Social networking site for youth, Nexopia, breached Canadian privacy law
PIPEDA Report of Findings #2012-001
Table of contents
Complaint under the Personal Information Protection and Electronic Documents Act (the Act)
Section 1: Disclosure of user profiles to the public and default privacy settings
Section 2: Purposes and consent for the collection and disclosure of personal information
Section 3: Information sharing between Nexopia and advertisers/marketers
Section 4: Information sharing between Nexopia and third parties
Update
Following the release of the Report of Findings, the Privacy Commissioner filed an application in the Federal Court seeking an order requiring Nexopia to stop retaining personal information indefinitely by adopting a delete function. Subsequent to the filing of the application, Nexopia underwent a change in ownership. Nexopia's new owner committed to addressing all of the recommendations set out in the Report of Findings by April 30, 2013, including with respect to the issues raised in the court application. The OPC has since confirmed that Nexopia has implemented corrective measures to address all of the OPC’s recommendations. The court application was discontinued on May 29, 2013.
Executive Summary
The Complaint
A complaint against Nexopia.com Inc. (Nexopia or the “website”) by individuals from the Public Interest Advocacy Centre (PIAC or the “complainants”) comprised 19 allegations ranging over six distinct issues.
PIAC’s complaint focused on the protection of youth privacy in an online world. It alleged that Nexopia was failing to protect the privacy of individuals using its youth-oriented social networking site, in contravention of its obligations under the Personal Information and Protection of Electronic Documents Act (the Act).
Key Issues
The six key issues addressed by PIAC’s allegations are as follows:
- Nexopia’s disclosure of users’ personal information to the general public did not meet the reasonable expectations of users;
- Nexopia’s default privacy settings were inappropriate and unreasonable and Nexopia did not adequately inform users about the settings;
- Nexopia was not obtaining adequate consent for the collection of personal information at the time of registration;
- Nexopia did not adequately explain its advertising practices, particularly how personal information is shared for advertising purposes;
- Nexopia did not provide adequate notification to users about how their personal information was being shared with third parties, and
- Nexopia retained non-Nexopia users’ personal information without their knowledge and consent, and retained users’ and non-users’ personal information on an indefinite basis, with no option to permanently delete this information.
Findings and Conclusions
The investigation indicated that Nexopia is in breach of the Act regarding several aspects of the key issues raised by PIAC. As a result, our Office has made 24 recommendations to Nexopia to bring it into compliance with various provisions of the Act.
With respect to issues pertaining to Nexopia’s disclosure of user profiles to the public, default privacy settings, collection, use and disclosure of personal information collected at registration, sharing of personal information with advertisers and other third parties and the retention of the personal information of non-users, we have concluded that Nexopia is in contravention of the Act and the allegations are well-founded and conditionally resolved.
We arrive at this conclusion based on Nexopia’s commitment to demonstrate its implementation of corrective measures relating to 20 of our recommendations, within specified time periods.
In support of its commitment, Nexopia has agreed to provide our Office with regular progress reports, copy documentation and demonstrations of changes to the website, as it addresses the 20 recommendations.
With regard to issues pertaining to Nexopia’s retention of users’ personal information, we have concluded that Nexopia is in contravention of the Act and the allegations are well-founded. These matters remain unresolved as Nexopia has not, at this time, agreed to adopt 4 of our recommendations, or presented any acceptable alternative measures. We will proceed to address these unresolved issues in accordance with our authorities under the Act.
Complaint under the Personal Information Protection and Electronic Documents Act (the Act)
- On January 18, 2010, representatives of PIAC filed a complaint against Nexopia.com Inc., pursuant to subsection 11(1) of the Personal Information Protection and Electronic Documents Act (the Act).
- For the purposes of this report, the first two key issues listed in the Executive Summary have been merged into Section 1 of this report – “Disclosure of user profiles to the public and default privacy settings”.
- We received three formal submissions from PIAC and five submissions from Nexopia between January 18, 2010 and August 14, 2010. Additional information was provided by the respondent between August and December 2010.
- A site visit to Nexopia’s head office in Edmonton was conducted on April 7, 2010. During the site visit, we met the company’s Chief Operating Officer (now the company’s President and Chief Executive Officer) and the website’s Director of Community Management and received a detailed demonstration of the website.
- Our Office has conducted its own extensive reviews of the website. The reviews included visiting the website as a visitor or non-registered user, e.g. to search for user profiles and review its Help pages, User Guides and Frequently Asked Questions.
- We established temporary test, or “dummy”, accounts, with the knowledge and co-operation of Nexopia, to experience the website’s services as a user would. This included promoting one test account to the website’s Plus service, so that we could investigate the additional features associated with this level of service.
- Our Office also conducted a review of domestic and international, academic and government research into youth online privacy.
- We issued a preliminary report of investigation to both parties on August 3, 2011. In our report to Nexopia, we highlighted numerous concerns and made 24 recommendations.
- Nexopia was asked to provide a response to the recommendations within 30 days of the date of the preliminary report of investigation, outlining how it intended to implement them, or provide adequate alternative compliance measures (with any supporting evidence showing why implementing our recommendations was not possible). After an extension to the deadline, Nexopia provided its response to our recommendations on October 3, 2011.
- This report of findings is the culmination of our investigation and consultations with Nexopia.
Introduction
Scope of the investigation
- The complaint represents our Office’s first investigation of a social networking site targeted specifically towards youth.
- This is a departure from earlier investigations we have conducted against social networking sites, which have not focused on users under the age of 18. By way of example, Facebook users under the age of 18 are subject to different privacy defaults and searchability and this approach was the result of a business decision taken by the company itself. Nexopia has taken the position that its website has always been open and is for young people to “show off” to the world.
- While the Act does not single out youth, some of the Act’s requirements may call for special considerations in the youth context. For example, organizations may need to take extra care to ensure that young people can reasonably understand their privacy practices, so that any consent obtained from youth is “meaningful”, as required by the Act.
Company Profile
- Nexopia.com describes itself as Canada’s largest youth-oriented social networking site. It has over 1.6 million registered users, of which 80% are resident in Canada. Some 50% of users are from Alberta and British Columbia [Footnote 1].
- Individuals wishing to register with Nexopia must be at least 13 years of age. Close to 23% of users are self-declared youth between the ages of 13 and 18. These individuals represent over 34% of the active users of the site. The second largest user demographic group on the site are individuals aged 19-22 years, perhaps users who joined the site as teenagers in its earlier days [Footnote 2].
- Nexopia.com was founded in 2003 and predates many other popular social media sites. It considers itself an open network, comparable to other “community-driven” Internet services open to public viewing, such as Bebo, DailyBooth, LiveJournal, MySpace, Netlog, SkyRock, and Tumblr. Nexopia states that its users come to the website to meet new people, express themselves and achieve social prominence.
- Users express themselves on Nexopia.com by establishing individual user profiles, participating in free-form blogs and user forums, creating photo galleries and posting articles, artwork, music, poetry and video.
- The website does not charge a fee for regular membership. It generates income through advertising revenue and offers its users the option of subscribing to a service (“Plus”) that allows members more options and privileges on the website. Nexopia has confirmed that 7% of users subscribe to the Plus service.
Definitions
- The following terms used throughout this report are defined as follows:
- User — an individual registered with Nexopia who is logged into the system;
- Visitor or Non-user — an individual not registered as a user with Nexopia;
- Friend — an individual registered with Nexopia who is part of another user’s social network;
- User profile — a profile containing the personal information of a user: e.g. age, gender, location, real name, email address, interests, etc. which can be edited by the user and searched by others; and
- “Core” profile information — personal information that is required at registration by the website. The information is the minimum visible to other Nexopia users and visitors in a user profile: username; gender; age and location.
Section 1
Disclosure of user profiles to the public and default privacy settings
Allegations
- The complainants expressed concerns about how easily Nexopia users’ personal information could be accessed by the public at large via (i) external search engines and, (ii) the website’s own embedded search engine.
- Specifically, they alleged that Nexopia had no system in place to block public searches of the profiles of its youth users (when compared to another popular social networking site), and that Nexopia did not give users the option to hide their profiles from the general public.
- They alleged that the site required certain pieces of personal information to be disclosed to the public and that even when a user restricted their privacy settings to the most privacy-protective option, this personal information would always be disclosed to the general public in a search.
- PIAC also claimed that the website’s default privacy setting of “visible to all” (the widest setting possible) for users’ personal information exceeded the reasonable expectations of Nexopia members and was in contravention of the Act.
- They argued that the default setting of “visible to friends” would be more appropriate and more privacy protective of the youth who use the website.
- PIAC asserted that Nexopia was not providing adequate notification of the “visible to all” default privacy setting and failed to make it clear to users that profile information and personal information posted on Nexopia was accessible to the general public, unless a user changed his or her settings.
- They submitted that it was difficult for users to change their visibility and privacy settings, as these settings did not exist in a single place. If users wished to edit their settings to be more privacy protective, they were required to edit the settings under several different profile editing panels or had to access multiple tabs under the Preferences function. The complainants believed that a centralized page for users to view and modify their privacy settings, in addition to the current ability to change settings at a granular level, was preferable.
- Overall, PIAC claimed that a reasonable person would not consider Nexopia’s practices appropriate with respect to youth.
Summary of Investigation
External search engines display personal information from Nexopia.com
- Our testing confirmed that external search engines can be used to obtain direct access to users’ information posted on Nexopia.com. We were able to access the full content of many of the user profiles obtained from these searches.
- We conducted searches using three well-known search engines. Simple search criteria were adopted in each case, e.g. site:nexopia.com Ottawa female lonely.
- By way of illustration, one search using the above criteria yielded 114 results. The results allowed us direct access to users’ profiles, photo galleries, blogs, comments and “shouts”. We were not required to log in or enter the website in order to access the users’ profiles. When we selected individuals from these users’ friends lists, we were able, in many instances, to access the content of their friends’ user profiles as well.
Visitors to Nexopia.com can also access user personal information
- We observed that visitors to the website (i.e., individuals with Internet access who are not registered as a Nexopia user but are on the site) can also search and access user profiles in more than one way.
- For example, from the “Users” tab on the website’s home page, a visitor can use Nexopia’s embedded search engine to search by certain limited criteria: male or female; age; online users and whether a user may be a person that you know (friends of friends are displayed first).
- As well, by selecting the “More Options” link, the visitor can search user profiles with more refined and revealing criteria: location; school; sexuality; interests; new users; profiles with pictures; recently active users; birthday and single users.
- One search can generate many corresponding user profiles. Selecting the “view all” option reveals a summary of the first twelve. Depending on the number of profiles identified in a search, visitors can then look at additional pages of profile summaries. Up to 999 profiles can be generated and displayed in a single search.
- When a visitor clicks on the username of a profile, the entire profile is visible, unless that user has selected restrictive privacy settings.
- For example, during one search conducted using Nexopia’s search engine, we were presented with the user profile of a teenage male. His user profile revealed his unique username; age; gender; a profile picture (with a link to others); comments about drug use, height, weight, date of birth; sexual orientation; dating status; living situation; his location (city and province); the date he joined Nexopia; when his profile was last updated; when he was last active on the site; his favourite movies, animals, celebrities, music and activities; what musical instrument he plays; what outdoor activities he likes; free-format comments added to his profile; and links to his friends’ profiles.
- Our testing revealed user profiles that contained foul language and sexual references. Other user profiles revealed details about users: comments about drug and alcohol use, references to loneliness and depression, and other information that we deem to be of a very sensitive nature.
How Nexopia notifies users of the accessibility of their personal information
- Nexopia argues that its Privacy Policy is explicit in stating that personal information provided by users, and collected by the website, is accessible not only to other users, but also to members of the general public. In “Collection and Use of Personal Information by Nexopia.com”, the Policy states:
When you register with and use Nexopia.com, you create your own profile and privacy settings and the information you submit/post, such as personal information, comments, messages, photos, etc., may be shared with other members and visitors in accordance with the privacy settings you select. Therefore, it is important that you understand what information is displayed to the public. Except as described in this Privacy Policy, any information included in your Profile or posted to blogs, forums and classifieds is accessible to the general public and not just registered members.
- In the same section, Nexopia explains that the site allows embedded searches by real name, usernames and email addresses. It states that the default setting allows searches by usernames and email addresses, but this option can be disabled through the user’s preferences. The Privacy Policy adds that if the setting allows the username and email address to be searchable, the individual performing the search will have access to the user’s profile.
- The “Blogs, Forums, Message Boards and Classifieds” section of the Privacy Policy also states that,
When you voluntarily post comments, including your personally identifiable information to blogs, forums, classifieds or any other public forums, the information can be accessed by the public.
- Nexopia also has a Safety Page, which provides advice for users of online communities. In one section it states the following:
Don’t ever post personal information on your profile or in areas visible to the general public and strangers. Profiles are publicly visible, so don’t include your last name, phone numbers, addresses, or anything else that can lead someone to you. Comments are also visible to the public and are not the place to share any personal information – use private messages instead.
Visibility of “core” profile information and profile pictures
- Users may adjust their personal privacy settings to reduce the visibility of their personal information. Our testing revealed that if the privacy settings for a user’s profile are set to “visible to all”, a visitor can view the entire contents of the user profile.
- Nexopia could not explain the initial rationale for the “visible to all” default setting for users’ personal information. It stated that the approach has been consistent since the website’s founding in 2003. At the time, all social networks were open in this manner and it has remained an open network to this day.
- We observed that even when a user sets privacy preferences for each block of information in their user profile to the most restrictive setting, i.e. “not visible”, certain “core” profile information (username; age; gender and location) remains visible to other users and visitors.
- The exception to this is where a user selects the “Hide profile from non-logged in users” function (the “hide profile function”) from the privacy preferences section of the website. The hide profile function blocks a user profile from visitors in its entirety. “Core” profile information however, is always visible to registered Nexopia users when they are logged in, regardless of whether the hide profile function is activated.
- During our investigation, we found that users’ profile pictures are visible to others, in the same manner as “core” profile information.
- Users are allowed to insert up to 8 official “profile pictures” in their user profile (12 if they subscribe to the “Plus” service). It is not mandatory for a user to include a profile picture in their profile. However, users wishing to take advantage of the facility and add profile pictures must adhere to certain Nexopia guidelines, in order for their pictures to be accepted.
- All profile pictures are moderated by Nexopia against the guidelines and the website’s Terms of Use. They must be recognizable pictures of the user. Profile pictures containing personal information such as school identity, driver’s licences, full names, addresses and telephone numbers are not acceptable. Pictures of celebrities, landscapes, pets, or groups of individuals are only acceptable if the user is included in the picture, is clearly identifiable and the picture has not been computer edited.
- Once added, a user can remove a profile picture from their profile at any time, without difficulty.
- Nexopia argued that requiring profile pictures to be of real people encourages greater security on its site, e.g. it is more difficult for users to act in an inappropriate and abusive manner, in breach of their Terms of Use, if they are identifiable to other users.
- We reviewed Nexopia’s Privacy Policy. While it advises users of the continued visibility of certain “core” personal information, it makes no mention of the similar treatment of users’ profile pictures:
You may change or remove any of your Profile Data at any time by logging into your account and clicking on the “Profile” and “Preferences” tabs in the top menu, except for your username, age, sex and location which are all publicly visible to all members and visitors (non-members).
Nexopia’s privacy options and default settings for information blocks
- Nexopia offers four privacy settings to its registered users: 1) “visible to all” (visible to the Internet); 2) “visible to logged-in users” (visible to any registered users who are logged in to the website); 3) “visible to friends” (visible only to the user’s designated friends); and 4) “not visible” (visible only to the user).
- The four privacy settings, generally set at the “block” level, affect entire sets of information at a time. The three principal blocks of information in a user profile are Basics, Contact and Interests.
- In addition to being able to set privacy settings at the block level, Nexopia allows users to establish more refined control over the visibility of certain individual items of personal information contained within a single block.
- The default privacy setting for the Basics block is “visible to all”.
- Users posting information into the Basics block can choose to input their real names, height, weight, sexual orientation, dating status, living situation, location and school. The name fields are left blank by default. The website allows users the ability to hide some information: first and last names; school; birthday; the date the user joined the site; the date the user last updated his or her profile, and the date the user was last active on the site.
- For the Contact block, the original default privacy setting was “visible to all”. During the course of our investigation, Nexopia changed this setting to the more restrictive “visible to friends” because it felt that the latter was more appropriate.
- The Contact block allows users to post up to 26 user identifiers for instant messaging programs, social networking websites, sites featuring media content, personal blog and gaming sites. Users are not able to override the overall block privacy setting in favour of customized privacy protection for specific items.
- The default privacy setting for the Interests block is “visible to all”.
- In the Interests block, users build their profile by choosing from a variety of interests listed under 14 different categories. For example, under “Art”, users may choose drawing, graphic design, painting, pottery, etc. As with the Contact block, the Interests block does not allow users to override the overall block setting in favour of customized privacy protection for specific items.
- Privacy settings can also be selected by users when they post other personal information to their user profiles, including their friends’ list, tag lines, picture galleries and freeform content. In each case the default setting is set to “visible to all”.
- During the course of our investigation, we noted that a user could establish privacy settings for their friends list. However, unlike its description of the other forms of personal information stated above, Nexopia does not indicate that establishing privacy settings for a friends list is possible within its Help function, Frequently Asked Questions, or its User Profile user guide. We brought this matter to Nexopia’s attention and they agreed to make appropriate changes to address the issue.
Changing privacy settings
- At any time, a user may adjust the default privacy settings and choose their own settings (in Nexopia’s terminology, their “privacy preferences”).
- Nexopia provides guidance on how to amend the privacy settings in its user guide, Using Your Profile, and in the website’s Frequently Asked Questions.
- A user can change their privacy preferences in two ways: from their user profile itself, by using the profile editing function to edit and remove information from within the various blocks; or by using the Preferences tab visible at the top of each page of the website.
- During our investigation, we tested both methods to amend the privacy settings of the user profiles we created for our test accounts.
- From the Preferences tab, there are a large number of controls to manage privacy and these are found under the following tabs: General, My Pages and Accounts. We noted that some privacy controls are only available to users who subscribe to “Plus”, a special paid service.
- For all of the privacy controls within the Preferences function, the default settings were set by Nexopia to the widest visibility possible.
- Under the General tab, users can control publishing content to public pages of the site, only accept messages from friends, ignore messages from individuals outside a designated age range and control the parameters used when browsing the user search facility.
- Under the My Pages tab, individuals can hide their user profile from ignored users, set the visibility of blog posts, control shout replies, choose who can comment in a user’s profile comment section, and be notified when someone adds or removes them as a friend.
- Also located under the My Pages tab is the hide profile function, which provides a “master override” option that blocks a user profile from visitors, in its entirety, regardless of the individual privacy settings established by the user at the block level.
- If the hide profile function is activated, any visitor or non-user trying to search for the user profile is immediately directed to Nexopia’s registration page and is required to log into the website.
- If the hide profile function is deactivated, the visibility of the user’s profile is subject to the individual privacy settings the user established for each information block within their profile. The “core” profile information becomes accessible again to users and visitors alike.
- The default for the hide profile function is for it to be deactivated, so that user profiles can be found and viewed by visitors.
- Under the Accounts tab, users can allow others to search them by either their real name or their email address.
- Forum postings are visible to everyone and cannot be deleted.
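The visibility rules described in this section (four block-level settings, “core” fields that remain visible to logged-in users whatever the block settings, and the hide profile function acting as a master override for visitors) can be modelled as a small access-control decision. The following Python is an added illustration written for this report page; it is not Nexopia’s code and its field names, block contents and sample profile are constructed for the example. It also quantifies, for a profile left at the defaults, how much less a visitor would see under a “visible to friends” default, which is the comparison the complainants raise.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Visibility(IntEnum):
    """The four block-level settings the report describes, most to least restrictive."""
    NOT_VISIBLE = 0   # visible only to the user themselves
    FRIENDS = 1       # visible only to the user's designated friends
    LOGGED_IN = 2     # visible to any registered user who is logged in
    ALL = 3           # visible to the Internet, including non-registered visitors


class Viewer(IntEnum):
    """Who is looking at the profile; higher values are more trusted."""
    VISITOR = 0       # not registered, or not logged in
    LOGGED_IN = 1     # registered and logged in, but not a friend
    FRIEND = 2        # on the profile owner's friends list
    SELF = 3          # the profile owner


# "Core" information: per the report, always shown to logged-in users, and shown
# to visitors too unless the hide-profile override is switched on.
CORE_FIELDS = frozenset({"username", "age", "gender", "location"})

# Block defaults as the report records them (Contact was tightened during the investigation).
DEFAULT_SETTINGS = {
    "basics": Visibility.ALL,
    "contact": Visibility.FRIENDS,
    "interests": Visibility.ALL,
}


@dataclass
class Profile:
    blocks: dict                                    # block name -> {field: value}
    settings: dict = field(default_factory=lambda: dict(DEFAULT_SETTINGS))
    hide_from_visitors: bool = False                # the "master override" under My Pages


def _level_allows(level: Visibility, viewer: Viewer) -> bool:
    """Translate a block setting into the minimum viewer trust it requires."""
    required = {
        Visibility.ALL: Viewer.VISITOR,
        Visibility.LOGGED_IN: Viewer.LOGGED_IN,
        Visibility.FRIENDS: Viewer.FRIEND,
        Visibility.NOT_VISIBLE: Viewer.SELF,
    }[level]
    return viewer >= required


def visible_fields(profile: Profile, viewer: Viewer) -> frozenset:
    """Fields a viewer can read; the override is evaluated before any block setting."""
    if viewer == Viewer.VISITOR and profile.hide_from_visitors:
        return frozenset()             # visitor is sent to the registration page instead
    shown = set(CORE_FIELDS)           # core fields bypass every block-level setting
    for block, fields in profile.blocks.items():
        level = profile.settings.get(block, Visibility.ALL)
        if _level_allows(level, viewer):
            shown.update(fields)
    return frozenset(shown)


def exposure_under_defaults(profile: Profile, new_default: Visibility) -> dict:
    """Compare what a visitor sees now with what they would see if every block
    defaulted to `new_default` (a hypothetical policy), keeping the override as-is."""
    current = visible_fields(profile, Viewer.VISITOR)
    alt = Profile(profile.blocks,
                  {b: new_default for b in profile.blocks},
                  profile.hide_from_visitors)
    proposed = visible_fields(alt, Viewer.VISITOR)
    return {"current": len(current), "proposed": len(proposed),
            "removed_from_public": sorted(current - proposed)}


# Constructed sample (not real data): a youth user who never changed the defaults.
SAMPLE = Profile(blocks={
    "basics": {"username": "sample_user", "age": 15, "gender": "m", "location": "Edmonton",
               "school": "Sample High", "dating_status": "single",
               "living_situation": "with parents"},
    "contact": {"msn": "sample@example.invalid", "xbox_live": "sample_tag"},
    "interests": {"art": "drawing", "music": "punk"},
})

if __name__ == "__main__":
    for who in Viewer:
        print(f"{who.name:10}: {sorted(visible_fields(SAMPLE, who))}")
    print(exposure_under_defaults(SAMPLE, Visibility.FRIENDS))
```

Two design points are visible in the decision order. First, the override is checked before the block settings, so a hidden profile shows a visitor nothing at all, while a profile with every block set to “not visible” still exposes the four core fields to visitors. Second, because the report records that under 1% of users change the Basics or Interests defaults, the `exposure_under_defaults` figure for an untouched profile is effectively the exposure of the user population, which is why the choice of default, not the availability of stricter settings, determines the real-world outcome.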
Notification of default privacy settings
- Nexopia did not respond to the complainants’ allegation that the website fails to adequately notify users of the default settings, what the different settings mean, the purposes for the settings and their impact on users.
- When editing a profile, there is no explanation to users what each setting means, the reason for the selection of the “visible to all” setting, or what the implications or risks are to a user who wishes to choose a different setting. No notification is given either before a selection is considered, or through a confirmation message, once a block of information has been completed.
- We asked Nexopia if it has ever used pop-ups, click-through agreements, or help icons to explain the default privacy settings on the website. Nexopia responded that it had never used any of these techniques to explain their privacy settings, or any other privacy issues.
- We reviewed the site’s Preferences function, Help pages and Frequently Asked Questions and could find no content notifying users about the default settings.
- The Privacy Policy explains that certain personal information is accessible to the general public. In the section “Collection and Use of Personal Information by Nexopia.com”, it states that certain personal information is always visible to users and visitors:
You may change or remove any of your Profile Data at any time by logging into your account and clicking on the “Profile” and “Preferences” tabs in the top menu, except for your username, age, sex and location which are all publicly visible to all members and visitors (non-members). You may restrict your Profile from being viewed by visitors (non-members) and those users placed on your “ignore list”. In addition, you may choose to hide your birth date. However, this information is still used to calculate your age.
- The Privacy Policy provides some detail about the visibility of users’ personal information on the site. The site’s default privacy settings are displayed to the user through drop-down lists. However, the Policy does not provide a clear description of the default settings, describe the implications of choosing a particular setting, or of selecting an alternative default.
Nexopia user trends in privacy settings
- Based on our analysis of statistics that Nexopia provided during our investigation, it appears that a very small percentage of users change the default privacy settings for the Basics, Contact and Interests blocks.
- For example, of the approximately 1,666,000 registered users of the site on November 5, 2010, less than 1% had changed the “visible to all” default privacy setting for either the Basics or Interests blocks to a more restrictive setting. On the other hand, for the Contact block, which has the more restrictive default setting of “visible to friends”, approximately 5% of users eased this restriction (so as to include wider visibility) by widening their setting to either “visible to logged-in users” or “visible to all”.
- Among the 333,000 registered youth users (i.e., those who self-identified as being 13 to 18 years of age), slightly more than 1% changed the “visible to all” default privacy setting to a more restrictive setting for the Basics block, while 0.5% chose a more restrictive setting for the Interests block. For the Contact block, slightly more than 5% of youth chose a less restrictive privacy setting than the default of “visible to friends”.
- Nexopia qualified the accuracy of the information they provided, as some youth self-certify at an age above their true age; e.g. the 19-22 or 40-60 age groups. These individuals are not accounted for in the above statistics.
- Nexopia does not regularly monitor the number of users who change their privacy preferences from the default privacy settings.
Nexopia’s views on the visibility of user profiles and its privacy settings
- The company contends that because the website has been in operation since 2003, it is well aware of its users’ reasonable expectations regarding both the visibility of their personal information and their privacy preferences.
- The company claims that its website is an open network which competes in the same market as other community-driven sites open to public viewing.
- Nexopia believes that Facebook is not a comparable social networking site. It argues that information on Facebook is shared with “friends”. Nexopia claims that while about 90% of its own users are Facebook users, the websites serve two very different purposes: “Facebook is where they communicate and share with their real life friends and … (Nexopia)… is where they communicate with their online friends and “show off” to the world.”
User Profiles
- Nexopia contends that as most people join its site to obtain a public space on the Internet, the ability of visitors to be able to freely search and access user profiles is an important element of its vision of an open community.
- Nexopia also asserts that the practice of promoting users, their content and profiles is a very common practice on all “open” networks.
- Based on its experience, Nexopia claims that barriers to prevent non-members and adults from accessing the information of youth or adults on social networking sites provide a false sense of security. Youth who believe the claims that a particular website is “closed and safer” may actually reveal more about their identities and may share more personal information with others.
- Furthermore, the company asserts that it has always provided users with the option to prevent external visitors from viewing their profiles. Users can choose to protect their user profile from other registered Nexopia users by placing these other users on an “ignore” list. In addition, two core items—age and user location—can be changed by modifying a section of the user profile.
- For their part, the complainants referred to Nexopia’s Terms of Use, where, in the section entitled “Membership and Eligibility”, the company defines itself as follows:
Nexopia.com is a social networking service that allows those individuals who register to become members to receive the Nexopia Services (the “Members”) and to create unique personal profiles online in order to find and communicate with friends.
- The complainants argue that the above purpose does not require Nexopia to disclose and publish entire user profiles to the general public.
Privacy Settings
- Nexopia notes that open community sites generally have larger populations of youth users and less restrictive default settings. It holds the view that the reasonable expectations of a young person using the website are very different from those of an adult. More restrictive default settings for the site would actually fail to meet the expectations of youth users.
- Nexopia believes that the default privacy setting of “visible to all” is the most appropriate within the context of an open community site. Once again, Nexopia pointed out that it is easy for a user to change the default, if they want a stricter setting for a particular piece of content.
- On a final point, Nexopia expressed the view that it would be difficult to make large-scale changes to its philosophy. By setting more restrictive default privacy settings and reducing the visibility of user profiles, the Nexopia community and the company’s product position in the marketplace would be decimated.
Application
- In analyzing the facts, we applied subsection 5(3) and Principles 4.3.2 and 4.3.5 from Schedule 1 of the Act.
- Subsection 5(3) allows an organization to collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.
- Principle 4.3.2, noting that Principle 4.3 requires “knowledge and consent”, states that organizations shall make a reasonable effort to ensure that an individual is advised of the purposes for which the information will be used. To make consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
- Principle 4.3.5 states in part that, in obtaining consent, the reasonable expectations of the individual are also relevant. It also requires that consent is not obtained through deception.
Findings
February 29, 2012
- Nexopia describes itself as being closely aligned with other “open community” or “open forum” networking sites on the Internet. It asserts that the principal purpose of “open community” sites is to create a platform for individuals to “show off to the world”, by allowing them to post their poetry, music, photographs and other creative endeavours, and to participate in blogs and forums.
- For this type of “open community” website, Nexopia argues that there is an expectation on the part of users that the information they post will be accessible and visible to the general public. Nexopia informs visitors of this fact in its Privacy Policy.
- Nexopia further argues that it understands its users’ true preferences and reasonable expectations with regard to optimal privacy settings. It has stated that the default privacy setting of “visible to all” is within the reasonable expectations of its users.
- We acknowledge that users who participate in “open community” websites may expect to share some of their personal information with the world-at-large. However, this sharing is dependent on users being fully informed about, and understanding the nature of, the open community which they have joined and a recognition that users may wish to change what and how much they share at any one time.
- A predominant feature that distinguishes Nexopia from other “open community” sites, however, is its focus on youth users who may not be aware of the differences between an open community site and one which is geared towards the sharing of personal information with friends and other members.
- Individuals who wish to join Nexopia are prompted to read and agree with Nexopia’s Terms of Use. The Terms of Use state that Nexopia.com is a:
“…social networking service that allows those individuals who register to become members to receive the Nexopia Services (the “Members”) and to create unique personal profiles online in order to find and communicate with friends. If you wish to become a Member, communicate with other Members and make use of the Nexopia Services, you must read these Terms and communicate your acceptance of these Terms…”
- In our view, these Terms do not clearly indicate that Nexopia is an “open community” such that individuals who join Nexopia would expect to be sharing personal information with anyone on the Internet. Rather, the Terms talk about communicating with “friends” or “other members” of Nexopia. Given this, it is difficult to conclude that Nexopia is meeting its users’ expectations by recommending default privacy settings that promote users’ sharing of personal information to the general public.
- Our Office has previously found that pre-selecting users’ privacy settings may be appropriate, provided such settings are reasonable and users are properly informed of the implications of choosing one setting over another. In the circumstances of this complaint, we note that what is considered reasonable must be viewed in the context of a social networking site that is oriented towards youth users.
- While online networking services can provide a good opportunity for youth users to engage socially, placing one’s personal information on a social networking site has many implications from a privacy perspective. Frequent media reports have demonstrated how individuals’ personal information posted online for purposes of sharing with friends and family has been used for a number of secondary purposes – from marketing, to college recruitment, employment decisions, civil litigation and on the more nefarious end, identity theft, cyber-bullying and stalking. We have seen how what an individual posts online can impact their reputation, their job and in some cases, their personal safety.
- We believe these issues are particularly significant in the youth context, where online communications are increasingly becoming an essential part of young peoples’ social world. Yet some youth can lack the knowledge and life experience to be able to effectively evaluate and manage the privacy risks associated with revealing personal information in an online environment.
- Research indicates a number of factors affecting youths’ online privacy behaviours. From a developmental perspective, youth users are motivated to disclose personal information to express themselves, present a positive self-image and connect with real world friends (Footnote 3). In this context, young people often reveal sensitive personal information online to achieve these ends. Personal information may also be disclosed to register for online services and to obtain benefits (e.g. prizes, game points and quizzes), or simply because a site has an entry field for the information (Footnote 4).
- At the same time, due to the technology and design of some social networking sites, young people tend to perceive their online activities to be private in nature (Footnote 5).
- All too often on social networking sites, users’ personal information is public by default and individuals have to make a concerted effort to make it private again. Yet many youth are not fully cognizant of the open and permanent nature of posting information online, or the extent to which their personal information can potentially be viewed, shared and used at a later point in time to embarrass or harm them.
- To the extent that young people do understand the privacy risks, they may not know how to mitigate those risks. For example, young people do not always understand the implications of privacy settings and how to use them, particularly when they are presented in various parts of a website and under confusing names.
- Accordingly, online youth privacy issues have been recognized as a priority concern both nationally and internationally. This is evidenced by concerns expressed by Canada’s privacy commissioners and ombudspersons (Footnote 6), and international data protection agencies, to work towards ensuring that young people have access to a safe online environment which is respectful of their privacy.
- In expressing our concerns about online youth privacy, we are aware of the work being undertaken in the European Union towards the adoption of Safer Social Networking Principles (the “SSN Principles”) (Footnote 7). A collaborative project between the providers of Social Networking Services, the European Commission (the “Commission”), non-government organizations and other interested stakeholders, the SSN Principles offer providers a self-regulatory approach that seeks to balance the benefits of the Internet while managing the potential risks to children and young people online.
- The seven SSN Principles form part of the Commission’s larger Safer Internet Plus Programme. Of these Principles, Principle 3 – “Empower users through tools and technology” – is of particular interest to our investigation, as it seeks to “minimize the risk of unwanted or inappropriate contact between children, young people and adults” (Footnote 8).
- Some of the measures mentioned in SSN Principle 3 include:
- ensuring that the private profiles of users that are registered under the age of 18 are not searchable;
- setting the default for full user profiles, or the user’s approved contact list, to “private” for those under 18, and;
- setting a user profile to “private” so that a user profile cannot be viewed, or the user contacted, except by “friends”, although users may choose to later change their settings to public, or an equivalent setting.
- The movement towards safer social networking for youth must also be considered in the wider context of younger and younger individuals joining such social networking sites and their tendency to post personal information on publicly accessible profiles.
- In April 2011, the EUKidsOnline network published the results of a survey that questioned 25,000 young people throughout Europe about their use of social networking sites (SNS) (Footnote 9).
- The survey examined the self-assessed ability to use privacy settings. For those aged 11 to 12, just over half knew how to change their privacy settings. This increased to over three-quarters of those aged 15 to 16. The ability to manage privacy settings varied according to the sites examined. As a substantial minority of young users do not appear to be able to handle privacy settings, it is possible that those whose profiles are set to public (or “visible to all” on Nexopia) have not done so deliberately (Footnote 10).
- Of particular concern, the survey identified that young people are more likely to post personal information when their user profiles are public rather than private. It quoted a worrying result: one fifth of those surveyed whose user profiles are public posted their address and telephone number. This is twice the number of those whose profiles were private (Footnote 11).
- Given the special circumstances surrounding youth users and privacy, we have difficulty concluding that a reasonable person would consider it appropriate for Nexopia to pre-select settings for its users that push users towards disclosing their personal information, in some cases very sensitive personal information, for potentially everyone on the Internet to see. Therefore, in the circumstances, we find Nexopia’s purposes for pre-selecting users’ privacy settings to “visible to all” to be inappropriate and in contravention of subsection 5(3) of the Act.
- Our investigation also revealed that Nexopia does not adequately notify its users of default privacy settings, or explain the differences between various settings, their purposes and impact on users. The site’s Preferences function, Help pages and Frequently Asked Questions do not provide users with any information about the default privacy settings. Our review of Nexopia’s Privacy Policy showed that it does not provide a description of the default settings, describe the implications of choosing a particular setting, or of selecting an alternative default.
- Thus, in our view, Nexopia cannot be said to be making a reasonable effort to inform users of how their information is shared according to the various settings, as required by Principle 4.3.2 of Schedule 1 of the Act.
- Regarding the privacy controls Nexopia does have in place, we find that more could be done to inform users about the available privacy settings and privacy preferences, to ensure that users can make informed decisions about how they can control access to their personal information. We believe that it should be up to the individual user to actively decide whether or not to make his or her personal information more widely available on the Internet.
- Nexopia users should be expected to opt-in to the “visible to all” setting, having full regard for what this setting means and the implications of choosing this setting over more restrictive ones. More restrictive default settings, coupled with increased information available to users in a format that is appropriate to youth, would strike an appropriate balance between ensuring young people can enjoy the benefits of social networking, while protecting their privacy. It would also be more consistent with the provisions of Principle 4.3.2.
- On a positive note, we commend Nexopia for changing the default privacy setting of the Contact block from “visible to all” to “visible to friends”. The current possibility of Nexopia users customizing their privacy controls over specific information contained in their user profiles (e.g., affecting tag lines, picture galleries and freeform content) is an option that we strongly endorse. In fact, Nexopia should allow more privacy control customization over other types of personal information that individuals may only want to share with a limited audience. In our view, users would reasonably expect to have more control over the amount and type of information they choose to make available to the public.
- Our investigation revealed that, even when users opt for the most restrictive privacy settings in their user profile, such as “visible to friends” and “not visible”, their “core” profile information and profile pictures remain accessible to visitors via external search engines and the Nexopia search engine, unless an individual activates the hide profile function. We note that the hide profile function is not activated by default and is not readily apparent, or fully explained, to users.
- We do not consider making portions of a user’s profile available to anyone on the Internet to be consistent with users’ reasonable expectations, particularly when a user has clearly indicated his or her preference to share information on a more limited basis. In this respect, we do not find that Nexopia is meeting users’ expectations, as envisaged by Principle 4.3.5, by promoting broad disclosures of “core” profile information and profile pictures outside the Nexopia community and by generally not providing users with the opportunity to actively decide what information is made available to the general public.
- Finally, our sampling of the e-mail addresses of 100 new Nexopia users revealed that a substantial proportion of e-mail addresses contained complete, or portions of, users’ real names or user names, contrary to assertions made by Nexopia. The current default setting that allows searches of users by visitors, through e-mail addresses, is in contrast to the privacy setting adopted by Nexopia of “visible to friends” for such addresses and ID log-ins in the Contact block (Footnote 12). We believe that this apparent contrast in positions will be resolved with the adoption of the recommendations made in this Section on the searchability of user profiles and default privacy settings.
Recommendations and Response
Recommendations
- In our preliminary report of investigation, we recommended that Nexopia:
Recommendation 1
Change its default privacy settings to ensure that the website’s default privacy setting for all new users upon registration is set to “visible to friends”.
Recommendation 2
Inform existing users of their privacy setting options (linked to relevant information on the website), which requires them to opt-in to renew the setting they currently have, or choose an alternative setting.
Recommendation 3
Ensure that users who have their privacy settings set to “visible to friends” or “not visible” are not searchable through external search engines, or through Nexopia’s embedded search engine.
Recommendation 4
Ensure that users who have their privacy settings set to “visible to logged-in users” are not searchable through external search engines and are only searchable through Nexopia’s embedded search engine by other registered Nexopia users logged-in to the site.
Recommendation 5
Ensure that users are granted control, via privacy settings, over all categories of their personal information including “core” profile information and profile pictures, i.e. at the level of specific information items rather than just at the block level. This control should be afforded to both new and existing users.
Recommendation 6
Explain, using language and means appropriate to its core users, the available privacy settings and the implications of choosing each setting.
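The visibility and search rules behind Recommendations 1, 3, 4 and 5, worked through as an added reference model; this is illustrative code written for this page, not Nexopia’s implementation. The block names, field layout, viewer model and sample profiles are constructed assumptions, and the “strictest setting across blocks” reading of Recommendations 3 and 4 is a conservative interpretation chosen here.

```python
"""Reference model of the profile-visibility rules discussed in the report.

Encodes the four settings named in the findings, the block-level controls,
the "hide profile" master override and the search rules in Recommendations
1, 3 and 4, so that what an anonymous visitor (or an external search-engine
crawler) can read under the old defaults can be compared with the
recommended ones. Field names, viewer model and profiles are constructed.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Visibility(IntEnum):
    """Settings ordered from most to least restrictive."""
    NOT_VISIBLE = 0
    FRIENDS = 1
    LOGGED_IN = 2
    ALL = 3


class Viewer(IntEnum):
    """Who is looking. A search-engine crawler is just an anonymous visitor."""
    ANONYMOUS = 0
    LOGGED_IN = 1   # registered member who is not a friend of the owner
    FRIEND = 2


# Defaults the report found in place: Basics and Interests "visible to all",
# Contacts already changed to "visible to friends".
OLD_DEFAULTS = {"basics": Visibility.ALL,
                "interests": Visibility.ALL,
                "contacts": Visibility.FRIENDS}
# Recommendation 1: every block defaults to "visible to friends".
RECOMMENDED_DEFAULTS = {name: Visibility.FRIENDS for name in OLD_DEFAULTS}

# Constructed field layout (assumption): items per block, plus the "core"
# items the report says every profile displays.
BLOCK_FIELDS = {"basics": ("height", "weight", "sexuality"),
                "interests": ("music", "hobbies"),
                "contacts": ("email", "im_handle")}
CORE_FIELDS = ("username", "age", "location", "profile_picture")


@dataclass
class Profile:
    username: str
    blocks: dict                 # block name -> Visibility
    hide_profile: bool = False   # the "hide profile" master override
    fields: dict = field(default_factory=lambda: dict(BLOCK_FIELDS))


def new_user(username, defaults, hide_profile):
    """Create a profile the way registration would, with the given defaults."""
    return Profile(username, dict(defaults), hide_profile)


def block_visible(setting, viewer):
    """Can this viewer read a block carrying this setting?"""
    if setting is Visibility.NOT_VISIBLE:
        return False
    if setting is Visibility.ALL:
        return True
    if setting is Visibility.LOGGED_IN:
        return viewer >= Viewer.LOGGED_IN
    return viewer is Viewer.FRIEND          # Visibility.FRIENDS


def effective_visibility(profile):
    """Strictest setting across blocks: a conservative reading of 'users who
    have their privacy settings set to ...' in Recommendations 3 and 4."""
    return min(profile.blocks.values())


def searchable_by(profile, viewer, recommended_rules=True):
    """Recommendations 3 and 4: search (embedded or external) must not surface
    a profile to a viewer who could not read it. hide_profile keeps it out of
    visitor-side and external search in both modes. recommended_rules=False
    reproduces the behaviour found: any other viewer could find the profile."""
    if viewer is Viewer.ANONYMOUS and profile.hide_profile:
        return False
    if not recommended_rules:
        return True
    return block_visible(effective_visibility(profile), viewer)


def exposed_fields(profile, viewer, recommended_rules=True):
    """Field names this viewer can read. With recommended_rules=False the
    core items stay readable by visitors whenever hide_profile is off, whatever
    the block settings (the gap the report describes). With True they follow
    the user's strictest setting, as Recommendation 5 asks."""
    shown = {f for name, vis in profile.blocks.items()
             if block_visible(vis, viewer) for f in profile.fields[name]}
    if recommended_rules:
        core_ok = block_visible(effective_visibility(profile), viewer)
    else:
        core_ok = not profile.hide_profile or viewer >= Viewer.LOGGED_IN
    if core_ok:
        shown.update(CORE_FIELDS)
    return frozenset(shown)


def visitor_exposure_report(profile, recommended_rules=True):
    """What an anonymous visitor or crawler gets: the figure a defender audits."""
    return {"searchable": searchable_by(profile, Viewer.ANONYMOUS, recommended_rules),
            "fields": sorted(exposed_fields(profile, Viewer.ANONYMOUS, recommended_rules))}
```

Running `visitor_exposure_report(new_user("u", OLD_DEFAULTS, False), recommended_rules=False)` shows a searchable profile exposing nine items to an anonymous visitor, while the same user created under `RECOMMENDED_DEFAULTS` with `hide_profile=True` exposes nothing and is not searchable.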
Response
- Nexopia agreed to comply with Recommendation 1, by adopting the standard default privacy setting of “visible to friends” for all new users upon registration. It will complete the change by June 30, 2012.
- In response to Recommendation 2, Nexopia explained that it does not have the ability to issue customized messages to existing users based on their individual privacy settings.
- However, Nexopia agreed to issue a community-wide update on its privacy settings and preferences to all existing users. It confirmed that on opening the update, users will be directed to a thorough overview of the privacy settings and preferences and the options available to them. They will then be taken to the appropriate section of the website to review their own settings and edit their profile. We asked Nexopia to ensure that any such solution is comprehensive and addresses the situation where an existing user chooses to ignore the update. Nexopia agreed to comply with Recommendation 2, by September 30, 2012.
- With regard to Recommendation 3, Nexopia agreed to change the default setting of its hide profile function for new accounts, so that visitors are not able to search user profiles, unless users themselves choose to deactivate this “master override” function. It also agreed to make the function more prominent and visible and provide users with clear information as to how the function works.
- Nexopia stated that it would be challenging to comply with Recommendation 3, by setting the same hide profile function default for existing accounts, based on users’ profile default settings. Some users make certain blocks of information public and hide others. Other profiles are deliberately set up as public pages.
- We suggested that the organization consider adopting the same approach for the “hide profile” function as it has committed to doing for its privacy settings and preferences, i.e. a community-wide update directing existing users to a thorough overview of the function, how it works, the implications of choosing either option and asking them to confirm their selected setting. We asked that Nexopia ensure that the proposal adopted requires existing users to give active consent for their profiles to be accessible to the public. Nexopia stated that it would comply with the recommendation by September 30, 2012.
- Nexopia also agreed to comply with Recommendation 4 by September 20, 2012. It argued that the privacy setting “visible to logged in users” can only be selected for certain areas of a user profile. It proposed a solution where if the setting was selected for certain blocks on a user profile, the hide profile function could be triggered.
- With respect to Recommendation 5, Nexopia asserted that the website’s architecture makes “core” profile information and profile pictures a component of every profile for visual and navigational consistency. Allowing granular privacy controls over this information would require considerable development resources and was an investment that the company was not prepared to make at this time.
- However, given Nexopia’s commitments to activate the hide profile function by default for new users, make the hide profile function more visible and provide users with clear information as to how the hide profile function works, and given that users can choose not to include any profile pictures, we are satisfied that users will be better able to control whether their personal information (including “core” personal information and profile pictures) is made widely available to anyone on the Internet. Accordingly, our concerns relating to Recommendation 5 have been substantially resolved.
- We would strongly encourage Nexopia to continue to review its practices regarding profile pictures, and consider granting users more granular control over this material, should users opt to post a profile picture.
- Nexopia agreed to add a page to its Help section to describe the website’s privacy settings and preferences, and the implications for users of choosing each, to meet the requirements of Recommendation 6. We asked Nexopia to ensure that the page describes the settings and preferences in an objective and neutral manner, i.e. not promoting one setting or preference over another. Nexopia acknowledged our request and stated that it would comply with this recommendation in full by June 30, 2012.
Conclusions
- We are satisfied that, once implemented, Nexopia’s proposed corrective measures as set out above will meet our recommendations. Nexopia has committed to demonstrating its implementation of these measures within the timeframes specified above. Accordingly, we find the allegations in this regard are well-founded and conditionally resolved.
Section 2
Purposes and consent for the collection and disclosure of personal information
Allegations
Personal information
- PIAC claimed that Nexopia’s definition of “personal information” did not align with the definition of “personal information” found in the Act.
- Specifically, they argued that Nexopia’s definition of “profile data” as not constituting “personal information” was in conflict with the definition of “personal information” under subsection 2(1) of the Act. They claimed that a user’s weight, height, sexual orientation and interests were clearly information about an identifiable individual and, when linked to a particular user, met the Act’s definition of “personal information”.
Identifying purposes and obtaining consent
- PIAC also alleged that Nexopia was failing to adequately notify prospective users of the purposes for the collection, use and subsequent disclosure of their personal information collected at registration. As a result of this, prospective users were not providing valid consent for these purposes.
- By way of example, the complainants referred to Case Summary #2009-008 Report of Findings into the Complaint filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc. (“CIPPIC vs. Facebook Inc.”) (Footnote 13), in which the Privacy Commissioner asserted that it is appropriate and reasonable to collect users’ dates of birth for the purposes of:
…enforcing the site’s age minimum so as to protect the safety of minors and…ensuring that users use their real identities on the site so as to lessen the incidence of inappropriate content and behavior and promote a safe and respectful environment for all users.
- Furthermore, PIAC claimed that Nexopia’s Privacy Policy failed to identify specific purposes to users for which their personal information is collected, used and disclosed.
- With regard to consent, PIAC stated that the language used in Nexopia’s Privacy Policy needed to be understandable and appropriate for youth, if meaningful consent was to be obtained.
- Also concerning consent, PIAC asserted that Nexopia users should not have to allow disclosure of their registration information, to the general public through the Internet, to use the website. Nexopia’s disclosure of the information in this way went beyond users’ reasonable expectations.
- PIAC believed that since Nexopia had underage users, and permitted teen users, it needed to verify prospective users’ ages and have age-level barriers restricting interaction with the site, as would any other “reasonable” social networking site.
- Lastly, they claimed that Nexopia’s commitment to “protecting the privacy of minors” was misleading, as a “minor” in law denotes someone under the age of majority and not simply someone under 13 years of age (i.e., Nexopia’s minimum registration age).
Summary of Investigation
Nexopia’s definition of “personal information”
- Nexopia’s Privacy Policy defines “personal information” as follows:
When opening an account, Nexopia.com collects identifiable information submitted by you (Personal Information), including but not limited to: name, email address, username (that you create), sex (gender), location and age.
- The same section then goes on to state the following:
…you may submit and post additional profile data (“Profile Data”) including but not limited to the following: weight, height, sexuality (i.e. sexual orientation), dating and living situation and information regarding your interests through the “Profile” tab. In addition, you have the ability to post photographs. Profile Data is not Personal Information collected by Nexopia.
- Nexopia responded that, in the Privacy Policy, it is trying to differentiate between personal information it collects from individuals at registration (i.e., mandatory information required to enable an individual to join the website), as opposed to personal information that is voluntarily provided to Nexopia by its users when, for example, they wish to create or edit their user profiles, or participate in blogs.
Identifying purposes for the collection of personal information at registration
- With regard to the collection of age information at registration, Nexopia states that it collects identifiable information submitted by users when they register with the site and this includes, but is not limited to, their age (Footnote 14).
- Nexopia’s Privacy Policy provides a rationale for collecting a user’s age in the section entitled “Our Commitment to your Privacy”:
“We are particularly committed to protecting the privacy of minors. For that reason, we will refuse to open an account for a person under the age of 13…
For persons between the age of 13 and 18, we require parental or guardian consent prior to opening an account and we reserve the right to verify the existence of that consent.”
- Nexopia explained that the website collects a user’s date of birth for the purpose of enforcing the site’s minimum age requirement. It is also collected to set the default age range, when a user wants to select users that can be communicated with, searched and browsed, and wishes to ignore the rest. We note that the Privacy Policy is not explicit as to the purposes for which this information is collected.
- The complainants also refer to the Privacy Policy and the collection of more identifiable personal information at registration. They state that Nexopia gives no indication as to why this information must be collected in order to use the website, and makes no additional effort to explain that this information can be used for the purposes of searches by other users, or any visitor to the site.
- The Nexopia registration page “Join Nexopia” requires an individual to provide the site with the following information:
- a username (a unique name created by the individual);
- a password (created by the individual);
- an email address;
- an email address retyped;
- the individual’s location (with a default of “world”);
- date of birth (month/day and year from drop-down lists), and;
- sex (gender).
- Our testing revealed that when inputting this mandatory information, the site seeks to verify if the username has already been selected, the strength of the password and whether the email address is valid.
- Just above the “Join” button, the individual registering is notified of the following: “By clicking join, you agree to the Terms of Use.” The individual is provided with a link to the Terms of Use, but is not obliged to open the link before joining the website.
- On clicking “Join”, the individual receives a registration confirmation, which explains that the account activation has been sent to the email address provided at registration and that the email contains a link that should be clicked on to activate the account.
- Once the account is verified, the user is presented with a welcome screen that confirms they are a member and that they should see who is already on the website. The welcome screen also provides the user with an opportunity to “Find and Add Friends on Nexopia”.
- Nexopia disagreed with the complainants’ allegation that the website fails to identify the purposes and reasons for which personal information is collected. Its position, particularly in relation to the registration process, is that the website follows industry norms.
- The complainants stated that a link to the website’s Terms of Use is provided on the registration page, just above the “Join” button. The Privacy Policy can be accessed only by clicking through to the Terms and using the link there.
- However, we noted that this was not the complete picture. While there was no direct link to the Privacy Policy alongside the link to the Terms of Use and the “Join” button, it was possible for us to access the Privacy Policy by scrolling down the registration page and clicking on the Privacy Policy tab, found at the bottom of each page of the website.
Consent to the collection, use and disclosure of personal information
- In its representations and discussions with this Office, Nexopia recognized the need to improve its Privacy Policy. In doing so, the company stated that a 2008 revision of the document had been written by lawyers and the language used in it to notify users of their privacy rights was not wholly appropriate for youth.
- In Nexopia’s view, pop-ups, click-through agreements, and privacy or help icons create “brutal user experiences”. It claimed that it previously employed check boxes in the registration process to obtain a user’s consent and compliance with its Terms of Use, Privacy Policy and age restrictions, but later removed them. Nexopia contended that applicants were annoyed by them, would overlook them and would fail to understand why they could not register on the website.
- Nexopia claimed that when the check boxes were removed, the rate of individuals successfully registering for the site increased threefold. It argues that social networking services cannot afford the “… negative effects of placing large barriers of entry in order to aggressively reveal privacy policies.”
- Nexopia added that when it was more aggressive in encouraging users to read and comply with its Privacy Policy, the number of users that actually complied was next to none. In its experience, privacy policies and other site regulations need to be easily accessible to users, but cannot be forced upon them.
- Nexopia’s Privacy Policy can be accessed via a link at the bottom of every page on the website. The company states that this is a common industry practice and familiar to users of social networking sites.
Verification of Age and Parental Consent
Verification of age
- The complainants claim that what is “reasonable” collection, use and disclosure of personal information must be viewed in the context of the age of the individual, at least when that person is under 18 years of age.
- The complainants recommend age-graduated levels of consent when adopting a “reasonable” approach to the processing of young users’ personal information.
- Nexopia confirmed that it changed the minimum age from 14 to 13 in late 2008, to reflect the industry standard. It explained that in almost all cases where underage users posted that they were 13 or younger on their profiles, they had set their accounts to the age range of 14-18 or 60+.
- Nexopia stated that although it works diligently to remove underage users, it suspects that many lie about their age. In the past, stricter controls to keep minors from registering led to users setting their age to 18+. Some users set their age to 60 (the maximum allowed on the site) to avoid age restrictions on the website. Nexopia contends that age verification is an industry-wide problem with no current solution.
- The website’s Abbreviated Terms of Use, full Terms of Use and Privacy Policy are explicit in stating that the minimum age to register with the website is 13 years, and that parental or guardian consent is required when a registrant is between 13 and 18 years.
- However, our investigation noted that these explicit statements are only accessible on the registration page, via a direct link to the Terms of Use and via an indirect link through the Terms to the Privacy Policy, or by accessing the Privacy Policy tab at the bottom of the page. Individuals wishing to register are not obliged to confirm via a more active process—such as a click-through agreement, a pop-up, or any other such arrangement—that they are aware of the age restriction.
Minimum age enforcement
- Nexopia identifies underage users through two principal methods:
  - a user posts this information on their profile, in a blog, or in a comment to another user and it is discovered by a site administrator, or is reported by another user via the “Report Abuse” link;
  - an underage user or a parent of an underage user contacts the company. This is done through the “Contact Admin” link at the bottom of each page of the website.
- After clicking on the “Help” link at the bottom of each page of the website, a section called “Reporting of Abuse” instructs users on how to report any abuse to Nexopia. The site requires that those reporting underage users provide some proof of their claim.
- Nexopia explained that parents of “underagers” may report to the website that their child is too young. In these cases, Nexopia freezes the account(s) immediately. Freezing accounts ensures that the username and email address cannot be used again. According to Nexopia, this serves as a roadblock for underage users who may try to re-register.
- Nexopia relies on staff and volunteer moderators to detect and enforce its age-restriction policy. These authorized moderators monitor the site to ensure that users comply with the website’s Terms of Use and code of conduct. Moderators must follow a training program and they are tested for their skill in identifying unacceptable content. Senior-level moderators closely monitor the performance of more junior-level ones.
- Our investigation was provided with a detailed demonstration and explanation of Nexopia’s moderator and “report abuse” functions during our April 2010 visit to Nexopia’s business premises.
Parental consent
- Nexopia asserted that the lack of a mechanism to verify parental consent is an Internet problem that goes beyond the scope of its website. Nexopia stated it currently follows industry standards in this respect, but did not explain what it meant by this term.
- Our testing indicated that there is no mandatory field on the registration page requiring a parent or guardian’s contact details (e.g., a telephone number or email address), if the individual has declared that they are between the ages of 13 and 18 years.
- Nor does the registration page (for example, near the button used to join the website) contain any declaration about parental consent.
- However, Nexopia’s Privacy Policy, Abbreviated Terms of Use and Terms of Use all indicate that parental or guardian consent is required to join the website when an individual is between the ages of 13 and 18. The Privacy Policy advises that the company reserves the right to verify consent.
- If a young user’s parent or guardian informs Nexopia the user does not have their permission to be on the website, the account is immediately frozen and the user is notified. Nexopia also offers to ban the IP address so the child cannot create accounts from home any longer. However, Nexopia believes this may be problematic since dynamic IP addresses make IP tracking difficult and young users may try to re-access the site away from home.
Application
- In analyzing the facts, we applied subsection 2(1) as well as Principles 4.2, 4.2.3, 4.3, 4.3.2, 4.3.3 and 4.3.6 from Schedule 1 of the Act.
- Subsection 2(1) defines “personal information” as information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.
- Principle 4.2 states that the purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
- Principle 4.2.3 states that the identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected.
- Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use and disclosure of personal information, except where inappropriate.
- Principle 4.3.2, noting that Principle 4.3 requires both knowledge and consent, states that organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
- Principle 4.3.3 states that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use or disclosure of information beyond that required to fulfil the explicitly specified and legitimate purposes.
- Lastly, Principle 4.3.6 states in part that consent can be given by an authorized representative (such as a legal guardian or person having a power of attorney).
Findings
February 29, 2012
- In our view, the sentence in Nexopia’s Privacy Policy “Profile Data is not information collected by Nexopia” is confusing, as members could interpret this to mean that content posted on their user profiles is not personal information under subsection 2(1) of the Act. Nexopia has clarified that its reference to Profile Data is intended to draw a distinction between personal information that it actively requires and collects from its new users as part of the registration process, from the personal information users voluntarily post on the site for the purposes of sharing with others.
- However, we are concerned that users could interpret this part of the Privacy Policy to mean that content posted to their user profiles is not personal information and would encourage Nexopia to amend the wording in its Privacy Policy to remove any confusion.
Knowledge and consent for collections and disclosures of personal information collected during the registration process
- In practice, Nexopia requires registrants to provide their dates of birth to enforce its minimum age requirements and to determine the users’ default age. While we find the purposes for which the date of birth is collected and used are reasonable, we note that these purposes are not identified in Nexopia’s Privacy Policy, or elsewhere on the site.
- While Nexopia’s Privacy Policy explains that email addresses collected upon registration will be used to contact users to respond to inquiries, or send updates and news regarding Nexopia services, it is unclear as to why gender and location are collected for the purposes of registration. However, with respect to location, we note that the default is “world” and that users are not required to provide a specific location.
- We also find that Nexopia is not clear, in its Privacy Policy or elsewhere on the site, that some information it collects at registration will be included in users’ profiles (i.e. username; gender; age (derived from the user’s date of birth) and location). Equally unclear, in our view, is the extent to which this “core” profile information and any profile pictures (should a user choose to post profile pictures) will remain visible, by default, to users within the Nexopia community and to anyone on the Internet.
- As a result of the above, we find that Nexopia has failed to adequately identify and inform users of its purposes for the collection, use and disclosure of the personal information it requires users to provide at registration. It is therefore in contravention of its obligations under Principles 4.2, 4.2.3 and 4.3.2.
- We note that during the registration process, Nexopia prompts users to agree to its Terms of Use, and within the Terms of Use, users are required to agree with Nexopia’s Privacy Policy. However, we observed that individuals are not obliged to read the Terms of Use before joining, nor are they otherwise directed to Nexopia’s Privacy Policy at registration.
- Nexopia has acknowledged that the current version of its Privacy Policy was not necessarily drawn up with the needs of youth in mind. We also note that the complainants themselves had difficulty understanding what Nexopia considers personal information, based on the language used in the Privacy Policy.
- Recent research into youth Internet usage, as well as the consistent messages our Office hears from young people through our outreach work, indicates that while some youth users read online privacy policies, more interactive and innovative techniques devised specifically with youth in mind, and with the goal of informing them of the privacy implications of their decisions before they click, are more effective in obtaining consent than links to user agreements and privacy policies.
- To the extent that Nexopia is passively relying on users to read and agree to the terms of its lengthy and formal Privacy Policy as a means of obtaining user consent to the collection, use and disclosure of their personal information, we cannot conclude that Nexopia is making a reasonable effort to obtain appropriate knowledge and consent, in accordance with the requirements of Principles 4.3 and 4.3.2.
- We find that in the circumstances, a mere link to its Privacy Policy at the bottom of the registration page is not sufficient to obtain appropriate consent from Nexopia’s target youth audience.
Verification of Age and Parental Consent
- The complainants claim that Nexopia should verify the age of its users and implement age-level barriers to govern and restrict the collection, use and disclosure of the personal information of users between 13 and the age of majority.
- Our investigation confirmed that Nexopia restricts registration to those aged 13 and over, but has no formal mechanism to verify an applicant’s age at registration. Nexopia admitted that accurately verifying an individual’s age during on-line registration is a major challenge faced by the industry as a whole. Consequently, it relies on its moderator program to detect and track any users whose on-line behaviour and postings create suspicions about their real age.
- The Act does not require age-based consent, nor does it specifically address the issue of age verification for consent purposes.
- Regarding parental consent, Nexopia’s Abbreviated Terms of Use and Terms of Use both state that users between 13 and 18 must obtain the permission of their parent or legal guardian before using Nexopia services or accessing the website. However, we observed that there is no provision on the site for parents or guardians to indicate their consent, nor is there a mechanism to prohibit users who self-declare between the ages of 13 and 18 from joining without parental consent. As with Nexopia’s age verification, the honour system is the modus operandi here.
- Under Principle 4.3.6 of Schedule 1, the Act permits consent to be given by an authorized representative (such as a legal guardian or person having a power of attorney). However, it does not specify under what circumstances this is to occur and, as noted previously, the Act contains no special provisions that speak directly to obtaining the consent of minors.
- While we recognize there may be value in young users involving their parents in their online interactions, the Act does not require the parents of all minors to consent on their behalf. As noted above, the Act requires organizations to obtain meaningful consent to the collection, use and disclosure of personal information. Organizations who handle youths’ personal information must explain their information handling practices in such a manner that youth can reasonably understand how their personal information will be used or disclosed. Accordingly, we have addressed issues relating to age and consent pursuant to this requirement.
Recommendations and Response
Recommendations
- In our preliminary report of investigation, we recommended that Nexopia:
Recommendation 7
Amend its Privacy Policy to clearly identify the purposes for which it collects, uses and discloses users’ personal information at registration.
Recommendation 8
Review its Privacy Policy and other site material to ensure that they are presented in a language and format that is appropriate for its user base.
Recommendation 9
Having regard for its youth audience, develop ways to inform users of the purposes for the collection, use and disclosure of their personal information, and require pro-active action on the part of users to consent to these purposes, at the time of registration.
Response
- Nexopia agreed to update its Privacy Policy to clearly identify the purposes for which it collects, uses and discloses users’ personal information by June 30, 2012.
- Nexopia also confirmed that it would review its Privacy Policy and other site material and ensure that they are presented in a language and format appropriate to its user base, by the same date.
- With respect to Recommendation 9, Nexopia agreed to amend its registration process so that individuals seeking to register on the website will be required to click on a check box to confirm their agreement to the Terms of Use and the revised Privacy Policy. A link to the revised and clear language Privacy Policy will now appear alongside the check box and current link to the Terms of Use. The changes will be made by June 30, 2012.
- While this step addresses what we believe to be the minimum requirements to provide users with knowledge of the website’s privacy practices and obtain appropriate consent, we would strongly encourage Nexopia to go further and explore more innovative methods of presenting its Privacy Policy, e.g. presenting it in theme-based pieces and in an incremental manner, so that users can click after reading small portions of the Policy.
Conclusions
- We are satisfied that, once implemented, Nexopia’s proposed corrective measures as set out above will meet our recommendations. Nexopia has committed to demonstrating its implementation of these measures within the timeframes specified above. Accordingly, we find the allegations in this regard are well-founded and conditionally resolved.
Section 3
Information sharing between Nexopia and advertisers/marketers
Allegations
- PIAC alleged that while Nexopia was relatively open about its use of targeted advertising, it did not adequately explain its practices in this regard and how they impacted users and visitors through the collection, use and disclosure of their personal information.
- They stated that Nexopia needed to be more transparent about its advertising practices. Individuals had to be more clearly informed of the collection, use and disclosure of their personal information for the purposes of targeted advertising, so that any consent obtained could be considered meaningful.
- Specifically, PIAC claimed that Nexopia was failing to adequately clarify and describe a) the concept of targeted advertising; b) how such advertising worked (such as whether cookies were being placed on the user’s browser in order to collect information about the websites they visit); c) who was managing the process; d) what information was being given to advertisers to fulfill the purpose of targeted advertising, and; e) whether users’ “Profile Data” (as defined in the Privacy Policy) were being used to target advertisements.
- They also alleged that Nexopia did not give users the ability to opt out of targeted advertising. PIAC believed that users should have been able to do so, since the users were being subjected to this type of advertising as a condition of service for joining the website.
- PIAC argued that Nexopia should have adhered to the Canadian Marketing Association’s Code of Ethics and Standards of Practice with respect to the collection, use and disclosure of personal information of its teenage users. In their view, Nexopia should have obtained the opt-in consent of teenage users for targeted advertising.
Definitions
Terminology
- There are many terms used when talking about online advertising: demographically targeted, location, behavioural/interspace and interest-based advertising. These are all variations on behavioural advertising.
- Behavioural or targeted advertising can best be described as advertising that involves the tracking of consumers’ online activities over time, often through devices such as cookies or web beacons. The data collected is used to build profiles of consumers, so as to determine consumer interest categories. Advertisements are then delivered in a targeted manner to the consumers based on demographics and inferred user interests (Footnote 15).
Cookies
- A cookie is a small piece of text that is placed on a computer when an individual visits a website. Cookies were created so that information could be saved between visits to a website. They collect and store information about individuals based on their browsing patterns and information they provide to a site. Cookies record language preferences, for example, or let users avoid logging in each time they visit a site. Almost all of the most popular websites use them. Cookies can be very useful because, without them, individuals would have to enter certain bits of their personal information each time they visit their favourite sites (Footnote 16).
- First party cookies are cookies set by the website (the “first party”) being visited (or a sub-domain of that website) and shared with the user (the “second party”).
- Third party cookies are cookies typically placed by advertising companies that display advertisements on certain websites. When an individual visits a website that has an advertisement on it, a cookie may be passed from the advertising company (the “third party”) to the individual’s computer. When the individual revisits the same website, or another website that uses the same advertising company, the third party cookie can be read by the advertising company. If the cookie contains a unique identifier, then information about the individual’s visits to different websites can be linked together. In this way, a detailed profile can be built up about the individual (or others using the same computer) and their browsing habits. This information can then be used to target advertising to the individual.
Summary of Investigation
Nexopia’s use of advertising on its website
- Nexopia explained that most of the site’s services are free of charge to users (with the exception of the “Plus” service). To ensure sufficient revenue-generation to maintain its business model and continue providing no-cost services to users, targeted advertising on the site is essential.
- The company stated that it uses multiple advertising networks to serve targeted advertisements on its website. It asserted that such advertising is not invasive. It maintained that none of the advertising networks are involved in obtaining users’ information and that Nexopia does not pass such information on to them.
- Nexopia explained how advertising works on the site: An advertiser or advertising network will contact it to serve an advertisement, defined with a target age, sex and possibly a user interest. Nexopia then checks to see if there are suitable users to serve the advertisements to. If the advertising network selects the service, Nexopia then serves the advertisement to the requested demographic group of users. Nexopia only informs the advertiser whether the advertisement is served or not.
- Nexopia justified its own use of targeted advertising as currently the only way to generate revenue from “remnant advertisement inventory” (advertising space that a website has been unable to sell itself at a premium) on social networks. It argued that its users would prefer to see an advertisement that was relevant to them, rather than an advertisement that they had no interest in. Moreover, it called attention to the fact that all of Nexopia’s advertising is age sensitive (i.e., appropriate advertisements are delivered based on each user’s self-declared age).
How Nexopia informs users about advertising
- Nexopia believes that its Privacy Policy informs users in clear terms that their personal information is not given to advertisers.
- In the section entitled “Collection and Use of Personal Information by Nexopia.com”, the Privacy Policy states that:
“Aggregate information may be shared with third parties to provide more relevant services and advertisements to members. For example, we may tell an advertiser that X number of individuals visited a certain area on our website, or that Y number of men or Z number of women filled out our registration form. Nexopia.com also records user IP addresses for the purposes of security and monitoring.”
- In the section entitled “Advertising”, the site’s Privacy Policy explains that personal information is used by Nexopia to deliver targeted advertising, but that Nexopia does not provide users’ personal information to advertisers:
“Ads that appear on Nexopia.com may be sent to members and visitors by us. Nexopia.com uses personal information from your Profile to deliver targeted advertisements that we think will most interest you. Nexopia.com does not provide Personal Information to advertisers…”
- It goes on to qualify this statement by adding:
“…however, if you click on an ad appearing on Nexopia.com, you may be taken to an advertiser’s or other third’s party web-site. Your use of these other web-sites is subject to the privacy policies of those web-sites and Nexopia.com expressly disclaims all representations and responsibilities in relation to those web-sites.”
- Nexopia provides a further disclaimer regarding third-party advertising in the section entitled “External Links” of its Terms of Use:
“Inclusion of an external link on the Nexopia Services does not imply approval or endorsement of that website by Nexopia.com. Furthermore, Nexopia.com is not responsible for third party advertisements which are posted on this Nexopia website or through the Nexopia services, nor is it responsible for the goods and services provided by its advertisers.”
Cookie placement on Nexopia’s site
- Cookies can be used to track what an individual does on the web for advertising purposes; the websites visited, what is viewed on a particular site, how long is spent viewing a particular part of a site, offers taken up and so on. This type of information is of particular interest to social networking sites like Nexopia and advertisers seeking to serve advertisements on such platforms.
- The complainants identified the presence of cookies on the Nexopia site for two well-known domains used by companies involved in behavioural advertising. Nexopia acknowledged that it used these applications on its site and that one domain is an industry standard used to place text, video and image advertisements on websites.
- Our testing revealed that the Nexopia site uses first-party cookies, including a session key. We identified additional third-party cookies on the website from advertisement servicing networks.
- As explained to us in its submissions, Nexopia does not provide users’ personal information to advertisers, but rather places targeted advertisements on the site to its users on behalf of advertising networks, based on the demographic target profile set out by the networks. While this may be the case in the serving of some advertisements on the site, we identified that third party advertisements are also delivered by advertising networks and that cookies are placed on the site.
- In the process of placing the third-party advertisements, two calls are typically made to an advertising network’s servers: the first is to set a cookie and the second is to call and display the advertising content. The result is that tracking cookies are placed along with the advertisements displayed and they are used to track users and visitors around the web.
- For example, we visited the Nexopia home page as a visitor and selected the “Users” tab to browse a list of users. Two advertisements were shown on the resulting page. One advertisement promoted obtaining one’s credit score. The advertisement was served by a domain site used by a company (“company A”) that engages in behavioural advertising. The request sent to the domain made reference to an earlier visit to company A’s own website and placed a cookie in our browser.
- The second advertisement was a promotion for a vacation offer to a Caribbean island. The advertisement was served by a different advertising company (“company B”) that also engages in behavioural advertising. An earlier request made to company B when we were assembling the same page resulted in a cookie being placed in our browser.
- In our testing, therefore, two advertisements were shown to us and two advertising networks started to track our online behaviour. Additional tracking cookies were set by three other domains used by advertising companies engaging in behavioural advertising, although no advertisements were placed on our test pages.
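The classification applied in the test above, as an added example that is not part of the report: each cookie set while a page is assembled is first-party if its effective domain matches the page’s registrable domain and third-party otherwise, and any third-party domain that set a cookie but never delivered a visible advertisement is flagged as tracking-only. The site, ad-network and tracker domains, cookie values and the shortened public-suffix table are constructed placeholders, not the domains examined by the Office.

```python
"""Audit which domains set cookies during a page load and flag third-party
domains that set cookies without ever serving a visible advertisement.
All domains and cookie values below are constructed for illustration."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, so that
# "static.social.example" and "social.example" count as the same site.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1) of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


@dataclass
class Response:
    """One HTTP response observed while the page was being assembled."""
    page_url: str
    request_url: str
    set_cookie: list = field(default_factory=list)
    renders_ad: bool = False  # did this response produce a visible ad?


def audit(responses):
    """Group cookies by party. For third-party domains, count the calls made
    and record whether any call delivered ad content (the second of the two
    calls described in the report) rather than only setting a cookie."""
    report = {"first_party": [], "third_party": {}}

    def entry_for(domain):
        return report["third_party"].setdefault(
            domain, {"cookies": [], "served_ad": False, "calls": 0})

    for r in responses:
        site = registrable_domain(urlsplit(r.page_url).hostname)
        host = urlsplit(r.request_url).hostname
        host_owner = registrable_domain(host)
        if host_owner != site:
            e = entry_for(host_owner)
            e["calls"] += 1
            e["served_ad"] = e["served_ad"] or r.renders_ad
        for header in r.set_cookie:
            name, attrs = parse_set_cookie(header)
            # A Domain attribute widens the cookie's scope; otherwise it is
            # scoped to the responding host only.
            cookie_host = attrs.get("domain", host).lstrip(".")
            owner = registrable_domain(cookie_host)
            if owner == site:
                report["first_party"].append(name)
            else:
                entry_for(owner)["cookies"].append(name)
    return report


def tracking_only(report):
    """Third-party domains that set cookies but never rendered an ad."""
    return sorted(d for d, e in report["third_party"].items()
                  if e["cookies"] and not e["served_ad"])


PAGE = "https://social.example/users"
SAMPLE = [  # constructed capture mirroring the pattern in the report
    Response(PAGE, "https://social.example/users",
             ["sid=3f9c; Path=/; HttpOnly; Secure"]),
    Response(PAGE, "https://static.social.example/app.js"),
    # network A: first call sets the cookie, second call serves the ad
    Response(PAGE, "https://sync.adnet-a.example/match?ref=social.example",
             ["uid=a1; Domain=.adnet-a.example; Max-Age=31536000"]),
    Response(PAGE, "https://ads.adnet-a.example/serve?slot=top",
             renders_ad=True),
    Response(PAGE, "https://cdn.adnet-b.example/cookie.gif",
             ["uid=b2; Domain=.adnet-b.example"]),
    Response(PAGE, "https://ads.adnet-b.example/creative", renders_ad=True),
    # three trackers that set cookies without placing any ad
    Response(PAGE, "https://t.tracker-c.example/beacon", ["tid=c3"]),
    Response(PAGE, "https://t.tracker-d.example/beacon", ["tid=d4"]),
    Response(PAGE, "https://t.tracker-e.example/beacon", ["tid=e5"]),
]

if __name__ == "__main__":
    rep = audit(SAMPLE)
    print("first-party cookies:", rep["first_party"])
    for dom, e in sorted(rep["third_party"].items()):
        print(f"{dom}: cookies={e['cookies']} calls={e['calls']} "
              f"served_ad={e['served_ad']}")
    print("tracking-only domains:", tracking_only(rep))
```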
How Nexopia informs users about cookies
- Nexopia’s Privacy Policy provides limited information on the site’s use of cookies:
“…Nexopia.com uses cookies to store visitors’ preferences, record session information, and allows communications, advertising and web page content to be customized according to browser type and member profile information…”
- The Privacy Policy goes on to state that while cookies may be rejected by users, they remain essential to the operation of the site:
“You may be able to configure your browser to accept or reject all or some cookies, or to notify you when a cookie is set, however, cookies must be enabled in order to access most functions on the site.”
- We note that the Privacy Policy does not state the type of cookies used on the site (e.g., session, first-party, third-party, flash or super-cookies), how they are used, why such cookies must be enabled to access the site’s functions, whether the sharing of personal information is involved and the extent of any sharing that takes place.
Opting out of targeted advertising
- Users who subscribe to the basic Nexopia service are not able to opt out of targeted advertising. They are required to accept such advertising as a condition of using the Nexopia site free of charge. Users of the basic service can avoid participating in contests and other offers by choosing not to select them.
- In contrast, we observed that those users subscribing to the Nexopia Plus service can opt to receive fewer advertisements. The website’s Plus User Guide states the following:
“Choose to disable most advertising on the site.
To disable ads you need to visit our Preferences page and check off “show fewer ads”. This is shown under the General section of your preferences.”
- Nexopia confirmed that on selecting this option, a Plus user no longer sees any “display advertising” when on the website. It did not explain what it meant by “display advertising”, i.e. whether it was referring to contextual advertising on the website or to targeted advertising. The company did not indicate to us how it ensures advertising is disabled in practice.
- We noted that Nexopia’s Plus User Guide and the Preferences page do not provide an explanation as to what advertising is blocked and what advertising a Plus user will continue to see, when the user chooses to disable advertising in this manner. There is no reference to this opt-out option within the Privacy Policy.
The Canadian Marketing Association’s Code of Ethics and Standards of Practice
- The complainants state that the Canadian Marketing Association has published a Code of Ethics and Standards of Practice (CMA Code) that puts in place special considerations for marketing to children. In particular, the CMA Code puts in place special consent provisions for the collection, use and disclosure of personal information from children and teenagers for the purposes of advertisements.
- Nexopia.com Inc. confirmed that it is not a corporate member of the Canadian Marketing Association.
Application
- In analyzing the facts, we applied Principles 4.2.3, 4.3.2, 4.3.3, 4.3.8 and 4.8.1 of Schedule 1 of the Act.
- Principle 4.2.3 states that the identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected.
- Principle 4.3.2 requires “knowledge and consent.” It states that organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
- Principle 4.3.3 states that an organization shall not, as a condition of a supply of a product or service, require an individual to consent to the collection, use or disclosure of information beyond that required to fulfill the explicitly specified and legitimate purposes.
- Principle 4.3.8 notes that an individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The organization shall inform the individual of the obligations of such withdrawal.
- Principle 4.8.1 states that organizations shall be open about their policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about an organization’s policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable.
Findings
February 29, 2012
Advertising on Nexopia’s website
- In Case Summary # 2009-008 CIPPIC vs. Facebook Inc., our Office recognized that:
“The site is free to users but not to Facebook, which needs the revenues from advertising in order to provide the service. From that perspective, advertising is essential to the provision of the service, and persons who wish to use the service must be willing to receive a certain amount of advertisingFootnote 17.”
- Facebook had two types of advertising models, one of which – “Facebook Ads” – is relevant to this investigation [Footnote 18]. In the case of Facebook Ads, our Office was satisfied that the information given by the site to advertisers was in aggregate form and as such, the site did not disclose users’ personal information to advertisers. However, the serving of advertisements to users based on data within their profiles, even if rendered into aggregate form before being given to advertisers, was considered a use of personal information under the Act. [Footnote 19]
- The previous Assistant Commissioner acknowledged that the site needed to have a means of generating revenue and that most Facebook users would reasonably expect to receive advertisements. In the context of Facebook’s ostensibly “free” service, she found it reasonable that users were required to accept Facebook Ads as a condition of service [Footnote 20].
- For the previous Assistant Commissioner, the key problem lay in determining whether the advertising purposes are “explicitly specified” as required under Principle 4.3.3 of Schedule 1 and whether the site was making a reasonable effort to notify users of those purposes as required under Principle 4.2.3. [Footnote 21]
- The position of this Office regarding that case in 2009 would appear to apply equally to the case of Nexopia’s advertising model in which it uses members’ profile information to serve advertisements on behalf of third-party advertisers.
- This position is supported by the fact that Nexopia’s site is, likewise, largely free-of-charge to users and Nexopia states that it provides only aggregate information to advertisers.
- Therefore, consistent with this Office’s decision in the Facebook case, we believe that Nexopia’s own use of personal information for advertising purposes and its serving of targeted advertisements to its users is acceptable as a condition of service, provided individuals are made fully aware of how this practice works.
- However, there is another advertising model on the site that is not reflected in Nexopia’s Privacy Policy. Nexopia allows third parties, such as advertising networks, to place cookies in the browsers of users and visitors to its site in order to collect their information through the advertisements that they serve.
- The complainants allege that Nexopia does not inform users whether third-party cookies are placed on their web browser in order to collect information about their IP address and their browsing habits.
- Third-party cookies are frequently utilized to collect detailed information about users and visitors by tracking their use of the web. This tracking can sometimes be over an extended period of time and far beyond the immediate visit to a particular website. Given that third parties collect users’ and visitors’ web usage across the Internet, and that this can be used to build profiles of individuals, we are inclined to the view that the information being collected by such tracking cookies may constitute personal information.
- In our experience, the presence and activities of such cookies on social networking sites like Nexopia are still, to a large extent, invisible to users and visitors alike. We have recently expressed our concern that organizations are not being transparent with users and visitors about tracking practices on their sites and that more needs to be done to make it easier for individuals to block such tracking.
- To this end, our Office released guidelines on “Privacy and Online Behavioural Advertising” in December 2011. We believe that the guidelines, which look at the tracking of individuals’ browsing activities across different websites over time for the purpose of serving targeted advertisements, will help bring transparency to this activity and offer users a real opportunity to express their consent (or not) to the practice.
- We are of the opinion that individuals should be able to opt out of being tracked by third parties, which are typically unknown to them, in contrast with the first model of advertising discussed, in which Nexopia is serving the advertisements. In the Nexopia-delivered advertising model, Nexopia is only providing advertisers with aggregate information. Therefore, the number of parties involved is limited, and there is a direct relationship between the user and the company delivering the advertisement.
How Nexopia informs users about advertising and cookies
- We reviewed Nexopia’s description of targeted advertising in its Privacy Policy. While the targeted advertising it serves to its users and visitors is generally described in language that is easy to read and accessible, in line with the requirements of Principle 4.8.1 of Schedule 1 of the Act, we are of the opinion that the content of the Privacy Policy is fragmented.
- Content regarding Nexopia’s use of advertising is spread over three different sections of the Privacy Policy and one section of its Terms of Use. As such, we would encourage Nexopia to consolidate the content regarding advertising within a single section of its Privacy Policy, to bring it into clearer compliance with Principle 4.8.1.
Nexopia Advertisements
- We concur with the complainants that while the site is open about its own use of targeted advertising, the information is incomplete. Nexopia does not fully explain what targeted advertising is and how such advertising works. For example, the site does not explain why users can expect to receive some targeted advertising as a condition of using the site. We recommend, therefore, that Nexopia update its Privacy Policy to ensure that its users are better informed about the use of Nexopia-served advertising on its site, as required by Principles 4.2.3 and 4.3.2.
Third-party Advertising
- Moreover, Nexopia needs to provide a clear and explicit explanation as to how users’ and visitors’ information may be shared with third parties, such as advertising networks, who serve targeted advertisements on the site along with tracking cookies. Nexopia should update its Privacy Policy to ensure that its users are better informed about the presence of such cookies, how they work on the site, and how users can opt out of such tracking, as required by Principles 4.2.3 and 4.3.2.
- Our Office is very conscious of the need to raise awareness amongst the public about the tracking, profiling and targeting of people online through the use of cookies. We published a Fact Sheet entitled “Cookies: Following the Crumbs” [Footnote 22] (updated in May 2011) to help Canadians better understand the purpose and nature of cookies. We would encourage Nexopia to consider how this and other educational material on cookies may be used to help inform its users about these important online tools. We would also encourage Nexopia to review our guidelines on “Privacy and Online Behavioural Advertising” in this regard.
- Our Office is also well aware that many individuals who visit social networking sites may not choose to read a site’s privacy policy. With that in mind, we would recommend that Nexopia use alternative methods on its website to explain, in language understandable to its user base, the implications of third party targeted advertising and tracking cookies with respect to users’ information, and how users can opt-out of such tracking, e.g. by adjusting their browser settings.
- These recommendations will help Nexopia address the issue of transparency in communicating with its users and will assist it to determine the most appropriate form of consent required from its users for third party targeted advertising.
Nexopia Plus
- With regard to the complainants’ assertion that Nexopia users should be allowed to opt out of targeted advertising, we have recognized that such advertising may, based on Nexopia’s own business model, be deemed a condition of service and in compliance with Principle 4.3.3.
- Notwithstanding our position, we recognize that Nexopia offers Plus users the option to disable some advertising, by checking the “Show fewer ads” option in the Preferences section of the site.
- No explanation is given to Plus users as to the form of targeted advertising that is blocked and what, if any, advertising a Plus user will continue to see if the option is chosen. This would appear to be a breach of Principle 4.3.8’s requirement to inform individuals of the implications of withdrawing consent to such advertising. Therefore, we recommend that if Nexopia plans to continue offering this option, it must clearly explain how the option works in practice.
Canadian Marketing Association’s Code of Ethics and Standards of Practice
- Lastly, the complainants would like Nexopia to adhere to the Code of Ethics and Standards of Practice of the Canadian Marketing Association (CMA) with respect to the collection, use and disclosure of personal information of its teenage users. While we acknowledge the CMA’s role in applying certain ethical principles to its member organizations during their marketplace activities, a requirement to adhere to this Code is beyond the scope of the Act.
Recommendations and Response
Recommendations
- In our preliminary report of investigation, we recommended that Nexopia:
Recommendation 10
Consolidate and update its Privacy Policy, to ensure that its users are better informed about all uses of personal information for the purposes of targeted advertising on the site.
Recommendation 11
Update its Privacy Policy, to ensure that its users are better informed about the presence of third party served advertisements and tracking cookies, how they work on the site and the practical steps users can take to opt-out of receiving them.
Recommendation 12
Use alternative methods on its website to explain, in language understandable to its user base, the implications of third party targeted advertising and tracking cookies with respect to users’ information and their ability to opt-out of such tracking.
Response
- Nexopia agreed to consolidate and update its Privacy Policy, as required by Recommendation 10, by June 30, 2012.
- Nexopia also confirmed to our Office that it will update its Privacy Policy to better inform its users of the presence of third party served advertisements and tracking cookies, by June 30, 2012. In its commitment to Recommendation 11, Nexopia stated that it would provide links to pages showing how cookies work and how to practically remove them.
- Nexopia agreed to comply with Recommendation 12, by placing a link in a prominent position on its website, close to its advertising, which would be regularly seen by users and non-users. The link will direct users to where they can learn more about advertising and cookies on the website. Users will be able to click on the link at any time and be taken directly to the revised advertising section of Nexopia’s Privacy Policy. The change will be implemented by June 30, 2012.
Conclusions
- We are satisfied that, once implemented, Nexopia’s proposed corrective measures as set out above will meet our recommendations. Nexopia has committed to demonstrating its implementation of these measures within the timeframes specified above. Accordingly, we find the allegations in this regard are well-founded and conditionally resolved.
Section 4
Information sharing between Nexopia and third parties
Allegations
- PIAC alleged that Nexopia did not adequately notify its users about its information-sharing practices with third parties, nor did it obtain proper consent to do so.
- Specifically, they alleged that the mention made in Nexopia’s Privacy Policy about third parties (some located in the United States) storing or processing personal information,
- did not explain why this occurred;
- did not provide enough detail about the information that would be shared and with whom it would be shared;
- formed a condition for the use of Nexopia’s service for which there should have been an opt-in option, if the sharing of this information was not mandatory for the proper functioning of the website, and;
- did not adequately obtain an individual’s meaningful consent, especially that of minors, who may have been unaware of the consequences of providing their consent.
- Further, PIAC claimed that any consent provided by minors to such a broad disclosure should not have been considered as valid, in the absence of express parental consent.
Summary of Investigation
- Nexopia informed our investigation that it did not have an internal policy or procedures regarding its sharing of users’ personal information with third party organizations.
- In the section of its Privacy Policy entitled “Disclosure of Personal Information”, Nexopia informs users that it shares or discloses their personal information for the following reasons:
- Billing and payment processing;
- Verifying credit card information provided;
- In the event of a merger, acquisition or sale of Nexopia’s assets;
- Where legally required to do so, e.g. to report child pornography, respond to a warrant or subpoena, or other legal process;
- To enforce the Terms of Use and protect Nexopia’s rights, and;
- To protect the safety of the public, users and visitors to the website.
- The Privacy Policy explains that Nexopia will share or disclose users’ personal information with its third-party credit card processor, affiliates (a collective term for any parent company, subsidiary, joint venture or company under common control), contractors and business partners. The Privacy Policy does indicate that some of these third parties may be located in the United States.
- It would appear that some of the sharing of users’ personal information stated in the Privacy Policy is a “transfer for processing” to entities that are contracted to provide certain services on behalf of Nexopia for the provision of the site’s services and its proper functioning, e.g. the billing and payment processing and the verifying of credit card information.
- However, certain forms of information sharing identified in the Privacy Policy, and one instance of information sharing not included within the Privacy Policy [Footnote 23], appear to be disclosures to third parties for purposes that are unrelated to the provision of the site’s services and its management.
- Nexopia stated that each third party to which it transfers or shares users’ personal information has a privacy policy that is of the same standard as Nexopia’s Privacy Policy. Nexopia confirmed that it had also entered into contractual agreements with each of the third parties it deals with, to ensure compliance with its privacy obligations.
Content Distribution Network (CDN)
- When queried, Nexopia informed us of a contractual arrangement between itself and a well-known US-based Content Distribution Network (CDN), to ensure the fast delivery of data and adequate website performance. This is achieved by keeping caches of static data on the CDN’s network server infrastructure in various locales around the world. Nexopia explained that CDNs are as essential to a large-scale web service (such as Nexopia) as are the Internet service providers that allow Nexopia’s users their Internet access.
Functional management of the website
- Nexopia confirmed that its database maintenance, network monitoring, network security and other infrastructure service tasks are all performed in-house. It also confirmed that there is no third-party cloud hosting, as the Nexopia server infrastructure is contained within a data centre located in Alberta.
Payment processing
- Nexopia informed us that it uses a third party to process payments (the “payment processor”) made by users through their credit cards, debit cards or payment applications on mobile devices.
- In its Privacy Policy, Nexopia states that it will:
…disclose Personal Information about payment and member Profile Data to our third party credit card process provider for billing and payment purposes and where there is suspicious credit card use or a dispute concerning a charge. We may also contact financial institutions directly to verify credit card information provided. In doing so, we may share the information we received about the credit card and member.
- Our investigation noted that when a user submits an action to make a purchase on the Nexopia website (e.g., for a Plus membership or Nexopia merchandise), Nexopia sends the payment processor the user’s unique user ID and the amount of the purchase. Once the transaction is completed on the payment processor’s site, the processor sends back the user ID to Nexopia and confirms that the transaction was successful. Nexopia explained that this avoids the transfer of any personal or financial information in both directions, such as debit or credit card details.
“Earn Plus”
- When we began our investigation, Nexopia informed us that it only shared user and visitor data “at the demographic level” with advertising networks, i.e. aggregated data such as its users’ age, gender, location and interests [Footnote 24].
- Nexopia later informed us of a feature called “Earn Plus”. This feature allows non-Plus users the opportunity to gain limited periods of Plus membership. The feature also allows current Plus users to extend their existing subscriptions to the Plus service [Footnote 25].
- Since the feature’s launch in July 2010, users have been able to avail themselves of offers promoted by various companies by going to the Earn Plus page. In exchange for selecting or purchasing certain products or services, they are then provided with fixed periods of Plus subscription.
- Earn Plus is managed on behalf of Nexopia through a US-based company that is a leader in the monetization (i.e. revenue generation) of online gaming and social networking sites (the “rewards company”).
- Nexopia explained that the rewards company is not an advertiser in the strict sense of the term, but an intermediary service acting between advertisers and the client to whom the advertising is delivered (in this case, the platform www.nexopia.com), and ultimately through to the client’s users.
- On entering the Earn Plus offers page, users are advised to:
“Note that some of the offers require you to make a purchase, download an app or subscribe to a service, so make sure you read the fine print.”
At the bottom of the page, there is a link to the reward company’s privacy policy.
- Nexopia users are presented with various offers for advertisers’ products and services available through the rewards company. According to Nexopia, offers may require a user to subscribe to an instant movie-streaming website, have a game installed on their Facebook page, or provide written feedback on a video clip. Many of the offers require the user to provide some personal information, or download certain data from a website such as software or a toolbar.
- During our investigation, we noted the following examples of offers requiring the user to provide their personal information:
- Join a music and DVD club with a paid membership (registration of personal information by the user required on application);
- Subscribe to free comics via e-mail (user’s email address and user’s confirmation of a request sent to that e-mail address required), or;
- Complete an IQ test (user’s valid mobile number and confirmation of a PIN code required).
- Once the user has complied with the requirements stated in the offer and the offer is completed, there is normally a short delay before the user receives the Nexopia Plus days. Typically, where a mobile number and PIN are requested, the selected offer reports a 15-minute delay. For a paid membership for an advertiser’s product or service, the delay may be 4 or 5 days to allow for payment to clear.
Nexopia’s disclosure of information to the rewards company
- Nexopia advised us that once a user selects a particular Earn Plus offer, it will share the user’s age, gender and unique user ID with the rewards company. This allows Nexopia and the rewards company to ensure appropriate delivery and confirmation of the offer. Nexopia explained this is done as a condition for the rewards company to extend its offers to Nexopia, and to ensure that offers posted are relevant to individual users.
- Nexopia claims that when it sends this information to the rewards company, the specific user cannot be identified and traced back to Nexopia. Moreover, Nexopia asserts that when a user’s personal information is shared with the rewards company, the user’s privacy becomes subject to that company’s own privacy policy.
- Nexopia does not inform users on the Earn Plus page that, if they choose to take up an Earn Plus offer, it will provide selected personal information to the rewards company, in addition to any personal information the user is directly asked to provide as a condition of the offer. Furthermore, no consent is sought from users to this disclosure of additional personal information by Nexopia.
- Our investigation discovered that the rewards company is part of a large privately-owned Internet advertising network, also based in the USA. Upon reviewing the parent company’s website, we learned that the organization stores and maintains individual information in a database on its servers, and that its global operations may transfer individual information to the parent group’s operations in the United States.
- We examined the joint privacy policy of the rewards company and its US parent group on the rewards company’s website. We noted the assertion made by both entities that they do not collect information from minors. The joint policy indicates that minors under the age of 18 should not provide any personal information, including their email address, to the US parent group. The policy continues that if the parent group is notified it has personal information about a minor under the age of 18, the information will be promptly deleted from its database.
- Nexopia did not indicate to this Office what its practice is with regard to the transfer of a user’s personal information to the rewards company, if the user seeking to take up an Earn Plus offer is under the age of 18. Likewise, we are not aware if, upon receiving such information, the rewards company seeks to process the transaction, or simply returns the information to Nexopia and blocks the user’s acceptance of the selected offer.
The unique user ID
- We investigated Nexopia’s claim that the type of information sent to the rewards company and the payment processor could not be used to identify an individual user. Concentrating on the unique user ID specifically, we went on to the Nexopia site and attempted searches using the user ID numbers to see if they revealed the profiles and identities of actual Nexopia users.
- For example, on the right-hand side of Nexopia’s “Users” web page, a search function exists to find users. This function comprises a “User Search” field.
- To search for a user, the web page indicates that a user’s name, username or email address is required. However, our testing revealed that when a unique user ID (i.e., a number) is entered into this field, this numeric value also brings up the corresponding user’s profile page and identifying information about that individual.
- Moreover, our testing revealed that when one adds a user ID in Nexopia’s website URL (i.e., the website address), this leads directly to a user’s profile page and all the information about the user that their profile contains. What is more, when this occurs, the URL that was input immediately re-writes itself so that the corresponding user name now appears in the re-written URL.
- For example, we tested the address “http://www.nexopia.com/users/#######” in the field reserved for URLs (“#######” represents here a real user ID that we used for the purposes of our test). As the new page loaded, we observed how the URL changed to http://www.nexopia.com/users//USERNAME (“USERNAME” represents a real user name that corresponds to the user ID).
- When we confirmed to Nexopia that unique user IDs could be used to identify an individual and potentially gain access to the user’s full user profile (if their privacy settings are “visible to all”), the company stated that it was unaware of this capability.
Application
- In analyzing the facts, we applied section 2(1) and Principles 4.1.3, 4.3, 4.3.2 and 4.5 of Schedule 1 of the Act.
- Section 2(1) defines “personal information” as “information about an identifiable individual”, excluding “the name, title or business address or telephone number of an employee of an organization.”
- Principle 4.1.3 states that an organization is responsible for personal information in its possession or custody, including information that has been transferred to a third-party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third-party.
- Principle 4.3 states the knowledge and consent of the individual are required for the collection, use and disclosure of personal information, except where inappropriate.
- Principle 4.3.2 requires “knowledge and consent.” It states that organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
- Principle 4.5 states that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.
Findings
February 29, 2012
Sharing user information with third-party processors
- Our review of Nexopia’s Privacy Policy identified six purposes for which Nexopia may use or disclose users’ personal information to third parties. Some of the purposes listed involve the sharing of information with third-party processors, for the provision of services and the proper functioning of the website, e.g. the payment processor for billing and payment processing. We note that sharing information with the CDN for the purpose of the fast delivery of data and website performance is not a reason listed in the Privacy Policy.
- Sharing information with the payment processor and CDN is considered by this Office to be a “transfer for processing”, i.e. it is deemed to be a use of individuals’ personal information for the purposes for which the information was originally collected: the provision of site services and the proper functioning of the site.
- Sharing information in this way is reasonable provided users are clearly informed of the purpose and nature of such transfers and Nexopia takes appropriate steps to ensure compliance with the provisions of Principle 4.1.3 of Schedule 1. Such uses or transfers of personal information are not to be confused with the disclosure of information to a third party for entirely new purposes unrelated to the essential functioning of the site.
- Nexopia confirmed that it has entered into contractual agreements with each third-party processor, to ensure a comparable level of protection for the information being shared by Nexopia. Our Office reviewed extracts of the contractual agreements in question.
- We note that Nexopia’s Privacy Policy states that some personal information may be stored or processed by third parties located in the United States. As a result, users’ information may be processed and stored in that country, and US government courts, law enforcement and regulatory agencies may be able to obtain disclosure of this information through that country’s laws. This description is consistent with this Office’s guidance to organizations contained in the “Guidelines for Processing Personal Data Across Borders” (issued in January 2009).
- The Privacy Policy describes how Nexopia interacts with its payment processor and how it may share information for billing and payment purposes, where there is suspicious credit card use or a dispute concerning a charge. The Policy does not reveal the general nature of the personal information that may be provided to the processor in these circumstances.
- During the investigation, Nexopia revealed that it regularly discloses users’ unique user IDs to the payment processor when a user makes a purchase on the site.
Nexopia disclosing personal information to the rewards company
- Nexopia also divulged that it discloses a user’s age, gender and unique user ID to the rewards company each time a user participates in “Earn Plus” offers.
- At present, the site does not explain to users the potential disclosure of their personal information to the rewards company, or that such disclosure may be provided over and above any information the user provides directly to the rewards company as a condition of a particular “Earn Plus” offer.
- When it notified us of its business relationship with the rewards company in July 2010, Nexopia admitted that its online statements and actual disclosure practices were at variance and had become misleading.
- Nexopia asserted that the information provided to the payment processor and the rewards company could not be used to identify and obtain more information about individual users. We must disagree with this claim.
The unique user ID is personal information
- Either by inserting a user’s unique ID in the User Search function of the website, or by including it in the Nexopia URL, we were able to instantly link to the user’s profile and access all the personal information that the user has chosen to display there. At a minimum, this information will constitute a user’s “core” information. In many instances, it will reveal a user’s complete profile. Consequently, that individual is identifiable. Therefore, we consider the user ID to be “personal information” as defined in section 2(1) of the Act.
- It is feasible that the payment processor, or the rewards company, could access a user’s complete profile (by manual or automated means). The process would simply require either company to know the user’s unique user ID or username, as supplied by Nexopia, and conduct a search of the website, either through an external search engine, or Nexopia’s own proprietary search engine. This would be all the easier if the user’s privacy setting is left at the current default mode of “visible to all”.
- A Nexopia unique user ID is, therefore, a valuable piece of data that acts as a potential “gateway” to personal information placed by a user on the site. Judging from the content of many of the profiles we saw during our testing, this user profile information is often extensive in scope and of a sensitive nature.
- While we understand Nexopia’s motive in providing the payment processor with a user’s unique user ID, so as to avoid the transfer of a user’s financial information, we cannot agree that providing the processor with access to unique user IDs, with their potential for granting access to more extensive and sensitive personal information contained in user profiles, is an acceptable practice. Nexopia is transferring information far beyond that needed for billing and payment processing. We believe that the site is currently in contravention of Principle 4.5 of Schedule 1, which requires that personal information shall not be used for purposes other than those for which it was collected.
- In our view, Nexopia could use another unique code or identifying number that limits the amount of personal information that passes between the parties and yet would allow efficient billing and payment processing.
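One way to implement the alternative identifier described above (an added illustration, not Nexopia’s code; the profile table, partner key and function names are constructed for the example): a payment processor receives a single-use transaction token that only the site can resolve, and a partner that must recognise a returning user receives a keyed per-partner pseudonym, so neither value can be entered into the site’s user search or URL to reach a profile.

```python
"""Pseudonymous identifiers for third-party processors (added example).

Models the two practices the report contrasts: passing the real user ID
lets a processor resolve it to a profile (the "gateway" problem), whereas
an opaque token or keyed pseudonym carries no such capability outside
the site. All names and data below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample profiles, standing in for the site's user table.
PROFILES = {
    1001: {"username": "alice_k", "age": 16, "visibility": "visible to all"},
    1002: {"username": "bob_m", "age": 19, "visibility": "friends only"},
}


def lookup_profile(identifier: str) -> Optional[dict]:
    """Models the behaviour the investigation found: a bare numeric user ID
    typed into the User Search field or URL resolves straight to a profile.
    Opaque tokens and pseudonyms are not numeric and resolve to nothing."""
    if identifier.isdigit() and int(identifier) in PROFILES:
        return PROFILES[int(identifier)]
    return None


@dataclass
class TransactionTokenizer:
    """Issues single-use, time-limited references for the payment processor.
    The mapping token -> (user_id, amount, expiry) never leaves the site."""
    ttl_seconds: int = 3600
    _pending: dict = field(default_factory=dict)

    def issue(self, user_id: int, amount_cents: int) -> str:
        # 128 random bits: unguessable and mathematically unrelated to user_id.
        token = secrets.token_urlsafe(16)
        self._pending[token] = (user_id, amount_cents, time.time() + self.ttl_seconds)
        return token

    def confirm(self, token: str, paid_cents: int) -> Optional[int]:
        """Called when the processor reports success. Returns the user to
        credit, or None. The token is consumed on first use even if the
        confirmation fails, so a mismatched amount cannot be retried."""
        entry = self._pending.pop(token, None)
        if entry is None:
            return None
        user_id, amount_cents, expires = entry
        if time.time() > expires or paid_cents != amount_cents:
            return None
        return user_id


def processor_request(tokenizer: TransactionTokenizer, user_id: int, amount_cents: int) -> dict:
    """The only fields sent to the payment processor: a reference and an amount."""
    return {"reference": tokenizer.issue(user_id, amount_cents), "amount_cents": amount_cents}


def partner_pseudonym(partner_key: bytes, user_id: int) -> str:
    """Stable pseudonym for a partner that must recognise a returning user
    (e.g. to avoid crediting the same offer twice). Keyed HMAC: each partner
    gets unlinkable values, and without the key the user_id is unrecoverable."""
    digest = hmac.new(partner_key, str(user_id).encode(), hashlib.sha256).hexdigest()
    return digest[:32]


def earn_plus_payload(user_id: int, partner_key: bytes) -> Optional[dict]:
    """What the site would hand to a rewards partner for an offer. Returns None
    for users under 18, matching the partner's own stated policy of not
    collecting minors' information; otherwise only the pseudonym is shared."""
    profile = PROFILES.get(user_id)
    if profile is None or profile["age"] < 18:
        return None
    return {"pseudonym": partner_pseudonym(partner_key, user_id)}


if __name__ == "__main__":
    tok = TransactionTokenizer()
    req = processor_request(tok, 1001, 999)
    print("sent to processor:", req)
    print("processor can resolve reference to a profile:", lookup_profile(req["reference"]))
    print("site credits user:", tok.confirm(req["reference"], 999))
    print("replayed confirmation:", tok.confirm(req["reference"], 999))
    print("under-18 Earn Plus payload:", earn_plus_payload(1001, b"constructed-key"))
    print("adult Earn Plus payload:", earn_plus_payload(1002, b"constructed-key"))
```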
- By disclosing unique user IDs to the rewards company, Nexopia is likewise disclosing personal information beyond that required for the direct purpose of processing “Earn Plus” offers. This is also a contravention of Principle 4.5 of Schedule 1.
- In addition, since the rewards company’s privacy policy states that it does not collect the personal information of individuals under the age of 18, “Earn Plus” offers should not be made available to such users. Nexopia should also take prompt steps to cease disclosing the personal information of users aged 13 to 17 to the rewards company.
- We also believe that the current failure to identify the disclosure of users’ personal information, and the extent of the relationship between Nexopia and the rewards company, before or at the time that the user selects an “Earn Plus” offer, is a breach of the company’s obligations under Principles 4.3 and 4.3.2 of Schedule 1. Consent to such disclosure is required.
Recommendations and Response
Recommendations
- In our preliminary report of investigation, we recommended that Nexopia:
Recommendation 13
Amend the “Disclosure of Personal Information” section of its Privacy Policy to:
- refer to the sharing of personal information with a content distribution network for the purpose of prompt delivery of data and adequate website performance, and;
- explain the disclosure of users’ personal information to the rewards company, resulting from the selection of “Earn Plus” offers, and explain how such disclosure is in addition to any information disclosed by the user as part of any offer conditions.
Recommendation 14
Cease providing the payment processor with unique user IDs and only transfer the information needed to process billing and payments. If some sort of unique identifier is required, it should adopt appropriate technological measures to ensure a more privacy respectful identifier is used.
Recommendation 15
Cease providing the rewards company with unique user IDs and review what personal information, if any, needs to be disclosed to process offers. If some sort of unique identifier is required, it should adopt appropriate technological measures to ensure a more privacy respectful identifier is used.
Recommendation 16
Take prompt action to cease offering “Earn Plus” offers to site users who are under the age of 18 and stop disclosing the personal information of such users to the rewards company, in line with the rewards company’s stated policy position.
Recommendation 17
Obtain the express consent of a user to the disclosure of their personal information to the rewards company, before or at the time that the user chooses to conduct a transaction with the company.
Response
- Nexopia agreed to comply with Recommendation 13, by updating its Privacy Policy to refer to the sharing of users’ personal information with a Content Distribution Network. This change will be completed by June 30, 2012.
- In response to Recommendation 14, Nexopia indicated that it will cease providing the payment processor with Nexopia users’ unique ID numbers. It will construct a hash table to provide the payment processor with unidentifiable ID numbers for each user. It committed to make the changes by September 30, 2012.
- In response to Recommendations 15, 16 and 17, Nexopia stated that it will completely remove the “Earn Plus” offer service from its website no later than June 30, 2012. It will, therefore, no longer share any users’ personal information with the rewards company from the date the service is removed.
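As an added illustration of Recommendation 14 (not code from Nexopia or the OPC), the block below shows two ways a site can hand a partner a per-partner surrogate instead of its internal user ID: a keyed HMAC and a random surrogate held in a mapping table that only the site can resolve. It also shows why a bare hash of the user ID is not an "unidentifiable" number: sequential IDs are small integers, so the hash can be reversed by enumeration. The partner names, key and user ID are constructed values.

```python
"""Per-partner surrogate identifiers for billing and offer processing.

Added example, not Nexopia's code. The internal user ID is the "gateway" to a
profile, so a third party should receive a token that cannot be searched for on
the site and cannot be turned back into the user ID without the site's help.
"""
import hashlib
import hmac
import secrets
import sqlite3
from typing import Optional


def weak_token(user_id: int) -> str:
    """Weak variant: an unkeyed hash of the bare user ID (do not use)."""
    return hashlib.sha256(str(user_id).encode()).hexdigest()


def reverse_weak_token(token: str, max_id: int) -> Optional[int]:
    """Why the weak variant fails: with a small ID space the hash is reversible
    by simply hashing every candidate ID and comparing."""
    for candidate in range(1, max_id + 1):
        if hmac.compare_digest(weak_token(candidate), token):
            return candidate
    return None


def keyed_token(user_id: int, partner: str, key: bytes) -> str:
    """Deterministic surrogate: HMAC over (partner, user_id) with a site secret.

    Without the key the partner cannot enumerate IDs, and the partner label in
    the message means two partners never receive the same token for one user,
    so they cannot join their records on it.
    """
    message = f"{partner}:{user_id}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


class SurrogateDirectory:
    """Random surrogate per (partner, user) kept in a mapping table.

    The token carries no information about the user at all; resolving it back
    to a user ID requires access to this table, which stays with the site.
    """

    def __init__(self) -> None:
        self._db = sqlite3.connect(":memory:")  # constructed: stands in for the site's store
        self._db.execute(
            "CREATE TABLE surrogates ("
            " partner TEXT NOT NULL,"
            " user_id INTEGER NOT NULL,"
            " token TEXT NOT NULL UNIQUE,"
            " PRIMARY KEY (partner, user_id))"
        )

    def token_for(self, partner: str, user_id: int) -> str:
        """Return the existing surrogate for this partner/user, minting one if needed."""
        row = self._db.execute(
            "SELECT token FROM surrogates WHERE partner = ? AND user_id = ?",
            (partner, user_id),
        ).fetchone()
        if row:
            return row[0]
        token = secrets.token_urlsafe(16)  # 128 bits of randomness, unrelated to user_id
        self._db.execute(
            "INSERT INTO surrogates (partner, user_id, token) VALUES (?, ?, ?)",
            (partner, user_id, token),
        )
        self._db.commit()
        return token

    def resolve(self, partner: str, token: str) -> Optional[int]:
        """Map a partner's token back to the internal user ID (site-side only).
        A token issued to one partner does not resolve under another partner."""
        row = self._db.execute(
            "SELECT user_id FROM surrogates WHERE partner = ? AND token = ?",
            (partner, token),
        ).fetchone()
        return row[0] if row else None


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; a real deployment keeps this in a secret store
    print("weak token reversed to:", reverse_weak_token(weak_token(4242), 10_000))
    print("keyed token:", keyed_token(4242, "payment-processor", key))
    directory = SurrogateDirectory()
    t = directory.token_for("payment-processor", 4242)
    print("random surrogate:", t, "->", directory.resolve("payment-processor", t))
```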
Conclusions
- We are satisfied that, once implemented, Nexopia’s corrective measures as set out above will meet our recommendations. Nexopia has committed to demonstrating its implementation of these measures within the timeframes specified above. Accordingly, we find the allegations in this regard are well-founded and conditionally resolved.
Section 5
Retention of personal information
Allegations
- PIAC alleged that Nexopia collected, used and retained the personal information of non-users without their knowledge and consent and retained this personal information on an indefinite basis. PIAC argued that Nexopia should have implemented a more “active” deletion procedure and informed non-users that they could request the removal of their email addresses from the Nexopia database.
- PIAC also claimed that Nexopia was retaining the personal information of its users indefinitely. PIAC believed that Nexopia should have ensured the timely deletion of a user’s personal information if a user specifically requested it.
Summary of Investigation
- Nexopia admitted having no internal policy and procedures for the retention, back-up and destruction of records. It also confirmed that it had been retaining users’ and non-users’ personal information on its database and in its archive since the website’s inception in 2003.
NON-USERS: Collection and retention of their email addresses
- Nexopia stated that it retains non-user email addresses indefinitely. According to Nexopia, no individual had inquired about this nor had anyone asked that their email address be permanently removed from the site.
- We note that Nexopia’s Privacy Policy indicates that non-users may request the deletion of their information from the website, or unsubscribe from such invitations.
- The section entitled “Communication with Non-Members” states the following:
Using our automated invitation system, Nexopia members can send emails to invite friends to join the service. Nexopia.com stores the email addresses that members provide so that the respondents may be added to a friend’s list of the member sending the invitations, and also to send reminders of the invitations. Nexopia does not sell these email addresses or use them to send any communication except for invitations and invitation reminders. Recipients of invitations from Nexopia.com may request the removal of their information from our database by contacting Nexopia.com. Non-members may stop Nexopia.com email invitations and other messages from being sent to any email address you control by clicking the unsubscribe link in the invitation email.
- Our investigation revealed that non-users’ email addresses are collected through invitations initiated by users. Users can invite friends (non-users) to register with Nexopia in two ways. One way is to complete a “Find and Add Friends on Nexopia” page by providing the user’s own email and instant messenger contacts.
- The second way is for users to input their friends’ email addresses on the “Invite Friends” page. The website then uses that information to generate and send emails to the users’ friends, inviting them to register. Inviting a friend generates an email to all invitees.
- Users are not required to confirm to Nexopia that they have their friend’s consent for the purposes of sending an invitation to join the website, prior to providing the friend’s email address to the company.
- The invitation email informs the friend or non-user that a named user wishes to befriend them on Nexopia and it gives them an opportunity to become that person’s friend. The invitation also allows the recipient to stop receiving future invitation emails by clicking on a link. The link takes the non-user to a page entitled “Opt out of Nexopia.com invites”. The message on this page confirms that the individual will no longer receive invitations.
- However, the non-user is not informed on this page that their email address will be retained by Nexopia, the reason why their address is retained, the fact that they can request deletion of their email address and that if the address is deleted, they may receive more invitations from site users.
- Nexopia asserts that it retains the email addresses of non-users for the non-users’ own benefit; for example, if they choose to unsubscribe from all future invitations. For the unsubscribe feature to be effective, Nexopia must retain for an indefinite period a subset (a “blacklist”) of email addresses to which no further messages will be sent in the future. Our investigation learned that such lists are commonly referred to as “suppression lists”.
- In Nexopia’s view, this practice is a risk-management tool that is used to prevent the sending of unsolicited invitations.
- Regarding the frequency of invitation emails, Nexopia advised that each time it receives a request from a single Nexopia user to send an invitation to a friend, the website sends out one invitation per nomination (non-user). It does not have any automated process to issue reminder or follow-up invitations at a later date.
- Notwithstanding the above, Nexopia acknowledged that it was possible for a non-user to receive additional invitations, if the non-user did not choose to unsubscribe and a user repeated the invitation process, or different Nexopia users invited the same non-user to join the site.
USERS: Retention of their personal information
- As stated above, Nexopia confirmed that it had been retaining all users’ and non-users’ personal information on its database and in its archive since the website’s inception in 2003.
- In their complaint, the complainants drew attention to the “Access to Personal Information” section of Nexopia’s Privacy Policy, which we reproduce in part below:
An individual may also request that Nexopia delete an individual’s Personal Information from Nexopia’s system and records. However, due to technical constraints and the fact that Nexopia backs up its systems, Personal Information may continue to reside in Nexopia's systems after deletion. Individuals, therefore, should not expect that their Personal Information would be completely removed from Nexopia systems in response to an accepted request for deletion.
- The Privacy Policy clearly denotes that an individual’s personal information may be retained long after they request its deletion.
- However, our investigation observed that when users click on the “Delete Account” link under the “Account” tab within the website’s Preferences function, they are presented with a different message:
This will delete your account, including your profile, your pictures, friends list, messages, etc. Your forum posts, comments and messages in other users inboxes will remain.
- Nexopia clarified that when a user selects the link to delete the account, the only information that is in fact deleted are the user’s “shouts”. Meanwhile, all of the following information from the account is stored indefinitely in Nexopia’s archiving system:
- username;
- user ID;
- email address;
- date of account creation and deletion;
- IP address and log-in information;
- friends list;
- abuse records;
- gallery pictures;
- profile contents for each block of information;
- polls submitted;
- messages to and from the user;
- photographs marked as profile pictures, and;
- comments to and from the user.
- Further, any messages, comments and forum posts by the user continue to be visible on the website, with the username attached (although no longer hyperlinked back to the user).
- Nexopia states that the problem of retained information from deleted accounts stems largely from the website’s infrastructure. It explained that actual deletion would be an enormous task, requiring very substantial rewrites and the targeting of specified content within a large data set extending across multiple databases.
- As well, changes over time to the website architecture have resulted in a build-up of unused code and obsolete information, which Nexopia claims would be virtually impossible to navigate through.
- In Nexopia’s view, attempts at deleting information would not only lead to errors (e.g. deleting the wrong data) but would also increase complexity to the systems running, as well as tax the server and network loads. Nexopia advised that for this reason, a risk-mitigation practice adopted by many Internet services is to specifically not delete content. Nexopia contends that archive storage is inexpensive when compared to the serious risks involved in selective data deletion.
Account deactivation
- Instead of deleting an account, Nexopia may freeze it (i.e., deactivate it).
- When an account is frozen, the username is no longer available to individuals creating a new account. As well, if a frozen account is called up on the website, the result is a customized “404 Not Found” page that displays the message “Frozen user: This account has been temporarily disabled.”
- A user may freeze their account, but they must make the request through the website. We noted that in the Preferences section of the website, the name of the option the user must select to freeze their account is “Delete Account”.
- If Nexopia receives such a request, it usually complies. When the account is frozen, it is not accessible to anyone except authorized senior-level Nexopia staff moderators. Previously posted public content and private messages remain on the site and also remain on the caches of all Internet search engines, as the latter are beyond Nexopia’s control.
- Nexopia will also freeze accounts on its own initiative in certain circumstances (e.g., if it becomes clear that the user is below the minimum age of 13). Nexopia informed us that since 2006, it has frozen over 24,000 user accounts because the users were underage. Nexopia may indefinitely freeze an account if its user is flagged for engaging in abusive activity contravening the site’s Terms of Use.
- Nexopia stated that freezing the account (as opposed to deleting it) facilitates the tracking of underage users attempting to create multiple accounts. Freezing also prevents previous abusers of the website from re-creating accounts using the same username as before. When there is a report of ongoing harassment, Nexopia can check the offending user’s IP address against previous accounts. If it turns out there are frozen accounts linked to that individual’s IP address, this information can support Nexopia’s decision to quickly freeze their active account.
- Nexopia began the practice of freezing accounts in 2004, and as of June 28, 2010, over 63,000 were frozen indefinitely. Only four were frozen temporarily at the request of users.
- Unless a user appeals the freezing of an account, the personal information contained in frozen user accounts remains inactive on Nexopia’s servers indefinitely and is not subject to any periodic review.
Use and retention of user personal information for law enforcement purposes
- Nexopia receives Law Enforcement Requests (“LERs”) and warrants requesting the disclosure of users’ personal information from law enforcement agencies across Canada. The disclosure of users’ personal information to such agencies is included within both the site’s Privacy Policy (Footnote 26) and Terms of Use (Footnote 27). Such requests can be in respect of active or deactivated user accounts.
- Nexopia claims that it has received more than 1,000 such requests over the past seven years. It cited compliance with these requests as one reason for the retention of user records. We reviewed a Nexopia-generated “random subset” list of 24 requests received between February 2008 and January 2010. We noted that, with one exception, all the requests targeting a deactivated account had been issued less than 24 months after Nexopia had deactivated the account.
- The information typically requested by an LER is limited to an email address, IP addresses used, log-in information and abuse records. Nexopia provided our investigation with a list of the information that it typically provides in these cases. The information provided was more substantial than that typically requested.
- Nexopia has adopted security measures to protect the stored information. It restricts employee access to its archive. Furthermore, it records and reports on the actions of the authorized employees when they access the archive. During our investigation, Nexopia referred us to two individuals from Ontario and Alberta it deemed to be authorities on law enforcement and social networking.
- We talked to the two individuals, both serving officers in metropolitan police forces. Both spoke in favour of retaining archived user information for lengthy or even indeterminate periods and presented the case that such websites are sometimes the only sources of information that a police investigation can follow.
- Nexopia stated that it favours a minimum data retention period of five years.
Application
- In analysing the facts, we considered Principles 4.1.4(d), 4.3, 4.3.8, 4.5, 4.5.2 and 4.5.3 from Schedule 1 of PIPEDA.
- Principle 4.1.4(d) states in part that organizations shall implement policies and practices to give effect to the Principles, including developing information to explain the organization’s policies and procedures.
- Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use and disclosure of personal information, except where inappropriate.
- Principle 4.3.8 states that an individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice, and that the organization shall inform the individual of the implications of such withdrawal.
- Principle 4.5 states that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual, or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.
- Principle 4.5.2 states that organizations should develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods. Personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made. An organization may be subject to legislative requirements with respect to retention periods.
- Principle 4.5.3 states that personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.
Findings
February 29, 2012
NON-USERS: Consent to Nexopia’s collection and use of personal information
- We are concerned that Nexopia does not obtain the consent of non-users to the receipt of invitations to join the website. The lack of such consent inherent in the Nexopia “Find and Add a Friend” and “Invite Friend” features is a contravention of Principle 4.3.
- For situations where a website (the first party) collects from a user of its site (the second party) the personal information of a non-user or friend (the third party), our Office has determined that, depending on the circumstances, it may be incumbent upon the user to directly obtain consent from the non-user or friend. We have also determined in previous cases that the first party website (in this case Nexopia), although not responsible for directly obtaining consent, must nevertheless take reasonable measures to ensure that consent is obtained by its users. In other words, the website must itself exercise due diligence to ensure that the requirement for consent is met.
- To bring the company into compliance with Principle 4.3, we recommend that Nexopia adopt appropriate measures to ensure that its users obtain a friend’s prior consent to the collection and use of their email by Nexopia for invitation purposes.
NON-USERS: Retention of their e-mail addresses
- The other issue regarding non-users’ e-mails is whether Nexopia’s policy of retaining non-users’ email addresses contravenes Principle 4.5. While the Act is silent on the length of time that personal information should be retained, Principle 4.5 states that it should be retained only as long as necessary to fulfill the purposes for which it was collected.
- E-mail addresses of individuals who do not wish to receive further invitations from Nexopia are not deleted, but are stored in the website’s “blacklist”.
- Nexopia argued that maintaining such a “blacklist” is both a reasonable and effective way of ensuring that non-users do not receive future unsolicited invitations to join the website. Our research showed that maintaining such “suppression lists” is a common industry practice adopted to prevent unsolicited e-mails or spam.
- Principle 4.3.8 states in part that an individual may withdraw their consent for the use and disclosure of their personal information. When this occurs, the organization must inform the individual of the implications of such a withdrawal.
- When a non-user’s e-mail address is provided to Nexopia by one of its users (and not the e-mail address owner), we acknowledge that the owner may not have given their express consent for it to be collected by Nexopia. Thus, as we have indicated earlier, it is important for the user who provides the e-mail address to ensure that they have obtained prior consent from the e-mail address owner, their friend, for the invitation e-mail to be issued by Nexopia.
- A non-user who indicates their wish to “unsubscribe” from receiving future invitation e-mails is, in effect, withdrawing consent for the use of their e-mail address for this purpose.
- However, it is clear from our investigation that non-users who “unsubscribe” are not informed that their email address will continue to be retained by Nexopia. The confirmation e-mail sent by Nexopia to individuals who have selected to “unsubscribe” from future invitations also makes no mention of this fact, or Nexopia’s purpose for the retention of the e-mail address. This lack of explanation would appear to be in contravention of Principle 4.3.8.
- Our review of Nexopia’s Privacy Policy noted that Nexopia stores non-users’ email addresses in order to send invitation reminders and so that non-users replying to invitations may be added to a friend’s list. We found this statement to be in part, incorrect, since Nexopia admitted to our Office that it does not send out any reminder invitations.
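The suppression list described above keeps non-users’ plaintext addresses indefinitely. As an added example (not Nexopia’s code and not an OPC recommendation), the block below shows one way to honour an unsubscribe while holding only a keyed digest of the address, and a separate “forget” path for a non-user who instead asks for permanent deletion, with the consequence the report notes: once forgotten, the address can be invited again. The secret key and e-mail addresses are constructed values.

```python
"""Invitation gate backed by a hashed suppression list.

Added example, not Nexopia's code. Unsubscribed addresses are stored only as a
keyed HMAC of the normalised address, so the list still blocks future
invitations but the plaintext address is no longer retained. A non-user who
chooses deletion instead of suppression is removed entirely, after which a user
could invite them again (the trade-off the report describes).
"""
import hashlib
import hmac


class InvitationGate:
    def __init__(self, key: bytes) -> None:
        self._key = key
        self._suppressed: set[str] = set()  # digests only, never addresses

    @staticmethod
    def normalise(email: str) -> str:
        """Trim and lower-case so case and whitespace variants match one entry.
        Lower-casing the local part is a simplification; most providers treat
        it case-insensitively, but strictly it is provider-defined."""
        return email.strip().lower()

    def _digest(self, email: str) -> str:
        return hmac.new(self._key, self.normalise(email).encode(), hashlib.sha256).hexdigest()

    def unsubscribe(self, email: str) -> None:
        """Option a) in the report's terms: stop invitations, keep only a digest."""
        self._suppressed.add(self._digest(email))

    def forget(self, email: str) -> None:
        """Option b): permanent deletion; nothing about the address is kept,
        so a later invitation to it would go through again."""
        self._suppressed.discard(self._digest(email))

    def may_invite(self, email: str) -> bool:
        return self._digest(email) not in self._suppressed

    def deliverable(self, addresses: list[str]) -> list[str]:
        """Filter one user's invitation batch: drop suppressed addresses and
        duplicates within the batch, preserving order."""
        seen: set[str] = set()
        out: list[str] = []
        for addr in addresses:
            norm = self.normalise(addr)
            if norm in seen or not self.may_invite(norm):
                continue
            seen.add(norm)
            out.append(norm)
        return out

    def holds_plaintext(self, email: str) -> bool:
        """Check used to confirm the address itself is not in the store."""
        return self.normalise(email) in self._suppressed


if __name__ == "__main__":
    gate = InvitationGate(b"constructed-demo-key")  # constructed secret
    gate.unsubscribe("alice@example.com")
    print(gate.deliverable(["Alice@Example.com ", "bob@example.com", "bob@example.com"]))
    gate.forget("alice@example.com")
    print(gate.may_invite("alice@example.com"))
```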
USERS: Retention of their personal information
- Nexopia admitted it has not deleted account information since 2004, either from “deleted” or frozen accounts. Yet, the messages that Nexopia provides its users in this regard do not reflect its actual practice.
- It is clearly misleading to provide a “Delete Account” option—which states that specific personal information will be deleted—when in fact the information will be retained indefinitely in the website’s archive.
- Further, as the complainants point out, Nexopia’s Privacy Policy indicates that:
“Individuals should not expect that their Personal Information would be completely removed from Nexopia systems in response to an accepted request for deletion.”
This is a rather confusing message that does nothing to demystify for the user what actually happens to all or any of their personal information.
- The “Delete Account” option is clearly a consent withdrawal mechanism for the use or disclosure of personal information associated with that account. By not informing users of the real consequences to their personal information when they choose “Delete Account”, Nexopia is in contravention of Principle 4.3.8.
- Regarding a retention period, we do not underestimate the technical challenges presented in permanently deleting users’ personal information. However, in our view, Nexopia’s practice of archiving indefinitely all of an individual’s personal information is in contravention of Principle 4.5. Our investigation has not been presented with a compelling argument to justify the indefinite retention of this account information.
- For Nexopia to comply with Principle 4.5.2 of Schedule 1 of the Act, it should develop procedures for the retention of personal information, with guidelines on minimum and maximum retention periods, in respect of personal information held in user accounts. The procedures and retention periods should be based on the length of time the information is required to fulfill the original purposes for which it was collected.
- In our view, Nexopia users assume that they are providing their personal information for the central purpose of social networking. While we recognize there will be circumstances where Nexopia will have to comply with requests for information from law enforcement agencies, the retention of information held in tens of thousands of deactivated or frozen accounts for such purposes, on an indefinite basis, is unacceptable.
- As Nexopia is sometimes required to disclose users’ personal information to law enforcement agencies, it should inform its users of this fact, at the time it first collects their personal information. We note that while the site’s Privacy Policy and Terms of Use do inform users and visitors of this fact, the content is split between different sections and paragraphs and as a result, is somewhat fragmented in nature.
- Indefinitely retaining personal information that is no longer required to fulfill the purpose for which it was collected clearly conflicts with Principle 4.5.3. This principle sets out that the information should be destroyed, erased or made anonymous when the original purpose has expired.
- By way of illustration, our Office conducted an investigation of the retention policy and procedures of a well-known online dating site (Footnote 28). In that investigation, the complainant contacted our Office when it became clear that the dating site had not deleted her account as requested, but had rather ‘closed’ or deactivated her profile and intended to keep her personal information indefinitely.
- The dating site informed our Office that the reason it deactivated accounts and indefinitely retained the data – as opposed to deleting the accounts and the information in them – was that 40 percent of its members reactivated their accounts within a two year period. If the account information had been deleted, members would face a lengthy and onerous task in re-applying to the site and re-populating their personal information into their new account.
- However, we argued that if 40 percent of members tended to reactivate their dormant or frozen accounts, then 60 percent of its members did not. Thus, the indefinite retention of their personal information would be excessive.
- The matter was finally resolved to this Office’s satisfaction, when the dating site agreed to introduce a true account deletion option, provided members with a clear description of the difference between the deactivation and deletion of an account and established a default retention period of two years for inactive accounts.
- In Nexopia’s case, we noted that, in addition to all the personal information held within inactive user profiles, more than 63,000 accounts had been frozen by the website’s administrators for reasons such as underage membership and abuse of the website’s Terms of Use.
- Of these accounts, only a modest number have been the subject of law enforcement inquiries during the last eight years and we were informed that only four users had chosen to voluntarily have their profile and account frozen and then reactivated. The original purpose for collecting this personal information has long expired, yet all the records are retained indefinitely and are not subject to periodic review and destruction.
- Taking into account the specific matters cited above, we believe that Nexopia should adopt a clear retention and destruction policy and procedures and offer its users a true deletion option.
Recommendations and Response
Recommendations
- In our preliminary report of investigation, we recommended that Nexopia:
Recommendation 18
Implement appropriate policies and practices for the retention and destruction of personal information, including defined retention periods for non-user and user personal information.
Recommendation 19
Develop and make available on its website appropriate information to explain these policies and procedures to non-users and users alike.
Recommendation 20
Advise users that before visiting the invitation feature (“Find and Add Friends”) and sending an invitation, they should have their friend’s permission to give Nexopia their email address and that by providing the email address to the website, they confirm that they have their friend’s consent to do so.
Recommendation 21
Offer non-users a clear choice between a) unsubscribing from join-the-site invitation emails, or b) permanent deletion of their email address. The consequences of each option for the non-user should be explained to them using language understandable to Nexopia’s user base.
Recommendation 22
Provide a true delete option for the accounts and personal information of users.
Recommendation 23
Offer users a clear choice between a) temporarily deactivating their user accounts, or b) permanently deleting them from the website’s database and archive. The consequences of each option should be explained using language understandable to Nexopia’s user base.
Recommendation 24
Provide users with greater clarity as to why and how it may disclose their personal information to law enforcement authorities, at the time it first collects their personal information.
Response
- In response to Recommendations 18 and 19 above, Nexopia replied that, as it is not viable to implement a technical solution to ensure the destruction of users’ personal information, it did not need to implement retention and destruction policies and practices. It suggested that a greater explanation of how it archives data and confirmation that such data is only accessible to its system administrators could be pursued.
- In making Recommendation 18, our Office requested that Nexopia develop guidelines and implement procedures for the retention and destruction of personal information, to ensure that the company is compliant with Principles 4.5.2 and 4.5.3 of Schedule 1 of the Act. The difficulty in finding a solution to the permanent deletion of users’ data and accounts does not obviate the need for such guidelines and procedures.
- Indeed, retaining vast amounts of former users’ personal information, long after it has served its original purpose, represents a real and ongoing security risk. Old information retained in its database and archive could be accessed by unauthorized third-parties. Nexopia needs to develop appropriate retention and destruction guidelines and procedures to minimize and mitigate the risk of a privacy breach.
- Turning to Recommendation 19, our Office requested that Nexopia comply with its obligation under Principle 4.1.4(d) of Schedule 1 to implement policies and practices to give effect to the Principles in Schedule 1 of the Act. This includes developing information to explain the organization’s policies and procedures and making it available to non-users and users on the website. Nexopia’s offer to describe how it archives data, and the limited accessibility to archived information, is insufficient to meet the requirements of Recommendation 19, particularly in the absence of compliance with Recommendation 18.
- Responding to Recommendation 20, Nexopia agreed to add additional text to its “Find and Add Friends” feature by June 30, 2012. The text will emphasize that users should have a non-user friend’s permission to give the website the friend’s e-mail address, and that by providing the e-mail address the user confirms this consent has been obtained.
- In reply to Recommendation 21, Nexopia agreed that, in the future, non-users who receive invitation e-mails from users will be able to request the permanent deletion of their e-mail address from Nexopia’s database. The new process will explain to non-users how they can request deletion, provide them with the option to do so and inform them of the consequences of selecting the option. This change will be completed by September 30, 2012.
- Responding to Recommendation 22, Nexopia explained that a true deletion option for the accounts and personal information of users is not currently possible. It added that it is also not possible to track down every piece of information that a user has entered on the website. It pointed out that not every piece of user data and information can be tied back to a user’s unique user identification. Therefore, the ability to search through the entire database is limited.
- It explained that a “best effort” approach would be to write unique scripts to search through the database and delete data which could be identified and linked back to a unique user identification number and account. They argued that the development costs of adopting this approach would be prohibitively high.
- It justified its current practice of account “deletion” where all data and personal information is made invisible on the website. The information stored in the archives is only accessible to system administrators and recovered in the event that they receive a warrant from a law enforcement authority.
- In our opinion, Nexopia’s current practice of storing personal information in its archives indefinitely, on the small possibility it may be the subject of an information request or warrant from a law enforcement agency is not acceptable. While such requests or warrants may justify a longer retention period for those specific cases affected, they do not justify wholesale and indefinite retention of all records.
- In addition, besides the security risks already outlined in paragraph 74, we are concerned that all of Nexopia’s users are being misled into thinking they can delete their personal information at some point, if they want to. In this respect, Nexopia is retaining personal information without users’ knowledge and consent.
- Nexopia agreed to comply with Recommendation 23, by improving the language on its website to communicate the action and consequences of deleting an account. The changes will be completed by June 30, 2012.
- However, Nexopia’s commitment does not meet the full requirements of Recommendation 23, which states that Nexopia must offer users a clear choice between temporarily deactivating their user account, or permanently deleting it from the website’s database and archive. Nexopia states that it cannot offer a true deletion option. It follows, therefore, that describing the action and consequences of deactivating an account as if it were the deletion of an account would be misleading.
- Nexopia agreed to update its Privacy Policy to satisfy Recommendation 24. It will provide greater clarity as to why and how it may disclose a user’s personal information to law enforcement authorities, by June 30, 2012.
Conclusions
- We are satisfied that, once implemented, Nexopia’s proposed corrective measures as set out above will meet our Recommendations 20, 21 and 24. Nexopia has committed to demonstrating its implementation of these measures within the timeframes specified above. Accordingly, we find the allegations in this regard are well-founded and conditionally resolved.
- The allegations as they pertain to Recommendations 18, 19, 22 and 23 are well-founded.
Summary of our Conclusions
Well-Founded and Conditionally Resolved Allegations
- With respect to issues pertaining to Nexopia’s disclosure of user profiles to the public, default privacy settings, collection, use and disclosure of personal information collected at registration, sharing of personal information with advertisers and other third parties and retention of the personal information of non-users, we have concluded that Nexopia is in contravention of the Act and the allegations are well-founded and conditionally resolved.
- We have come to this conclusion based on Nexopia’s commitment to demonstrating its implementation of the corrective measures identified in this report, in relation to Recommendations 1-17, 20, 21 and 24, within specified time periods.
- In support of its commitment, Nexopia has agreed to provide our Office with regular progress reports, copy documentation and demonstrations of changes to the website, as it addresses the above recommendations.
- We understand that fully implementing these measures, many of which require significant technical changes to the Nexopia website, may take some time. Accordingly, Nexopia has agreed to fully implement a portion of these measures by June 30, 2012 and the rest by September 30, 2012.
- Our Office has a continuing interest in ensuring that Nexopia adopts the measures needed to bring it into compliance with the Act and follows through on the express commitments it has made to the Office in this regard. Over the coming months, we will be monitoring and reviewing the corrective actions Nexopia has committed to undertake and demonstrate to us pursuant to the agreed timeframes. At such time, we will gauge whether Nexopia has fully complied with our recommendations and, if necessary, we will address any outstanding concerns in accordance with our authorities under the Act.
Well-Founded Allegations
- With respect to issues relating to Nexopia’s retention of users’ personal information, we have concluded that the allegations are well-founded. These matters remain unresolved issues as Nexopia has not at this time agreed to adopt our Recommendations 18, 19, 22 and 23, nor has Nexopia presented any acceptable alternative measures. We will proceed to address these unresolved issues in accordance with our authorities under the Act.
Appendix A: Recommendations and responses
Section 1
Disclosure of user profiles to the public and default privacy settings
We recommended that Nexopia:
Recommendation 1
Change its default privacy settings to ensure that the website’s default privacy setting for all new users upon registration is set to “visible to friends”.
Nexopia agreed to comply with the Recommendation by June 30, 2012.
Conclusion: well-founded and conditionally resolved.
Recommendation 2
Inform existing users of their privacy setting options (linked to relevant information on the website), which requires them to opt-in to renew the setting they currently have, or choose an alternative setting.
Nexopia agreed to comply with the Recommendation by September 30, 2012.
Conclusion: well-founded and conditionally resolved.
Recommendation 3
Ensure that users who have their privacy settings set to “visible to friends” or “not visible” are not searchable through external search engines, or through Nexopia’s embedded search engine.
Nexopia agreed to comply with the Recommendation by September 30, 2012.
Conclusion: well-founded and conditionally resolved.
Recommendation 4
Ensure that users who have their privacy settings set to “visible to logged-in users” are not searchable through external search engines and are only searchable through Nexopia’s embedded search engine by other registered Nexopia users logged-in to the site.
Nexopia agreed to comply with the Recommendation by September 30, 2012.
Conclusion: well-founded and conditionally resolved.
Recommendation 5
Ensure that users are granted control, via privacy settings, over all categories of their personal information including “core” profile information and profile pictures, i.e. at the level of specific information items rather than just at the block level. This control should be afforded to both new and existing users.
Nexopia argued that the website’s architecture makes “core” profile information and profile pictures a component of every profile for visual and navigational consistency. Allowing granular privacy controls over this information would require considerable development resources and was an investment that the company was not prepared to make at this time.
However, given Nexopia’s commitments to activate the hide profile function by default for new users, make the hide profile function more visible, and provide users with clear information as to how the hide profile function works, and given that users can choose not to include any profile pictures, we are satisfied that users will be better able to control whether their personal information (including “core” personal information and profile pictures) is made widely available to anyone on the Internet. Accordingly, our concerns relating to Recommendation 5 have been substantially resolved.
We would strongly encourage Nexopia to continue to review its practices regarding profile pictures, and consider granting users more granular control over this material.
Conclusion: well-founded and conditionally resolved.
Recommendation 6
Explain, using language and means appropriate to its core users, the available privacy settings and the implications of choosing each setting.
Nexopia agreed to comply with the Recommendation by June 30, 2012.
Conclusion: well-founded and conditionally resolved.
Section 2
Purpose and consent for the collection and disclosure of personal information
We recommended that Nexopia:
Recommendation 7
Amend its Privacy Policy to clearly identify the purposes for which it collects, uses and discloses users’ personal information at registration.
Nexopia agreed to comply with this Recommendation by June 30, 2012.
Conclusion: well-founded and conditionally resolved.
Recommendation 8
Review its Privacy Policy and other site material to ensure that they are presented in a language and format that is appropriate for its user base.
Nexopia agreed to comply with this Recommendation by June 30, 2012.
Conclusion: well-founded and conditionally resolved.
Recommendation 9
Having regard for its youth audience, develop ways to inform users of the purposes for the collection, use and disclosure of their personal information, and require pro-active action on the part of users to consent to these purposes, at the time of registration.
Nexopia agreed to comply with this Recommendation by June 30, 2012.
Nexopia agreed to amend its registration process so that individuals seeking to register on the website will be required to click on a check box to confirm their agreement to the Terms of Use and the revised Privacy Policy. A link to the revised and clear language Privacy Policy will now appear alongside the check box and current link to the Terms of Use. The changes will be made by June 30, 2012.
While this step addresses what we believe to be the minimum requirements to provide users with knowledge of the website’s privacy practices and obtain appropriate consent, we would strongly encourage Nexopia to go further and explore more innovative methods of presenting its Privacy Policy, e.g. presenting it in theme-based pieces and in an incremental manner, so that users can click after reading small portions of the Policy.
Conclusion: well-founded and conditionally resolved.
Section 3
Information sharing between Nexopia and advertisers/marketers
We recommended that Nexopia:
Recommendation 10
Consolidate and update its Privacy Policy, to ensure that its users are better informed about all uses of personal information for the purposes of targeted advertising on the site, as required by Principles 4.2.3 and 4.3.2.
Nexopia agreed to comply with this Recommendation by June 30, 2012.
Conclusion: well-founded and conditionally resolved.
Recommendation 11
Update its Privacy Policy, to ensure that its users are better informed about the presence of third party served advertisements and tracking cookies, how they work on the site and the practical steps users can take to opt-out of receiving them.
Nexopia agreed to comply with this Recommendation by June 30, 2012.
Conclusion: well-founded and conditionally resolved.
Recommendation 12
Use alternative methods on its website to explain, in language understandable to its user base, the implications of third party targeted advertising and tracking cookies with respect to users’ information and their ability to opt-out of such tracking.
Nexopia agreed to comply with this Recommendation by June 30, 2012.
Conclusion: well-founded and conditionally resolved.
Section 4
Information sharing between Nexopia and third parties
We recommended that Nexopia:
Recommendation 13
Amend the “Disclosure of Personal Information” section of its Privacy Policy to:
- (i) refer to the sharing of personal information with a content distribution network for the purpose of prompt delivery of data and adequate website performance; and
- (ii) explain the disclosure of users’ personal information to the rewards company, resulting from the selection of “Earn Plus” offers, and explain how such disclosure is in addition to any information disclosed by the user as part of any offer conditions.
Nexopia agreed to comply with Recommendation 13(i) by June 30, 2012.
With regard to Recommendation 13(ii), Nexopia stated that it will remove the “Earn Plus” service from the website by June 30, 2012.
Conclusion: well-founded and conditionally resolved.
Recommendation 14
Cease providing the payment processor with unique user IDs and only transfer the information needed to process billing and payments. If some sort of unique identifier is required, it should adopt appropriate technological measures to ensure a more privacy respectful identifier is used.
Nexopia agreed to comply with this Recommendation by September 30, 2012. It will construct a hash table and provide its payment processor with unidentifiable ID numbers.
Conclusion: well-founded and conditionally resolved.
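As an added illustration (not Nexopia’s code; the report does not describe the design of its hash table), the following Python shows why an unkeyed hash of a sequential user ID is not an “unidentifiable” identifier, and two designs that keep the processor from learning the internal ID: a server-side lookup table of random tokens, and an HMAC under a key that never leaves the site. The user IDs and key are constructed values.

```python
"""Pseudonymous identifiers for a payment processor (added example).

Assumptions: internal user IDs are small sequential integers; the processor
needs only a stable reference per customer; the site maps that reference back
to the user when the processor reports a payment.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def naive_hash_id(user_id: int) -> str:
    # Weak design: an unkeyed hash of a sequential ID. Anyone holding the
    # token can recompute the hash for every plausible ID and reverse it.
    return hashlib.sha256(str(user_id).encode()).hexdigest()


def reverse_naive_hash(token: str, max_id: int = 1_000_000) -> Optional[int]:
    # Shows the weakness: the whole ID space is cheap to enumerate.
    for candidate in range(1, max_id + 1):
        if naive_hash_id(candidate) == token:
            return candidate
    return None


class ProcessorIdVault:
    """Server-side lookup table of random surrogate tokens.

    The processor only ever sees the token. Because the token is random rather
    than derived from the ID, nothing outside this table maps it back.
    """

    def __init__(self) -> None:
        self._by_user: Dict[int, str] = {}
        self._by_token: Dict[str, int] = {}

    def token_for(self, user_id: int) -> str:
        # Reuse an existing token so the processor sees a stable reference.
        if user_id not in self._by_user:
            token = secrets.token_urlsafe(16)  # 128 bits of randomness
            self._by_user[user_id] = token
            self._by_token[token] = user_id
        return self._by_user[user_id]

    def user_for(self, token: str) -> Optional[int]:
        # Reconciliation path: the processor's report carries only the token.
        return self._by_token.get(token)

    def revoke(self, user_id: int) -> None:
        # On account deletion, dropping the mapping severs the link between
        # records the processor still holds and the former user.
        token = self._by_user.pop(user_id, None)
        if token is not None:
            del self._by_token[token]


def keyed_id(user_id: int, secret_key: bytes) -> str:
    # Stateless alternative: HMAC with a site-held key. Enumeration fails for
    # anyone who holds only the processor's data, because the key is needed.
    return hmac.new(secret_key, str(user_id).encode(), hashlib.sha256).hexdigest()
```

Revoking the table entry is the step that matters when an account is deleted: the processor's stored records then carry a token that resolves to nobody.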
Recommendation 15
Cease providing the rewards company with unique user IDs and review what personal information, if any, needs to be disclosed to process offers. If some sort of unique identifier is required, it should adopt appropriate technological measures to ensure a more privacy respectful identifier is used.
Nexopia stated that it will remove the “Earn Plus” service from the website by June 30, 2012. It will, therefore, no longer share any users’ personal information with the rewards company from the date the service is removed.
Conclusion: well-founded and conditionally resolved.
Recommendation 16
Take prompt action to cease offering “Earn Plus” offers to site users who are under the age of 18 and stop disclosing the personal information of such users to the rewards company, in line with the rewards company’s stated policy position.
Nexopia stated that it will remove the “Earn Plus” service from the website by June 30, 2012. It will, therefore, no longer share any users’ personal information with the rewards company from the date the service is removed.
Conclusion: well-founded and conditionally resolved.
Recommendation 17
Obtain the express consent of a user to the disclosure of their personal information to the rewards company, before or at the time that the user chooses to conduct a transaction with the company.
Nexopia stated that it will remove the “Earn Plus” service from the website by June 30, 2012. It will, therefore, no longer share any users’ personal information with the rewards company from the date the service is removed.
Conclusion: well-founded and conditionally resolved.
Section 5
Retention of personal information
We recommended that Nexopia:
Recommendation 18
Implement appropriate policies and practices for the retention and destruction of personal information, including defined retention periods for non-user and user personal information.
Nexopia replied that, as it is not viable to implement a technical solution to ensure the destruction of users’ data and personal information, it did not need to implement retention and destruction policies and practices. It suggested that a greater explanation of how it archives data, and confirmation that such data is only accessible to its system administrators, could be pursued instead.
We reminded Nexopia of the importance of developing guidelines and implementing procedures for the retention and destruction of personal information under Principles 4.5.2 and 4.5.3 of Schedule 1 of the Act. The difficulty in finding a solution to the permanent deletion of users’ data and accounts does not obviate the need for such guidelines and procedures.
Indeed, retaining vast amounts of former users’ personal information, long after it has served its original purpose represents a real and ongoing security risk. Nexopia needs to develop appropriate retention and destruction guidelines and procedures to minimize and mitigate the risk of a privacy breach.
Conclusion: well-founded.
Recommendation 19
Develop and make available on its website appropriate information to explain these policies and procedures to non-users and users alike.
Our Office requested that Nexopia comply with its obligation under Principle 4.1.4(d) of Schedule 1 to implement policies and practices to give effect to the Principles in Schedule 1 of the Act.
This includes developing information to explain the organization’s policies and procedures regarding the retention and destruction of personal information and making it available to non-users and users on the site. Nexopia’s offer to describe how it archives data, and the limited accessibility to archived information, is insufficient to meet the requirements of Recommendation 19, particularly in the absence of compliance with Recommendation 18.
Conclusion: well-founded.
Recommendation 20
Advise users that before visiting the invitation feature (“Find and Add Friends”) and sending an invitation, they should have their friend’s permission to give Nexopia their email address and that by providing the email address to the website, they confirm that they have their friend’s consent to do so.
Nexopia agreed to comply with this Recommendation by June 30, 2012.
Conclusion: well-founded and conditionally resolved.
Recommendation 21
Offer non-users a clear choice between a) unsubscribing from join-the-site invitation emails, or b) permanent deletion of their email address. The consequences of each option for the non-user should be explained to them using language understandable to Nexopia’s user base.
Nexopia agreed to comply with this Recommendation by September 30, 2012.
Conclusion: well-founded and conditionally resolved.
Recommendation 22
Provide a true delete option for the accounts and personal information of users.
Nexopia was not prepared to comply with this Recommendation.
It explained that providing a true deletion option for the accounts and personal information of users is not currently possible. It pointed out the limitations of adopting such an option and justified its current practice of account “deletion” where all data and personal information is made invisible on the website. The information stored in the archives is only accessible to system administrators and recovered in the event that they receive a warrant from a law enforcement authority.
Nexopia argued that the development costs of adopting a “best practice” approach for the deletion of user data and personal information would be prohibitively high.
In our opinion, Nexopia’s current practice of storing personal information in its archives indefinitely, on the small possibility it may be the subject of an information request or warrant from a law enforcement agency is not acceptable. While such requests or warrants may justify a longer retention period for those specific cases affected, they do not justify wholesale and indefinite retention of all records.
In addition to the security risks inherent in retaining vast amounts of former users’ personal information, long after it has served its original purpose, we are concerned that all of Nexopia’s users are being misled into thinking they can delete their personal information at some point, if they want to. In this respect, Nexopia is retaining personal information without users’ knowledge and consent.
Conclusion: well-founded.
Recommendation 23
Offer users a clear choice between a) temporarily deactivating their user accounts, or b) permanently deleting them from the website’s database and archive. The consequences of each option should be explained using language understandable to Nexopia’s user base.
Nexopia agreed to comply with Recommendation 23 by improving the language on its website to communicate the action and consequences of deleting an account.
This does not meet the full requirements of the Recommendation, which states that Nexopia must offer users a clear choice between temporarily deactivating their user account, or permanently deleting it from the website’s database and archive. Nexopia states that it cannot offer a true deletion option. It follows, therefore, that describing the action and consequences of deactivating an account as if it were the deletion of an account would be misleading.
Conclusion: well-founded.
Recommendation 24
Provide users with greater clarity as to why and how it may disclose their personal information to law enforcement authorities, at the time it first collects their personal information.
Nexopia agreed to comply with this Recommendation by June 30, 2012.
Conclusion: well-founded and conditionally resolved.