Facebook has agreed to pay a $9 million fine after the federal Competition Bureau found the company made false or misleading claims over six years about the privacy of Canadians’ personal information on Facebook and Messenger.
Facebook will also pay an additional $500,000 for the costs of the bureau’s investigation.
“Canadians expect and deserve truth from businesses in the digital economy, and claims about privacy are no exception,” Competition Commissioner Matthew Boswell said in a statement. “The Competition Bureau will not hesitate to crack down on any business that makes false or misleading claims to Canadians about how they use personal data, whether they are multinational corporations like Facebook or smaller companies.”
The payments are part of a settlement registered today with the Competition Tribunal in which Facebook has agreed not to make false or misleading representations about the disclosure of personal information. This includes representations about the extent to which users can control access to their personal information on Facebook and Messenger.
The investigation looked into Facebook’s practices between August 2012 and June 2018. The Bureau concluded that:
- Facebook gave the impression that users could control who could see and access their personal information on the Facebook platform when using privacy features, such as the general “Privacy Settings” page, the “About” page and the audience selector menu on posts, among others.
- However, Facebook did not limit the sharing of users’ personal information with some third-party developers in a way that was consistent with the company’s privacy claims. This personal information included content users posted on Facebook, messages users exchanged on Messenger, and other information about identifiable users.
- Facebook also allowed certain third-party developers to access the personal information of users’ friends after users installed certain third-party applications. While Facebook made claims that it would no longer allow such access to the personal information of users’ friends after April 30, 2015, the practice continued until 2018 with some third-party developers.
Facebook recently estimated it has 2.6 billion monthly active users globally, including around 24 million monthly active users in Canada. About 1.3 billion people use the Messenger service monthly.
The fine comes a year after the federal privacy commissioner found Facebook committed serious violations of Canadian privacy laws and failed to take responsibility for protecting the personal information of Canadians stemming from the 2016 Cambridge Analytica scandal.
In that incident, an app called “This Is Your Digital Life” created by an American developer that posed as a personality quiz collected information about users and their Facebook friends. The data of about 87 million users, including 600,000 Canadians was then shared with Cambridge Analytica, which used it to create psychographic models for the purposes of ad targeting in several U.S. political campaigns.
Facebook has disputed the findings and refuses to implement the privacy commissioner’s recommendations for it to address deficiencies. That forced the commissioner in February to ask the Federal Court to declare Facebook has violated the Personal Information Protection and Electronic Documents Act (PIPEDA) and require the company to correct its practices so users can give meaningful consent when they disclose personal information.
That’s the second time Facebook came afoul of the privacy commissioner’s office. In 2009 it found Facebook contravened privacy law by seeking overly broad, uninformed consent for disclosures of personal information to third-party apps, as well as inadequate monitoring to protect against unauthorized access by those apps.