Canada’s Office of the Privacy Commissioner (the Commissioner) has released its findings after investigating complaints against Facebook relating to its “Suggested Friends” feature (Feature). The three complainants were non-users of Facebook, who each received an email from Facebook with an invitation to join. The email was sent on behalf of a Facebook user they knew. The invitation included a list of “suggested friends.” Given the accuracy of the “suggested friends” list, the complainants alleged Facebook improperly accessed their (or their friends’) private information, and appeared to be maintaining personal profiles of non-users without their knowledge and consent.

It was found that Facebook does not, and cannot, access the address books of non-Facebook users through its Feature. There was also no evidence that Facebook tracked or stored the personal information of non-users, or shared information of non-users with third parties. Nevertheless, the Commissioner found Facebook’s initial implementation of the Feature had violated knowledge and consent requirements under the Personal Information Protection and Electronic Documents Act (PIPEDA).

Facebook’s initial version of the Feature involved Facebook users uploading a non-user’s email address to their Facebook account and clicking the “Invite” button on the platform. Thereafter, Facebook sent an initial email invitation to non-users that included a list of suggested friends. The invitation had little information about the Feature or about how non-users’ information was being used to generate the list of suggested friends. Facebook generated the lists by using the non-users’ email addresses without first providing them with any of the above information. The Commissioner found Facebook did not properly disclose to the non-user the intended use of his/her email address or provide any opportunity to give meaningful consent to such use – Facebook’s initial opt-out mechanism was found to be inadequate.

Facebook subsequently overhauled its Feature. Facebook agreed to remove the list of suggested friends from its first invitation, opting to send friend suggestions only in subsequent reminder emails. In addition, in both the initial invitation and subsequent reminder emails, Facebook included a prominent unsubscribe button notifying the non-user that his or her email address can be used for generating friend suggestions, along with a link providing information about (a) how friend suggestions are generated and sent; and (b) how to avoid receiving future invitations. The Commissioner found these changes sufficient to address the above concerns.

The Commissioner accepted that the opt-out approach to consent was appropriate in the circumstances, noting that PIPEDA favours a contextual approach in assessing whether personal information is sensitive for the purpose of determining the appropriate form of consent. While email addresses may be sensitive in unique circumstances, the Commissioner found they were not sensitive since they were used to suggest social connections only seen by the non-user. The Commissioner commented that “the interpretation of PIPEDA calls for a reasonable, pragmatic approach… [T]here is a need to balance the privacy rights of individuals with the need to facilitate the use of personal information for appropriate commercial purposes.”

The Commissioner first investigated Facebook’s practices relating to different features in July 2009, following a complaint filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC). That complaint prompted Facebook to add significant privacy safeguards and other changes to address the Commissioner’s concerns.