Canadian privacy law may protect social media users who don't read a site's terms of use policies and unknowingly or unwittingly agree to have their information shared with other sites.

"This overriding provision in our federal privacy legislation actually does provide protection for unexpected, unreasonable uses, even with consent," said Barry Sookman, a Toronto-based lawyer and expert on internet law. "So I actually think there is a standard here that applies that is fairly useful and is consumer friendly."

CBC's Go Public reported the story of Mari Sherkin, who complained that her personal information from Facebook had ended up on the popular dating website to create a profile for her.

Sharon Polsky, who heads up the independent advocacy group Privacy and Access Council of Canada, told Go Public that in Canada, "there's nothing to stop an organization from gathering that information about you and doing pretty much as they please with it as long as you're notified." 

Just by visiting another website, you have agreed to their terms of service, she said.

'Person has to agree to the terms'

However, according to Canada's Personal Information Protection and Electronic Documents Act, "an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances."

This means that "the person has to agree to the terms," Sookman said. "So a person who simply accesses a social networking site and hasn't seen or hasn't had a reasonable opportunity to review the terms wouldn't be bound by them."

If, for some reason, that person did consent to the terms, then they could be bound in law to the privacy policy. However, if the policy had terms that a reasonable person wouldn't consider appropriate, then those terms may not be binding. 

"There’s two good examples of when that kind of privacy policy wouldn't be enforceable: either when a person hasn’t been put on notice that there’s going to be a policy that’s binding, [or], when it’s an unreasonable term."

Sookman said that when somebody accesses a site, many website operators automatically collect basic information to know, for example, where people are coming from and to know if they’re coming back.

"Those kinds of uses are innocuous and they're automated and they're really to facilitate the proper operation of their site," he said.

'Whether it goes over the line'

But other terms, where there is some completely unexpected use of one's personal information, may go over the line.

"So the test in Canadian privacy law is whether it goes over the line," Sookman said.

Most people probably don't read the terms of service when they decide to join a social media website. In fact, years ago, researchers at Carnegie Melon University reportedly calculated it would take an average user 76 working days to read all the privacy policies they have agreed to. 

Facebook appears to be trying to make it a bit easier, having introduced "Privacy Basics" to its policy so that, as the Washington Post's The Switch blog recently wrote, "humans can understand it."

Pam Dixon, executive director of advocacy group World Privacy Forum, told the Wall Street Journal, that the new Facebook statement is a step in the right direction and said the Privacy Basics tutorial is “a huge improvement.”

"Many experts now realize that consent is not ... the linchpin that is the right standard for internet governance of use because of that fact that many people don’t actually read [the privacy policies] as well," Sookman said. 

However, social website users should realize that these services are free, and the only way it makes sense to continue to offer them for free is by finding a way to monetize their usage, Sookman said.

"The currency that individuals pay for the privilege for the free use is giving up some usage of their personal information, he said.

"On the one hand some uses are legitimate, and without those uses, users would be deprived of something they really love. But with that said, they don’t have unrestricted rights to do whatever they want because they are bound by privacy laws and by reputation."