What happened
On June 11, 2026, the Office of the Privacy Commissioner of Canada (OPC) published PIPEDA Findings #2026-004. The OPC found that X Corp. (operator of platform X) and X.AI LLC (developer of Grok chatbot) violated PIPEDA by failing to obtain valid consent from individuals whose personal information was collected, used, and disclosed to create explicit, sexualized deepfakes via Grok's image generation service. The Commissioner-initiated investigation was launched on January 15, 2026. The OPC found the purpose — enabling sexualised deepfake generation — would not be considered appropriate by a reasonable person, regardless of consent. During the investigation, X and xAI introduced new safeguards to reduce deepfake misuse risk and proactive sweeps to detect/remove harmful content. The OPC will continue monitoring implementation.
Why it matters
This is the first major Canadian privacy enforcement finding directly targeting an AI image-generation capability. It establishes that under PIPEDA: (1) consent cannot legitimise collection/use of personal data to generate sexualised deepfakes; (2) the 'reasonable person' appropriateness test applies to the AI use case itself, not just consent mechanics. This creates binding compliance precedent for all AI image-generation services operating in Canada, and signals how privacy commissioners globally may approach AI-generated intimate content.
Action needed
AI image/video generation service operators with Canadian users must: (1) assess whether their services can generate intimate or sexualised content; (2) implement technical safeguards to prevent such generation; (3) review consent frameworks — consent alone is insufficient if the use is inherently inappropriate under PIPEDA. Implement proactive detection and removal systems for harmful AI-generated content.