Facebook’s Updated Platform Policies: Changes to User IDs, Ad Providers, and Iframe Page Apps

Facebook has updated its Platform Policies to control the use of iframe Page tab applications, prohibit the use of ad providers that haven’t agreed to its terms, and keep user data and User IDs from being sold, transferred, shared, or used inappropriately.

Overall, the changes should serve to increase application virality, improve security, and maintain the quality of the user experience.

The Best Practices section present in past versions has also been removed from the document.

Below we have excerpted the changes and deletions made to the Facebook Platform Policies document since its last official update on September 21st, 2010. In bold we show the policies that have been revised or removed, and accompany each with our thoughts on the trigger for the change and its impact.

Revised Policies

I. Features and Functionality

  1. You must not violate any law or the rights of any individual or entity, and must not expose Facebook or Facebook users to harm or legal liability as determined by us in our sole discretion.
  2. You must not include functionality that proxies, requests or collects Facebook usernames or passwords.
  3. You must not circumvent (or claim to circumvent) our intended limitations on core Facebook features and functionality.
  4. If you offer a service for a user that integrates user data into a physical product (such as a scrapbook or calendar), you must only create a physical product for that user’s personal and non-commercial use.
  5. If you exceed, or plan to exceed, any of the following thresholds please contact us as you may be subject to additional terms: (>5M MAU) or (>100M API calls per day) or (>50M impressions per day).
  6. Your website must offer an explicit “Log Out” option that also logs the user out of Facebook.
  7. Special provisions for apps on Pages:
    a. Apps on Pages must not host media that plays automatically without a user’s interaction.
    Our thoughts: This will keep Facebook Pages from bombarding users with unwanted audio and video — one of the most frequent criticisms of MySpace.
    b. When a user visits your Page, if they have not given explicit permission by authorizing your Facebook app or directly providing information to your Page, you may only use information obtained from us and the user’s interaction with your Page in connection with that Page. For example, you must not combine information from any other sources to customize the user’s experience on your Page and may not use any information about the user’s interaction with your Page in any other context (such as analytics or customization across other Pages or websites).
    Our thoughts: This prohibits developers from improperly repurposing user data scraped through a Page tab application to optimize their other web or Facebook presences.

II. Storing and Using Data You Receive From Us

  1. You will only request the data you need to operate your application.
    Our thoughts: This prevents developers from using a dummy application with little functionality to requests large volumes of valuable user data. Though the inappropriate use of this data is already prohibited, this more explicitly prohibits the practice of asking for unnecessary permissions.
  2. You may cache data you receive through use of the Facebook API in order to improve your application’s user experience, but you should try to keep the data up to date. This permission does not give you any rights to such data.
  3. You will have a privacy policy that tells users what user data you are going to use and how you will use, display, share, or transfer that data and you will include your privacy policy URL in the Developer Application.
    Our thoughts: This makes it easy for Facebook’s policy enforcement team to review an app’s privacy policy and determine if it is inadequate or being violated in the event of a complaint. Facebook temporarily removed this statement from the Platform Policies because it was already in its Site Governance documents, but has re-added it here for clarity.
  4. A user’s friends’ data can only be used in the context of the user’s experience on your application.
  5. Subject to certain restrictions, including on transfer, users give you their basic account informationwhen they connect with your application. For all other data obtained through use of the Facebook API, you must obtain explicit consent from the user who provided the data to us before using it for any purpose other than displaying it back to the user on your application.
  6. You will not directly or indirectly transfer any data you receive from us, including user data or Facebook User IDs, to (or use such data in connection with) any ad network, ad exchange, data broker, or other advertising or monetization related toolset, even if a user consents to such transfer or use. By indirectly we mean you cannot, for example, transfer data to a third party who then transfers the data to an ad network. By any data we mean all data obtained through use of the Facebook API, including aggregate, anonymous or derivative data.
  7. You will not use Facebook User IDs for any purpose outside your application (e.g., your infrastructure, code, or services necessary to build and run your application). Facebook User IDs may be used with external services that you use to build and run your application, such as a web infrastructure service or a distributed computing platform, but only if those services are necessary to running your application and the service has a contractual obligation with you to keep Facebook User IDs confidential.
    Our thoughts: The change comes in response to the discovery and subsequent disabling of apps by some developers that were selling User IDs to data brokers. Facebook was heavily criticized by the mainstream media for the data leak, and so it is seeking to clarify exactly how and with whom User IDs can be shared.
  8. If you need an anonymous unique identifier to share outside your application with third parties such as content partners, advertisers, or ad networks, you must use our mechanism. You must never share this anonymous unique identifier with a data broker, information broker, or any other service that we may define as such under our sole discretion.
    Our thoughts: Facebook made its unique identifier system mandatory for all applications on January 1st, 2011 in order to protect user IDs from being exposed to third-parties that weren’t explicitly permitted access.
  9. You will not sell any data. If you are acquired by or merge with a third party, you can continue to use user data within your application, but you cannot transfer data outside your application.
    Our thoughts: Facebook has had a similar statement in its developer policies before, but added the stipulation regarding mergers and acquisitions to its Site Governance documents in September to close a loophole that could be interpreted as allowing companies to buy access to data by merging with or acquiring developers with legitimate access.
  10. If you stop using Platform or we disable your application, you must delete all data you have received through use of the Facebook API unless: (a) it is basic account information; or (b) you have received explicit consent from the user to retain their data.
  11. You cannot use a user’s friend list outside of your application, even if a user consents to such use, but you can use connections between users who have both connected to your application.
  12. You will delete all data you receive from us concerning a user if the user asks you to do so, and will provide an easily accessible mechanism for users to make such a request. We may require you to delete data you receive from the Facebook API if you violate our terms.
  13. You will not include data you receive from us concerning a user in any advertising creative, even if a user consents to such use.
  14. You must not give your secret key to another party, unless that party is an agent acting on your behalf as an operator of your application. You are responsible for all activities that occur under your account identifiers.

III. Application Content