Social networking site for youth breached Canadian privacy law
A comprehensive investigation of Nexopia by the Office of the Privacy Commissioner of Canada results in two dozen recommendations aimed at providing users with better information about the site’s privacy practices and more control over the sharing of their personal information.
Ottawa, March 1, 2012 — An investigation of a youth-oriented social networking site, Nexopia, has highlighted privacy flaws which must be addressed to bring the site into compliance with Canadian privacy law and better meet the privacy needs of its users, says Privacy Commissioner of Canada Jennifer Stoddart.
“Our investigation found Nexopia has inappropriate default privacy settings; provided inadequate information about a number of privacy practices; and keeps personal information indefinitely – even after people select a ‘Delete Account’ option,” says Commissioner Stoddart.
“While we had good cooperation from Nexopia throughout our investigation and we’re pleased that the organization has agreed to implement most of our recommendations, some important issues remain outstanding.”
This was the Office of the Privacy Commissioner of Canada’s first investigation of a social networking site aimed specifically at youth.
Nexopia, founded in 2003 and based in Edmonton, predates many other popular social media sites. It claims over 1.6 million registered users, with roughly half of users from Alberta and British Columbia.
Prompted by a complaint by the Ottawa-based Public Interest Advocacy Centre, the investigation identified several areas where Nexopia was in breach of federal private-sector privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA). These included:
- Default settings that were particularly inappropriate for Nexopia’s target youth audience, and a lack of clarity about available privacy settings;
- A lack of meaningful consent for the collection, use and disclosure of personal information collected at registration;
- The sharing of personal information with advertisers and other third parties without proper consent; and
- The indefinite retention of personal information.
The investigation resulted in a total of 24 recommendations.
The Privacy Commissioner was satisfied with Nexopia’s response to 20 of those recommendations. In those cases, the allegations are well-founded and conditionally resolved. This finding, which the Office of the Privacy Commissioner of Canada introduced on January 1, 2012, is used when the Office has found that an organization has contravened PIPEDA, but the organization has made an express commitment to demonstrate its implementation of corrective measures within a specified time period after the Office’s findings are issued.
The unresolved issues involve four recommendations aimed at addressing concerns about Nexopia’s retention of users’ personal information. Nexopia keeps personal information indefinitely, even though federal privacy law requires companies to develop retention policies.
We recommended that Nexopia develop a retention policy and offer users a true “delete” option. However, Nexopia has said the costs of implementing system changes to allow for permanent deletion are prohibitively high.
The company has also argued that archiving personal information indefinitely is helpful in the event law enforcement requests data. Our position is that, while such requests or warrants may justify a longer retention period in specific cases, they do not justify wholesale and indefinite retention of all records just in case there may be a request at some point in time.
“We are disappointed with Nexopia’s position with respect to these outstanding issues. We are addressing these unresolved issues in accordance with my authorities under PIPEDA, which include the option of going to Federal Court to seek to have the recommendations enforced,” says Commissioner Stoddart.
Nexopia promotes itself as “the place to be for teens looking to express themselves to the world.” More than a third of active Nexopia users are between the ages of 13 and 18.
“The fact that the site is targeted at younger people strongly influenced our approach in this investigation. Given that so many of Nexopia’s users are young, extra care is needed to ensure that they understand the site’s privacy practices,” says Commissioner Stoddart.
“Other websites targeted at younger people also need to take note of this investigation and ensure they’ve adequately considered the privacy considerations particular to a youth context.”
Young people also need to carefully consider the potential implications of posting personal information online. Over the last few years, the Office of the Privacy Commissioner of Canada has developed a number of tools and outreach programs aimed at helping youth to protect their privacy in the online world. As well, the Office recently launched a tip sheet for parents to help them to speak with their children about these issues.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two federal laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to organizations engaged in commercial activities in the Atlantic provinces, Ontario, Manitoba, Saskatchewan and the Territories. Quebec, Alberta and British Columbia each has its own law covering the private sector. Even in these provinces, PIPEDA continues to apply to the federally regulated private sector and to personal information in interprovincial and international transactions.
- 30 -
For more information (media only), please contact:
Office of the Privacy Commissioner of Canada
NOTE: Journalists are asked to please send requests for interviews or further information via e-mail.