Facebook findings highlight the need for legislative reform

Investigation findings | Facebook’s response | How the concerns identified demonstrate federal privacy law must be strengthened

Consent and safeguards

  • Facebook failed to obtain meaningful consent from users installing third-party applications for the disclosure of their personal information to those applications.
  • Facebook failed to obtain meaningful consent from the friends of installing users. Consent was generally sought on registration, in relation to disclosures that would occur years later, to unknown apps for unknown purposes. Facebook relied on installing users to provide consent on behalf of their friends.
  • Facebook relied on overbroad and conflicting language in its privacy communications.
  • Facebook’s safeguards were inadequate to protect personal information of users. The company relied on contractual terms with apps to protect against unauthorized access but never verified that the apps’ privacy policies provided sufficient information to obtain meaningful consent.


  • Facebook should implement measures to ensure that it obtains meaningful consent from installing users and their friends.
  • That consent must:
    • clearly inform users about the nature, purposes and consequences of the disclosures;
    • occur in a timely manner, before or at the time their personal information is disclosed;
    • be express where the personal information to be disclosed is sensitive.

Facebook disputed the validity of the findings and refused to implement the recommendations.

The Office of the Privacy Commissioner of Canada’s interpretation of the law should be binding on organizations.

To ensure effective enforcement, the Commissioner should be empowered to make orders and impose fines for non-compliance with the law.


  • Facebook failed to take responsibility for protecting the personal information of its users. Instead, Facebook attempted to shift responsibility for protecting personal information to the apps on its platform, as well as users themselves.
  • The lack of accountability is even more concerning given that an investigation of Facebook in 2009 highlighted very similar concerns. In response to that investigation, Facebook adopted an approach that superficially presented appropriate mechanical steps but in reality did not offer real protection.
  • Facebook’s privacy protection framework was empty.


  • For the next five years, Facebook should permit the federal and BC Privacy Commissioners’ offices to conduct audits of the company’s privacy policies and practices to assess compliance with privacy laws.


Facebook disputed the validity of these findings and refused to implement the recommendations.

Canada’s federal private sector privacy law should authorize the Office of the Privacy Commissioner of Canada to inspect the practices of organizations to ensure compliance with the law. In this manner, organizations that do not act responsibly would be held accountable. It is not enough for an organization to say it is accountable. It must be able to show it is accountable.
