OTTAWA, July 16, 2009 – The Office of the Privacy Commissioner of Canada has completed an in-depth investigation into a wide-ranging complaint about the privacy practices and policies of Facebook, a social networking website. The complaint was filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC).
The investigation was conducted under PIPEDA, the Personal Information Protection and Electronic Documents Act, which is the federal private-sector privacy law.
Our investigation concluded that four aspects of the complaint were well founded. Another four were well founded but considered to be resolved after Facebook agreed to make specific changes to its policies or practices. The final four issues raised by the complaint were dismissed as not well founded.
Here are examples from each of the three categories of our findings. The full report is available on our website at www.priv.gc.ca.
Well-founded allegation of the complaint: Third-party applications
One key allegation of the complaint that we upheld as well founded related to Facebook’s disclosure of personal information to third-party developers who create applications, such as games, quizzes and classified ads, that run on the Facebook platform. There are more than 950,000 application developers in some 180 countries.
When users add an application, they consent to giving the application’s developer access to some of their personal information, as well as that of their “friends.” Moreover, the only way that users can refuse to share personal information when their friends add applications is by opting completely out of all applications, or blocking specific applications.
Based on our investigation, we recommended that Facebook implement technological measures to restrict application developers’ access to only the user information essential to run a specific application. We also called on Facebook to ensure that users are informed of the specific information that an application requires, and for what purpose.
We further recommended that users signing up for an application be asked for express consent to provide their personal information to third-party developers. Measures are needed to prohibit all disclosure of the personal information of users who are not themselves adding an application.
Facebook has not agreed to the recommendations.
Well-founded and Resolved allegation of the complaint: Facebook advertising
The complainant alleged that Facebook was not making a reasonable effort to notify users clearly that their personal information is used for advertising purposes.
Our Office examined the two types of ads on Facebook that use personal information – “Facebook ads,” which are targeted to demographic profiles or key words in a user’s profile, and “social ads,” which are triggered by actions such as becoming a fan of a page or joining a particular group.
Social ads are inherently intrusive because they use people’s actions, thumbnail photos and names to promote products and services. The ads give the appearance that a user is endorsing a particular product. Users can, however, opt out of this type of ad.
On the other hand, users cannot opt out of Facebook ads. But, because only users can see the ads being targeted at them, we considered them to be less invasive.
Facebook agreed in principle to describe advertising more clearly and to configure its systems to allow users to more easily find information about advertising.
Not Well-founded allegation of the complaint: Deception and misrepresentation
The complainant alleged that Facebook was misrepresenting itself by claiming to be purely a social networking site when, in fact, it was engaged in other activities, such as advertising and third-party applications, and did not clearly explain this involvement. The complainant also alleged that Facebook was misrepresenting users’ level of control over their personal information.
We found no evidence that Facebook was willfully misleading or deceiving users about the purposes for which it collects information, or that it is obtaining consent through deception.
The Road Ahead
The Privacy Commissioner has given Facebook 30 days to comply with any unresolved recommendations. During that time, our Office will continue to work with the company to address any outstanding concerns.
Under PIPEDA, the Privacy Commissioner can apply to the Federal Court of Canada to have her recommendations enforced.