Facebook (2008-2010)

On May 30, 2008, CIPPIC filed a 35-page student-driven Complaint under PIPEDA against Facebook, alleging 22 separate violations of the Act by the popular social networking site. The complaint focused upon improving knowledge and control over how user information is being collected, used and disclosed on the site. It additionally set out to establish a set of norms governing the increasing concentrations of personal information seen online in social networking sites such as Facebook. On July 16, 2009, the OPC released PIPEDA Case Summary #2009-008, CIPPIC v. Facebook, its comprehensive report of findings on CIPPIC's complaints. In this finding, the Assistant Privacy Commissioner found that the majority of CIPPIC's complaints were well-founded. She additionally provided Facebook with 30 days to agree to comply with the rulings she had made in the finding. On August 25, 2009, the OPC released a Letter of Resolution outlining Facebook's willingness to comply with its initial finding. This resolution established a one-year timeline for Facebook to bring itself into compliance.

On December 9, 2009, Facebook made sweeping changes to its privacy settings, purportedly in an attempt to bring itself into compliance with the OPC's finding. As part of this transition, Facebook defaulted many of its users' privacy settings so as to better align these with its recommendations. These changes, however, have raised serious privacy concerns and, in CIPPIC's view, failed to meet the standards set out in that finding, as well as the requirements of PIPEDA. On February 20, 2010, CIPPIC provided Facebook with a comprehensive Statement of Concerns with respect to the nature of new changes on its site. In this statement, CIPPIC has asked Facebook to indicate its willingness to respond to its concerns within 30 days.

Core issues raised by social networking sites relate to the degree of knowledge and control users are given over how their personal information will be collected, used and further disclosed. This is particularly the case with respect to information designated as 'public' by default and with respect to the unbridled degree of access Facebook provides any application or website developer to the personal information of its users. In addition, there are concerns surrounding the extent to which personal information is retained on the site once Facebook no longer has any reasonable use for it. With respect to the December transition in particular, CIPPIC has suggested that Facebook failed to meet clear standards set out in PIPEDA, and as such did not have the informed, meaningful consent of its users for the changes it recommended to them. CIPPIC has asked in its statement of concern that Facebook commit, among other things, to undo any changes that resulted therefrom as well as to provide users with greater control over information it now forces them to make 'public'. On February 24, 2010, CIPPIC received, in response to an Access to Information request, correspondence between the OPC and Facebook (Nov 13; Dec 7) indicating that the Privacy Commissioner's office had similar concerns.

In changes made to its site in April and May of 2010, Facebook responded to some of CIPPIC's concerns, as stated in its Statement. In particular, and to its credit, Facebook has improved ease of access to privacy settings on its site. In addition, Facebook has somewhat improved transparency surrounding what user information application and website advertisers/developers can access when a user interacts with their services. As outlined in a letter sent to Facebook on May 28, 2010, CIPPIC believes Facebook has failed to address the core concerns raised by the operation of its site and as such remains in violation of PIPEDA. In particular, Facebook continues to pre-select default settings for its users that do not reflect reasonable expectations or the sensitivity of the information in question. Also, it does not appear that Facebook intends to provide granular control over data provided to advertisers/developers.

On September 22, 2010, the Privacy Commissioner closed its ongoing investigation into Facebook, reaching conclusions that in CIPPIC's view did not mesh well with the OPC's statements of concern in late 2009, nor with its Letter of Resolution.

Subsequent complaints to the Privacy Commissioner by third parties, with which CIPPIC was not involved, involving sharing through social plug-ins (such as the "Like" button) and over-collection for identity authentication purposes, were rejected as not well-founded on the basis of adequate disclosure in Facebook's site.