November 4, 2021
Client Alert

Facebook Goes on the Offense with New Customer Data Deletion Policy

After more than a year in the hot seat answering questions about sloppy privacy practices, Facebook has recently flexed its privacy muscle to make apps that have access to Facebook’s platform, such as those that allow users to log in through Facebook’s single sign-on feature, comply with the GDPR’s right to erasure (GDPR – Article 17) and the CCPA’s right to deletion (CCPA – Cal. Civ. Code 1798.105), even if neither law applies. Specifically, Facebook has updated its Platform Terms to require that the Privacy Policy of every app that accesses Facebook user data provide a way for users to request deletion of their data. Facebook defines “app” broadly: an app is any technical integration with Facebook’s platform or to which Facebook has assigned an app identification number, and it includes any code, APIs, SDKs, tools, plugins, bots, websites, applications, specifications, and other technology made available in connection with Facebook’s platform. Apps that do not comply with this new requirement may be suspended from use of the Facebook platform.

Companies (that access Facebook through an app) can satisfy this requirement in one of two ways:

  • Implement a Data Deletion Request Callback.
    • The data deletion callback is called whenever an app user removes your app and requests that you delete their data. Your app users can do this by going to their Facebook profile and clicking the Send Request button on the Settings & Privacy > Settings > Apps and Websites page.
  • Provide a URL with explicit instructions for app users on how to delete their data by way of a third-party website or tool.

The new requirement means that companies need to consult their app developers for assistance with either option, make appropriate updates to their Privacy Policies, and consult outside counsel to determine whether the solutions satisfy legal requirements and Facebook’s new policy. Facebook has published this resource for developers.

Beyond deleting a user's personal data a company receives from Facebook, companies also need to be prepared for Facebook to expand the scope of what data may become subject to a deletion request. The Platform Terms specifically require that an app’s Privacy Policy accurately and clearly explain how users can request deletion of the data the app processes. This requirement can be interpreted broadly to include all data the app processes, as it is not expressly limited to the data the app receives from Facebook.

The attorneys in Michael Best’s Privacy & Cybersecurity practice group have extensive experience in assessing compliance with global and domestic laws which regulate the collection, processing, storage and deletion of personal data through website and mobile applications. Please reach out to any of our attorneys if you need a legal risk assessment or need to implement compliance solutions.
