As Facebook continues to evolve and mature, some of its decisions lead to significant repercussions for organizations building apps linking to the Facebook platform. Many apps use Facebook to ease registration (fine) or as an age-gating mechanism to restrict children under thirteen (not so reliable). And it did not take long, based on the defaults and permissions that Facebook had enabled, for apps to start requesting access to full details of an app user’s friends within Facebook. Last week, on April 30th, Facebook started to fully enforce a change to its API that governs the access an app may have to information about the app user’s friends. And with that, organizations whose apps try to pull data from a user’s Facebook account must now consider updating their privacy policy so that it remains accurate and consider new ways in which to recoup any revenue hit or business model changes from the new API restrictions.

The problem that Facebook confronted was that simply because I might be your friend on Facebook does not necessarily mean that I trust your judgment about which apps I might want to have my data. As with apps that pulled geolocation or other data without any obvious purpose, the default sharing of all your friends’ Facebook activity struck some as presumptuous and creepy.

So a year ago, in April 2014, Facebook announced on its developer platform pages that beginning a year later no apps would be able to pull such broad swaths of personal information. Specifically, the current Facebook API gives users more control over the information they share with an app:

  • Users of the app are able to accept and to decline specific information permissions, rather than an all or nothing choice.
  • Asking for access to a person’s friend list now must be presented as a specific item within the permissions requested.
  • The friend list that an individual agrees the app may pull is limited to the app user’s Facebook friends who have already authorized the app.
  • And the default permission setting for an app user has been changed from “basic info” to “public profile.”

The practical implication of this last point is that an app user can now control whether the app can collect more than whatever the public profile contains. This means that apps are no longer by default able to pull details such as the user’s “likes,” checkins, subscriptions, events, and so on.

Furthermore, Facebook has tasked a team to audit during the app submission process those that do request more than public profile, email address, and list of friends before the app will be approved. Apps created before April 30, 2014 (when this was originally announced) have had a year to adjust their data collection, while all apps must now be reviewed under the new criteria.

Finally, as with privacy policies generally, apps that have collected personal data under the former rules may continue to use that information and are not required under the new API to delete that data. However, if a user communicates a request for the app owner to remove the information, the entity controlling the app must honor that request.