Facebook Fleshes Out Privacy Policy To Comply With Data Protection Audits, Will Hold Q&A On Monday

Today Facebook will start sending the first of three billion notices to users about proposed changes to its privacy policy, which were made to comply with a Spring deadline for implementing recommendations from an audit by the Irish Data Protection Commissioner. The three biggest changes that Facebook’s Chief Privacy Officer for Policy, Erin Egan, told me about when we spoke this morning are clarifications of existing but sometimes vague policies:

  • A clarification regarding Facebook’s existing policy that it may use your data to serve you ads outside of Facebook.com while you’re on other websites
  • A detailed new chart of how Facebook uses cookies to improve Facebook but not track you across the web
  • A more detailed explanation of how in some cases Facebook will “retain [your] data as long as necessary to provide you services” whether that’s less or more time

Facebook’s goal is to make it as easy as possible for users to understand how their data is used, and how that’s changing. So Facebook is also launching the “Facebook Terms and Policies Hub” to house its 10 policy documents, including a redlined changes version of today’s privacy policy (known as the Data Use Policy), and explanations of those changes. Facebook will hold a live-streamed Q&A about the changes on May 14th. Users will have seven days from now to give feedback on the changes before they’re implemented barring major objections.

Now that the changes are available for review, Facebook will start delivering alerts prompting users to check them out on both its web and mobile interfaces. It expects to serve 3 billion impressions of these notices, which CPO Egan tells me is in hopes of showing all 900 million+ users an alert three times.

Facebook has redesigned the Data Use Policy itself to include additional tips marked with light bulbs, new links to the Help center, and examples of how the policy influences the actions you take on the site. Many portions of the policy have received small updates to explain how new features like Timeline and Activity Log work.

From a business standpoint, the most interesting change is the clarification that Facebook may show you standard ads while you’re off-site, not just ads with social context as the policy already stated. This is intriguing because Facebook does not show any ads off-site right now, beyond helping to run ads on Zynga’s standalone web properties. Many have speculated that Facebook will eventually launch an off-site ad network that could be embedded on any other site to show ads targeted with Facebook data to logged-in Facebook users who visit. Facebook has never publicly admitted to this plan, but today’s Data Use Policy changes give it more freedom to launch an off-site ad network.

Overall, the changes should make users feel more comfortable browsing Facebook because if they ever have questions or are confused about how their data is being used, they’ll have a single place to find answers. By complying with the audit recommendations, Facebook shows it’s willing to work with government agencies to protect its user base of over 900 million people. The detailed documentation and the Facebook Terms and Policies Hub should inspire other companies to provide easier access to data use and privacy information.

As Facebook only provides the documents for download right now, I’ve embedded the redline changes, explanation, and cookies documents below, followed by my notes about the most important changes. You can submit your feedback on the proposal here until 5:00PM PDT on May 18, 2012.

Redlined Version Noting Today’s Proposed Changes To The Data Use Policy

Explanation Of Today’s Proposed Changes To The Data Use Policy

“How Cookies Work” Information Sheet

Most of the redlined changes are really just clarifications to existing policies, but here are the ones I think are particularly important. To make them easier to reference I’ve noted their location in the redlined privacy document using the format 4.3 to indicate a change is one third of the way down the fourth page:

1.3 – Contact info you upload is covered by the Data Use Policy

2.1 – Facebook may retain the GPS coordinates of your last location-tagged post to send you relevant notifications

3.5 – Your data may be used for “internal operations, including troubleshooting, data analysis, testing, research and service improvement”

3.8 – Some of your data is stored for as long as it is “necessary to provide products and services to you and others,” which is “typically…until your account is deleted”

3.9 – Facebook can make photo tag suggestions based on your data

4.2 – Friends will still see themselves in your Friend List while you’re deactivated

4.5 – Some data isn’t stored in your account, like Group posts or messages you’ve sent, so it’s not deleted, even after you delete your account

4.9 – If you comment on something public, your comment will be public

5.1 – People can change the privacy setting of posts you’ve commented on, which could reveal previously private comments to the public

5.3 – People can find you using your contact information, even if you haven’t shared that contact info with them. You can control this, though

6.1 – Other users can save and sync your content and contact info to their devices, and that info can then potentially be accessed through unauthorized third-party apps, so understand this before sharing contact info with friends

6.3 – Additions about Activity Log, including that content you hide isn’t deleted

6.5 – Details about how people tagged in posts can always see those posts.

7.3 – Page admins may use Insights to find out if you Liked or visited their Page

7.8 – Apps you visit receive your age so they can provide you with age appropriate content

8.9 – Facebook has always hashed your email when you log in to other sites and your email is transmitted to Facebook to identify you, but now it uses the term “hashed” instead of “encrypted”

9.3 – If you share from a social plugin and do not see an indicator of that post’s privacy settings, assume the post is being shared publicly

10.5 – All of the things you do and share on Facebook may be used to target you with ads

11.5 – Game developers and other companies looking to target ads to certain demographics of users, such as their highest scoring players, may provide Facebook with the email addresses or User IDs of those users so Facebook can point the advertiser’s ads towards them. Facebook already has this data from when you sign up, but will delete these instances passed to it by advertisers when it’s no longer necessary for the ad campaign

12.2 – A big new section clarifying cookie use, including what they help Facebook improve, and that you can block or delete them, but potentially to the detriment of your Facebook service

12.9 – Facebook lists its European Union Safe Harbor certification on the U.S. Department of Commerce’s Safe Harbor website

13.1 – Facebook now lists addresses where you can contact it by mail with questions, concerns, or inquiries about California privacy law (14.8). For U.S. and Canada residents: 1601 Willow Road, Menlo Park, CA 94025. For everyone else: Facebook Ireland Ltd., Hanover Reach, 5-7 Hanover Quay, Dublin 2 Ireland, or you can use this contact form

13.3 – Facebook may retain your data for extended periods if it’s subject to a “legal request or obligation, governmental investigation, or investigations” into violations of Facebook’s policies

14.3 – Facebook doesn’t guarantee it can protect you from spam