Canada’s Competition Bureau determined Facebook Inc. made false or misleading claims about the privacy of Canadians’ personal information on Facebook and Messenger. Facebook Inc. will pay a $9 million penalty in a settlement as a result, and pay an additional $500,000 for investigation costs.
This settlement is an important indicator of the shift that Canada’s Competition Bureau is making towards policing false or misleading privacy statements. The Bureau has substantial enforcement powers under the Competition Act to levy significant fines and penalties for deceptive online practices.
Organizations should take note that their privacy statements, consents and policies cannot be false or misleading. The Bureau is investigating false claims that mislead consumers into giving away their personal data. For Facebook, it primarily derives its revenues from advertising which is, in part, targeted based on personal information derived from users.
The issues behind the Facebook settlement arise from inflated promises about privacy protection; unmet assurances to consumers about how they can control their information; and information sharing with third parties without adequately bringing it to the attention of users. The Commissioner concluded Facebook made representations to the public that created a general impression about who could see or access users’ personal information and about users’ ability to control who could see or access their personal information. However, Facebook did not limit information sharing in a manner consistent with those representations.
In a news release about this decision, the Commissioner stated that the Competition Bureau “will not hesitate to crack down on any business that makes false or misleading claims to Canadians about how they use personal data, whether they are multinational corporations like Facebook or smaller companies”.
Organizations should be reviewing and scrutinizing their privacy statements, policies and practices. A privacy review should include analysis to confirm what information the organization is collecting and why, as well as how it is used, with whom it is shared, and whether it is properly secured and destroyed. A real risk assessment will be vital for the defence of any action by the Competition Bureau.
If we can be of any assistance to you in implementing any aspect of your privacy program, please contact a member of our Privacy & Data Management Group.
You may find our organizational Risk Assessment Outline useful.
Ryan Berger is a leading privacy and employment lawyer, with a primary focus on providing strategic advice to businesses and employers.
Ryan leads the firm’s Privacy Group and routinely advises public and private sector ...
Cory Sully is an associate in our Labour, Employment and Human Rights Group and Privacy and Data Management Group in Vancouver. She advises and represents clients in all areas of workplace law. Cory provides practical and strategic ...
Lawson Lundell's Privacy and Data Management Blog provides updates on the most recent issues emerging in the legal and business communities. We cover a range of issues, legal developments, and new technology as they impact privacy and data management. We will focus on how organizations can protect, manage and innovate with information considering the various risks, regulatory and governance requirements.