Information & Ethics Committee on Nov. 27th, 2012

That's an important point. I think the relationship you have with your friends is different from what Facebook has with service providers and other kinds of entities with which we interact. We do provide controls in many cases. For example, we have application controls that let you choose the circumstances under which applications and websites can get access to your information.

You may be in a situation where you would like your friends to see information but would like only certain apps to see it. Those are things we enable you to chose on an app-by-app basis.

When I say “apps” I am really referring to mobile applications and also web-based applications.

With regard to your music interests, for example, we allow advertisers to make a judgment that they want to show advertisements to people who like a particular type of music. In those instances we may show the advertisement; we may identify that you like that music because you have told us on your timeline, but we won't then tell the advertisers “this particular person likes this kind of music” unless you have chosen to make that information public.

We do have a relationship with the Canadian Privacy Commissioner. In fact, we find that relationship to be very productive and positive. We're able to talk with them about decisions that we make from a privacy standpoint and get their feedback, which I think helps us make a better product and helps us better protect the privacy of Canadians.

I think when you look back at the relationship that we've had with the Privacy Commissioner's office over the years, you see that many of the innovations that we've had are on privacy. Many of the things that are hallmarks of the way privacy works on Facebook came out of those consultations, so I think it's been an incredibly positive relationship.

I'm not an expert on Canadian privacy, but I'm familiar with the study, and I should say that I appreciate, and Facebook appreciates, the work the committee is doing to study these issues.

With regard to the question of whether the Privacy Commissioner's power needs to be expanded, I think my sense is that if you look at a company like Facebook, we're a good example of the fact that the existing regime works quite well. We've had consultations with the Privacy Commissioner on an ongoing basis and we've made changes to our product, in fact, in response to her feedback. We've made those judgments based on the fact that the Privacy Commissioner has suggested ways that we can better protect the privacy of Canadians.

I think those are things that, if you were designing a privacy regulatory regime, would be the outcome that you would seek to create.

We think user control, user trust, is an essential part of the Facebook experience, and it's an issue that we spend a lot of time thinking about. We understand that people won't feel comfortable using our site if they don't trust us, so we want to do everything we can to be transparent about how Facebook works and how people can have control over their data.

So when you use the deletion function, whether it's the account deletion function or just the function to delete a particular piece of content, that starts what we call an “active deletion” process, where it removes it immediately from accessibility on the site from our active servers. It then goes to the various places and backups and things like that in alternative servers, where we keep the information, and sends the command to those servers that indicates that the information should be deleted.

That process takes a bit of time, because we do have backups and so on, but we do try to have a process in place to make sure that information is deleted in a way that's reasonable and consistent with the instructions we receive from users.

You mentioned deactivation, and I do want to distinguish between deactivation and deletion. Deactivation is not a situation in which a user requests deletion of their information. We actually just suspend their account, but maintain it.

Thank you very much.

I think with regard to all of these tools, we try to be transparent with users and provide them with information. We hope they are written in a way that's reasonably easy to understand, and we've received feedback from people in a number of different ways that they are able to understand it.

We try to present the data use policy in what we call a layered format. Essentially what that means is if you go to our privacy page, you can get the high-level information and drill down if you want to do that. With regard to cookies specifically, which you mentioned, one of the pieces of information we provide to people is a special “frequently asked questions” about cookies, which is written in plain English and includes detailed information about how we use cookies and the purposes for which we use them.

So we try to make that information accessible. I don't have statistics on how many people read it or don't read it, but we think, through the feedback we have received, that people understand that.

We try to provide information about how Facebook works, how information is shared in a number of different ways, in addition to the data use policy. Obviously we provide the data use policy to every user of Facebook before they can access our site. We require them to accept it, and we hope they do read it.

We also provide information about how information is shared in a number of different ways, including in our interface. For example, we have the inline privacy controls, which, if you have used our site, you're familiar with: when you're posting, you get to make a judgment about who will see that information.

We think there are a number of different ways that we provide information to people. We also have a help centre where you can search for information if you want to know about how we do a particular thing and hope that makes the information accessible. We do try to provide a readable data use policy.

Yes. When people agree to the data use policy, we understand that they have agreed.

We do have a set of advertising guidelines, which I think covers the areas you're referring to. You can read them on our site. If you go to the bottom of any page, there's a link called “terms”, and that leads you to a place that provides all of our governing documents, including our advertising policies. There is also additional information in our help centre about that.

We do have policies that restrict advertisers' ability to target based on certain sensitive characteristics—for example, based on race or ethnicity—and we limit them on that basis. There are other content-based restrictions as well on how advertising can work.

One of Facebook's policies is that you have to be age 13 older to gain access to our site. That's because our view is that our site is designed for people who are above that age. So we take a number of different steps to prevent children, including ages 12 and 8, as you mentioned, from gaining access to the site.

Those tools aren't perfect. One of the things we do is we delete the accounts of children under 13 once we've verified that they in fact belong to people who are under 13. If you go into our help centre, you can find information on how to contact us. We would obviously want to verify that you are the parent of the person who created the account before doing so.

I think the portion of the policy that you're referring to is information that's received in connection with advertising. In that case, we say we receive information in connection with advertising, and then we delete it when we no longer need it. That is a general policy that applies regardless of whether you delete your account.

When you delete your account on Facebook, then we will remove any personal identifiers from data that we've collected or deleted so that you're not identified by any information we have.