Canada: Facebook To Make Changes To Comply With Canadian Privacy Laws

Last Updated: September 8 2009
Article by Eric J. Smith

On August 27, 2009, the Office of the Privacy Commissioner of Canada (OPC) announced that Facebook, the world's largest social networking site, has agreed to make significant changes to the manner in which it collects and safeguards the personal information of individuals. This agreement, reached over one year after the original complaint against Facebook was made, is significant not only as it relates to Facebook's operations, but also for the clear message it sends to all organizations, both Canadian and foreign, that compliance with Canada's privacy laws must not be taken lightly.


The OPC's investigation into the practices of Facebook was initiated in response to a complaint filed with the OPC by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) dated May 30, 2008 [1]. In its complaint, the CIPPIC alleged that Facebook was engaged in "unnecessary and non-consensual collection and use of personal information" and in doing so, was in violation of the Personal Information Protection and Electronic Documents Act (PIPEDA).

The complaint focused on 12 areas in which CIPPIC alleged that Facebook was not compliant with PIPEDA. Some of the areas identified in the complaint were the collection of date of birth, default privacy settings, disclosure of personal information through third party applications, account deactivation and deletion, use of personal information of deceased users, and the collection of personal information of non-users.

Report of Findings

Following the OPC's investigation into the allegations made by CIPPIC, which included consultations with and representations by Facebook, the OPC released its "Report of Findings" on July 16, 2009. In the Report of Findings, the OPC stated that, on four of the twelve subjects identified in the complaint (i.e. new uses of personal information, collection of personal information from sources other than Facebook, Facebook Mobile safeguards, and deception and misrepresentation), it found no evidence of contravention of PIPEDA. With respect to another four subjects identified in the complaint (i.e. collection of date of birth, default privacy settings, advertising, and monitoring of anomalous activity), the OPC concluded that the allegations were well-founded, but that they had been resolved by corrective actions taken by Facebook in response to recommendations made by the OPC during the investigation and consultation process. Finally, the report indicated that the four remaining subjects identified in the complaint (i.e. third-party applications, account deactivation and deletion, accounts of deceased users, and personal information of non-users) were well-founded and had not been resolved, as Facebook had not agreed to adopt the recommendations of the OPC. A closer look at these unresolved issues provides insight into the conflict between an organization's desire to use personal information for its business purposes and its legal obligation to safeguard such information and only use it with the informed consent of the individual to whom the information relates.

(i) Third-Party Applications

In May 2007, Facebook opened its platform to allow third party developers to create applications (e.g. games, quizzes, etc.) that are accessible to users within Facebook [2]. By adding an application to their Facebook account, users enable such applications to access most of the personal information found in such account, including personal information related to their Facebook friends [3].

In its Report of Findings, the OPC identified a number of concerns with third party applications. These include:

  • the making available of more personal information than is necessary for the purpose of the application;
  • the reliance on contractual covenants by the developers to respect users' privacy settings and safeguard their personal information in lieu of technological safeguards and effective monitoring of compliance;
  • a lack of meaningful consent to the collection and use of personal information by the user who adds the third party application; and
  • a lack of meaningful consent from users when their friends and fellow network members add applications that expose their own personal information to access the application.

In its recommendations, the OPC asked Facebook to implement measures that would limit third-party developers' access to personal information that is not required for the purposes of the application, inform users of the specific information that an application requires and for what purpose, obtain the express consent of users in each instance, and prohibit all disclosures of personal information of users that are not themselves adding the application [4]. Facebook declined to implement such measures.

(ii) Account Deactivation and Deletion

Facebook allows users to deactivate or delete their account. When a user deactivates an account, his or her personal information is retained indefinitely, a practice which the OPC concluded is a contravention of Principles 4.5 and 4.5.3 of PIPEDA. In addition, while a user can find information concerning how to delete an account, such option is not given the same exposure as the deactivation option, making it less obvious to users how their accounts and personal information can be deleted from the service.

To address these concerns, the OPC recommended in a preliminary report that Facebook set a cutoff date after which Facebook would no longer retain the personal information of users who had deactivated accounts. The OPC did not suggest what a reasonable period of time would be; rather, it suggested that the period of time be a period "that a reasonable person would consider appropriate in the circumstances and based on [Facebook's] experiences with user reactivation patterns" [5]. The OPC also recommended that Facebook include an account deletion option on the users' Account Settings pages, as is the case with the deactivation option. Facebook declined to act on these recommendations.

(iii) Accounts of Deceased Users

When Facebook is notified that a user has died, it generally keeps such user's profile active in a "memorialized" status (i.e. with certain information removed and only confirmed friends provided access) for a period of time. Such a practice is not referred to in Facebook's Privacy Policy [6]. In its Report of Findings, the OPC concluded that the failure to advise users of this potential use of their personal information was a contravention of Principles 4.2.1, 4.2.3, 4.3.2 and 4.8 of PIPEDA which, in essence, require organizations that collect personal information to advise individuals as to the purposes for which such information is collected. Facebook declined to follow OPC's recommendation of referencing such use in its Privacy Policy.

(iv) Personal Information of Non-Users

Facebook allows users to post personal information of non-users to their Facebook pages, thereby making it available to anyone who has access to the applicable portions of that user's Facebook account. While the majority of such postings are made for the personal use of the user, and therefore outside the scope of PIPEDA, the OPC determined that, in some instances, Facebook uses such non-user personal information for its own purposes.

For example, when a user 'tags' a non-user in a photograph that has been uploaded to his or her Facebook account, Facebook gives the user the option of providing to Facebook the non-user's email address, which is then used by Facebook to send a notification to the non-user of the tagging and an invitation to join Facebook. While the notification of tagging is for the benefit of the non-user, the invitation to join Facebook is for the benefit of Facebook.

In addition, Facebook allows users to provide Facebook with the email addresses of non-users that Facebook uses to send invitations to non-users to join Facebook. Facebook retains such information for an indefinite period of time. In addition to using the email addresses to deliver invitations, Facebook uses the email addresses to provide users with a history of invitations sent out on their behalf and for tracking the success of the referral program.

The OPC concluded that in instances where personal information about an individual (i.e. the non-user) is being collected from another individual (i.e. the user), it is reasonable to allow Facebook to rely on the user to obtain the direct consent of the non-user, provided that Facebook takes reasonable measures to ensure that such consent is obtained. In the opinion of the OPC, merely referencing the requirement for the user to obtain the non-user's consent in the Privacy Policy is not sufficient, and Facebook should include a reminder each time that a user discloses a non-user's email address to Facebook. Facebook should also take action against those users who violate such consent requirements.

In addition, the OPC concluded that the retention of non-users' email addresses for the purpose of invitation history and tracking without informing non-users of such use is a contravention of PIPEDA's informed consent requirement. Retaining such addresses indefinitely beyond the time necessary for the initial purpose of collection was also a violation of PIPEDA.

Resolution of Outstanding Issues

As part of its Report of Findings, the OPC requested that Facebook reconsider the OPC recommendations that it had declined to adopt, and stated that it would give Facebook 30 days in which to do so. We do not know what actions the OPC would have taken had Facebook not satisfied the OPC's request, as, on August 27, 2009, the OPC announced that the outstanding matters had been resolved to its satisfaction.

In a letter to CIPPIC dated August 25, 2009, the OPC advised CIPPIC of the outcome of its discussions with Facebook regarding the CIPPIC allegations that it determined were well-founded, including those that remained unresolved at the time that the OPC issued its Report of Findings. With respect to the previously unresolved matters, the OPC reported as follows:

(i) Third-Party Applications

Facebook agreed to redesign its API so that users will have greater control over the type of personal information that third party application developers may access, and the purposes for which such information can be used. While the personal information of friends and fellow network members may still be accessed by the third party applications, users will be able to control whether such information is made available to developers. Users will also be presented with a link to a statement of the developer explaining how it will use such personal information. The introduction of this new model for information sharing with third-party applications is to take place on or before September 1, 2010.

(ii) Account Deactivation and Deletion

On the basis that most users reactivate accounts and expect to have access to their personal information when they do so, Facebook has not accepted the OPC's recommendation that a finite retention period be instituted for deactivated accounts. The OPC accepted this position, provided that users are well informed of the differences between deactivating and deleting an account. To this end, Facebook has undertaken to include a more complete explanation of the differences between the two options in its Privacy Policy and Help Center, and include links to each option.

(iii) Accounts of Deceased Users

In accordance with the recommendations of the OPC, Facebook has agreed to include a reference to the use of accounts to memorialize deceased users in its Privacy Policy within 10 weeks' time.

(iv) Personal Information of Non-Users

Facebook has agreed to include additional language in its Statement of Rights and Responsibilities that informs users of their obligation to obtain the consent of non-users before providing the non-user's email address to Facebook. Facebook further undertook to follow up on any complaints by non-users with respect to the use of their email address. Facebook also confirmed that it does not retain the email addresses of non-users in order to track the success of its invitation feature.

While the CIPPIC may take further action if it is not satisfied that the actions taken by Facebook adequately address its concerns, the OPC letter indicates that, so long as Facebook follows through on its undertakings, the OPC is satisfied with Facebook's response.


The investigation into the practices of Facebook, and the resulting changes that Facebook has agreed to make to its service, were the result of a lengthy and, no doubt, costly process. While some suggest that individuals should resign themselves to the fact that privacy does not exist in the on-line world, the CIPPIC complaint and its apparent resolution illustrate the power that users have to change the behaviour of on-line business organizations, even if they are located outside of the country in which the users reside. This matter also demonstrates the seriousness with which Canadian regulators treat well-founded complaints. The Facebook complaint is a strong reminder that all businesses should be proactive in examining their practices in relation to the collection, use and safeguarding of personal information. Failing to do so can be costly, not only in time and money, but also with respect to the damage it can cause to relationships with customers.


1. A copy of the complaint, as well as the report of findings and other announcements by the OPC referenced below can be found on the website of the Office of the Privacy Commissioner of Canada at

2. As of June 4, 2009, Facebook stated that there were over 350,000 Facebook applications from over 950,000 developers in over 180 countries – see Paragraph 148 of the Report of Findings.

3. To illustrate the sharing of personal information with third-party applications, the Northern California chapter of the American Civil Liberties Union (ACLU) created a Facebook application that allows users to see personal information that the ACLU application can access on the user's Facebook account. See

4. See Report of Findings, paragraph 211.

5. Ibid, paragraph 245.

6. As noted in Paragraph 275 of the Report of Findings, the practice of using accounts for memorial purposes was, at the time of complaint, identified in Facebook's Terms of Use. In the time between the filing of the complaint and the issuance of the Report of Findings, Facebook replaced its Terms of Use with a Statement of Rights and Responsibilities (SRR). The SRR does not include a reference to using accounts for memorial purposes.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
