Canadian Privacy Commissioner: Facebook Violates National Law

Friday, July 17, 2009 at 05:16 PM EDT

The Privacy Commissioner of Canada, a federal regulator responsible for overseeing compliance with that country’s broad data protection statute, has issued a long-awaited report on Facebook’s privacy practices. The investigation was triggered by a formal complaint filed by students at the University of Ontario’s cyberlaw clinic. The result is a comprehensive and sophisticated analysis that gives Facebook deserved credit for attention to privacy in some areas, but identifies troubling aspects of its practices that are unlawful in Canada. The full report is worth a look; an official summary is here; and Canadian cyberprof extraordinaire Michael Geist has written up a good overview as well.

As news coverage (see here and here) emphasizes, the Commissioner’s main concern is the extent to which third-party applications within the Facebook platform slurp up personal information irrelevant to their functions. The report also identifies some ways in which Facebook’s disclosures of its practices are insufficiently clear and criticizes certain data retention practices (particularly after deactivation of accounts). The Commissioner suggested changes Facebook could make to comply with the law; if Facebook has not taken adequate corrective action after 30 days, the Commissioner may initiate a lawsuit in Canadian court.

I highlighted the Ottawa clinic’s complaint in my article about social marketing (which, of course, went to the printer just a few days too early to add mention of the report!). So I was especially interested in the report’s analysis of Facebook’s advertising practices. In my view, the Commissioner gets it partly, but not entirely, right, stating:

A Social Ad uses the individual’s actions, thumbnail photo and name to promote a certain product or service. The ad then becomes part of the News Feed and intertwines itself in the regular interactions of the user and his or her friends. In effect, the Social Ad takes on the appearance of an endorsement of the product by the user. For this reason, users would not reasonably expect their information to be used in such a manner and they should, as is the current situation, be able to opt out of such an active use of their personal information.

It seems to me, and I argue in the article, that a social marketing endorsement like the one described here should require an opt in — not only for privacy and reputation reasons, but also for information quality (to ensure it is a true endorsement). In practice, though, since the effective demise of Facebook’s Beacon program, these sorts of social ads only occur when you take actions within Facebook, and in those situations it seems to me reasonable to assume implicit opt-in — after all, why do you “become a fan” of something in Facebook if not to “share” with your friends? The report does go on to criticize the clarity of disclosure about the use of information for social marketing and the difficulty of locating the opt-out. The Commissioner proposed more frequent reminders, but Facebook objected, and the report concludes that if Facebook makes its policies clearer and more accessible that will be good enough.

Overall, a great example of the careful (and collaborative) work a robust privacy regulator can do if given the necessary legal muscle and adequate resources. Now let’s see how Facebook responds next month…