Although the Commissioner's Office made several recommendations which were resolved, the Assistant Privacy Commissioner of Canada found that in the subjects of third-party applications, account deactivation and deletion, accounts of deceased users, and non-users' personal information to be in contravention of PIPEDA. The Assistant Commissioner determined that Facebook did not have adequate safeguards in place to prevent unauthorized access by application developers to users' personal information, and furthermore was not doing enough to ensure that meaningful consent was obtained from individuals for the disclosure of their personal information to application developers.

The Commissioner's Office made several suggestions to Facebook. The Office advised the social networking firm to limit application developers' access to user information, inform users specifically about the nature and use of shared information, and share information after obtaining consent of only users who add an application. The Office also
said that deactivated account information should be deleted after a reasonable length of time, and that the privacy policy be amended to include all intended uses of personal information. Facebook was given 30 days. Facebook updated its privacy policy on August 11, 2009 to include "clarifying changes and minor updates."

The updated policy asks developers, operators of platform applications, and websites to respect user privacy settings. The modified policy directs developers to use the data received only to operate the specific applications, inform readers on what data is being collected, how it would be used, and whether it would be shared. The policy also states that developers must delete user data if their application is deleted by the user. The updated policy also made some clarifications in terms regulating advertisements and in the special provisions applicable to advertisers.

Facebook is complying with the Commissioner's Officer and revising its Privacy Policy to better describe a number of practices, including the reasons for the collection of date of birth, account memorialization for deceased users, the distinction between account deactivation and deletion, and how its advertising programs work.

It will also educate users about reviewing their privacy settings to make sure the defaults and selections reflect the user's preferences. The social networking firm has also undertaken the task of increasing the understanding and control a user has over the information accessed by third-party applications. Facebook plans to introduce a new
permissions model that will require applications to specify the categories of information they wish to access and obtain express consent from the user before any data is shared. Further, users would also have to specifically approve any access to their friends' information, which would still be subject to the friend's privacy and application settings.

In June, the Article 29 Working Party warned about the dissemination and use of information available on Social Networking Sites for other secondary, unintended purposes. The officials issued an opinion requiring robust security, privacy-friendly default settings. The European Privacy Commissioners recommended that controllers take
"appropriate technical and organizational measures, 'both at the time of the design of the processing system and at the time of the processing itself' to maintain security and prevent unauthorized processing, taking into account the risks represented by the processing
and the nature of the data." Earlier, in January, EPIC had suggested the regulation of Social Network Service partners, including advertisers and application developers.