Earlier this month, the Office of the Privacy Commissioner of Canada (“OPC”) released its first report of findings for 2012. This first report concerned a complaint regarding the privacy practices at a on-line “open community” social networking site popular with youth.
The original complaint against the social networking site was filed in January 2010 by a public interest advocacy group. According to the OPC, the social networking site described itself as an “open community” platform used primarily for youth to “show off to the world”.
The OPC report is lengthy. In this summary, I focus on five areas.
1. ”Visible to All” Privacy Settings
The OPC was concerned that default privacy settings were completely open — meaning that user profiles (containing what the OPC considers to be sensitive personal information) could show up in Internet search results. Some data showed up even in higher privacy settings. In response, the social networking site appears to have argued that the privacy defaults were reasonable given that very few of its users change their privacy settings to a more restrictive setting. When certain blocks of information were given a more restrictive setting by default, 5% of users had lessened the privacy restrictions.
Notwithstanding that users generally did not make their settings more restrictive, the OPC concluded that youth have special vulnerabilities and, therefore, a “reasonable person” would not consider it appropriate for the social networking site to preselect a low privacy setting for users, such that personal information would show up in Internet search results.
2. Meaningful Consent
The OPC also found that the site failed to get meaningful consent to the collection, use and disclosure of personal information. In this regard, the OPC was also influenced by the age of the typical users of the site. The OPC accepted that parental consent was not required. However, consent had to be obtained in a way that was meaningful given the demographics of the users.
3. Targeted / Behavioural Advertising
4. Sharing of User IDs for Rewards and Payment Processing
5. Retention of Information in Declined Invitations and Deleted Accounts
The OPC also had two significant concerns regarding the retention of information. The first concern related to the use of non-user e-mail addresses. As is common, users of the social networking site could invite their friends to join. Users did not have to confirm that they had their friend’s consent to this use of the friend’s email address. If a non-user did not want to receive further invitations, the non-user could opt-out but the email address will be retained (not surprising if further invitations are to be blocked). The OPC stated that the user who provides the e-mail address should have to confirm that they have the prior consent of their friend. Moreover, the OPC stated that non-users should be given a choice between opting-out and having their e-mail deleted.
A more tricky issue was the issue of what happens with information for deleted accounts. The OPC reported that when a user clicks the “Delete Account” option, they were informed that: “This will delete your account, including your profile, your pictures, friends list, messages, etc. Your forum posts, comments and messages in other users’ in-boxes will remain.” However, in practice, only the user’s “shouts” were deleted. The user’s user-name, user ID, email address, IP address and log-in information, friends list, gallery pictures, profile contents, messages and comments, and profile photos were archived.
The OPC stated that there should be a true “Delete Account” function and that the disclosure was misleading. The OPC reports that the social networking site has stated that it refuses to implement this recommendation because of the costs of doing so. The position of the social networking site, as described by the OPC, is that the information is only accessible to system administrators and recovered in the event that they receive a warrant from a law enforcement authority.
As this issue is outstanding, the OPC is considering further action.