45 Privacy Changes Facebook Will Make To Comply With Data Protection Law

In 2012, Facebook will be making 45 privacy-related changes to comply with the recommendations of an audit by Ireland’s Office of the Data Protection Commissioner (DPC) released today. Below I’ve compiled a roadmap of all the changes Facebook will implement based on the 149 pages of DPC recommendations and how the social network says it will address them.

First, read my analysis of the audit’s findings from this morning. It explains why these changes won’t seriously interfere with Facebook’s business model or product development. That’s very good news for Facebook. Still, complying with the audit’s recommendations could prevent the company from building a huge stockpile of historical data for some unknown later use.

The changes mostly deal with how long Facebook retains data, and how people are educated about Facebook’s usage of that data. Some will require engineering work, such as irrevocably deleting user data within 40 days of an account deletion request. Others will simply see Facebook adding additional links or messaging within the product to improve transparency and user understanding.

Facebook avoided having to make some big changes that could have hurt its business, such as needing users to explicitly opt in to ad targeting based on their personal data. It also won’t have to discontinue its facial recognition feature, or require users to opt in to having their content used in Sponsored Stories ads.

Here are the 45 changes Facebook will implement and their due dates:

Privacy and Data Use Policy

  • Simplify the explanations of its Data Use Policy – End of Q1 2012
  • Add a mechanism for controlling personal data to the registration process – End of Q1 2012
  • Increase the size of links to the privacy policy and statement of rights in the registration process – End of February 2012
  • Add privacy policy, statement of rights, and Help Center links to the left side of the Facebook home page – End of February 2012

Advertising Use of User Data

  • Clarify how it employs user data in ad targeting to ensure full transparency – End of Q1 2012
  • Limit data collection from social plugins, restrict access to this data, and delete it on schedule, though social plugin data is not currently used in ad targeting – Immediately
  • Move option to opt out of having one’s content shown in social ads from the Account Settings to the Privacy Settings – End of Q1 2012
  • Prior to implementation, discuss any plans to provide individuals’ profile pictures and names to third parties for advertising purposes – Ongoing
  • Switch from retaining ad-click data indefinitely to a 2-year retention period – Review in July 2012

Access Requests

  • If identifiable personal data of users or non-users is held, it must be provided in response to an access request within 40 days – Beginning in January 2012
  • Provide easier access to this data via the profile, Activity Log, and Download Your Information tool – Beginning in January 2012

Retention of Data

  • Clarify to users how deleted data such as received friend requests and removed tags is retained – End of Q1 2012
  • Provide users with the ability to delete friend requests, pokes, tags, posts, and messages on a per-item basis – Begin in Q1 2012, show progress by July 2012
  • Change Groups invitations so users won’t appear as members until they’ve visited the Group and been given an easy way to leave – End of Q1 2012
  • Delete personal data once the purpose for which it was collected has ceased – Immediate, ongoing, review in July 2012
  • Delete all social plugin impression data within 90 days of a website visit
  • For non-users and logged out users, delete social plugin impression data within 10 days
  • Anonymize data about a user’s searches on Facebook within 6 months
  • Anonymize all ad click data after 2 years
  • Significantly shorten the retention period of log-in information
  • Educate users through the Data Use Policy about recording of login activity across browsers and devices – End of Q1 2012
  • Work with the DPC to identify an acceptable retention period of data from inactive or deactivated accounts – July 2012

Third-Party Apps

  • Roll out updated granular data permissions dialog box to all applications – End of February 2012, review in July 2012
  • Clarify that use of an app is visible to friends by default (Facebook has fixed this with the audience selector of its granular data permissions dialog box) – Review in July 2012
  • Educate users on the importance of reading app privacy policies, and possibly increase the size of links to report an app or view an app’s privacy policy in the data permissions dialog box – End of February 2012
  • Implement a tool that determines if links to app privacy policies are live. First, Facebook will assess the technical feasibility of such a tool – Review progress towards implementation in July 2012
  • Examine alternative privacy controls for allowing friends to provide one’s data to applications, as currently users must turn off apps entirely to prevent friends from giving apps their data – Report back to DPC in July 2012
  • Investigate technical solutions to reduce risk of abuse of authorization tokens via one app transferring a token to another – Immediate assessment, solution by end of Q1 2012
  • Expand messaging to developers regarding policy prohibiting sharing of authorization tokens – End of January 2012
  • Refine automated tools that detect and prevent abuse of user data by developers – Progress review in July 2012

Disclosures to Third Parties

  • Improve system for disclosing data to law enforcement by requiring validation from a senior officer and a full explanation for why the data is needed – Commence in January 2012, review in July 2012

Facial Recognition / Tag Suggest

  • Notify users that Tag Suggest exists with a series of home page prompts and link to an explanation of how it works – First week of January 2012
  • Prior to implementation, discuss with DPC any plans to extend Tag Suggest to allow suggestions beyond confirmed friends – Ongoing
  • Formally document security policies and procedures – Review in July 2012
  • Monitor employees to ensure user password resets aren’t used to gain unauthorized access to user data – End of January 2012
  • Implement a new access provisioning tool to allow for fine-grained, role-specific control of employee access to user data to ensure all access is authorized – Review in July 2012

Deletion of Accounts

  • Continue devoting engineering resources towards improving the system that irrevocably deletes user accounts and data within 40 days of receipt of a deletion request – Review in July 2012

Friend Finder

  • Provide education about and review alternatives for reducing risks inherent in transmitting contact information via plain text for use in the contact sync feature – End of Q1 2012
  • Add text explaining that deactivating the contact sync feature does not remove previously synced data – End of Q1 2012
  • Prevent Pages that have uploaded email addresses from sending messages to European users or non-users via geoblocking of major EU domains and warn businesses using the feature about ePrivacy law – Geoblocking immediately, warnings by end of Q1 2012
  • Review implications of DPC’s recommendation to allow users to prevent themselves from being tagged in photos or other content – In advance of July 2012

Posting On Other Profiles

  • Review implications of DPC’s recommendation that prior to posting, users be shown how broad the audience will be for a potential post on the wall of another user, and notify users if that wall’s owner changes that audience size – In advance of July 2012

Facebook Credits

  • Add information to the Data Use Policy regarding Facebook’s role as a data controller and that information about a user’s use of Credits is linked to their account, and launch a privacy policy dedicated to its payments systems in approximately 6 months – End of Q1 2012

Compliance Management / Governance

  • Develop documented procedures for direct marketing by Facebook employees and train employees to ensure data protection – Completed
  • Review European data protection laws and consult with the DPC when developing new products or uses to ensure compliance with data protection law

Additionally, the DPC’s audit made statements indicating its satisfaction with how Facebook handles these potentially controversial issues:

  • Cookies are not used for profiling or ad targeting
  • Apps were found to not be able to access user data without consent
  • Disabling Tag Suggest deletes a user’s facial recognition profile
  • User data is available to employees on a need-to-know basis
  • There is no threat to user photos during upload to Akamai or during deletion
  • The site protects against large-scale data harvesting through screen-scraping
  • User contact info, including phone numbers and email addresses, is only stored and not used unless users choose to supply email addresses for use in the Friend Finder
  • When users give Friend Finder access to their third-party email accounts and other services, their passwords are held securely and destroyed
  • Facebook has provided sufficient justification of its policy of refusing pseudonymous accounts
  • Facebook provides sufficient ways to report abuse on the site