First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls

By Adam Gorley | June 25, 2012 | 5 minute read

Three Facebook legal challenges businesses should know about

Over the brief period of Facebook’s existence, the company’s practices have provided a rich source of knowledge for businesses and other organizations that collect and use customers’ information, operate online or generally fall under the Personal Information Protection and Electronic Documents Act (PIPEDA) or other privacy legislation.
Three instructive cases have come before the Privacy Commissioner of Canada in the last couple of years.
Does Facebook obtain consent to collect and use non-users’ information?
In 2010, three complainants—none of them Facebook users at the time—alleged that the company was collecting and using their personal information without their knowledge or consent. The complainants each received invitations by email to join Facebook; the invitations included accurate “friend suggestions”—existing users that Facebook believes the invitee might know. They worried that “Facebook had inappropriately accessed their email address books (or that of their friends).”
The commissioner found that Facebook did—and does—collect and use non-users’ information to suggest friends to invitees, and it did so without invitees’ knowledge or consent. The company might in fact access the external email address books of users, but only with their consent. However, Facebook failed to ensure that it obtained the non-users’ consent to the use of their email addresses (provided by their Facebook-user friends) and failed to inform them of the intended use of their email address. Finally, Facebook failed to provide a convenient procedure for non-users to opt out, prior to the use of their email addresses to suggest friends.
The commissioner ruled that the complaints against Facebook were well-founded. However, over the 18 months of the investigation, the company modified its practices to comply with PIPEDA. Now, in its initial invitation email, Facebook asks non-users directly for consent to use their information to suggest friends, and offers them a clear opt-out mechanism. Friend suggestions only show up in a follow-up email from Facebook, if the non-user consents in the initial invitation.
Persons who are not Facebook users might still worry about Facebook collecting and storing their email addresses, whether it uses them or not. The company continues to rely on existing users to obtain consent to collect invitees’ information. “Since 2009,” the commissioner notes, “Facebook’s Statement of Rights and Responsibilities advises users of the need to obtain the consent of their friends prior to initiating an invitation request.” But this complaint was specifically about how the company used the data, not how it collected it.
Facebook does not share user or non-user information with websites that host Facebook plug-ins
In July 2011, the privacy commissioner reported on its investigation into whether Facebook shares personal information with third-party sites through “social plug-ins.” The “Like” and “Recommend” buttons that you see on news websites, blogs and just about everywhere else are examples of social plug-ins. Facebook describes them as “buttons and boxes designed to display certain Facebook functionality on third-party websites.” The complainant argued that the company was sharing his and other users’ information through these plug-ins, and without consent or knowledge.
The commissioner found that while Facebook collects certain personal information with its social plug-ins, it doesn’t share that information with the third party hosting the plug-in. The host page only embeds the plug-in; the site visitor’s Internet browser then contacts Facebook directly to load it, so the request (and the data it carries) never passes through the third-party host.
Nonetheless, Facebook does collect users’ information via its social plug-ins, which has implications for their privacy. Specifically, the company collects what it calls “log-level data,” which consists of:

  • The date and time a visitor visited the web page
  • The address of the webpage the visitor is visiting
  • The visitor’s general geographic location
  • The visitor’s browser cookie identification
  • The internet protocol (IP) address associated with the visitor’s computer
  • The browser and operating system being used by the visitor

The privacy commissioner dismissed the complaint as not well-founded.
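To make the data flow concrete, the following is an added example, not code from the article or from Facebook. It builds a constructed host page that embeds a plug-in from a hypothetical provider, shows that the host page contributes nothing but the embed markup, and then derives the six “log-level” fields listed above from a single constructed browser request to the provider. Domain names, the cookie name, header values and the geolocation table are all made up; the example also goes slightly beyond the text by handling the case where the browser sends no Referer header, since the embed’s own URL parameter can still name the page.

```javascript
// Added example (not from the article or from Facebook): why a third-party
// social plug-in receives visitor data straight from the browser, and how the
// "log-level" record falls out of that one request. All names are hypothetical.

// 1. What the host site contributes: markup pointing the browser at the
//    plug-in provider. The host never proxies the visitor's request.
const HOST_PAGE_HTML = `<html><body>
<h1>Some news story</h1>
<iframe src="https://plugins.social.example/like?href=https%3A%2F%2Fnews.example%2Fstory%2F42"
        width="100" height="20"></iframe>
</body></html>`;

// Return the distinct third-party origins a host page embeds via iframes.
function embeddedPluginOrigins(html) {
  const origins = new Set();
  const re = /<iframe[^>]*\ssrc="([^"]+)"/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    origins.add(new URL(m[1]).origin);
  }
  return [...origins];
}

// 2. What the plug-in provider receives: the browser's own request, carrying
//    the visitor's IP, the cookies set for the provider's domain, the
//    User-Agent and (unless a referrer policy suppresses it) the Referer of
//    the host page. Constructed request; every value is made up.
const PLUGIN_REQUEST = {
  url: 'https://plugins.social.example/like?href=https%3A%2F%2Fnews.example%2Fstory%2F42',
  remoteAddress: '203.0.113.7',
  receivedAt: '2012-06-25T14:03:11Z',
  headers: {
    host: 'plugins.social.example',
    referer: 'https://news.example/story/42',
    'user-agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5',
    cookie: 'visitor_id=v-7f3a9c; locale=en_CA',
  },
};

// Parse a Cookie header into a name -> value map.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// The page the visitor is on: taken from Referer when present, otherwise from
// the plug-in's own `href` parameter. Suppressing Referer alone therefore does
// not hide the page address when the embed names it.
function visitedPageUrl(req) {
  if (req.headers.referer) return req.headers.referer;
  return new URL(req.url).searchParams.get('href') || null;
}

// Hypothetical coarse geolocation: a constructed prefix table standing in for
// a real IP-to-region database.
const GEO_TABLE = { '203.0.113.': 'Ontario, CA', '198.51.100.': 'Quebec, CA' };
function coarseRegion(ip) {
  const prefix = Object.keys(GEO_TABLE).find((p) => ip.startsWith(p));
  return prefix ? GEO_TABLE[prefix] : 'unknown';
}

// Build the log-level record (the six fields in the report) from one request.
function logLevelRecord(req) {
  return {
    timestamp: req.receivedAt,                                   // date and time of the visit
    pageUrl: visitedPageUrl(req),                                // address of the page visited
    region: coarseRegion(req.remoteAddress),                     // general geographic location
    cookieId: parseCookies(req.headers.cookie).visitor_id || null, // browser cookie identifier
    ip: req.remoteAddress,                                       // visitor's IP address
    userAgent: req.headers['user-agent'] || null,                // browser and operating system
  };
}

console.log(embeddedPluginOrigins(HOST_PAGE_HTML));
console.log(logLevelRecord(PLUGIN_REQUEST));
```

Run with `node` to see the single origin the host page hands off to and the record the provider can log from one request. The point for a site operator is that nothing in this record is visible to, or controllable by, the host page beyond the decision to embed the plug-in at all.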
Is it reasonable for Facebook to require a user’s phone number in order to verify the user?
In September 2011, the privacy commissioner responded to a complaint that Facebook was requesting more information than it needed to give users access to their accounts. The complainant also argued that Facebook offered no means to challenge the company’s privacy practices.
The commissioner found:

Facebook’s verification procedure responds to a need to confirm the identity of the user when Facebook finds suspicious activity on an account, and to provide a safe community experience. By offering a variety of choices for authentication, our office finds that Facebook does not require the user to consent to the collection of the user’s personal information beyond which is required to fulfil the purposes.

The commissioner also disagreed with the allegation that Facebook didn’t offer her a way to complain about the privacy policy, contrary to PIPEDA:

According to Principle 4.10.2 of the Act, Facebook is required to provide complaint procedures for challenging compliance that are easily accessible and simple to use. Our investigation established that Facebook provides a web form at the beginning of its privacy policy that allows users to complain to Facebook regarding a privacy issue.

Facebook described a number of ways users can comment on the company’s privacy practices. They can comment through several privacy-specific contact forms; these messages go to Facebook’s “user operations privacy team, which handles user comments, concerns, questions and complaints related to Facebook’s privacy policy and to privacy issues related to their platform.” They can also contact TRUSTe, an industry privacy certification organization, through its Watchdog Dispute Resolution Process. TRUSTe accepts user reports of “violations of posted privacy statements and specific privacy concerns pertaining to TRUSTe member websites,” including Facebook.
Therefore, the commissioner concluded that the complaint was not well-founded.
In each case, the commissioner offered several lessons for organizations that handle customers’ personal information, including:

  • At the earliest opportunity, obtain individuals’ knowledge and consent to collect and use their information
  • Provide users with clear and understandable information about how your organization uses their personal information, including when introducing new features
  • When introducing new features that use personal information, evaluate the privacy impacts of those features ahead of their public introduction in order to reduce the need to make corrections after the fact and after an individual’s privacy has been affected
  • Allow individuals to access any of their personal information you hold and to have that information removed upon request
  • Offer users and non-users a direct method to request access to their information
  • Provide users with a variety of means through which they can authenticate their identities
  • Provide privacy-complaint procedures that are easily accessible and simple to use

Covering how Facebook protects user and non-user information, these cases clarify some of the social network’s more public practices, and should offer some reassurance that it respects personal information and is responsive to reasonable complaints.
Besides clarifying how Facebook collects, uses and shares the social network’s users’ and non-users’ information, the case reports present valuable insight into the workings of the network and clearly explain various specific technical aspects of how the company uses information. They will be worth a read for organizations and individuals interested in learning more about a private system many Canadians interact with daily.
Adam Gorley
First Reference Internal Controls and Compliance Editor
About Adam Gorley

Adam Gorley is a copywriter, editor and researcher at First Reference. He regularly contributes to First Reference Talks, Inside Internal Controls and other First Reference publications. He writes about general HR issues, accessibility, privacy, technology in the workplace, accommodation, violence and harassment, internal controls and more.