Friday, 29 February 2008

Facebook's Hotel California: ICO helps UK users check out

Social networking website Facebook has been described by many as a "Hotel California", after the famous Eagles' song of the same name ("You can check out anytime you like, but you can never leave...") - because, once you joined Facebook, you weren't able to delete your account - you could only "deactivate" your profile (via the "account" link top right, Settings tab, if you want to know). They could hang on to your personal information forever even after you tried to leave them and weren't using their services anymore, it seemed. You couldn't just automatically wipe out, permanently, all the information they held about you. So you'd be unclear about the extent to which they could still continue to make use of your data indefinitely, or for what purposes.

As The Independent recently put it, "They only agree to cancel your account if you manually delete, one by one, every event, message, Mini-Feed entry and so on that's on your profile – and, as regular users will know, that might take several hours."

Not surprisingly, this drew a lot of flak, and last year Channel 4 even quizzed Facebook about their data protection policies and use of retained data, after one of their viewers complained to the UK Information Commissioner's Office about his inability to remove his Facebook account.

As a BBC blog reported, the ICO were to meet with Facebook to discuss the issues in January. And (The Register seems to have beaten me to the punch on this) I'm pleased to report that Facebook have now agreed to change their policies. A spokesperson for the ICO told A Consuming Experience:

"Many people are posting content on social networking sites without thinking about the electronic footprint they leave behind. It is important that individuals consider this when putting information online. However, it is equally important that websites also take some responsibility. In particular they should ensure that personal information is not retained for longer than necessary especially when the information relates to a person who no longer uses the site.

"Following a complaint about Facebook's retention policy, the ICO contacted Facebook. We discussed a number of changes to their policy which they are currently implementing. Facebook is in the process of notifying with the ICO and continues to work with us to ensure compliance with the Data Protection Act. If we receive any further complaints about Facebook or any other social networking site we will consider the appropriate next steps. Organisations can ensure personal information is effectively protected by complying with the principles of the Data Protection Act."

On asking for clarification as to what sorts of changes Facebook are implementing, I was told by an ICO representative that, to accompany the infamous "Deactivate", Facebook has agreed to add the ability for users to completely delete their Facebook account for good, and all their information on Facebook. So - you'll have the choice of either deactivating, or deleting. Result! Let's see how long it will take for this feature to be available (it wasn't when I looked today, see the pic above). And I wonder if Facebook will let non-UK users delete their accounts too, or if they're only doing it in the UK because of the complaint?

If you have concerns about not being allowed to delete your account or erase other personal details from particular websites or web services, or you have any other personal data privacy issues, you can always complain to the ICO - they clearly do listen and take action where appropriate, e.g. they successfully wrought the same change in relation to deleting accounts from eBay, last year.

The eBay complaint, filed by Privacy International in 2006, was widely reported, but its resolution doesn't seem to have been: eBay were very co-operative, within days of the complaint eBay got in touch with Privacy International, and within weeks they showed them how they were going to change their services and practices to permit customer closure and account deletion (within the limits of the law of course). Facebook also changed their position due to Privacy International raising concerns with them.

The ICO are now officially my favourite regulator!

1 comment:

Mike said...

That is really very unfair for the customers who join the hotel california that they can deactivate the account and not actually delete it.