Facebook must take greater responsibility for the personal information the social networking site gathers in order to comply with Canadian privacy laws, Canada's privacy commissioner said in a press release today, concluding an investigation launched in May 2008.
“It’s clear that privacy issues are top of mind for Facebook, and yet we found serious privacy gaps in the way the site operates,” said Canadian Privacy Commissioner Jennifer Stoddart.
One of the biggest concerns was closed accounts.
The report notes that although the "account settings" page explains how to deactivate an account, there's no information on outright deleting the account to remove all data from Facebook's servers.
There's also Facebook's policy of keeping information indefinitely, which is an outright violation of Canada's Personal Information Protection and Electronic Documents Act.
The commission recommends the company adopt a retention policy where information from deactivated accounts is deleted after a "reasonable length of time."
There was also concern about access to personal information from third-party apps on Facebook, like quizzes and games.
In this case, the commission recommends Facebook take measures to ensure third-party developers can only access information necessary to run the app and also ensure that apps cannot access information from friends of users who have not installed the application.
For its part, Facebook has agreed to implement many of the measures or has suggested reasonable alternatives.
“Social networking sites can be a wonderful way to connect. They help us keep up with friends and share ideas and information with people around the globe. It is important for these sites to be in compliance with the law and to maintain users’ trust in how they collect, use and disclose our personal information,” said Assistant Commissioner Elizabeth Denham, who led the investigation.
While recommendations in the report are aimed at the Palo Alto, California-based company, Denham noted that the site's users also have responsibilities.
“We asked Facebook to clearly advise users about its privacy practices, but it’s still up to the user to actually read it and use the privacy tools to control how their information is shared,” she said.
The commission will review in 30 days whether Facebook has taken action, and can go to Federal Court to have its recommendations enforced if they are not followed.
The full report from the Office of the Privacy Commission is available here