Over the brief period of Facebook’s existence, the company’s practices have provided a rich source of knowledge for businesses and other organizations that collect and use customers’ information, operate online or generally fall under the Personal Information Protection and Electronic Documents Act (PIPEDA) or other privacy legislation.
Three instructive cases have come before the Privacy Commissioner of Canada in the last couple of years.
Does Facebook obtain consent to collect and use non-users’ information?
In 2010, three complainants—none of them Facebook users at the time—alleged that the company was collecting and using their personal information without their knowledge or consent. The complainants each received invitations by email to join Facebook; the invitations included accurate “friend suggestions”—existing users that Facebook believes the invitee might know. They worried that “Facebook had inappropriately accessed their email address books (or that of their friends).”
The commissioner found that Facebook did—and does—collect and use non-users’ information to suggest friends to invitees, and it did so without invitees’ knowledge or consent. The company might in fact access the external email address books of users, but only with their consent. However, Facebook failed to ensure that it obtained the non-users’ consent to the use of their email addresses (provided by their Facebook-user friends) and failed to inform them of the intended use of their email address. Finally, Facebook failed to provide a convenient procedure for non-users to opt out, prior to the use of their email addresses to suggest friends.
The commissioner ruled that the complaints against Facebook were well-founded. However, over the 18 months of the investigation, the company modified its practices to comply with PIPEDA. Now, in its initial invitation email, Facebook asks non-users directly for consent to use their information to suggest friends, and offers them a clear opt-out mechanism. Friend suggestions only show up in a follow-up email from Facebook, if the non-user consents in the initial invitation.
Persons who are not Facebook users might still worry about Facebook collecting and storing their email addresses, whether it uses them or not. The company continues to rely on existing users to obtain consent to collect invitees’ information. “Since 2009,” the commissioner notes, “Facebook’s Statement of Rights and Responsibilities advises users of the need to obtain the consent of their friends prior to initiating an invitation request.” But this complaint was specifically about how the company used the data, not how it collected it.
Facebook does not share user or non-user information with websites that host Facebook plug-ins
In July 2011, the privacy commissioner reported on its investigation into whether Facebook shares personal information with third-party sites through “social plug-ins.” The “Like” and “Recommend” buttons that you see on news websites, blogs and just about everywhere else are examples of social plug-ins. Facebook describes them as “buttons and boxes designed to display certain Facebook functionality on third-party websites.” The complainant argued that the company was sharing his and other users’ information through these plug-ins, and without consent or knowledge.
The commissioner found that while Facebook collects certain personal information with its social plug-ins, it doesn’t share that information with the third party hosting the plug-in. The plug-in uses the site visitor’s Internet browser to contact Facebook, without going through the third-party host.
Nonetheless, Facebook does collect users’ information via its social plug-ins, which has implications for their privacy. Specifically, the company collects what it calls “log-level data,” which consists of:
- The date and time a visitor visited the web page
- The address of the webpage the visitor is visiting
- The visitor’s general geographic location
- The visitor’s browser cookie identification
- The internet protocol (IP) address associated with the visitor’s computer
- The browser and operating system being used by the visitor
The privacy commissioner dismissed the complaint as not well-founded.
Is it reasonable for Facebook to require a user’s phone number in order to verify the user?
In September 2011, the privacy commissioner responded to a complaint that Facebook was requesting more information than it needed to give users access to their accounts. The complainant also argued that Facebook offered no means to challenge the company’s privacy practices.
The commissioner found:
Facebook’s verification procedure responds to a need to confirm the identity of the user when Facebook finds suspicious activity on an account, and to provide a safe community experience. By offering a variety of choices for authentication, our office finds that Facebook does not require the user to consent to the collection of the user’s personal information beyond which is required to fulfil the purposes.
The commissioner also disagreed with the allegation that Facebook didn’t offer her a way to complain about the privacy policy, contrary to PIPEDA:
According to Principle 4.10.2 of the Act, Facebook is required to provide complaint procedures for challenging compliance that are easily accessible and simple to use. Our investigation established that Facebook provides a web form at the beginning of its privacy policy that allows users to complain to Facebook regarding a privacy issue.
Facebook described a number of ways users can comment on the company’s privacy practices. They can comment on privacy through several privacy-specific contact forms. These messages go to Facebook’s “user operations privacy team, which handles user comments, concerns, questions and complaints related to Facebook’s privacy policy and to privacy issues related to their platform.” They can also contact TRUSTe—an industry privacy certification organization—via its Watchdog Dispute Resolution Process. TRUSTe accepts user reports of “violations of posted privacy statements and specific privacy concerns pertaining to TRUSTe member websites,” including Facebook.
Therefore, the commissioner concluded that the complaint was not well-founded.
In each case, the commissioner offered several lessons for organizations that handle customers’ personal information, including:
- At the earliest opportunity, obtain individuals’ knowledge and consent to collect and use their information
- Provide users with clear and understandable information about how your organization uses their personal information, including when introducing new features
- When introducing new features that use personal information, evaluate the privacy impacts of those features ahead of their public introduction in order to reduce the need to make corrections after the fact and after an individual’s privacy has been affected
- Allow individuals to access any of their personal information you hold and to have that information removed upon request
- Offer users and non-users a direct method to request access to their information
- Provide users with a variety of means through which they can authenticate their identities
- Provide privacy-complaint procedures that are easily accessible and simple to use
Covering how Facebook protects user and non-user information, these cases clarify some of the social network’s more public practices, and should offer some reassurance that it respects personal information and is responsive to reasonable complaints.
Besides clarifying how Facebook collects, uses and shares the social network’s users’ and non-users’ information, the case reports present valuable insight into the workings of the network and clearly explain various specific technical aspects of how the company uses information. They will be worth a read for organizations and individuals interested in learning more about a private system many Canadians interact with daily.
Adam Gorley
First Reference Internal Controls and Compliance Editor