Facebook Options

Platform Resources

FPF staff have reviewed Facebook’s platform requirements and collected privacy-relevant material on this page. Click on the links below to see the related requirements in full context at the Facebook Developer website.

App Authentication

“Authentication gives your app the ability to know the identity of a Facebook user, and to read and write data via Facebook APIs.” The authentication flow also allows you to explain to users what information you need to access and the purposes for which it will be used. Make note of these fields in the authentication flow where you can notify users of your privacy practices:

    • Description: Description of your app which will be shown in the “About this app”
    • Privacy Policy URL: Your privacy URL
    • Terms of Service URL: Your terms of service URL
    • Permissions Explanation: When a user authenticates your application, by default, your app only has access to the user’s basic information. If you want access to additional data or if you want to publish data back to Facebook, you need to request additional permissions.
      • If your app requires extended permissions, a second Auth dialog screen will appear after the user authorizes the initial Auth Dialog. This is the text to explain why you need the additional permissions. Check out Facebook’s Permissions Reference page for more information.

 

Best Practices for Publishing Controls

  • Timing and Visibility
    • Be clear about how, what and when you’ll publish to a user’s Timeline. You should publish users’ actions on your site the moment they occur.
  • User Permission
    • Ask permission to share especially sensitive content. For example, an exercise app that involves weight or calories consumed would be considered sensitive information. Ask users to confirm before publishing that content or limit the privacy of those posts to the user only.
  • Timeline Aggregations
    • Accurately convey the functionality of Timeline aggregations. Make sure users are aware that a Timeline aggregation can share actions and metadata from your application to their Timeline after they grant permission, and give users control on what exactly will be shared.
  • Removal
    • After actions are published, give users the option to remove the action or manage their sharing settings in your app.


Best Practices for In-App Controls

  • Provide sharing controls when necessary
    • Sharing controls may or may not be needed depending on the nature of the app. For example, an app might not need sharing controls if all activity is understood to be public.
    • However, if an app lets people customize the visibility of certain content (e.g. photos and location check-ins), the sharing control should be implemented at the account level, in the settings menu.
  • Use explicit sharing controls with Open Graph apps
    • For example, an app that automatically shares a story every time a user reads an article or watches a video may want to show a sharing toggle to remind users that they’re connected to Facebook and give them the ability to temporarily disable sharing. See below for more auto-sharing guidance.
  • Consider providing an “incognito” mode
    • Certain types of apps may want to give users the option to temporarily enter an “incognito” mode where their activity isn’t posted to their Timeline.
  • Use appropriate form for sharing controls
    • Sharing controls can take a variety of forms (e.g. green/red indicators, toggles, radio buttons, etc.), and they should always reflect your website’s design, not the design of Facebook.
  • Respect users’ sharing decisions
    • If a user turns off sharing on your site, carefully consider the user’s objectives to determine whether you should give them the ability to delete the last action, and what state the feature should be in the next time the user returns.
    • Some sites build a way for users to see all the actions published from the app and give users the ability to delete or change the privacy of specific posts. If you choose to do this, you must update Facebook so the changes are properly reflected on user Timelines.
    • Developers are responsible for respecting the privacy of users’ posts in their apps (e.g., surfacing friends-only posts to only a user’s friends) and restricting personal information from being scraped by search engines.

Automatic Sharing

  • If you have a reading or video app, and your app automatically shares users’ activity to their Timelines, you are subject to Facebook’s auto-sharing rules:
    • 10-second Read action requirement – “Read actions should only be published when there is a strong indication that the user is actually reading an article. Facebook recommends gauging for this by detecting that the user has been reading the article for a minimum of 10 seconds. A few examples of when the publication of a Read action should be delayed:
      • A multi-page article where a user has to click ‘Next’ – the action should only be published when the user is at the last page.
      • Article content that only displays a few preview sentences and asks a user to click for more to read – the action should only be published when the user gets to the full content.”
    • 10-second Watch action requirement – According to Facebook Open Graph guidance, you may only publish a story to Open Graph after the user has viewed particular video content for at least 10 seconds.
    • Video sharing notification and opt out – “Always provide users with a clear, ongoing, and in-context message that their watch actions will be published to Facebook.” Notification must be:
      • “Clear: a plain, easy-to-understand informative message
      • Ongoing: this message should appear every time a user watches a video (e.g., on the page where the user watches the video)
      • In-context: this message should be visibly close to the video that the user is watching”
    • Activity removal – Provide users with the ability to remove any reading or video stories that your app publishes to Open Graph, and the ability to turn this sharing on or off at any time. User sharing preferences should be persistent.
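
The auto-sharing rules above can be enforced with a client-side gate that is consulted before any Read story is published. The sketch below is an added example, not Facebook's or FPF's code: the `ReadGate` class, its method names, and the `prefs` object are hypothetical, no Facebook API is called, and counting only time while the article is visible is an assumption that goes slightly beyond the stated 10-second minimum.

```javascript
// Added example: decide whether a "read" story may be auto-published.
const MIN_READ_MS = 10000; // the 10-second minimum from the guidance above

class ReadGate {
  // article: { pageCount, previewOnly }
  // prefs: hypothetical persisted user settings { sharingEnabled, incognito }
  // now: injectable clock so the gate can be tested without waiting
  constructor(article, prefs, now = Date.now) {
    this.article = article;
    this.prefs = prefs;
    this.now = now;
    this.page = 1;
    this.fullContentShown = !article.previewOnly;
    this.activeMs = 0;        // reading time accumulated while visible
    this.visibleSince = null; // start of the current visible stretch
    this.published = false;
  }
  // Call from a visibility handler: time in a hidden tab is not counted.
  setVisible(visible) {
    if (visible && this.visibleSince === null) {
      this.visibleSince = this.now();
    } else if (!visible && this.visibleSince !== null) {
      this.activeMs += this.now() - this.visibleSince;
      this.visibleSince = null;
    }
  }
  goToPage(n) { this.page = n; }
  expandPreview() { this.fullContentShown = true; }
  readMs() {
    const running = this.visibleSince === null ? 0 : this.now() - this.visibleSince;
    return this.activeMs + running;
  }
  // The user's sharing choices are checked first, then the reading signals.
  decide() {
    if (this.published) return { publish: false, reason: "already-published" };
    if (!this.prefs.sharingEnabled) return { publish: false, reason: "sharing-off" };
    if (this.prefs.incognito) return { publish: false, reason: "incognito" };
    if (!this.fullContentShown) return { publish: false, reason: "preview-only" };
    if (this.page < this.article.pageCount) return { publish: false, reason: "not-last-page" };
    if (this.readMs() < MIN_READ_MS) return { publish: false, reason: "under-10s" };
    return { publish: true, reason: "ok" };
  }
  markPublished() { this.published = true; } // prevents duplicate stories
}
```

Keeping `sharingEnabled` in storage that survives sessions is what makes the user's preference persistent; the gate only reads it.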

Desktop Web Games

  • Games on Facebook and mobile must not share the same app ID with desktop web games off of Facebook. You must not use Canvas apps to promote or link to game sites off of Facebook, and must not use emails obtained from Facebook to promote or link to desktop web games off of Facebook.

Unique Identifiers

  • If you need an anonymous unique identifier to share outside your application with third parties such as content partners, advertisers, or ad networks, you must use Facebook’s UID mechanism.
  • You are prohibited from sharing this anonymous UID with data brokers, information brokers, or any other service that Facebook may define as such under their sole discretion.
  • Developers can obtain a third-party identifier through either the Graph API or FQL.

 

Facebook Resources

  • Facebook’s Developer pages: Easy-to-navigate starting point for app developers
  • Facebook’s Examples and Explanations: Specific examples of how its policies and principles are implemented in live applications

 
