Facebook agrees to stop using non-users’ personal information in users’ address books

PIPEDA Report of Findings #2018-003^{Footnote 1}

May 24, 2018

Complaint under the Personal Information Protection and Electronic Documents Act (the “Act” or "PIPEDA") against Facebook Inc.

1. In this report, “Facebook” refers to the Facebook website and platform, as provided by Facebook Inc. (“FB Inc.” or “FB”).
2. FB Inc., a California company, advised our Office on June 20, 2013 that it had suffered a privacy breach related to the disclosure of contact information uploaded by Facebook users through the 'Contact Importer' process (the “breach”).
3. On June 23, 2013, a complaint was filed with our Office against FB Inc., alleging that FB Inc. collected, and then disclosed via the breach, the personal information of Facebook users and non-users without consent.
4. On July 5, 2013, our Office and the Office of the Data Protection Commissioner of Ireland advised FB that we would be coordinating our investigations into the breach. The breach raised issues relating to whether FB was appropriately safeguarding contact information uploaded by its users and also whether FB’s process of matching contact information across address books is in compliance with PIPEDA. Our Office’s investigation therefore focused on the following issues:
   1. whether FB is collecting contact information of users and non-users with consent;
   2. whether FB had the appropriate safeguards in place prior to the breach to protect the contact information of users and non-users and if not, whether FB has now implemented appropriate safeguards to protect this personal information;
   3. whether FB is using the personal information of users and non-users during the process of matching across address books and if so, whether FB is obtaining meaningful consent from users and non-users for the use of personal information during the process of matching across address books; and
   4. whether FB is providing users and non-users the ability to obtain access to and correct their personal information/data, as required under PIPEDA.

Facebook features

(a) Contact Importer tool (also known as “Friend Finder”) and the Friend Finding Process

5. FB’s Contact Importer tool is a feature that allows users to choose to upload and store their contacts as part of their accounts, and use such contacts to (i) invite other users to become their friends on Facebook, (ii) get friend suggestions and (iii) invite their contacts who are not users to join Facebook.
6. It is our Office’s understanding that prior to April 2012, the Friend Finding process worked by first searching FB’s database to see if the exact imported contact information as uploaded was already registered to an existing user on Facebook. If the exact imported contact information was registered to an existing user, Facebook presented the importing user with an “Add Friend” button to add the user as a friend. If the exact imported contact information was not registered to an existing user, FB allowed the importing user to initiate an email invitation to the contact to join Facebook.
7. The following example highlights our Office’s understanding of the Friend Finding process prior to April 2012:

   Mark registers his Facebook account using mark@gmail.com. Jeanne is a Facebook user, who uploads Mark’s other email address mark@yahoo.com to her Facebook account. Facebook searches its database to see whether mark@yahoo.com is registered on Facebook. As Mark did not register his Facebook account using mark@yahoo.com, nor did he add mark@yahoo.com to his Facebook profile, Jeanne is not presented with a button to add Mark as a friend. As Mark’s Facebook account does not include mark@yahoo.com, even though he is a registered user with mark@gmail.com, Facebook offers Jeanne the option to send an email invitation to Mark at mark@yahoo.com to join Facebook. This would occur irrespective of the fact that Steve, a third person, imported Mark’s email addresses mark@yahoo.com and mark@gmail.com together.

(b) Process of matching across address books

8. In April 2012, according to FB, its engineers began considering ways to improve the user experience by decreasing the number of email invitations that Facebook users might send to their imported contacts who were already Facebook users. As explained in the example above, this could occur when the contact information that a user added to their Facebook profile was different from the contact information that other Facebook users had imported for them using the Contact Importer tool.
9. FB engineers designed a process that associates pieces of contact information uploaded by different Facebook users to the same individual. The process works by "matching" information across all address books imported by FB users in order to identify pieces of information that different imported contacts may have in common (i.e., email addresses and/or telephone numbers). Through this process, FB can associate different and separate contact information with a single individual. This enables FB to more accurately determine whether a contact is already an existing Facebook user to avoid sending that user an email invitation to join Facebook.
10. The following example highlights our Office’s understanding of the Friend Finding process after April 2012 as a result of the process of matching across address books:

    Mark registers his Facebook account using mark@gmail.com. Jeanne is a Facebook user, who imports her contact information for Mark to her Facebook account. Jeanne’s information for Mark only includes his other email address, mark@yahoo.com. Facebook searches its database to see whether mark@yahoo.com is registered to an existing Facebook account or whether Facebook has associated mark@yahoo.com to an existing Facebook user through the process of matching across address books.

    In this case, Steve had already imported Mark’s email addresses mark@yahoo.com and mark@gmail.com together. As a result, Facebook is able to determine that mark@gmail.com and mark@yahoo.com likely both belong to Mark, who is a Facebook user. Accordingly, instead of Jeanne sending Mark an unwanted email inviting him to join Facebook, Facebook presents Jeanne with a button to add Mark as a friend, even though Mark did not add mark@yahoo.com to his Facebook profile.

11. According to FB, the matching process does not result in additional information being added to a Facebook user’s profile or imported contact information. In the example above, even though FB has associated mark@yahoo.com with Mark, “[FB] is not storing [mark@yahoo.com] as part of [Mark’s Facebook] account.”

(c) Download Your Information (“DYI”) tool

12. The DYI tool is designed to provide Facebook users with the ability to access their personal data, as stored by FB in their Facebook profile, and download all of the information they have contributed to Facebook and which is associated with their profile. In May 2012, a different set of FB engineers from those responsible for the changes to the Friend Finding process made additional categories of Facebook user profile data accessible through the DYI tool, and in so doing, provided Facebook users with access to a copy of all their imported contacts.

Breach and FB’s response

13. According to FB, when their engineers implemented the process of matching contact information across address books, a portion of the code they used to determine which pieces of contact information could be associated with each other inadvertently caused the matched contact information to be stored in the same place in Facebook’s database as the Facebook user’s imported contacts in their address book.
14. As a result of what FB characterizes as ‘an inadvertent coding error’, the DYI tool began pulling not just the contact information the person using the Contact Importer tool had imported, but also the contact information that had been matched across address books by Facebook.
15. Specifically, the breach occurred when Facebook users accessed the DYI tool and requested their information. The downloaded results included any contacts that the Facebook user had imported into their Facebook account, as well as any contact information that Facebook had associated to each of those imported contacts (i.e. additional telephone numbers and email addresses) through the process of matching across address books.
16. In early June 2013, a security researcher reported the breach via FB’s White Hat Bounty Program. This program is part of FB’s information security program and encourages external security researchers to report potential security vulnerabilities on Facebook. FB provides financial compensation for identifying certain vulnerabilities.
17. According to FB, it disabled the DYI tool while it investigated the breach. Upon confirming the issue, it corrected the code that was causing the additional data to appear in the DYI downloads and then re-enabled the DYI tool within 24 hours.
18. The breach resulted in about 1.1 million user downloads between May 2012 and June 2013 inadvertently containing at least one additional email address or telephone number that the person using the DYI tool did not themselves import to Facebook. FB advised that in more than 99% of the downloads, the additional contact information was received by no more than two other Facebook users. According to FB, the bug resulted in the inclusion of additional contact information in a much larger data report and most people that received the extra data points were likely unaware of their existence.
19. Starting on June 21, 2013, FB sent email notifications to approximately six million Facebook users globally whose additional contact information was disclosed as a result of the breach. In Canada, a total of approximately 142,000 Canadian Facebook users were affected by having a piece of additional contact information included in a DYI download in error. The email notified the Facebook user which piece of his or her contact information was disclosed (partially obscured) and the number of downloads containing that information. FB decided not to disclose to affected Facebook users which other Facebook users had received their contact information as a result of the breach.
20. FB also indicated that, globally, approximately 14 million pieces of contact information (i.e., email addresses and telephone numbers) that could not be connected to any Facebook users were also inadvertently disclosed as a result of the breach. FB decided it would not be appropriate to contact non-FB users with the limited contact information available.
21. FB also published a blog post on its website discussing the incident on June 21, 2013.^{Footnote 2} According to FB, it did not receive any complaints about misuse of data, nor did it detect any anomalous behavior on the DYI tool or Facebook site to suggest wrongdoing or any harm to affected individuals in connection with the coding error.

Collection of personal information without consent

22. The complaint to our Office alleged that the breach revealed that FB is collecting the personal information of Facebook users and non-users without consent. Our Office found no indication that FB’s process relating to how its users import contact information into their Facebook accounts had changed substantively since our Office last examined this issue.^{Footnote 3} In particular, we did not see any grounds for concluding that FB was contravening PIPEDA by allowing its users to upload and store contact information as part their Facebook accounts. As a result, the current investigation focused on whether FB had appropriate safeguards in place to protect the contact information that Facebook users had imported, whether its process of matching contact information across address books was in compliance with PIPEDA and whether it was providing users with a means to access and correct the contact information that FB had matched to them.

Safeguards

Issue

23. Our Office investigated whether FB had appropriate safeguards in place prior to the breach to protect the contact information of Facebook users and non-users, and if not, whether FB has now implemented appropriate safeguards to protect such personal information following the breach.

Summary of investigation

24. It is FB’s position that the breach occurred due to an isolated mistake that could not have been detected easily, not because of a lack of process or a lack of processes being followed. FB maintained that its comprehensive approach to quality assurance and security resulted in the discovery of the coding error because it was identified through its White Hat Bounty Program. It also noted the fact that a bug occurred in this instance does not necessarily lead to the legal conclusion that the safeguards in place at the time of the breach were not appropriate to satisfy FB’s legal obligations under the safeguarding provisions of PIPEDA.
25. FB provided our Office with an overview of its information security program and its software development process to demonstrate its position that data security and privacy concerns are identified and addressed throughout this process. For example, according to FB, its product review process is designed to facilitate privacy reviews at the earliest stages of product development and it holds regularly scheduled meetings, attended by a cross-functional group of privacy stakeholders, to review key product-related privacy decisions.
26. With respect to FB’s development process for tools and functions involved in the breach, FB claimed that its engineering department followed a rigorous review process during which the features involved in the breach had been reviewed, refined and agreed upon. In general, this process provides that engineers implement the new or updated feature, conduct tests of the feature independently and in integration with other features, and then send those implementations to other engineers for review. After review, feedback, improvements and discussion, the changes are accepted and then committed. The changes are then merged for test-group review then rolled out more widely if issues do not appear.
27. While FB advised that its engineering teams that develop products remain responsible for ensuring that the development and testing of their products and features follow FB’s established process, its security team also works with the engineering teams to ensure products and features are appropriately integrated. FB advised our Office that development and testing are not the responsibility of different teams within FB as it is critical that the developers responsible for writing, reviewing and troubleshooting the code also remain responsible for testing the code.
28. According to FB, the following remediation measures were taken in response to the breach:
    1. the underlying coding error that caused the matched contact data to be stored improperly was fixed;
    2. the DYI tool was audited for similar unexpected data and no similar coding errors were found;
    3. the extraneous pieces of contact information were removed from the existing address book storage of all users;
    4. FB’s systems were initially migrated to a new associated data store that did not store actual associated email addresses and phone numbers, but instead stored hashes of these contact points; and
    5. the DYI tool was moved to use a different application programming interface than the one that was incorrectly storing data.
29. FB advised that following the breach, it implemented the hash of the contact information in the repository of hashed contact points as a safeguard to protect information in the unlikely event the data was inadvertently disclosed again, as an additional, remedial step to protect the data from future unauthorized disclosure.
30. FB also stated to our Office that it had:
    1. reviewed key portions of the existing contact importer code;
    2. Initially re-architected the matching process to use hashes of email addresses rather than actual email addresses;
    3. simplified and centralized the logic for mapping an email address or telephone number to an account; and
    4. increased the frequency of review of the relevant code while these changes and other functional changes were being made.
31. In response to our question as to why this technical issue was not detected despite FB’s review processes, FB provided the following reasons:
    1. FB uses synthetic data for testing operations, which, in this instance, did not accurately mirror how the proposed code change would function with real data. This resulted in a failure to identify the bug during testing;
    2. the coding error arose from the interaction of two systems – the contact importer code that stored data in a particular place and the DYI code that independently disclosed to users whatever information was stored in their address books. Because the two sets of code for the two systems operate separately, code review on each of them individually did not reveal any issue; and
    3. it was not obvious on a visual inspection that the imported contact information in the DYI tool contained contact information that was not part of the original imported contact list of the downloading user because contact information exposed was typically associated with an individual whose contact information was already contained in the downloading user’s address book.
32. FB submitted that, prior to the breach, it had a robust suite of safeguards and quality assurance processes designed to protect the contact information imported by Facebook account holders, including:
    1. a comprehensive security program;
    2. a set of specific processes and controls that are built into Facebook’s operations and that ensure privacy and security risks are identified at virtually every stage of the product development lifecycle;
    3. a process for automated testing, manual testing, and peer review of software changes to validate functionality and identify potential bugs;
    4. a White Hat Bounty Program; and
    5. a cross-functional and highly collaborative team that facilitates a rapid response to bugs and other issues.
33. FB believes that, at the time of the breach, these security measures were appropriate, especially given, in its view, the ‘non-sensitive’ nature of the data involved with the breach, and met the safeguard requirements under Principles 4.7 and 4.7.1 of Schedule 1 of PIPEDA.

Application

34. In analyzing the facts and making our determinations, our Office applied the following provisions from PIPEDA.
35. Principle 4.7 of Schedule 1 of PIPEDA states that personal information shall be protected by security safeguards appropriate to the sensitivity of the information. Specifically, Principle 4.7.1 states that the security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying use, or modification.

Analysis and findings

36. The breach occurred as a result of the interaction between two features – the contact importer code that stored data in a particular place and the DYI code that independently disclosed to Facebook users whatever information was stored in their accounts, including their address books. The breach, for the extended period during which it remained undetected, resulted in the unauthorized disclosure of contact information to Facebook users using the DYI tool. These users were effectively given access to contact information which they had not imported into their Facebook accounts.
37. In our Office’s view, the testing conducted by FB with respect to the update to the DYI tool was inadequate. While FB submits that the storage error could not have been detected easily via testing, that is not to say that the error could not have been detected with the appropriate measures in place. This may reflect limitations in the synthetic data used for the testing, or the means by which it was compiled.
38. For example, since the change to the DYI tool added access to further categories of Facebook user profile information, including telephone numbers and email addresses from a user’s address book, FB should have had processes in place to ensure that the information displayed by the DYI tool was equivalent to that in the user’s address book. FB holds significant information about its users – not just limited to email addresses, telephone numbers and associations – and its product development and testing processes should ensure that information made available through a feature does not exceed that which was intended to be made available.
39. Our Office finds that FB did not have appropriate safeguards in place prior to the breach in order to protect the personal information of users and non-users, as required by Principles 4.7 and 4.7.1 of Schedule 1 of PIPEDA. Prior to the breach, FB’s safeguards were not appropriate in the circumstances, given that they did not verify whether the information displayed by the DYI tool was equivalent to that in the Facebook user’s address book.

Recommendations and response

40. Accordingly, our Office’s Preliminary Report of Investigation (“PRI”), recommended that FB implement new measures to improve the testing and review of the interactions between features on Facebook, especially when adding a new feature to its existing system. We recommended that these measures should be able to detect the storage error that caused the breach and also ensure that information disclosed pursuant to the DYI tool is equivalent to that in the Facebook user’s address book. In this regard, we recommended that FB may wish to consider ways to ensure that the data used as part of its testing is more appropriately designed and/or selected to reflect the feature being tested and more reflective of the data contained on Facebook.
41. In response to our recommendations, FB advised that it was deprecating the repository of hashed contact points and had implemented a Privacy Framework, based on the security principle of “least privilege”^{Footnote 4}. This process assigns an audience designation to each contact data object uploaded through the use of the Contact Importer tool, such that when someone accesses their contacts through the DYI tool, the Privacy Framework identifies the relevant Facebook user ID; runs a check on the audience setting of each contact data object in an address book before it is presented to a Facebook user to ensure they have the rights to see each contact disclosed; and only retrieves stored contact data uploaded to that user’s address book. According to FB, this improved system provides an automated process, designed specifically to prevent the inadvertent disclosure of data.
42. According to FB, the Privacy Framework applies a series of clear rules governing access to uploaded contact information and provides tools to construct automated tests with suitable data sets to verify that these rules are enforced correctly. The DYI tool accesses the contact importer data through the Privacy Framework, which, according to FB, guarantees that only appropriate data is accessible and that changes to the DYI tool can be more effectively tested.
43. As a result, FB submitted that its “technical and administrative safeguard measures, robust quality assurance and testing processes, White Hat Bounty Program and new Privacy Framework comprise a very thoughtful and highly-effective information security framework to help prevent the type of inadvertent error similar to the one related to the breach.”

Conclusion

44. In light of the changes made by FB since the breach, our Office concludes under PIPEDA, that the issue of safeguards is well-founded and resolved. As claimed by FB, the new Privacy Framework ensures only appropriate data is accessible through the DYI tool and permits testing to verify that rules governing access to uploaded contact information are enforced correctly – elements missing from FB’s safeguards prior to the breach. FB has made changes that are designed to prevent an incident similar to the breach in the future.
45. Our Office continues to encourage FB to improve the testing and review process of interactions between features on Facebook, in general, especially when adding a new feature to its existing system. Systematic and well-maintained documentation and demonstration of both the test procedures and test coverage will assist in compliance assessments during internal or external audit or inspection.

Issue of consent for the process of matching across address books

Use of personal information

Issue

46. Before turning to the issue of consent, our Office considered whether FB is using the personal information of Facebook users and non-users during the process of matching across address books.

Summary of investigation

47. FB advised that in addition to storing the email addresses and telephone numbers imported by Facebook users as part of their accounts, it also maintained such imported contact information in locations separate from, but associated with, the users’ address books. This was done for the purposes of associating contact information imported by various Facebook users to existing Facebook users, and ultimately, to help Facebook users find friends already on Facebook and to invite other contacts to join Facebook while avoiding sending Facebook users unwanted and unnecessary invitations to join Facebook.
48. Specifically, when a Facebook user imports an address book to Facebook, that data was written as a structured address book that forms part of that user’s Facebook account. In addition, to prevent unwanted and unnecessary invitations to join Facebook from being sent to existing Facebook users, FB maintained a specific entry for each imported email address or telephone number along with a list of the Facebook users who have imported that given piece of contact information. For each piece of contact information, FB also stored potentially related email addresses and telephone numbers that it has associated to the contact information via the process of matching across address books. In addition, FB separately maintained hashes of email addresses that have unsubscribed from receiving email invitations from Facebook (the “Opt-out Store”).
49. For clarification, FB advised that it does not maintain a “Central Store”, rather it maintained associations between given pieces of imported contact information to avoid sending Facebook users unwanted and unnecessary invitations to join Facebook.
50. FB advised that it “uses contacts imported by [Facebook] users to help users find friends, not to “identify associations”…. [and it] makes associations in order to help [Facebook] users find their friends when they are both users of Facebook.” According to FB, identifying associations is a technical means to serve the purpose of finding friends, as well as improving and enabling users to send invitations. According to FB, this statement was intended to clarify that Facebook users uploaded contact information for the purpose of helping users find friends, which requires that it identify associations among contacts. According to FB, it has drawn associations among uploaded contact points and existing Facebook accounts – the act of identifying associations, in and of itself, is not a new or separate purpose.
51. FB further advised that “the only processing of imported email addresses before an invitation is sent is performed to ascertain whether the email address belongs to a Facebook account or not (and this includes the ‘matching step’).” Building on the example outlined above in paragraph 10, FB advised that:

    When [Jeanne] imports [her] contacts [to Facebook], [FB] process[es] the contacts to be able to offer [Jeanne] the ability to invite a contact to connect on Facebook. [W]here the email address is [registered to] a Facebook account, or where through the matching process, [FB] ha[s] a high degree of certainty that the email address belongs to a particular Facebook user, [FB] offer[s Jeanne] the ability to send a friend request instead.

52. According to FB, it does not maintain associations regarding Facebook non-users. Instead, it “takes a piece of contact information that [it] can (to a high degree of confidence) associate with an existing Facebook user for the purposes of facilitating friend requests from one [Facebook] user to another. If [it] do[es] not have sufficient confidence whether particular information is associated with an existing Facebook user, then [it] may choose not to associate it”.
53. During this investigation, FB advised of further changes to its process for matching across address books. In particular, address book data is now copied from the address book database in the production environment to the processing environment. Once the data is in the processing environment, FB conducts a sophisticated analysis to identify whether the uploaded address book contacts are associated with existing Facebook accounts. This allows FB to distinguish between uploaded contacts that are associated with a Facebook account versus those that presumably represent non-user data.
54. When an uploaded contact is associated with an existing Facebook account, that contact is now included in the “User Matches” data set. The “User Matches” data set contains dimensional metadata about the users’ relationship to the contact. Importantly, the “User Matches” data set does not include the uploaded contact points that are not associated with an existing Facebook user.
55. FB submitted that the fact that Facebook must copy address book data (i.e., make a duplicate) to achieve the product purposes does not mean that information is being used for a separate purpose. For clarity, FB indicated that contact information that people upload through the Contact Importer tool is processed for the purpose of helping them more easily connect with their friends, family and other contacts – which is the primary and core purpose of Facebook as a social media platform – and which requires that FB identify associations among contacts.
56. According to FB, it believes that it is using personal information for the purposes for which it was collected – consistent with Principle 4.5 of PIPEDA – and there is consequently no requirement for an additional consent for either Facebook users or non-users in these circumstances.

Application

57. In analyzing the facts and making our determinations, our Office applied the following provisions from PIPEDA.
58. Principle 4.5 of Schedule 1 of PIPEDA states that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. It also states that personal information shall be retained only as long as necessary for the fulfilment of those purposes.

Analysis and findings

59. The use of imported contact information by FB for the purpose of helping Facebook users find friends on Facebook and invite others to join Facebook has previously been investigated by our Office, and, with modifications, was found to be compliant with PIPEDA.^{Footnote 5} FB Inc. has previously advised our Office that it was not keeping non-user email addresses for its own use, apart from a list of non-users who opted out of receiving emails from Facebook and the email addresses of non-users were only stored in the address books of the Facebook users who uploaded their contact lists to Facebook.
60. However, the current investigation centers on the changes made by FB to its Friend Finding process in April 2012. After April 2012, FB implemented the process of matching across address books to identify and associate contact points belonging to the same Facebook user for the purpose of helping Facebook users find friends already on Facebook and to invite other contacts to join Facebook. In addition, it was processing, storing and maintaining all imported contact information for both Facebook users and non-users in a data store, separate from its users’ address books. Such data stores contained a specific entry for each imported email address or telephone number, irrespective of whether it belonged to a Facebook user or non-user, along with any related email addresses and telephone numbers that FB had associated to the contact information.
61. Accordingly, our Office finds that the process of matching across address books constitutes a use of the personal information of Facebook users and non-users for which FB must obtain meaningful consent, as required by Principle 4.3 of Schedule 1 of PIPEDA. Our Office appreciates that while the purpose has not changed, the manner in which FB is using the address books of Facebook users has changed and is more extensive than it was prior to April 2012.
62. Our Office’s finding is not based on the fact that FB is copying address book data or storing it in multiple instances in order to support the processing required; rather it is based on the fact that FB is using the personal information differently: by “conduct[ing] a sophisticated analysis to identify whether the uploaded address book contacts are associated with existing Facebook accounts” via the process of matching across address books.

Meaningful consent and openness – Facebook users

Issue

63. In light of the finding above that FB is using the personal information of users during the process of matching across address books, our Office looked at whether FB is obtaining meaningful consent from users for this use of personal information during the process of matching across address books and whether it was meeting its obligation to be open about its policies and practices.

Summary of investigation

64. FB indicated that it offers Facebook users robust, multi-layered notice about this use in its Contact Import User Flow, Data Policy^{Footnote 6} (previously entitled Data Use Policy) and Help Center^{Footnote 7}, and as such, it obtains clear consent for the use of imported contact data.
65. With respect to the notice in its Contact Import User Flow, FB advised that it provided “contextual” or “just in time” disclosures to Facebook users in the form of a pop-up window stating:

    Import contacts from your account and store them on Facebook’s servers where they may be used to help others search for or connect with people or to generate suggestions for you or others. Contact info from your contact list and message folders may be imported. Professional contacts may be imported but you should send invites to personal contacts only. Please send invites only to friends who will be glad to get them. You can always manage your imported contacts [hyperlink] or remove them completely [hyperlink]. [Emphasis added]

66. Our Office notes that this notice has now been amended slightly from that outlined above, where the last sentence has been changed to “To manage the contacts that you’ve imported, you can visit facebook.com/invite_history.php at any time.” This notice is also available to people already using Facebook through the “Find Friends” tool in their profile.
67. The notice displayed when people register through the Facebook app is as follows:

    See Who’s on Facebook – When you choose to find friends on Facebook, we’ll use and securely store information about your contacts, including things like names and any nicknames; contact photo; phone numbers and other contact or related information you may have added like relation or profession; as well as data on your phone about those contacts. This helps Facebook make recommendations for you and others, and helps us provide a better service. You’re always able to manage or delete [hyperlink] contacts you share with Facebook. You can turn off contact uploading in settings. You may have business and personal contacts in your phone. Please only send friend requests to people you know personally who would welcome the invite. [Emphasis added]

68. On the Manage Invites and Imported Contacts page, it stated the following:

    The contacts listed here include the information you've imported or synced to Facebook. To remove a contact, select it and press "Delete Selected". You can also remove all your imported contacts [hyperlink]. Only you can see your contacts, but this info may be used to make friend suggestions for you and others… [Emphasis added]

69. Our Office notes that this notice has also been amended from that outlined above, as follows:

    The people listed here are contacts you’ve uploaded to Facebook. If you have chosen to continuously upload your address book, you may have uploaded information about these contacts beyond just the emails or phone numbers shown below. You can view other data you’ve uploaded to Facebook by visiting our Help Center [hyperlink].

    To remove one or more contacts, select it and press Delete Selected. You can also delete all of your imported contacts. If you delete all of your contacts from this page and if you have continuous uploading turned on, your contact information will be uploaded again. To turn off continuous uploading, go to Settings in your Facebook app.

    Only you will be able to see your contacts and info about them, but Facebook will use the info you’ve uploaded about your contacts to make friend suggestions for you and others and to help us provide a better service for everyone. [Emphasis added]

70. On Facebook’s Remove All Imported Contacts page, its states the following:

    Only you can see your contacts on Facebook, but this info may be used to make friend suggestions for you and others, and in accordance with Facebook's privacy policy. If you choose to remove your imported contacts, friend suggestions for you and your friends may become less relevant. [Emphasis added]

71. FB initially referred to the following from its Data Use Policy, in effect at the beginning of our Office’s investigation:

    Friend finder
    We offer tools to help you upload your friends' contact information so that you and others can find friends on Facebook, and invite friends who do not use Facebook to join, and so we can offer you and others better experiences on Facebook through suggestions and other customized experiences. If you do not want us to store this information, visit this help page at: https://www.facebook.com/contact_importer/remove_uploads.php. [Emphasis added]
    …
    Information others share about you
    We receive information about you from your friends and others, such as when they upload your contact information, post a photo of you, tag you in a photo or status update, or at a location, or add you to a group. When people use Facebook, they may store and share information about you and others that they have, such as when they upload and manage their invites and contacts. [Emphasis added]

72. Our Office notes that the above notices no longer appear in FB’s current Data Policy. According to FB, this was part of its broader goal of making the Data Policy more streamlined and easier for people to understand, including the removal of product-specific notices available to users in others ways, such as through the Help Center or in-product notice.
73. Additional examples of notices from its current Data Policy include:

    Things others do and information they provide – We also collect content and information that other people provide when they use our Services, including information about you, such as when they share a photo of you, send a message to you, or upload, sync or import your contact information.

    Your networks and connections – We collect information about the people and groups you are connected to and how you interact with them, such as the people you communicate with the most or the groups you like to share with. We also collect contact information you provide if you upload, sync or import this information (such as an address book) from a device.
    …
    We are passionate about creating engaging and customized experiences for people. We use all of the information we have to help us provide and support our Services. Here’s how:

    Provide, improve and develop Services – We are able to deliver our Services, personalize content, and make suggestions for you by using this information to understand how you use and interact with our Services and the people or things you’re connected to and interested in on and off our Services.

74. Some examples of how Facebook provides information about connecting with people in its Help Center include:

    How do I find friends on Facebook? After you join Facebook, there are a few ways to find your friends:

    Search for friends – You can search for your friends by typing their names or email addresses in the search bar. When you find a friend, you can add them [hyperlink].

    Import your contacts – You can import your list of contacts [hyperlink] from other places (ex: your email account, your phone) and we'll find your friends for you. After Facebook imports your contacts, you'll have the option to send a friend request to any of your friends that already have a Facebook account or send an invitation to join Facebook to friends that don’t have an account.
    Note: You can always manage your list of contacts [hyperlink] and the invitations & reminders those friends receive.^{Footnote 8}

    How do I manage the contacts I imported to Facebook (ex: remove contacts, send reminder invitations)? If you import contacts and invite them to join Facebook, we'll save a list of the people you've invited and send them reminders to join. Review your contacts [hyperlink] to see which friends have joined, remove contacts and send additional reminders. You can also delete all of your contacts, canceling any scheduled invite reminders, by clicking remove all contacts [hyperlink].^{Footnote 9}

    If I import my contacts, will the contact info I import be saved? When you import contact info, we may store that info and use it to suggest friends for you and others in the future.^{Footnote 10} [Emphasis added]

    What is People You May Know? People You May Know are people on Facebook that you might know. We show you people based on mutual friends, work and education information, networks you’re part of, contacts you’ve imported [hyperlink] and many other factors. You might occasionally see people you don’t know or don’t want to be friends with. To remove them from People You May Know, click x next to their names. Facebook doesn't send friend requests to anyone that shows up in this list on your behalf. Keep in mind that you should only send friend requests to people you have a real-life connection to, like your friends, family, coworkers or classmates.^{Footnote 11} [Emphasis in the original]

    How does Facebook suggest people I may know in email invitations and reminders when I don’t have an account? When your friends join Facebook, they can invite their friends to join too. Their invitation emails can include suggestions of other people you may know who may have invited you in the past. This helps you find your friends on Facebook quickly so you can start sharing with them if you decide to join.

    • To join Facebook, click the link in your friend's invitation email, or go to facebook.com [hyperlink] to sign up.
    • To opt out of these invitations, click the opt-out link at the bottom of the email. We'll save your email address to make sure that we don't send you friend invitations in the future.^{Footnote 12} [Emphasis in the original]

75. FB submitted that “the current notices strike the right balance by making key information immediately and clearly available, with additional information also readily available. The layered framework provides users with a meaningful description of the core purposes of the contact importer functionality. The notices are very clear and explicit and, based on such notice and the users’ interaction and experience on the platform, people on Facebook would expect imported contact data to be used in this fashion to help them find connections on the platform.”
76. According to FB, “through the notice provided and made available to people on Facebook and their [sic] way in which they find and connect with their friends on the platform, people on Facebook understand how their personal information is used in connection with the Contact Importer tool and do provide their consent for the use of their data for these purposes”.
77. In response to whether Facebook users are able to opt-out of the process of matching across address books, FB advised that the primary purpose of the Contact Importer tool is to enable Facebook users to find friends on Facebook and invite their friends to join Facebook. As a result, our understanding is that Facebook users are not permitted to opt-out of the matching. However, Facebook users are not required to import their contacts and may delete their imported contact information at any time.

Application

78. In analyzing the facts and making our determinations, our Office applied the following provisions from PIPEDA.
79. Principle 4.3 of Schedule 1 of PIPEDA states that the knowledge and consent of the individual are required for the collection, use or disclosure of personal of personal information, except where inappropriate. Specifically, Principle 4.3.1 states that consent is required for the collection of personal information and the subsequent use or disclosure of this information, while Principle 4.3.2 states that organizations shall make a reasonable effort to ensure that the individual is advised of the purpose for which the information will be used and that to make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
80. Section 6.1 of PIPEDA, which came into effect in June 2015, states that for the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.
81. Principle 4.8 of Schedule 1 of PIPEDA states that an organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

Analysis and findings

82. There is no express description of FB’s matching process or how the process works in the various notices outlined above provided to Facebook users. In particular, these notices do not explain how a Facebook user’s various pieces of contact information, including those imported by other Facebook users, will be used in the matching across address books process. The only allusion to the matching of contact information in the notices is a reference to contact information uploaded by a user being used by FB to help “others” find friends on Facebook, as emphasized above. The reference to “others” in these notices provides little information and does not explain how contact information imported by Facebook users will be used in the process of matching across address books.

Recommendations and response

83. Our Office recommended that FB provide Facebook users with information about the process of matching across address books, such that Facebook users are adequately informed of FB’s use of their personal information and can reasonably understand what they are consenting to in this context, including how the process works, how contact information imported by Facebook users will be used in this process and the nature and consequences of this use of their personal information.
84. This information should, at the very least, be provided to Facebook users upon joining Facebook, in Facebook’s Data Use Policy and during the contact import user flow. Our Office encouraged FB to use creative means to provide this information in a conspicuous and apparent fashion to Facebook users.
85. Our Office noted that Facebook users are able to add email addresses for themselves to their Facebook profile. We suggested that FB may wish to consider other ways in which to use this feature to improve the user experience and to decrease the number of email invitations sent to individuals who are already Facebook users.
86. FB disagreed with the above recommendations, submitting that Facebook users are provided with multi-layered notices about the collection and use of personal information in connection with the invite and friend suggestion functionality related to the Contact Importer tool, which are made available on the platform in a conspicuous fashion as part of the user experience. Moreover, it submitted that Facebook users join the platform for the purpose of connecting with friends and they understand that the whole point of the platform is to help people connect. In addition, FB also submitted that it is very open and transparent about its personal data practices in this regard.
87. Informed consent requires an understanding of the purpose, nature and consequences of the collection, use and disclosure of personal information. In the present situation, FB’s use of contact information is aimed at enhancing and making more efficient the primary, core service it offers, i.e. connecting people on its social network. After considering FB’s submissions, we agree that FB has not changed its purpose for using FB users’ contact information; it is simply using the contact information in a different way. In the circumstances, a FB user would still generally expect that contact information will be used to make friend suggestions.
88. Accordingly, our Office finds that FB is not contravening the consent principle, Principle 4.3 of PIPEDA, when using personal information during the process of matching across address books.
89. This said, we are not convinced that FB is being sufficiently open about its practices with respect to how it handles contact information. While our Office appreciates that FB provides notices to its Facebook users about the Contact Importer tool, specifically that uploaded contacts will be used by Facebook to help “you and others” find friends and send invitations, FB does not explain what “others” means. FB submits that this language may set the expectation that not only would a Facebook user’s address book be used to help others connect with people on Facebook, but that the Facebook user may be able to more easily connect with others as a result of contact information uploaded by others. However, the language is unclear and does not adequately explain the address matching process (i.e., that FB combines and matches the contact information for a particular user that has been uploaded by other users).
90. Our Office believes that FB is not doing enough to describe the practice of matching contact information across address books in an open and transparent fashion. This process is largely unknown to Facebook users, potentially first becoming known to FB users as a result of the breach. Accordingly, our Office finds that FB is not being sufficiently open and transparent with Facebook users about this particular use of their personal information, as required by Principle 4.8 of Schedule 1 of PIPEDA.
91. FB advised that, while it still respectfully disagreed with our Office’s conclusions on this issue, it agreed to revise the notice regarding the contact importer and matching process. Such revisions to this notice are to be implemented by no later than May 25, 2018, to coincide with FB’s wider General Data Protection Regulation (“GDPR”) preparation, whereby FB is reviewing all notices it gives to Facebook users.

Conclusion

92. Accordingly, our Office concludes that under PIPEDA the consent issue is not well-founded and the openness issue is well-founded and conditionally resolved. FB will provide our Office with an update within fifteen (15) days of May 25, 2018.

Meaningful consent and openness – Facebook non-users

Issue

93. Our Office also considered whether FB is obtaining meaningful consent from Facebook non-users for the use of personal information during the process of matching across address books.

Summary of investigation

94. FB advised that uploaded contact data of non-users is processed for limited purposes on behalf of people who upload their address books via Facebook’s Contact Importer tool, and as such, consent is not required under PIPEDA. Specifically, FB submitted that it must conduct limited processing of all contact data uploaded by a Facebook user to determine or identify, with sufficient confidence, whether each contact point is associated with an existing Facebook account.
95. In response to whether Facebook non-users are able to opt-out of the process of matching across address books, FB made reference to the notice provided to Facebook non-users who receive email invitations to join Facebook. This notice states:

    This message was sent to [non-user’s email address]. If you don’t want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please unsubscribe [hyperlink]. [Emphasis added]

96. In terms of the in-product notice provided to Facebook non-users, FB submitted that when they click on the “unsubscribe” link in the email invitation, the following is displayed:

    Receiving emails from people through Facebook – From time to time, people may send emails to you through Facebook. Examples include when they invite you to an event, tag you in a photo or add you as a friend. If you continue, you’ll no longer receive any of these emails. Also, Facebook will no longer use your email address to generate friend suggestions for you and others. We’ll still keep a secure record of your email address so we can make sure you don’t receive these emails. Do you want to stop receiving these notifications at [email address]?

97. FB also made reference to the notice provided to Facebook users in the contact importing and invitation sending process, which states:

    Facebook will automatically send one invite and up to 2 reminders in your name to each friend you invite. The reminders may be different from the original invite and can be canceled on the Invites and Imported Contacts [hyperlink] page where you can manage your contacts. We will store the email addresses you provide as contacts, on your behalf, and may use them later to generate friend suggestions for you and others. You can remove all of your contacts on the Remove all your contacts [hyperlink] page. [Emphasis added]

Application

98. In analyzing the facts and making our determinations, our Office applied the following provisions from PIPEDA.
99. Principle 4.3 of Schedule 1 of PIPEDA states that the knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate. Specifically, Principle 4.3.1 states that consent is required for the collection of personal information and the subsequent use or disclosure of this information, while Principle 4.3.2 states that organizations shall make a reasonable effort to ensure that the individual is advised of the purpose for which the information will be used; furthermore, to make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
100. Section 6.1 of PIPEDA, which came into effect in June 2015, states that for the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.
101. Principle 4.8 of Schedule 1 of PIPEDA states that an organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

Analysis and findings

102. It is important to note that, as a result of the breach, pieces of contact information (i.e. email addresses and telephone numbers) that could not be connected to any Facebook users were also inadvertently disclosed. This occurred because, prior to the breach and at the time of the breach, FB was matching the contact information of Facebook non-users and storing such matches.
103. With respect to FB’s submission that notice is provided to Facebook non-users in the email invitation to join Facebook, our Office is of the view that this notice is vague and inconsistent with section 6.1 of PIPEDA and Principles 4.3 and 4.8 of Schedule 1 of PIPEDA. The notice in the email invitation does not adequately inform non-users about FB’s process of matching across address books so that non-users can reasonably understand this use of their personal information.
104. Also, FB’s submission fails to consider that, prior to a non-user receiving an email invitation to join Facebook, the non-user’s contact information has already been used by FB during the process of matching across address books and is already maintained in FB’s data stores. It is also important to note that such notice to Facebook non-users is only provided if and when a Facebook user chooses to send such an invitation to a non-user – essentially, it is possible that a Facebook non-user may never receive an email invitation to join Facebook and therefore, never be provided with this notice.
105. Our Office finds that, at the time of the breach, FB was using personal information/data without the consent of Facebook non-users during the process of matching across address books, in contravention of section 6.1 of PIPEDA and Principles 4.3 and 4.8 of Schedule 1 of PIPEDA.

Recommendations and response

106. Our Office recommended that, unless FB is able to obtain a Facebook non-user’s meaningful consent to use their personal information in the process of matching across address books prior to processing their personal information, FB should:
     1. remove from the repository of hashed contact points, the personal information of individuals whom FB has not identified, with sufficient confidence, as Facebook users; and
     2. refrain from using, in the process of matching across address books, the personal information of individuals whom FB has not identified, with sufficient confidence, as Facebook users.
107. The personal information of Facebook non-users should only be stored in the address books of the Facebook users who imported it, and in the Opt-out Store, if they have opted-out of receiving future email invitations from Facebook.
108. In response to this recommendation, FB advised that its repository of hashed contact points is in the process of being deprecated, as it is no longer used to support product functionality, and it is working to delete the data therein. As noted above, its replacement, the “User Matches” data set, which is part of the Privacy Framework, does not contain associations for contact information that has not been associated with an existing Facebook account with sufficient confidence.

Conclusion

109. In light of the fact that FB, as part of its revised process, is no longer maintaining the matched contact information of Facebook non-users, our Office concludes that under PIPEDA this issue is well-founded and resolved.

Ability to obtain access to and correct Personal information/data

Issue

110. Our Office also investigated whether FB is providing Facebook users and non-users with the ability to obtain access to, and correct, their personal information/data, as required under PIPEDA.

Summary of investigation

111. FB advised that people on Facebook have multiple ways to easily access their personal information in full compliance with the right of access in Principle 4.9 of PIPEDA. It believes that no other service offers as much access to one’s information and that it has gone to extraordinary lengths to make information readily and easily available to all Facebook users.
112. In response to clarification on how Facebook users can learn about matched contact information about them, FB advised our Office that it does not provide Facebook users with access to the imported contacts of other users, which according to FB, is third-party data.
113. Specifically, FB advised that each Facebook user controls the contact information stored in their Facebook account, similar to how individual users control contact information that they store in address books on their mobile devices or in their email accounts, and FB does not enable other people to modify the contacts that a Facebook user stores in his or her address book, nor does it share a Facebook user’s imported contact information with another Facebook user, unless such users intentionally shared that information.
114. Specifically, FB advised that providing access to such information may reveal information about another individual, and FB has no way of knowing when this may occur. As such, it is prohibited under the mandatory exemption of subsection 9(1) of PIPEDA from responding to an access request for inferred data as it could disclose personal information about a third party.
115. FB outlined that it is concerned that a disclosure of a Facebook user’s imported contacts to another Facebook user would constitute a disclosure of personal information that a reasonable person would not consider appropriate in the circumstances and thus a contravention of subsection 5(3) of PIPEDA.
116. Moreover, FB submitted that inferred contact information raises significant safety and security concerns based on the potential exploitation of the access mechanism which would be inconsistent with FB’s obligations under Principle 4.7 of PIPEDA.

Application

117. In analyzing the facts and making our determinations, our Office applied the following provisions from PIPEDA.
118. Principle 4.6 of Schedule 1 of PIPEDA states that personal information shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
119. Principle 4.9 of Schedule 1 of PIPEDA states that an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. Specifically, Principle 4.9.1 states that upon request, an organization shall allow the individual access to personal information about the individual and Principle 4.9.5 states that when an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the organization shall amend the information as required.
120. Subsection 9(1) of PIPEDA states that, despite Principle 4.9, an organization shall not give an individual access to personal information if doing so would likely reveal personal information about a third party. However, if the information about the third party is severable from the record containing the information about the individual, the organization shall sever the information about the third party before giving the individual access.

Analysis and findings

121. In accordance with Principles 4.6, 4.9, 4.9.1 and 4.9.5 of Schedule 1 of PIPEDA, FB is required to ensure that personal information about an individual is accurate and complete, provide an individual with access to their personal information, upon request, and amend such personal information if inaccurate or incomplete.
122. Given that FB is not simply leaving the contact information imported by Facebook users undisturbed in a Facebook user’s address book, but rather is storing and using such information in a data store, which is stored separately and apart from Facebook user’s address book, our Office's view is that FB is required by PIPEDA to provide individuals with access to this matched information. For instance, if FB has, as a result of the process of matching across address books, associated five separate email addresses with a Facebook user, even though these email addresses are not part of that Facebook user’s profile, FB must provide that Facebook user, upon request, with access to the addresses FB has determined are linked to him or her. Moreover, if such information is inaccurate or incomplete, FB must also allow the user to amend the personal information. Our Office is not requiring FB to reveal who uploaded the contact information to Facebook, nor requiring FB to update Facebook users’ address books.
123. With respect to FB’s submission that providing access to personal information as a result of the process of matching across address books would likely disclose the personal information of third parties, our Office is not convinced. The information that would be disclosed to a Facebook user would simply be a Facebook user’s own contact information (e.g. an additional email address that FB believes is associated to the Facebook user through the process of matching across address books). In the circumstances, our Office does not see how it is likely that this limited information would expose the identity or other personal information of an unknown third party.
124. Likewise, our Office acknowledges the importance of safety concerns and ensuring the access mechanism is not exploited to reveal a user’s contact information to a third-party. However, FB has not persuaded us that providing a user with access to the contact information that FB holds regarding the user triggers safety concerns, provided of course that an effective authentication mechanism is in place. While the potential for exploitation is theoretically possible, this potential would not meet the standard of “would likely reveal personal information about a third party” pursuant to subsection 9(1) of PIPEDA, provided appropriate measures are in place. In this regard, it seems that the focus should be on preventing the exploitation of the access mechanism, not on denying individuals the right to access their personal information. In this respect, our Office believes that FB could develop mechanisms to minimize concerns relating to the exploitation of the access mechanism.
125. Our Office finds that FB is not providing Facebook users and non-users with the ability to obtain access to, and correct, their personal information/data, as required under Principles 4.6, 4.9, 4.9.1 and 4.9.5 of Schedule 1 of PIPEDA.

Recommendations and response

126. Accordingly, our Office’s PRI recommended that FB develop a system whereby a Facebook user can obtain access, upon request, to all of the contact information associated with that user as a result of the process of matching across address books, as well as make corrections to such information where necessary.
127. Our Office’s PRI did not make any specific recommendations with respect to this issue as it relates to Facebook non-users. Given that FB’s data set “User Matches” excludes the contact data objects that are not associated with a known Facebook account, our Office’s recommendation is not applicable to the personal information of Facebook non-users.
128. In response to our Office’s recommendation, FB advised that purposefully, people do not have access to others’ address books. It believes that the recommendations made by our Office are not legally required and would in some ways actually undermine the safeguards it has put in place. FB also initially stated that it cannot implement our Office’s recommendation, as providing a right of access to inferred contact information is inconsistent with user expectations, not necessary, appropriate or safe for Facebook users, and inconsistent with its obligations under PIPEDA.
129. Following further discussions with FB, the company, while reserving its position on the scope and extent of its legal obligations on this issue, developed an interim solution whereby it agreed to: (a) respond to specific access requests seeking matched data, subject to (and in accordance with) the exemptions to the right of access; and (b) address specific requests to correct data by deleting specific matches. FB confirmed that it is using an existing Personal Data Request process to facilitate the review and correction (through deletion) of matched data, via a form available through its Help Center on the “Personal Data Requests” page^{Footnote 13}.
130. In addition, FB advised that it is also considering what longer-term solution may be appropriate as part of its comprehensive review of its approach to access and data portability that is being conducted as part of its GDPR compliance efforts. Our Office anticipates that such an interim solution will be maintained until it is replaced by a long-term, permanent solution, ensuring no interruption of customer access and correction ability in this regard.
131. Our Office sought additional clarification with respect to the interim solution implemented by FB. For example, the “Accessing Your Facebook Data”^{Footnote 14} page in the “Where can I find my Facebook data?” section does not indicate the process by which FB users can obtain access to their “matched contact information.” Also, the “Accessing Your Facebook Data”^{Footnote 15} page in the “What categories of my Facebook data are available to me?” section does not reflect that “matched data” is available to FB users. In addition, the existing Personal Data Request form is not readily accessible to FB users on the “Personal Data Requests” page^{Footnote 16}.
132. In response, FB updated the “What categories of my Facebook data are available to me?” table on the “Accessing Your Facebook Data” page to add a reference to the “Matched Accounts” information and added a hyperlink in that row (in the “Where can I find it?” column) in order to make it transparent to users that matched contact information can be made available upon request by filling out the form and to make the Personal Data Requests page more accessible to users.

Conclusion

133. In light of this, our Office concludes that under PIPEDA this portion of the investigation is well-founded and resolved.
134. We understand that, as part of FB’s comprehensive review of its GDPR compliance efforts, the company is also considering what longer-term solution may be appropriate. Accordingly, in addition to following up with FB with respect to its implementation of recommendations related to the openness issue, our Office will also be following up with the company on its progress toward a longer-term solution of providing access to, and correction of, matched data for FB users. FB advised that it is continuing to evaluate additional options, including making matched contact information available through the DYI tool, as part of a longer-term solution.

Update

As a result of FB’s commitment to revise the notice regarding the contact importer and matching process, our Office followed up and has confirmed that revisions have been made.