Privacy Matters is a series that takes a closer look at changes we’ve made to improve our privacy approach and protect people’s information.
Developers play an important role in protecting people’s data, just like everyone at Facebook. As part of the improvements we’ve been making to our platform over the past several years, we have restricted the types of data available to third-party apps and helped partners meet our higher standards for protecting people’s privacy. We’re also requiring developers to be accountable for the ways they use data and comply with our policies as part of our recently formalized agreement with the FTC. Our review of apps on our platform is ongoing, and we will continue to make improvements.
As we increase our rigor around identifying, mitigating and preventing privacy issues that may impact people, one of our goals is to communicate more openly about the issues we identify. Today we’re announcing two updates to make people’s experience on our platform better.
Improving Data Limits for Infrequently Used Apps
In 2014, we introduced more granular controls for people to decide which non-public information — such as their email address or their birthdate — to share when they used Facebook to sign into apps. Later, in 2018, we announced that we would automatically expire an app’s ability to receive any updates to this information if our systems didn’t recognize a person as having used the app within the last 90 days.
But recently, we discovered that in some instances apps continued to receive the data that people had previously authorized, even if it appeared they hadn’t used the app in the last 90 days. For example, this could happen if someone used a fitness app to invite their friends from their hometown to a workout, but we didn’t recognize that some of their friends had been inactive for many months.
From the last several months of data we have available, we currently estimate this issue enabled approximately 5,000 developers to continue receiving information — for example, language or gender — beyond 90 days of inactivity as recognized by our systems. We haven’t seen evidence that this issue resulted in sharing information that was inconsistent with the permissions people gave when they logged in using Facebook.
We fixed the issue the day after we found it. We’ll keep investigating and will continue to prioritize transparency around any major updates.
Simplifying Platform Terms and Developer Policies
As part of our efforts to provide developers with clearer guidance around data usage and sharing, today we’re also introducing new Platform Terms and Developer Policies to ensure businesses and developers clearly understand their responsibility to safeguard data and respect people’s privacy when using our platform.
These new terms limit the information developers can share with third parties without explicit consent from people. They also strengthen data security requirements and clarify when developers must delete data.
These changes are just some of the ways we’re improving our platform and making more trustworthy experiences for people using apps on Facebook. You can read more on Facebook for Developers. You can also learn about updates to our Business Terms on Facebook for Business.