Thursday, September 10, 2009

Facebook Agrees to Privacy Safeguards After Canadian Investigation

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

Online social networking site operator Facebook has agreed to add significant new privacy safeguards and make other changes in response to the Privacy Commissioner of Canada’s recent investigation into Facebook’s privacy policies and practices, the Privacy Commissioner announced on August 27.

On July 16, Privacy Commissioner Jennifer Stoddart issued a report on an in-depth investigation triggered by a complaint from the Canadian Internet Policy and Public Interest Clinic (CCH Privacy Law in Marketing ¶60,350).

Stoddart was particularly concerned about the risks posed by the over-sharing of personal information with third-party developers of Facebook applications, such as games and quizzes.

Facebook was given 30 days to respond to the Commissioner’s report and explain how it would address the outstanding concerns. Following a review of Facebook’s formal response and discussions with company officials, Stoddart said she is now satisfied that Facebook is on the right path to addressing the privacy gaps on its site.

Changes to Privacy Practices

Facebook has agreed to make changes to help users better understand how their personal information will be used and, ultimately, make more informed decisions about how widely to share that information. The Commissioner’s office will follow up with Facebook as the changes are implemented.

With regard to third-party application developers, Facebook has agreed to retrofit its application platform to prevent any application from accessing information until express consent is obtained for each category of a user’s personal information the developer wishes to access.

According to Facebook, implementing the necessary significant technological changes to its application platform will take one year.

Facebook also agreed to make it clear to users that they have the option of deleting their accounts, rather than merely deactivating them. In addition, Facebook agreed to change the wording of in its privacy policy to explain what will happen in the event of a user’s death.

Further information on the agreement is available here on the Privacy Commissioner’s website.

No comments: