The central issue in CIPPIC’s allegations was knowledge and consent.
Our Office focused its investigation on whether Facebook was providing a sufficient knowledge basis for meaningful consent by documenting purposes for collecting, using, or disclosing personal information and bringing such purposes to individuals’ attention in a reasonably direct and transparent way.
Enhancing the experience likely encourages existing members to continue to use the site and presumably encourages others to join as well – thereby indirectly contributing to the success of Facebook as a commercial enterprise.
In that sense, collection, use and disclosure of personal information in relation to a feature without an apparent direct commercial link can still be characterized as occurring “in the course of commercial activity” in the sense required under the Act. One of the key concepts of the Act is that of one’s control of their personal information.
All other information is uploaded voluntarily by the user for the express purpose of sharing it with others. To be sure, individuals do post personal information for purely personal reasons.
Nonetheless, personal information posted by individuals for purely personal purposes that would otherwise be exempted under the Act does fall under the Act and imposes obligations on Facebook to the extent that Facebook uses such personal information in the course of commercial activities.
Executive Summary Complaint Introduction Section 1 – Collection of Date of Birth Section 2 – Default Privacy Settings Section 3 – Facebook Advertising Section 4 – Third-Party Apppcations Section 5 – New Uses of Personal Information Section 6 – Collection of Personal Information from Sources Other than Facebook Section 7(a) – Account Deactivation and Deletion Section 7(b) – Accounts of Deceased Users Section 8 – Personal Information of Non-Users Section 9 – Facebook Mobile and Safeguards Section 10 – Monitoring for Anomalous Activity Section 11 – Deception and Misrepresentation Summary of Conclusions Appendix A Appendix B Letter from OPC to CIPPIC outpning its resolution with Facebook The complaint against Facebook by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) comprised 24 allegations ranging over 12 distinct subjects.
These included default privacy settings, collection and use of users’ personal information for advertising purposes, disclosure of users’ personal information to third-party application developers, and collection and use of non-users’ personal information.
There is no conflict between the same information being both for personal purposes and commercial purposes.
Such scenarios are particularly clear in the parts of the report that deal with advertising and non-user personal information. It is reasonable to assume that those features of the site that do not have an obvious link to its business model are included to enhance the user’s experience on Facebook.
On four subjects (e.g., deception and misrepresentation, Facebook Mobile), the Assistant Commissioner found no evidence of any contravention of the Act and concluded that the allegations were not well-founded.
On another four subjects (e.g., default privacy settings, advertising), the Assistant Commissioner found Facebook to be in contravention of the Act, but concluded that the allegations were well-founded and resolved on the basis of corrective measures proposed by Facebook in response to her recommendations.
On the remaining subjects of third-party applications, account deactivation and deletion, accounts of deceased users, and non-users’ personal information, the Assistant Commissioner likewise found Facebook to be in contravention of the Act and concluded that the allegations were well-founded.