• Categories

  • Archives

    « Home

    Canada Privacy Commissioner: Social networking site for youth breached Canadian privacy law

    An investigation of social-networking site Nexopia reveals that it has violated Canadian privacy law, says Jennifer Stoddart, the Privacy Commissioner of Canada, in a news release. “Our investigation found Nexopia has inappropriate default privacy settings; provided inadequate information about a number of privacy practices; and keeps personal information indefinitely – even after people select a ‘Delete Account’ option,” Stoddart said.

    Prompted by a complaint by the Ottawa-based Public Interest Advocacy Centre, the investigation identified several areas where Nexopia was in breach of federal private-sector privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA).  These included:

    • Default settings that were particularly inappropriate for Nexopia’s target youth audience, and a lack of clarity about available privacy settings;
    • A lack of meaningful consent for the collection, use and disclosure of personal information collected at registration;
    • The sharing of personal information with advertisers and other third parties without proper consent; and
    • The indefinite retention of personal information.

    The investigation resulted in a total of 24 recommendations.

    The Privacy Commissioner was satisfied with Nexopia’s response to 20 of those recommendations.  In those cases, the allegations are well-founded and conditionally resolved.  This finding, which the Office of the Privacy Commissioner of Canada introduced on January 1, 2012, is used when the Office has found that an organization has contravened PIPEDA, but the organization has made an express commitment to demonstrate its implementation of corrective measures within a specified time period after the Office’s findings are issued.

    The unresolved issues involve four recommendations aimed at addressing concerns about Nexopia’s retention of users’ personal information. Nexopia keeps personal information indefinitely, even though federal privacy law requires companies to develop retention policies. […]

    “We are disappointed with Nexopia’s position with respect to these outstanding issues.  We are addressing these unresolved issues in accordance with my authorities under PIPEDA, which include the option of going to Federal Court to seek to have the recommendations enforced,” says Commissioner Stoddart.

    Leave a Reply