How To Create Privacy Policy Url For Facebook App

This post mainly answers the question of how and why you have to include a privacy policy in your Facebook application.

Do you have to include a privacy policy when maintaining a Facebook app?

In short, YESyou do. There are both legal and third-party requirements to be met here.

Legal

Web apps, like most apps, often collect some sort of personal data as a rule of thumb for various reasons. Personal data might be used for testing, providing insight into how the application is being used, monetization or for any number of other reasons. Under most countries' legislations, if processing any kind of personal data, you're required to have a compliant privacy policy made easily available to your users. Depending on your law of reference, personal data can include even ip addresses – and there are often hefty penalties (including fines, loss of services, audits and potential law suits) for non-compliance.

You can find out how to determine your law of reference here.

Facebook's requirement/terms of use

Facebook requires users of their app platform to use a privacy policy for an app as soon as you collect data from their users. In Facebook's developer platform policies you will find the following:

Provide a publicly available and easily accessible privacy policy that explains what data you are collecting and how you will use that data.

Your privacy policy must not modify, supersede, or be inconsistent with Facebook policies. For example, user data obtained from us cannot be transferred to a data broker or sold, even if you disclose this in your privacy policy.

Include your privacy policy URL in the App Dashboard.

Link to your privacy policy in any app store that allows you to do so.

Comply with your privacy policy.

As well as:

Don't knowingly share information with us that you have collected from children under the age of 13.

Web sites or services directed to children under 13: If you use Social Plugins or our JavaScript SDK for Facebook on sites and services that are directed to children under 13, you are responsible for complying with all applicable laws. For example, if your web site or service is directed to children in the United States, or knowingly collects personal information from children in the United States, you must comply with the U.S. Children's Online Privacy Protection Act.

Note

As mentioned in the quote above, if your app is directed towards children based in the US, you'll be required to comply with the U.S. Children's Online Privacy Protection Act which introduces more stringent rules for your apps when you target children under the age of 13. Similarly, if you fall under the scope of the GDPR, you'll need to comply with the GDPR's guidelines for processing the data of minors.

Facebook also further states via their GDPR developer FAQ (emphasis ours).

Facebook is the data processor of data that developers pass to Facebook for analytics and measurement purposes. Facebook's Platform Policy and Business Tool Terms require developers to notify individuals when they are using Facebook technology (including pixels, SDKs, and APIs) that enables Facebook to collect and process data about them and obtain users' prior informed consent for their use of such tools. Developers must also comply with all applicable laws and regulations in the jurisdictions where they operate, including laws and regulations governing notice to individuals whose personal information is being used or disclosed. The developer is the data controller of all data they send to Facebook for measurement and analytics purposes and they are responsible for establishing a legal basis for the use of such data.

From the above quote, Facebook makes it explicitly clear that as the data controller, you (the developer) bear all responsibility for complying with applicable law, including obtaining the prior informed consent of users and having a legal basis for processing user data.

Important

Regarding legal bases, even if you have determined, with the help of a lawyer, that a legal basis outside of consent such as "legitimate interest" applies to your situation, processing user data via cookies (e.g those used in FB analytics) still fall under the ePrivacy Directive and therefore the consent requirement will most-likely still apply.

What happens if you don't comply with these requirements?

Your Facebook App will not go live without a public and accessible Privacy Policy. Also keep in mind that Facebook doesn't offer any kind of hosting service for this.
You may face legal consequences.

Meeting Facebook's (and your legal) requirements

Meeting your requirements here is actually quite straightforward:

Create a compliant and valid privacy policy that makes all the legally required disclosures about your processing activities, including a clause that explicitly mentions the processing that facebook does on your behalf and provide an easily accessible link to the policy from within the app (read about how to do this in the section below).
If your app is accessible to people based in the EU, include a cookie policy and implement a system that notifies users of your use of cookies, blocks cookies prior to obtaining your users' consent and be able to prove consent.
Respect what you've stated in your privacy policy and ensure that you handle users' data in a way that is compliant with applicable law.

How to create a privacy policy for a Facebook app

Here's where our Privacy and Cookie Policy Generator comes in very handy: with 1600+ available clauses, our generator lets you easily include all elements commonly required across many regions and third-party services, while applying the strictest standards by default – giving you the option to fully customize as needed.

All our policies are created by lawyers, monitored by our lawyers and hosted on our servers to ensure that they are always up-to-date with the latest legal changes and third-party requirements.

The generation process is easy and intuitive:

Click on Start Generating, select Facebook app, fill in your app name, select your language and generate.
Add all services collecting personal data including the Facebook permissions you are using to your policy. Once that is done, iubenda now takes care of your policy and generates it for you.
Fill out your app owner and contact details and save.
Lastly, get the link to your policy via direct link or embed the policy into your site and add the resulting link to your facebook app.

How to add your policy links to your app

Adding your links to your app is easy. VisitFacebook for Developers > My Apps and create/edit your app. Once you're in the app's settings you'll find thePrivacy Policy URL field under Settings > Basic:

Simply paste your privacy policy link here and the required link to your privacy policy will appear on the login dialog and inside the app details.

How to create a cookie policy and manage cookies for a Facebook app

Thecookie policy is a section of the privacy policy dedicated to cookies. It details all legally required information including the categories of cookies used, their purposes, names the third parties who install or may install cookies through the website and provides links to said third parties' respective privacy policy and possible consent forms.

The Generator features aone-click set-up for the cookie policy which then automatically pulls all the relevant cookie information from the services indicated in your privacy policy. If using iubenda's Cookie Solution to manage your cookies, the link to this cookie policy will be included in your cookie banner by default once activated.

Managing cookies

As previously mentioned (under the section on Facebook requirements), in addition to your cookie policy, you'll need to notify users about your use of cookies (via something like a site banner), block scripts prior to obtaining consent and be able to show proof of the consent.

Our Cookie Solution makes this task simple. Just click to activate, then integrate the script into your app (or website).

The solution lets you block scripts prior to consent, gives you a customizable banner that links to your cookie policy, lets you remember consent for individual users and indicates proof of consent. It's also is integrated with IAB Europe's transparency framework to facilitate preference management (if you choose to activate this feature).

You can read more about setting up your app for the Cookie Law here or just start generating below (you can easily activate the Cookie Solution from within your site dashboard area).