Facebook Data Misuse Class Action
Charney Lawyers is counsel in a class action filed in Toronto against Facebook, on behalf of all persons in Canada (excluding Quebec) who had a Facebook account (“Account Users”) from 2009 to present. This is the largest data misuse class action in Canada. The plaintiff claims $2 billion in damages on behalf of some 23 million account users for Facebook’s alleged data misuse practices.
The allegations in the Claim include that Facebook represented to Account Users that they could adjust privacy settings on their accounts to restrict information to “friends only.” However, since 2007, Facebook has routinely violated and ignored these same privacy settings to provide the sensitive confidential information of account users to third-party application and device makers for profit, such as Apple and Amazon.
It is also alleged in the Claim that Facebook shared Account User data with third party applications and device makers without disclosing its practices to account users.
The Office of the Privacy Commissioner of Canada (OPC) produced a Report (“OPC Report” detailed below) pursuant to its investigation into this matter. The OPC found that Facebook shared Account User data without obtaining the informed consent of account users, contrary to privacy law including the Personal Information Protection and Electronic Documents Act (PIPEDA).
The Claim alleges that Facebook’s data misuse practices have allowed Facebook, the world’s largest social network website, to flourish as a profit-making machine. Facebook’s total reported revenue for the third quarter of 2021 alone was $29 billion USD, almost 98% of which was advertising revenue. These profits were only made possible with Account User data. According to Facebook, it earned $54.34 USD in revenue per Account User for that three-month period.
FACEBOOK’S PAST PRIVACY BREACHES AND GOVERNMENT INVESTIGATIONS
The following is pleaded in the Claim:
Facebook has been the subject of numerous government investigations into its use of data and data sharing practices. Despite numerous fines and consent orders Facebook continued its data sharing practices.
In 2009, following a complaint from the Privacy Commissioner of Canada regarding Third-Party Application Developers having access to users’ information, Facebook agreed to take steps to “prevent any application from accessing information until it obtains express consent for each category of personal information it wishes to access.” Facebook then breached its agreement with the Office of the Commissioner.
In 2012, Facebook and the United States Federal Trade Commission entered into a settlement which resulted in an FTC order against Facebook (the “2012 FTC Order”). Under the 2012 FTC Order, Facebook was to obtain Account User consent for certain changes to privacy settings as part of a settlement of U.S. federal charges that Facebook deceived consumers and forced them to share more User Account Data than they intended. The 2012 FTC Order barred Facebook from overriding users’ privacy settings without first obtaining explicit consent. Facebook then breached the terms of the 2012 FTC Order by continuing to grant Third Parties access to User Account Data leading to a further fine in 2019. During the various media interviews, public statements and testimony by Facebook CEO Mark Zuckerberg before the United States Congress, Facebook did not disclose that it had exempted certain Third Parties from such restrictions as a result of Data Sharing Agreements.
In 2018, Facebook came under scrutiny following the revelation that a political consulting firm, Cambridge Analytica, misused the private information of over 80 million Facebook users. During this scandal, Facebook said that the kind of information that was accessible by Cambridge Analytica in 2014 was cut off by 2015 when Facebook prohibited Third-Party Application Developers from collecting information from users’ friends.
During his testimony before the United States Congress, CEO Mark Zuckerberg emphasized what he said was a company priority for Facebook users: “Every piece of content that you share on Facebook you own. You have complete control over who sees it and how you share it.”
This testimony was inaccurate as it made no mention of the Data Sharing Agreements even though as early as 2012 Facebook was aware that the Data Sharing Agreements were a serious privacy issue.
It was not until Facebook delivered 747 pages of written responses to questions posed by members of the United States Congress that Facebook admitted that it continued sharing data with Third Parties after 2015.
On December 18, 2018, Facebook, in a post on its Newsroom Blog, confirmed that Data Partners did have access to various types of User Account Data, including private messages, of Facebook users and admitted:
"[w]e recognize that we've needed tighter management over how partners and developers access information using our APIs. We're already in the process of reviewing all our APIs and the partners who can access them. However, we shouldn't have left the APIs in place after we shut down instant personalization. We've taken a number of steps this year to limit developers' access to people's Facebook information, and as part of that ongoing effort, we're in the midst of reviewing all our APIs and the partners who can access them. This is important work that builds on our existing systems that track APIs and control who can access to them."
In April of 2019, the Privacy Commissioners of Canada and of British Columbia released a joint report of findings from its investigation into the Cambridge Analytica Scandal. The Commissioners found that Facebook had:
(a) Failed to obtain valid and meaningful consent of installing users for disclosure of their information;
(b) Failed to obtain meaningful consent from friends of installing users;
(c) Maintained inadequate safeguards to protect user information; and
(d) Failed to be accountable for the user information under its control.
The Commissioners noted that, although they had made several recommendations to Facebook during the course of their investigation which would permit Facebook to bring itself into compliance with Canadian privacy law, Facebook either outright rejected or refused to implement the recommendation in an acceptable manner. The Commissioners concluded that there was a high risk that Canadian’s personal information would be disclosed to apps and used in ways that Users would not know of or expect.
In July of 2019, Facebook agreed to pay a $5 billion fine to the US Federal Trade Commission, the largest ever levied by the FTC. Facebook was fined for repeatedly using deceptive disclosures and settings to undermine users’ privacy preferences in violation of the 2012 FTC Order. In the same agreement, Facebook agreed to structural changes intended to change its entire corporate culture to decrease the likelihood of continued privacy violations.
In or about 2020, Canada's Competition Bureau investigated Facebook's privacy practices and representations it made to users about Facebook’s data sharing practices between 2012 and 2018 resulting in Facebook being required to pay a $9 million penalty. The Bureau found that Facebook breached section 74.01 of the Competition Act, by making misrepresentations to the public. The Competition Bureau concluded that, among other things:
(a) Facebook gave the impression that users could control who could see and access their User Account Data on the Facebook platform when using privacy features, such as the general “Privacy Settings” page, the “About” page and the audience selector menu on posts, among others;
(b) However, Facebook did not limit the sharing of User Account Data with some third-party developers in a way that was consistent with the company’s privacy claims. This User Account Data included content users posted on Facebook, messages users exchanged on Messenger, and other information about identifiable users; and
(c) Facebook also allowed certain third-party developers to access the User Account Data of users’ friends after users installed certain third-party applications. While Facebook made claims that it would no longer allow such access to the User Account Data of users’ friends after April 30, 2015, the practice continued until 2018 with some third-party developers.
The site is not designed to answer questions about your individual situation or entitlement. Do not rely upon the information provided on this website as legal advice in respect of your individual situation nor use it as substitute for individual legal advice.
The information collected about potential class members will assist counsel in prosecuting the class action and assessing what damages were suffered by the class as a whole. Providing the information requested does not make you the client of Charney Lawyers. The court will ultimately decide who will be included as a class member.
This website will be updated from time to time to provide potential class members with information as it becomes available.