Facebook: Your action is needed

My forum has been up and running for about 9mo. Upon setup, I added social logins without issue.

Well, this morning, I received a nastygram from Facebook.

Here’s a clip…

In working to create a great Platform experience for everyone, we ask developers to ensure the apps they build comply with our Platform Terms and Developer Policies. Your app NAME (AppId: XXX) doesn’t comply with the following:

Platform Terms 4.b: Your privacy policy must comply with applicable law and regulations and must accurately and clearly explain what data you are Processing, how you are Processing it, the purposes for which you are Processing it, and how Users may request deletion of that data.

During testing, we found that your privacy policy doesn’t explain how users can request data deletion. Update your privacy policy to include this information before you submit an appeal.

Please make the requested changes by 2023-06-26 02:00:00 PDT.

There were a few different emails, but this seems to be the heart of the matter. For the record, I’m using the standard privacy statement from when I started my forum.

Is there a new updated version I can get my hands on that would alleviate this concern? It sounds like someone at FB has too much time on their hands.

Hi Brandon 🙂

Yes, you can add this part to your Privacy page:

<a name="data-deletion"></a>

## [Data Deletion](#data-deletion)

Accounts on this site can be anonymized or deleted at the user's request. Contact the administrator @admin, for details.

(replace @admin by a proper admin or group)

It was proposed here: Privacy Policy Link required for Facebook login App creation is not accepted - #19 by simon

6 Likes

This is great, thanks so much.

I’m not quite sure if that will cover everything though…

Platform Terms 4.b: Your privacy policy must comply with applicable law and regulations and must accurately and clearly explain what data you are Processing, how you are Processing it, the purposes for which you are Processing it, and **how Users may request deletion of that data.**

I think it takes care of the portion in bold, but what about the prior statements?

I won’t dive deep into the legal stuff because I don’t know anything about it, but I think most of it is already covered in the default privacy text.

It explains what information is collected, by what means (server-side storage, cookies), and what it is used for.

Default Privacy text

What information do we collect?

We collect information from you when you register on our site and gather data when you participate in the forum by reading, writing, and evaluating the content shared here.

When registering on our site, you may be asked to enter your name and e-mail address. You may, however, visit our site without registering. Your e-mail address will be verified by an email containing a unique link. If that link is visited, we know that you control the e-mail address.

When registered and posting, we record the IP address that the post originated from. We also may retain server logs which include the IP address of every request to our server.

What do we use your information for?

Any of the information we collect from you may be used in one of the following ways:

  • To personalize your experience — your information helps us to better respond to your individual needs.
  • To improve our site — we continually strive to improve our site offerings based on the information and feedback we receive from you.
  • To improve customer service — your information helps us to more effectively respond to your customer service requests and support needs.
  • To send periodic emails — The email address you provide may be used to send you information, notifications that you request about changes to topics or in response to your user name, respond to inquiries, and/or other requests or questions.

How do we protect your information?

We implement a variety of security measures to maintain the safety of your personal information when you enter, submit, or access your personal information.

What is your data retention policy?

We will make a good faith effort to:

  • Retain server logs containing the IP address of all requests to this server no more than 90 days.
  • Retain the IP addresses associated with registered users and their posts no more than 5 years.

Do we use cookies?

Yes. Cookies are small files that a site or its service provider transfers to your computer’s hard drive through your Web browser (if you allow). These cookies enable the site to recognize your browser and, if you have a registered account, associate it with your registered account.

We use cookies to understand and save your preferences for future visits and compile aggregate data about site traffic and site interaction so that we can offer better site experiences and tools in the future. We may contract with third-party service providers to assist us in better understanding our site visitors. These service providers are not permitted to use the information collected on our behalf except to help us conduct and improve our business.

Do we disclose any information to outside parties?

We do not sell, trade, or otherwise transfer to outside parties your personally identifiable information. This does not include trusted third parties who assist us in operating our site, conducting our business, or servicing you, so long as those parties agree to keep this information confidential. We may also release your information when we believe release is appropriate to comply with the law, enforce our site policies, or protect ours or others rights, property, or safety. However, non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses.

Third party links

Occasionally, at our discretion, we may include or offer third party products or services on our site. These third party sites have separate and independent privacy policies. We therefore have no responsibility or liability for the content and activities of these linked sites. Nonetheless, we seek to protect the integrity of our site and welcome any feedback about these sites.

Children’s Online Privacy Protection Act Compliance

Our site, products and services are all directed to people who are at least 13 years old or older. If this server is in the USA, and you are under the age of 13, per the requirements of COPPA (Children’s Online Privacy Protection Act), do not use this site.

Online Privacy Policy Only

This online privacy policy applies only to information collected through our site and not to information collected offline.

Your Consent

By using our site, you consent to our web site privacy policy.

Changes to our Privacy Policy

If we decide to change our privacy policy, we will post those changes on this page.

This document is CC-BY-SA. It was last updated May 31, 2013.

I’m with you on that!

That’s why I was scratching my head as to them picking that as a pain point. I’ll work with them and see what happens and report back.

Thanks for the help.

1 Like

It took some back and forth, but I did get them to sign off on the app. If you want to see the back and forth, here you go.

I responded to FB with my fix, they emailed me back saying,

We have received your email and we apologize for all the inconveniences caused to you, while reviewing, we found that your privacy policy doesn’t explain how users can request their complete personal data deletion (collected by the app) and contact us details in the Privacy Policy hence we request you to update your privacy policy to include this information so that we will review the app accordingly.

Your privacy policy only showing how users can delete their account. We deletion of personal data that’s being collected.

Example: Accounts on this site can be anonymized or deleted at the user's request. Note: account deletion will lead to deletion of personal data and cannot be recovered.

I responded asking for more clarification.

They replied,

We wanted to follow up on our previous conversation. Your application is in its final review phase. However, we need to have statement as how users can request their complete “personal data deletion” (collected by the app) and contact us details in the Privacy Policy hence we request you to update your privacy policy to include this information so that we will review the app accordingly.

My guess, I need to modify my policy to state,

Accounts on this site can be anonymized or deleted at the user's request. Contact the administrator @web, for details. Please note, account deletion will lead to the deletion of all personal data and it cannot be recovered.

This is what I needed in the policy for them to sign off. Basically, they wanted the last sentence in there.

Accounts on this site can be anonymized or deleted at the user's request. Contact the administrator @admin, for details. Please note, account deletion will lead to the deletion of all personal data and it cannot be recovered.

I appreciate the help and hopefully this will help someone else down the road.

3 Likes