Competition Bureau Brings Big Stick to Privacy Claims – $9.5 Million Penalty for Privacy Claim
The Competition Bureau (the “Bureau”) recently concluded that Facebook Inc. made false or misleading claims to the public about the privacy of Canadians’ personal information on Facebook and Messenger. Facebook disagreed with the conclusion of the Bureau, but wished to resolve the matter by entering into a consent agreement and not contesting the conclusions for purposes of the agreement. As a result, Facebook is required to pay a $9 million penalty, plus an additional $500,000 for the costs of the Bureau’s investigation.
Canadian privacy regulators have not historically had significant tools to financially penalize companies for breaching the privacy rights of individuals. The Bureau is stepping into that gap, at least in part.
In light of this recent decision, organizations should take a good look at their privacy policies, statements and notices and consider whether any of the statements contained therein are or may be considered inaccurate or misleading.
The Bureau’s investigation looked at Facebook’s practices between August 2012 and June 2018. While Facebook disagrees with the Bureau’s conclusion, the Bureau concluded that:
- “Facebook gave the impression that users could control who could see and access their personal information on the Facebook platform when using privacy features, such as the general “Privacy Settings” page, the “About” page and the audience selector menu on posts, among others.
- … Facebook did not limit the sharing of users’ personal information with some third-party developers in a way that was consistent with the company’s privacy claims. This personal information included content users posted on Facebook, messages users exchanged on Messenger, and other information about identifiable users.
- Facebook also allowed certain third-party developers to access the personal information of users’ friends after users installed certain third-party applications. While Facebook made claims that it would no longer allow such access to the personal information of users’ friends after April 30, 2015, the practice continued until 2018 with some third-party developers.”
When assessing privacy obligations and risks in Canada, most people look at the more traditional pieces of privacy legislation across Canada, such as PIPEDA, PIPA (British Columbia and Alberta) and Quebec’s private sector privacy act. However, one must remember that the Competition Act prohibits companies from making false or misleading claims about a product or service to promote their business interests. This includes statements made in privacy policies and other public-facing privacy statements. The Bureau further confirms that its jurisdiction includes claims made by organizations about the information they collect, why they collect it and how they use it, and that it applies to “free” digital products the same way it applies to regular products or services purchased by consumers.
In a foreboding quote about what we can expect in the future, the Bureau made it clear that they will be using this stick on large and small companies alike. “Canadians expect and deserve truth from businesses in the digital economy, and claims about privacy are no exception. The Competition Bureau will not hesitate to crack down on any business that makes false or misleading claims to Canadians about how they use personal data, whether they are multinational corporations like Facebook or smaller companies.”
Take this opportunity to review all of your privacy policies, notices and statements. Reflect on whether the statements contained therein remain true, whether any important terms on the business’s information handling practices are omitted, or whether any terms could give a misleading impression to the individuals to whom they apply.
If you have any questions about privacy compliance or data security matters, please contact a member of the Aird & Berlis Privacy & Data Security Group.