1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

Privacy Commissioner Report on Youth Social Networking Site

Print Friendly

Earlier this month, the Office of the Privacy Commissioner of Canada (“OPC”) released its first  report of findings for 2012. This first report concerned a complaint regarding the privacy practices at a on-line “open community” social networking site popular with youth.

The original complaint against the social networking site was filed in January 2010 by a public interest advocacy group. According to the OPC, the social networking site described itself as an “open community” platform used primarily for youth to “show off to the world”.

The OPC report is lengthy.  In this summary, I focus on five areas.

1.  ”Visible to All” Privacy Settings

The OPC was concerned that default privacy settings were completely open — meaning that user profiles (containing what the OPC considers to be sensitive personal information) could show up in Internet search results.  Some data showed up even in higher privacy settings. In response, the social networking site appears to have argued that the privacy defaults were reasonable given that very few of its users change their privacy settings to a more restrictive setting. When certain blocks of information were given a more restrictive setting by default, 5% of users had lessened the privacy restrictions.

Notwithstanding that users generally did not make their settings more restrictive, the OPC concluded that youth have special vulnerabilities and, therefore, a “reasonable person” would not consider it appropriate for the social networking site to preselect a low privacy setting for users, such that personal information would show up in Internet search results.

2.  Meaningful Consent

The OPC also found that the site failed to get meaningful consent to the collection, use and disclosure of personal information. In this regard, the OPC was also influenced by the age of the typical users of the site. The OPC accepted that parental consent was not required. However, consent had to be obtained in a way that was meaningful given the demographics of the users.

The “take-away” on this point is that the standard privacy policy hyper-link at the bottom of a website may not always be adequate. Given the target audience, the OPC did not consider that the social networking site’s reliance on users to read a lengthy and formal privacy policy was a reasonable way to obtain consent. A more interactive privacy disclosure at point of click was better-suited to the audience. Nevertheless, the OPC accepted a process where a user had to review the privacy policy as part of the registration process.

3. Targeted / Behavioural Advertising

The OPC accepted that the nature of the free social networking service being offered meant that the use of personal information for the purposes of advertising was an acceptable  condition of service, provided there was proper disclosure of information use and sharing practices. The OPC wanted more robust disclosure. Although the OPC did not require the social networking site to permit users to opt-out of third-party tracking cookies, the OPC required enhanced disclosure of third-party cookies in the social networking site’s privacy policy.

4.  Sharing of User IDs for Rewards and Payment Processing

The social networking site disclosed user IDs to its third-party payment processor when users made purchases. In addition, the site disclosed user IDs, age and gender to a rewards company when users participated in certain offers. Apart from deficiencies in the privacy policy disclosure regarding these practices, the OPC had concerns that more information was being shared than was necessary. The OPC was not convinced that the user ID could not be linked back to a user profile. The OPC tested the site using a search function and was able to link to user profiles. Accordingly, OPC recommended that the social networking site use another unique code for payment processing. The social networking site discontinued the rewards program during the course of the investigation.

5.  Retention of Information in Declined Invitations and Deleted Accounts

The OPC also had two significant concerns regarding the retention of information. The first concern related to the use of non-user e-mail addresses. As is common, users of the social networking site could invite their friends to join. Users did not have to confirm that they had their friend’s consent to this use of the friend’s email address. If a non-user did not want to receive further invitations, the non-user could opt-out but the email address will be retained (not surprising if further invitations are to be blocked). The OPC stated that the user who provides the e-mail address should have to confirm that they have the prior consent of their friend. Moreover, the OPC stated that non-users should be given a choice between opting-out and having their e-mail deleted.

A more tricky issue was the issue of what happens with information for deleted accounts.  The OPC reported that when a user clicks the “Delete Account” option, they were informed that: “This will delete your account, including your profile, your pictures, friends list, messages, etc. Your forum posts, comments and messages in other users’ in-boxes will remain.” However, in practice, only the user’s “shouts” were deleted. The user’s user-name, user ID, email address, IP address and log-in information, friends list, gallery pictures, profile contents, messages and comments, and profile photos were archived.

The OPC stated that there should be a true “Delete Account” function and that the disclosure was misleading. The OPC reports that the social networking site has stated that it refuses to implement this recommendation because of the costs of doing so. The position of the social networking site, as described by the OPC, is that the information is only accessible to system administrators and recovered in the event that they receive a warrant from a law enforcement authority.

As this issue is outstanding, the OPC is considering further action.