Nexopia social network found in breach of privacy law
Data kept in case law enforcement needs it, company says
The online youth social networking site Nexopia is violating Canadian privacy laws by keeping members' personal information indefinitely, Canada's Privacy Commissioner has found.
Edmonton-based Nexopia, which bills itself as "the place to be for teens looking to express themselves," is refusing to give users the option to permanently delete their data, despite Privacy Commissioner Jennifer Stoddart's recommendation that such an option was required to comply with Canadian law, said a news release from Stoddart's office Thursday.
The site claims to have 1.6 million users, and more than a third of its active users are aged 13 to 18.
"Given that so many of Nexopia's users are young, extra care is needed to ensure they understand the site's privacy practices," Stoddart said in a statement. She added that other websites targeting youth should take note of the probe.
According to the report on the investigation, the company told the Privacy Commissioner's office that it is too expensive for the company to technically make permanent deletion an option. However, Nexopia said deleted information is invisible to site users — it is only available to system administrators and "recovered in the event that they receive a warrant from a law enforcement authority."
Stoddart said her office is "disappointed with Nexopia’s position with respect to these outstanding issues" and is looking into its options, including going to Federal Court to have the recommendations enforced.
"In our opinion, Nexopia’s current practice of storing personal information in its archives indefinitely, on the small possibility it may be the subject of an information request or warrant from a law enforcement agency is not acceptable," Stoddart wrote in her report on the investigation. "While such requests or warrants may justify a longer retention period for those specific cases affected, they do not justify wholesale and indefinite retention of all records."
Stoddart's office investigated Nexopia following a complaint from the Ottawa-based Public Interest Advocacy Centre.
The investigation found that in addition to keeping users' information indefinitely, Nexopia violated Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) in three other areas:
- Its default privacy settings were "particularly inappropriate" for youth and available privacy settings weren't presented clearly.
- There was no meaningful consent for collection, use and disclosure of personal information collected when users registered.
- Personal information was shared with advertisers and other third parties without proper consent.
The Privacy Commissioner made 24 recommendations to resolve the problems, and Nexopia agreed to address 20 of them — all except those regarding the retention of users' personal information.
Janet Lo, a lawyer for PIAC who worked on the complaint, called the report "a huge step forward for online youth privacy."
"We are pleased that Nexopia has stated it will change its system to respect Canadian privacy law moving forward," she said. "We are, however, disappointed that Nexopia has said it will not comply with the Privacy Commissioner’s recommendations to change its data retention practices. Nexopia insists on archiving the personal information of its users indefinitely, even after a user deletes his or her account."