On May 19, 2020, the Competition Bureau (“Bureau”) registered a consent agreement with Facebook Inc. (“Facebook”) after investigating Facebook’s privacy claims in respect of its platform and Messenger service. The Bureau found that Facebook’s claims regarding a user’s ability to control the level of personal information that can be shared with third-party application developers were false and misleading. While Facebook did not agree with the Bureau’s findings, it has agreed to pay a $9M administrative penalty as well as $500,000 in costs.
The Bureau determined that Facebook made representations to users in its various privacy control functions like “Privacy Checkup” and “Privacy Settings” that created the general impression that Facebook users could manage who could see and access their personal information. After reviewing Facebook’s claims about privacy control and its actual data sharing, the Bureau found that these representations were false and misleading in a material respect, as third -party application developers could still access users’ personal information – including details like first and last name, address, email address, mobile number, user-generated content posted on Facebook and messages exchanged on the Messenger service.
The Bureau also determined that Facebook’s 2014 announcement that it would be shutting down its Friends Data API by 2015 and shifting to a new API included a false and misleading representation about increased user control. “API” stands for Application Program Interface; it is a set of tools made available to application developers so that they can build software applications that integrate with established applications like Facebook. Facebook’s Friends Data API allowed application developers to access a user’s friend list, their status, updates and check-ins. This personal information gave developers the ability to create highly personalized products or apps. In the Bureau’s view, it found that most of Facebook’s data practices remained unchanged despite the shutdown, as Facebook continued to share personal information with developers up until 2018.
This consent agreement is significant in that it is the first that deals with misleading privacy claims, following through on the Bureau’s announcement in early 2020 that it intended to take action against such representations. Organizations should take note – regulation of the digital economy is not limited to banner ads, influencers and prices, but also includes your representations about the use of personal data, particularly when that data is being monetized. We recommend that organizations take a proactive look at their privacy representations to ensure they are accurate, including statements in product/platform descriptions and privacy policies. This is especially critical during the COVID-19 pandemic, as many organizations are now pivoting to digital offerings.
If you have any questions about your organization’s privacy claims or how this consent agreement could otherwise impact your business, please contact our Marketing, Advertising and Consumer Product Regulatory group.