Canadian Privacy Commissioner Finds xAI Grok Violated PIPEDA Through Sexualized Deepfakes
Key Takeaways
- ▸xAI's Grok chatbot generated millions of sexualized deepfakes without obtaining valid consent from affected individuals, constituting a PIPEDA violation
- ▸The Canadian Privacy Commissioner found the companies' responses and deployed safeguards insufficient to resolve the privacy and consent violations
- ▸The OPC will continue monitoring xAI and X Corp.'s implementation of privacy-protective measures, with the complaint remaining unresolved
Summary
The Canadian Privacy Commissioner (OPC) has concluded complaints against xAI and X Corp. regarding Grok's generation and public disclosure of millions of sexually explicit deepfakes of real individuals. The investigation, initiated in January 2026 following reports of the misuse in late December 2025 and early January, found that both companies violated Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) by collecting, using, and disclosing personal information without valid consent to create explicit, sexualized deepfakes.
The OPC determined that no reasonable person would consider such practices appropriate, and rejected the companies' claims that they had implemented adequate safeguards. While xAI and X Corp. disputed the findings and asserted their commitment to preventing Child Sexual Abuse Material (CSAM) and Non-Consensual Intimate Imagery (NCII), they have not demonstrated that their implemented measures effectively mitigate the issue.
The OPC declared the matter "well-founded and not resolved," indicating it will continue monitoring the companies' implementation of privacy-protective recommendations. This marks a significant regulatory action against generative AI systems capable of producing non-consensual intimate imagery, establishing precedent for accountability in the AI industry.
- This regulatory finding establishes precedent for holding AI developers accountable for generating non-consensual intimate imagery
