Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA Report of Findings #2012-002

Report of Findings
Facebook didn’t get non-members’ consent to use email addresses to suggest friends, investigation finds


Summary

Three complainants received an email invitation to join Facebook, along with so-called “friend suggestions” (i.e., a list of Facebook users and profile photos that the complainants appeared to know). Although none of the complainants were Facebook users themselves, the invitation appeared on behalf of a Facebook user they knew with a rendering of social connections that was on the whole relatively accurate. Absent any additional information, the complainants believed that Facebook had inappropriately accessed their email address books (or that of their friends).

As well, one complainant was concerned that Facebook was maintaining a profile about her, without her knowledge and consent.

Although the Office did not find any evidence that Facebook had accessed the email address books of the complainants, or was maintaining personal profiles about non-users, the Office did find that Facebook had failed to meet the knowledge and consent requirements under the Personal Information Protection and Electronic Documents Act. In particular,

  • Facebook had failed to obtain the consent for the use of a non-user’s email address for purposes of generating friend suggestions;
  • Facebook had failed to inform non-users of the proposed use of their email address; and
  • Facebook had failed to establish a convenient procedure for opting out, prior to the use of a non-user’s email address.

Further to our recommendations, Facebook now provides clear and adequate notice to non-users that their email addresses may be used to generate friend suggestions, and offers non-users an easy to use opt-out mechanism. In light of the changes implemented by the company over the course of our investigation, the complaints were found to be well-founded and resolved.

Lessons Learned

  • Where an organization uses personal information – in this case, a non-user’s email address for generating friend suggestions – that organization must obtain the knowledge and consent of the individual at the earliest opportunity;
  • Companies introducing new features which use personal information should evaluate the privacy impacts of those features ahead of their public introduction. Such an approach would help reduce the need to make corrections after the fact and after an individual’s privacy has potentially been affected.

Complaints under the Personal Information Protection and Electronic Documents Act (the Act)

1. The complainants alleged that Facebook, Inc. (“Facebook”) inappropriately accessed their electronic address books (or that of their friends) and used the personal information contained therein without their consent. In all three cases, the complainants received an email invitation to join Facebook which included so-called “friend suggestions” (i.e., a list of Facebook users, along with their respective profile photos, whom the complainants were likely to know).

2. Although none of the complainants were Facebook users themselves, the invitation appeared on behalf of an individual Facebook user they knew. Each invitation contained a rendering of social connections that was on the whole relatively accurate. Absent additional information, the complainants believed that Facebook’s friend suggestions were based on personal information retrieved from their electronic address books or that of their friends.

3. In addition to the above, one complainant was concerned that Facebook had created a profile about her without her knowledge and consent.

4. Facebook was first notified of the complaints on August 11, 2010. Initial representations were received from the company on September 8, 2010. The present report reflects the findings of our investigation.

Summary of Investigation

5. In October 2009, in an effort to expand its subscriber base, Facebook introduced its Friend Suggestion feature. The feature allows Facebook users to upload the email addresses of non-users to their Facebook contacts and to invite people they may know to join the site. Non-Facebook users are enticed to subscribe to the site through a series of emails and reminders, some of which include friend suggestions.

6. Friend suggestions are generated automatically and spontaneously by Facebook using algorithms that identify other users who have:

  1. imported the non-user’s email address;
  2. previously sent the non-user an invitation;
  3. invited the non-user to an event; or
  4. tagged the non-user in a photo.

7. Facebook states that it does not know whether these individuals are known to the non-user.

8. Facebook invitations are initiated by users of the site, not by Facebook itself. In this regard, our Office has previously held that Facebook may reasonably rely on its members to obtain the consent of non-users for purposes of sending a Facebook invitation.[1] In doing so, however, Facebook is required to do its part in ensuring that users are obtaining the consent of their friends prior to initiating an invitation request. Since 2009, Facebook’s Statement of Rights and Responsibilities advises users of the need to obtain the consent of their friends prior to initiating an invitation request.

9. When initiating an invitation, a Facebook user is advised that invitations should only be sent to people they know personally. The statement on Facebook’s invitation form, just below the “invite” button reads: “Please send invites only to people you know personally who will be glad to get them”. Facebook users are further advised that Facebook may send up to two invitation “reminders”. Facebook users may preview the initial invitation to be sent, but not the ensuing reminders. Reminders are sent automatically by Facebook following the first invitation, should the invitee fail to unsubscribe.

10. The following example highlights how Facebook’s Friend Suggestion feature generally works. Jane is a Facebook user, who wishes to invite a friend (Mark) to join the social networking site. Mark is not a Facebook user, and has no prior relationship with the company. Jane uploads Mark’s email address to her Facebook account. She then initiates an invitation to Mark to join Facebook using the Facebook platform. Prior to sending the Facebook invitation, Jane is required (as per Facebook’s Terms of Use), to obtain Mark’s consent for the use of his email address for purposes of sending a Facebook invitation. Jane is reminded by Facebook that she should only send invitations to people she knows.

11. While users may personalize their Facebook invitation, the invitation may also be sent out using a standard greeting. In our example above, the standard greeting might read: “Hi Mark, Jane is inviting you to join Facebook. Once you join, you’ll be able to see updates, photos and more from your other friends... and share your own”. All invitations bear the company’s Facebook logo.

12. Once Jane initiates an invitation, Facebook may search the Facebook contacts (i.e., the address books of Facebook users on Facebook) for Mark’s email address, and/or other common data points. Indeed, Mark may know several Facebook users, many of whom may have uploaded his email address to their Facebook contacts. Linkages may also be drawn using information provided by Jane (or other Facebook users) during the identification (or “tagging”) of Mark in Facebook photos, or by way of other information collected through user-generated event invitations. Resulting matches, if any, along with other data matches, are then used to identify and select Facebook users that Mark may know.

13. According to Facebook, friend suggestions are entirely system generated. Sophisticated algorithms are used to link non-Facebook users with existing users using common sets of data. Most commonly – but not exclusively – Facebook relies on the email addresses of non-users (as they exist in the electronic address books uploaded by Facebook users, or in previously sent friend and event invitations) to generate friend suggestions.

14. We note that an individual whose email address had been uploaded by a Facebook user retains the right to access that information and to have that address removed upon request. Access requests can be made directly to Facebook by a non-user.

15. At the time our investigation was initiated, Facebook invitations provided limited disclosure and notice to invitees about the invitation process and/or the company’s Friend Suggestion feature. Non-users were able to unsubscribe from future invitations and emails, but the unsubscribe button did not figure prominently in Facebook’s email invitations.

16. Furthermore, at the outset of our investigation, the first invitation received by a non-user also included suggestions of people on Facebook a non-user might know. These friend suggestions, included in the initial Facebook invitation, featured the profile names of existing Facebook users along with their posted profile pictures.

17. While all three complainants expressed some degree of irritation at having received an unsolicited invitation to join Facebook, that invitation, in and of itself, was not central to the privacy complaints received by this Office. It was Facebook’s ability – through its Friend Suggestion feature – to accurately connect each complainant to other people which was the subject of their concern, especially since the complainants were not users of the site.

18. In light of the above, our Office undertook a comprehensive examination of Facebook’s Friend Suggestion feature and looked into the company’s use of the complainants’ personal information in this context. The examination included the creation of multiple test accounts, and the initiation and review of the company’s invitation process. We also reviewed select privacy and security features, and checked to see if there were adequate privacy notices and disclosures where appropriate.

19. In our technical review, we also considered the nature of the information at issue, and the reasonable expectations of non-Facebook users when faced with a Facebook invitation with accompanying friend suggestions. In this respect, the shared experiences of complainants proved particularly insightful.

Application

February 8, 2012

20. In making our determination on the issues above, we looked to the purpose of the Act under section 3, and applied Principles 4.2.4, 4.3, 4.3.2, 4.3.4, 4.3.5 and 4.3.6 of Schedule 1 of the Act.

21. Section 3 of the Act sets out the purpose of the Act, which is “to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances”.

22. Principle 4.2.4 states that where personal information is to be used for a purpose not previously identified, the new purpose shall be identified prior to use. Unless the new purpose is required by law, the consent of that individual is required before information can be used for that purpose.

23. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information. Principle 4.3.2 goes on to say that organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. Principle 4.3.4 provides that the form of consent sought by an organization may vary, depending on the type of information in question and the circumstances in which it is being used.

24. Finally, Principle 4.3.5 states that, in obtaining consent, the reasonable expectations of the individual are also relevant. Context is therefore important. Principle 4.3.6 provides that an organization should generally seek express consent when the information is likely to be considered sensitive, but also provides that implied consent would generally be appropriate when the information is less sensitive.

Analysis

25. At their core, these complaints concern whether Facebook obtained the knowledge and consent of each of the complainants, with whom it had no prior existing relationship, in order to use their email addresses for the purpose of generating friend suggestions.

26. While the complainants raised suspicions that Facebook had accessed their e-mail address books without their knowledge and consent, we found these suspicions to be unfounded. Given the limited information available to them at the time of their complaint, the complainants shared some understandable suspicions surrounding Facebook’s ability to access or acquire information from their electronic address books. However, our investigation did not uncover any evidence that Facebook had accessed the complainants’ personal address books or that of their friends. Indeed, our investigation confirmed that Facebook does not, and cannot, access the address books of non-Facebook users through its Friend Suggestion feature.

27. Furthermore, with respect to the complainants’ allegations that Facebook was creating a profile about them, we also found such allegations to be unfounded. Notwithstanding the mechanics of Facebook’s Friend Suggestion feature, we found no evidence that Facebook is engaged in the practice of tracking or storing the personal information of non-users. As well, the company’s Friend Suggestion feature does not involve the disclosure of information to third parties; Facebook maintains that friend suggestions generated during the invitation process are not disclosed or otherwise made known to anyone except the recipient of the invitation.

28. Given the above, we focussed much of our investigation on the issue of whether Facebook was obtaining the meaningful consent of each of the complainants in order to use their e-mail addresses for the purpose of generating friend suggestions.

29. Since the email address of an individual is considered personal information under the Act, the knowledge and consent of an individual is required prior to its collection, use or disclosure, unless a relevant exception under section 7 of the Act applies. In our view, there are no relevant exceptions under section 7 that would apply in this case.

30. The use of a non-user’s email address for the purpose of generating friend suggestions entails the processing of that e-mail address by Facebook through its algorithm, and therefore constitutes a separate use of personal information for which Facebook must itself obtain meaningful consent.

31. At the time of our investigation, friend suggestions were bundled within Facebook’s first invitation to non-users. These invitations provided limited notice to invitees about the Friend Suggestion feature and little information to non-users on how their personal information was being used to generate friend suggestions. More significantly, Facebook had already used the non-users’ email addresses to generate friend suggestions without first providing the non-users with any of the above information, or any meaningful opt-out mechanism. Therefore, at the time our investigation was commenced, we were of the view that Facebook was using a non-user’s email address for the purpose of generating friend suggestions without meaningful knowledge and consent.

32. However, over the course of our investigation, and following discussions with our Office and the data protection authority in Hamburg (Germany), Facebook made a number of changes to its Friend Suggestion feature.

33. In particular, Facebook agreed to remove friend suggestions from initial email invitations, opting to send friend suggestions only in subsequent reminders. In addition, the initial invitation, as well as subsequent reminder e-mails, provide the non-user with a more prominent opt-out mechanism that informs the non-user that his or her email address can be used for generating friend suggestions. It also provides an unsubscribe option, and allows the non-user to (a) learn more about how friend suggestions are generated and sent; and (b) avoid receiving future invitations.

34. The unsubscribe notice now plainly states “If you don’t want to receive these emails from Facebook in the future, or have your email address used for friend suggestions, you can unsubscribe” [emphasis added]. Individuals who unsubscribe are added to Facebook’s “do not email” list, with their email addresses being retained for the purpose of ensuring that the individual no longer receives messages from Facebook.

35. Notwithstanding these changes, the issue remained whether the Act allowed Facebook to rely on the implied consent of a non-user in order to use his or her e-mail address for the purpose of generating and sending a friend suggestion. In other words, could Facebook rely on an “opt-out” approach in the circumstances above?

36. Principle 4.3.4 provides that the form of consent sought by an organization for the use of an individual’s personal information may vary, depending on the circumstances in question and the type of information in use. In determining the form of consent to use, organizations are required to take into account the sensitivity of the information, and the reasonable expectations of individuals.

37. As stated under Principle 4.3.6, an organization should generally seek express (or opt-in) consent when the information to be used is likely to be considered sensitive. Implied (or opt-out) consent would generally be appropriate when the personal information is less sensitive.

38. In the context of this complaint, it is important to bear in mind that a non-user might not reasonably expect that a site like Facebook would use his or her email to create social connections. This is all the more so in the context of this complaint where the complainants, as non-Facebook users, had no prior relationship with Facebook.

39. As well, although an email address may not at first blush be considered to be a sensitive piece of personal information, the existing or presumed social connections between people derived from the use of the e-mail address, in the context of Facebook’s Friend Suggestions feature, could be considered sensitive in certain unique contexts.

40. On the other hand, there is no evidence in the present context that would lead a reasonable person to expect that the use of an email address for the purpose of generating friend suggestions, not seen by anyone but the individual recipient him or herself, would generally be sensitive in nature.

41. Moreover, Facebook argued that an opt-in regime would be wholly unworkable for its Friend Suggestion feature. According to the company, not only would such a process drastically reduce the number of new subscribers generated by user invitations, it was said to be technically impossible to implement a Canadian-only change to the friend suggestion process.

42. Although there may always be unique circumstances that may heighten the sensitivity of otherwise non-sensitive personal information, the interpretation of PIPEDA calls for a reasonable, pragmatic approach. Furthermore, in keeping with the purpose of the Act, there is a need to balance the privacy rights of individuals with the need to facilitate the use of personal information for appropriate commercial purposes. To each of these points, Facebook made representations to our Office which we found compelling.

43. Having considered the issue from both sides, we have come to the following conclusions.

44. In light of the purpose of PIPEDA, and the underlying balance it seeks to achieve between protecting personal information and allowing organizations to use personal information for reasonably appropriate purposes, the Act favours a contextual approach in assessing whether personal information is sensitive for the purpose of determining the appropriate form of consent an organization should seek.

45. Recognizing that an email address could be considered sensitive personal information in certain unique circumstances, in the context of the present complaint, a non-user’s e-mail address for the purpose of suggesting social connections seen by only the non-user, would not generally be considered to be sensitive in nature.

46. Therefore, we accept that an opt-out approach to obtaining consent is appropriate in the present context, provided certain conditions are respected.

47. As previously stated by our Office in our fact sheet entitled Determining the appropriate form of consent under the Personal Information Protection and Electronic Documents Act, and in subsequent guidance documents, opt-out or implied consent may be acceptable where:

  • The personal information is demonstrably non-sensitive in nature and context;
  • The context in which information is shared is limited and well-defined as to the nature of the personal information to be used or disclosed and the extent of the intended use or disclosure;
  • The organization's purposes are limited and well-defined, and stated in a clear and understandable manner;
  • The organization obtains consent for the use or disclosure at the time of collection, or informs individuals of the proposed use or disclosure, and offers the opportunity to opt out, at the earliest opportunity;
  • The organization establishes a convenient procedure for opting out of, or withdrawing consent to, secondary purposes, with the opt-out taking effect immediately and prior to any use or disclosure of personal information for the proposed new purposes.

48. In cases where there is an existing use or disclosure for secondary purposes, the organization must provide an ongoing mechanism for withdrawing consent to the secondary purpose, and should ensure that the withdrawal takes effect with minimal delay.

49. At the time our investigation was initiated, Facebook failed to meet the standards set out under the Act with respect to knowledge and consent. The company’s original invitations provided only limited notice and disclosure to invitees about its Friend Suggestion feature. Non-users were not made aware of the purposes for which their email addresses were being used, and non-users were unable to opt-out of the use of their personal information for the purpose of generating friend suggestions.

50. Since Facebook originally failed to adequately identify the new purposes for which personal information collected was to be used (contrary to Principle 4.2.4), failed to make reasonable efforts to ensure that individuals were advised of those purposes (contrary to Principle 4.3.2), and failed to obtain the knowledge and consent of non-users prior to the use of their e-mail addresses to generate friend suggestions (contrary to Principle 4.3), we find the company to have contravened the Act.

51. However, further to the recommendations of our Office, Facebook now provides clear and adequate notice of its use of e-mail addresses to generate friend suggestions. The company also provides non-users with a convenient and user-friendly manner in which to opt-out of receiving friend suggestions.

Findings

52. Given: (i) the various changes brought by Facebook to its Friend Suggestion feature; (ii) the generally non-sensitive nature of an email address in the context of its use to generate friend suggestions; and (iii) the reasonable expectations of individuals receiving a Facebook invitation in its current, improved form, we are of the view that, in the particular circumstances of these complaints, Facebook may rely on the implied knowledge and consent of non-users to use their e-mail addresses to generate friend suggestions. We especially note the more conspicuous opt-out unsubscribe mechanism Facebook now employs, and the information made available to non-users regarding the Friend Suggestion feature.

53. Based on the above, we find the present complaints to be well-founded and resolved.

[1] See PIPEDA Case Summary #2009-008.