    3. To the extent that MindGeek’s revised consent and identity verification practices result in the collection of personal information of individuals, considering the high-level of sensitivity of such information in the context, implement robust security safeguards to protect that information in a manner that is compliant with PIPEDA requirements, including, but not limited to, by minimizing the collection and retention of such information to that which is necessary.
    4. Ensure that individuals are provided with a simple-to-use and easily accessible takedown mechanism to request that certain or all content including their personal information be removed from MindGeek websites and deleted. In doing so, MindGeek must implement measures to ensure that:
      1. the takedown process allows for the identification and removal of all the personal information of a requester held by MindGeek, including but not limited to all uploaded content and identifying personal information contained in the title and tags of videos containing the requester’s personal information;
      2. robust safeguards are in place to protect against unauthorized re-uploads by individuals who have previously been found to breach MindGeek’s terms of service in a manner that contravenes the Act; and
      3. all content taken down is immediately, or as soon as legally possible, deleted.
  3. We informed MindGeek that we would be seeking to conclude a Compliance Agreement with MindGeek to address the above recommended measures.

MindGeek’s Response

  1. As detailed in this report, MindGeek expressly disagreed with our conclusions and indicated that it could not provide a complete substantive response to the various recommendations within the set deadline, given that the major business changes contemplated by the recommendations could not be evaluated in the imposed timeline.
  2. MindGeek further asserted that the justification for these recommendations was based upon a substantial misunderstanding of its current practices and the potential for public risk associated with those practices, and upon an unsubstantiated risk of abuse of MindGeek's platforms by third party uploaders.
  3. We disagree. The potential risks and harms associated with the non-consensual uploading of sexually explicit content are well documented. In this context, the conclusions in this report regarding MindGeek's compliance with PIPEDA are based on MindGeek's failure to obtain direct consent from each individual whose sensitive personal information is contained in content uploaded to MindGeek's websites.
  4. MindGeek indicated a willingness to continue discussions regarding this investigation. However, as of the time of writing this report, more than fourtheen months since the issuance of our PRI, MindGeek has not taken the necessary responsibility and corrective measures to redress the significant privacy harm that we uncovered in our investigation. It has not committed to following any of our recommendations, nor has Mindgeek proposed any meaningful alternative measures to address the contraventions we identified.
  5. We therefore issue our report of findings in this matter.
  6. Originally scheduled for release in May 2023, the investigation report was delayed as Aylo pursued legal proceedings against the OPC. This included seeking an order barring release of the report pending the completion of its litigation. The report is being released now as Aylo was unsuccessful in that attempt.

Conclusion

  1. For all the reasons above, we find this complaint to be well-founded, and unresolved.
  2. We expect that our findings in this matter will inform the privacy practices of other organizations similarly situated to MindGeek, and more specifically the form of consent such organizations must obtain when collecting, using and disclosing user-generated sexually explicit content.

Table of Contents

Overview

Complaint and Background

MindGeek

Issues and Scope

Methodology

Analysis

Jurisdiction

Issue 1: Consent

Issue 2: MindGeek’s content takedown process (Challenging Compliance and Withdrawal of Consent)

Issue 3: Accountability

Other

Recommendations

MindGeek’s Response

Conclusion

Footnotes

Date modified: