If having an affect on 250 million users around the world weren’t enough, upcoming changes to Facebook Inc.’s privacy policies and practices are likely to spawn a chain reaction among all the other major social media sites, impact business marketing practices and address everyone who doesn’t have a Facebook account.
In a press conference from the Office of the Privacy Commissioner of Canada (OPC) announcing that an agreement with Facebook had been reached, Privacy Commissioner Jennifer Stoddart thanked the company for its cooperation throughout the 14-month investigation.
“I am very pleased to be able to tell you that – following further discussions with Facebook – the company has now agreed to make several changes which address the issues uncovered during our investigation,” said Stoddart.
Facebook’s plans to adapt its privacy policies and practices to comply with Canadian federal privacy law are scheduled to take place over the next 12 months. “With these changes, Facebook could show other online companies that you can have an incredibly successful online company that’s responsible and respectful of privacy rights,” said Stoddart.
The question-and-answer period that followed revealed another major social networking site may already be following suit. “I’m very happy to say that another major networking site has also contacted us and will be coming to our office to be meeting very soon to discuss compliance with Canadian law,” said Stoddart.
Facebook expects to set an example for other online companies. “We truly feel these improvements to the Facebook platform will bring a new privacy standard to the social Web, the interaction with social applications online and we’re confident our users and developers will see the benefits,” said Dave Morin, senior platform manager, in Facebook’s press conference following the one held by the OPC.
Meeting Canada’s requirements does well to satisfy the requirements of other countries, according to Facebook, as the laws resonate with those of Europe, Australia and New Zealand.
David Young, privacy lawyer and co-chair of the Privacy Law Group at Lang Michener LLP in Toronto, expects Facebook will eventually become the best practice standard for social networking sites globally. Facebook has already been “pushed, nudged and negotiated” along to provide what you could almost call a best practice model, he said.
Young doesn’t criticize the Palo Alto-based company for taking five years to adopt the intended model and believes they made “good faith attempts.” The U.S. doesn’t have a general privacy law, he pointed out. “We have a much deeper and somewhat granular approach to privacy because we have a law that has rules in it,” he said.
But the changes wouldn’t have happened in Canada either if the complaint wasn’t filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC), Young noted. “The federal Commissioner might investigate of her own volition, but in fact it took a complaint to launch the thing,” he said.
Independent technology industry analyst Carmi Levy expects to see fewer investigations over the long term as a result of the Facebook inquiry. The agreement is a “bellwether event in the evolution of social media,” he said. “I don’t think any provider of social media services like Facebook wants to be put in the position that Facebook has been in for the past number of months. Nobody wants to be on the wrong end of a firing squad.”
Levy expects changes from major social media platforms like Twitter, Google, MySpace and Microsoft over the next few months. “[They] will all very concretely and very proactively be addressing their own privacy policy and will be introducing upgrades to their services to make it more transparent and controllable by the end user,” he said.
But the ultimate responsibility will continue to lie with the end users, Levy pointed out. “Companies and employees using these tools need to revisit their acceptable use policies to make sure they are reflecting that,” he suggested.
Tim Hickernell, lead analyst at Info-Tech Research Group Ltd., advises organizations not to jump the gun as the model may not be good for business. “I would wait to see what actually gets implemented by Facebook and that will likely be a final round of approval by the government. As a business leveraging public social networking, I would not make any strategy changes yet and would continue to follow all existing marketing laws and best practices,” he said.
The Facebook privacy issue exposed a huge hole that the government needs to address, according to Hickernell. “If total deletion of a person’s presence and historical impact on a social network is indeed deleted in a cascade-like fashion, then any organization’s marketing or service integration with social networks could be impacted. Organizations asking for permission to connect to people through these networks need to import what data they need and have been given permission to access, into their customer systems if long-term analysis is required,” he said.
“This also then raises some disturbing questions of government meddling in private industry,” Hickernell added. “If a social network user opts-in with a marketer as part of a social network, does a cancellation of the user’s account with that network constitute a legal ‘opt-out’ for each and every business connection voluntarily made by the user? To do so in my opinion would conflict with both existing Canadian and EU privacy laws concerning online marketing.”
The changes will also impact users who have nothing to do with Facebook, as a key area of the investigation was the way Facebook handles the personal information on non-users. The Privacy Commissioner’s particular concerns included whether non-users were aware that Facebook might be collecting, using and retaining their e-mail addresses. Facebook obtains the e-mail addresses when users enter them to send invitations from Facebook and let their non-user friends know when they have been tagged in a photo.
As part of the agreement, Facebook plans to add language to its Statement of Rights and Responsibilities reminding users that they are obligated to obtain consent from non-users before using their e-mail addresses. Facebook also promised to follow-up on any complaints it might receive from non-users regarding this issue and stated that it does not maintain a list of e-mail addresses of non-users, according to Elizabeth Denham, Assistant Privacy Commissioner, in a letter from the OPC to CIPPIC outlining its resolutions with Facebook.
Stoddart’s office plans to publish a further document in the upcoming weeks that will outline the privacy settings for the most popular sites in Canada and the implications they have on the personal information of users.
Harley Finkelstein, who filed the Canadian Internet Policy and Public Interest Clinic (CIPPIC) complaint with fellow University of Ottawa student Jordan Plener in May 2008, is pleased with the announcement. “We think it is a huge success, not just for Facebook in Canada but also worldwide social networking sites,” he said.
“It’s sort of nice that Canada has been the one to set the tone for it and the only reason we have been able to do it is because we have this privacy legislation called PIPEDA that nobody else has,” said Finkelstein, student-at-law at Chaitons LLP.
The decision to file a complaint was prompted by concern over their younger sisters using the site, said Finkelstein. “If we were having trouble navigating through the privacy settings and privacy concerns, you can imagine what it would be like for someone 15 years old,” he said.
As senior law students, entrepreneurs and “techies by nature,” Finkelstein and Jordan felt there wasn’t enough transparency in the settings. “Whereas Facebook called these privacy settings, these were actually publicity settings,” he said.
Almost immediately after filing the complaint, Facebook began implementing changes. A major success was the changes made to the default settings, said Finkelstein. “If a user wants to make their profile more public, he or she can do so, but by no means is it completely public at the onset,” he said.