Sarit Mizrahi is a student in the course DRT 6929-O.

According to certain sources, Facebook is planning on launching an entirely new platform this week, aimed at better profiling the personal interests and desires of Facebook users: Read, Listened, Watched and Want buttons. As with the “Like” button, each time a user comes across an item on the Internet that they have read, listened to, watched or may want, they need only click the appropriate button to share this information. What does this mean on a practical level? It means that Facebook will have the opportunity to create even more detailed profiles about its users and offer that information to advertising agencies, who will be able to target users more accurately with ads that specifically appeal to their interests.

It is no secret that Facebook has, up until the present, targeted its users with ads that fall into the categories of interests outlined by users in their profiles. What is not as widely known, however, is how far Facebook’s tentacles really do extend. Not only does Facebook have access to whatever information a user makes available on their Facebook profile, but the company also has access to information about users’ use of the Internet when they visit websites containing Facebook content such as the “Like” button or Facebook Connect. The accumulation of this information makes it possible for Facebook to create unbelievably detailed profiles of a user’s interests and browsing habits, and ultimately to use that data to target users with advertisements that match their personal taste. Facebook’s planned release of these new buttons, however, will make it possible for the company to further increase the detail contained within these profiles and thereby target users with advertisements more accurately.

Facebook’s tracking and targeting practices are, however, not limited to Facebook users; they extend even to Internet users who do not possess a Facebook account – the only difference is that the information collected will not be linked back to a particular Facebook account. Facebook achieves this feat by essentially placing cookies on the computers of these individuals when they visit any website containing a “Facebook Connect” option. After this occurs, whenever these individuals visit a website that contains Facebook content, such as the “Like” button, that information is added into the cookie. Considering the proliferation of Facebook content across the Internet, this ultimately results in a hoard of data being collected regarding the browsing habits of these individuals.
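A simplified model of the mechanism described above, added here as an illustration and not taken from Facebook's code or documentation. It assumes the widget host keeps its log on the server, keyed by the identifier stored in the cookie; the class names, host names and page paths are constructed.

```javascript
// Simplified model of cross-site tracking through an embedded widget.
// All names and page URLs below are constructed for illustration.
class WidgetHost {
  constructor() {
    this.nextId = 1;
    this.log = new Map(); // cookie id -> pages on which the widget was loaded
  }
  // Handle one request for the widget; returns a new cookie value or null.
  serve(cookieId, refererPage) {
    let setCookie = null;
    if (!cookieId) {                 // first contact: issue an identifier
      cookieId = "visitor-" + this.nextId++;
      setCookie = cookieId;
    }
    if (!this.log.has(cookieId)) this.log.set(cookieId, []);
    this.log.get(cookieId).push(refererPage);
    return setCookie;
  }
  // Browsing histories the host can reconstruct, one per identifier.
  profiles() { return [...this.log.values()]; }
}

class Browser {
  constructor({ blockThirdPartyCookies = false } = {}) {
    this.block = blockThirdPartyCookies;
    this.widgetCookie = null;        // cookie jar entry for the widget's host
  }
  // Loading a page that embeds the widget triggers a request to the widget's
  // host, carrying that host's cookie and the embedding page as the referrer.
  visit(page, host) {
    const sent = this.block ? null : this.widgetCookie;
    const setCookie = host.serve(sent, page);
    if (setCookie && !this.block) this.widgetCookie = setCookie;
  }
}

function simulate(pages, options) {
  const host = new WidgetHost();
  const browser = new Browser(options);
  for (const p of pages) browser.visit(p, host);
  return host.profiles();
}

const PAGES = ["news.example/politics", "shop.example/shoes", "health.example/clinic"];
const tracked = simulate(PAGES, {});
const blocked = simulate(PAGES, { blockThirdPartyCookies: true });
console.log("default browser:", tracked);             // one profile, three pages
console.log("third-party cookies blocked:", blocked); // three unlinked entries
```

Blocking third-party cookies removes only the cookie linkage modelled here; the host still receives each individual request.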

All of this boils down to one thing: privacy on the Internet is becoming scarcer by the day. The ability of entities like Facebook to create such detailed profiles without the knowledge of Facebook users, or even of individuals who are not Facebook users, is quite alarming and raises a great number of legal issues, namely with regard to privacy law.

Privacy in Canada is quite highly protected by the Personal Information and Electronic Documents Act (“PIPEDA”). The PIPEDA, in its Schedule 1, essentially sets forth ten different principles that must be followed so as to ensure that privacy is protected and that the PIPEDA itself is respected. This blog will, however, only explore the three particular principles which render Facebook’s practices questionable from a legal perspective.

The PIPEDA, in the second principle of its Schedule 1, requires that an organization divulge the purposes for which it is collecting an individual’s information prior to or at the time of collection. Facebook, in its Data Use Policy, does not go into a significant amount of detail regarding the purposes for which it collects personal information. It only provides a few examples of its use of that data, such as to provide users with location features and services, to measure or understand the effectiveness of ads viewed by its users, or to make suggestions to Facebook users. Nowhere in its privacy policy, however, does it actually outline its ad targeting practices. Though the list provided in the Data Use Policy may not be exhaustive, considering the prominence of Facebook’s use of ad targeting and the fact that a significant amount of the information it collects is, in fact, used for ad targeting, it would be required to clearly divulge these practices in order to efficiently comply with this second principle of Schedule 1 of the PIPEDA. Though it might be argued that its statement regarding its use of the personal information of its users “to measure or understand the effectiveness of ads viewed by their users” could potentially imply its use of that data for ad targeting purposes, I would not consider this statement as satisfying its obligation under principle 2. The reason for this is that the statement lacks the clarity required to properly inform individuals about how their information is used – which is essentially the objective of the PIPEDA in the first place.

The third principle outlined in Schedule 1 of the PIPEDA states that “The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information […]”. While this principle may be fulfilled by Facebook with respect to Facebook users, who are required to accept the terms and conditions of the website as well as the terms set out in its Data Use Policy, this principle is most definitely not respected with regard to Internet users who do not possess Facebook accounts but who are still tracked by Facebook throughout the Internet. The consent of these individuals was clearly not obtained by Facebook, nor do many of them actually know that their information is being collected in such a manner. The privacy rights of these individuals are therefore unequivocally being violated by Facebook.

Finally, the fourth principle outlined in Schedule 1 of the PIPEDA requires that the personal information of an individual collected by an organization “be limited to that which is necessary for the purposes identified by the organization”. The above discussion regarding the second principle illustrates the manner in which Facebook is deficient in their identification of the purposes for which they collect the personal information of their users. If Facebook’s only purposes for using personal information were “to provide users with location features and services, to measure or understand the effectiveness of ads viewed by their users, or to make suggestions to Facebook users”, it would not require nearly as much information as it collects from its users. Facebook can therefore not be said to limit their collection of information to that which is required for their stated purposes; the information they collect extends far beyond what is, in fact, required for the reasons they have outlined.

It cannot be denied that Facebook is in clear violation of Canadian privacy law, nor can it be denied that the launching of their new platform will render it possible for them to extend their tentacles far beyond what anyone could have imagined and further violate the privacy rights of Canadian citizens. Though Facebook’s Mark Zuckerberg is apparently under the impression that “privacy is no longer a social norm”, in Canada, it is the law, and as such, the privacy rights of all Canadian citizens should be respected by Facebook.