The Office of the Privacy Commissioner's report found that Facebook continues to breach the Personal Information Protection and Electronic Documents Act in four ways and it made recommendations to correct the problem. It found:
- Facebook doesn't have enough safeguards to prevent 950,000 third-party developers around the world from getting unauthorized access to users' personal information, nor does it ensure users have given "meaningful consent" to allow their personal information to be disclosed to the developers. Recommendation: Developers should only get the information needed to run the application. Users would have to specifically consent to the release of that information after being told why it is needed. Information about anyone other than the user would not be disclosed.
- Facebook keeps information from accounts deactivated by users indefinitely. Recommendation: Facebook should have a policy to delete the information after a reasonable length of time, and users should be informed of the policy.
- Facebook allows users to provide personal information about non-users without their consent. For example, it allows them to tag photos and videos of non-users with their names, and provide Facebook with their email addresses to invite them to join the site. It keeps the addresses indefinitely. Recommendation: Facebook should only keep non-users’ email addresses for a reasonable, specific length of time and should make its users aware that they need to seek consent of non-users before posting information about them.