45 Privacy Changes Facebook Will Make To Comply With Data Protection Law by Josh Constine

Posted on 31st December 2011 by Krishna Gupta in Social Media

In 2012, Facebook will be making 45 privacy-related changes to comply with the recommendations of an audit by Ireland’s Office of the Data Protection Commissioner (DPC) released today. Below I’ve compiled a roadmap of all the changes Facebook will implement based on the 149 pages of DPC recommendations and how the social network says it will address them.

First, read my analysis of the audit’s findings from this morning. It explains why these changes won’t seriously interfere with Facebook’s business model or product development. That’s very good news for Facebook. Still, complying with the audit’s recommendations could prevent the company from building a huge stockpile of historical data for some unknown later use.

The changes mostly deal with how long Facebook retains data, and how people are educated about Facebook’s usage of that data. Some will require engineering work, such as irrevocably deleting user data within 40 days of an account deletion request. Others will simply see Facebook adding additional links or messaging within the product to improve transparency and user understanding.

Facebook avoided having to make some big changes that could have hurt its business, such as needing users to explicitly opt in to ad targeting based on their personal data. It also won’t have to discontinue its facial recognition feature, or require users to opt in to having their content used in Sponsored Stories ads.

Here are the 45 changes Facebook will implement and their due dates:

Privacy and Data Use Policy
Simplify the explanations of its Data Use Policy – End of Q1 2012
Add a mechanism for controlling personal data to the registration process – End of Q1 2012
Increase the size of links to the privacy policy and statement of rights in the registration process – End of February 2012
Add privacy policy, statement of rights, and Help Center links to the left side of the Facebook home page – End of February 2012

Advertising Use of User Data
Clarify how it employs user data in ad targeting to ensure full transparency – End of Q1 2012
Limit data collection from social plugins, restrict access to this data, and delete it on schedule, though social plugin data is not currently used in ad targeting – Immediately
Move option to opt out of having one’s content shown in social ads from the Account Settings to the Privacy Settings – End of Q1 2012
Prior to implementation, discuss any plans to provide individuals’ profile pictures and names to third parties for advertising purposes – Ongoing
Switch from retaining ad-click data indefinitely to a 2 year retention period – Review in July 2012

Access Requests
If identifiable personal data of users or non-users is held, it must be provided in response to an access request within 40 days – Beginning in January 2012
Provide easier access to this data via the profile, Activity Log, and Download Your Information tool – Beginning in January 2012

Retention of Data
Clarify to users how deleted data such as received friend requests and removed tags is retained – End of Q1 2012
Provide users with the ability to delete friend requests, pokes, tags, posts, and messages on a per item basis – Begin in Q1 2012, show progress by July 2012.
Change Groups invitations so users won’t appear as members until they’ve visited the Group and been given an easy way to leave – End of Q1 2012
Delete personal data once the purpose for which it was collected has ceased – Immediate, ongoing, review in July 2012
Delete all social plugin impression data within 90 days of a website visit
For non-users and logged out users, delete social plugin impression data within 10 days
Anonymize data about a user’s searches on Facebook within 6 months
Anonymize all ad click data after 2 years
Significantly shorten the retention period of log-in information
Educate users through the Data Use Policy about recording of login activity across browsers and devices – End of Q1 2012
Work with the DPC to identify an acceptable retention period of data from inactive or deactivated accounts – July 2012

Third-Party Apps
Roll out updated granular data permissions dialog box to all applications – End of February 2012, review in July 2012
Clarify that use of an app is visible to friends by default (Facebook has fixed this with the audience selector of its granular data permissions dialog box) – Review in July 2012
Educate users on the importance of reading app privacy policies, possibly increase size of links to report an app or view its privacy policy in the data permissions dialog box – End of February 2012
Implement a tool that determines if links to app privacy policies are live. First, Facebook will assess the technical feasibility of such a tool – Review progress towards implementation in July 2012
Examine alternative privacy controls for allowing friends to provide one’s data to applications, as currently users must turn off apps entirely to prevent friends from giving apps their data – Report back to DPC in July 2012
Investigate technical solutions to reduce risk of abuse of authorization tokens via one app transferring a token to another – Immediate assessment, solution by end of Q1 2012
Expand messaging to developers regarding policy prohibiting sharing of authorization tokens – End of January 2012
Refine automated tools that detect and prevent abuse of user data by developers – Progress review in July 2012

Disclosures to Third Parties
Improve system for disclosing data to law enforcement by requiring validation from a senior officer and a full explanation for why the data is needed – Commence in January 2012, review in July 2012

Facial Recognition / Tag Suggest
Notify users that Tag Suggest exists with a series of home page prompts and link to an explanation of how it works – First week of January 2012
Prior to implementation, discuss with DPC any plans to extend tag suggest to allow suggestions beyond confirmed friends – Ongoing

Security
Formally document security policies and procedures – Review in July 2012
Monitor employees to ensure user password resets aren’t used to gain unauthorized access to user data – End of January 2012
Implement a new access provisioning tool to allow for fine-grained, role-specific control of employee access to user data to ensure all access is authorized – Review in July 2012

Deletion of Accounts
Continue devoting engineering resources towards improving the system that irrevocably deletes user accounts and data within 40 days of receipt of a deletion request – Review in July 2012

Friend Finder
Provide education about and review alternatives for reducing risks inherent in transmitting contact information via plain text for use in the contact sync feature – End of Q1 2012
Add text explaining that deactivating the contact sync feature does not remove previously synced data – End of Q1 2012
Prevent Pages that have uploaded email addresses from sending messages to European users or non-users via geoblocking of major EU domains and warn businesses using the feature about ePrivacy law – Geoblocking immediately, warnings by end of Q1 2012

Tagging
Review implications of DPC’s recommendation to allow users to prevent themselves from being tagged in photos or other content – In advance of July 2012

Posting On Other Profiles
Review implications of DPC’s recommendation that prior to posting, users be shown how broad the audience will be for a potential post on the wall of another user, and notify users if that wall’s owner changes that audience size – In advance of July 2012

Facebook Credits
Add information to the Data Use Policy regarding Facebook’s role as a data controller and that information about a user’s use of Credits is linked to their account, and launch a privacy policy dedicated to its payments systems in approximately 6 months – End of Q1 2012

Compliance Management / Governance
Develop documented procedures for direct marketing by Facebook employees and train employees to ensure data protection – Completed
Review European data protection laws and consult with the DPC when developing new products or uses to ensure compliance with data protection law

Additionally, the DPC’s audit made statements indicating its satisfaction with how Facebook handles these potentially controversial issues:
Cookies are not used for profiling or ad targeting
Apps were found to not be able to access user data without consent
Disabling Tag Suggest deletes a user’s facial recognition profile
User data is available to employees on a need-to-know basis
There is no threat to user photos during upload to Akamai or during deletion
The site protects against large-scale data harvesting through screen-scraping
User contact info, including phone numbers and email addresses, is only stored and not used unless users choose to supply email addresses for use in the Friend Finder
When users give Friend Finder access to their third-party email accounts and other services, their passwords are held securely and destroyed
Facebook has provided sufficient justification of its policy of refusing pseudonymous accounts
Facebook provides sufficient ways to report abuse on the site
