If Facebook wants to comply with Canadian privacy laws, the company will have to make some changes to how it collects and retains information about its 12 million Canadian users. Privacy Commissioner Jennifer Stoddart singled out a number of issues her office found with Facebook’s practices. These include the fact that the company’s privacy policies are often incomplete and confusing, and that third-party applications can access far more information about a user than would be necessary for the application to work well. The complaint that triggered this investigation was filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC).

Stricter Default Privacy Settings
Among other things, the commissioner, who reports to Parliament and can force companies to make changes to their privacy practices, asked Facebook to change the default privacy settings of photo albums to “Your Networks and Friends” instead of “Everybody,” and to make sure that user profiles are inaccessible to search engines by default. Facebook is working on implementing these changes, and with the recently introduced per-object privacy settings, most of these issues had already been resolved anyway.
Third-Party Apps
The area the commissioner focused on most, though, was third-party applications and the amount of private information developers can access through them. As of now, Facebook has not agreed to make any of the recommended changes. The commissioner recommends that Facebook limit developers’ access to only those pieces of information that are necessary to run an application, and that the company also implement measures to prohibit the disclosure of personal information of users who aren’t actually using an application themselves.
Deleting Accounts Will Remain Difficult
As for the retention of user information, Facebook apparently does not agree with the commission’s recommendation to add information about account deletion to its privacy policy. For the time being, actually deleting a Facebook account will remain difficult. Under Canadian law, Facebook would have to have “appropriate purposes” to keep this information.
Facebook was also asked to add a section to its privacy policy about what happens to the accounts of deceased users (they are currently kept active), but here, too, Facebook refuses to make any changes because it considers “them unnecessary under the law.”
Some Good News for Facebook
It’s important to note that the original complaint that set off this investigation also alleged that Facebook should not ask users for their date of birth, name, and email address when registering for a Facebook account. Stoddart, however, argues that this is a reasonable request, even if Facebook didn’t make very clear why it asks for this information.
You can find more details about the allegations, the commissioner’s recommendations, and Facebook’s reaction in the full report and in this press release.
Overall, most of these recommendations seem quite reasonable, though especially with regard to third-party applications, it’s a bit puzzling why Facebook doesn’t want to do more to ensure its users’ privacy.
As Facebook expands, its privacy settings have gotten more and more complicated, to the point where most users are probably baffled by the number of choices and simply leave everything at the default setting.