Facebook begins blocking apps from accessing user data after 90 days of non-use

Facebook has rolled out a change that limits apps’ ability to access users’ data. The change comes hours before Facebook CEO Mark Zuckerberg’s testimony before Congress where it’s expected he will have to answer questions about how the company handles its users’ personal information, in wake of the Cambridge Analytica scandal which saw the personal data of 87 million Facebook users compromised.

Among many other new restrictions to its API platform announced last week, Facebook said that it would soon introduce a stricter review process for use of Facebook Login for apps, and it would block apps from pulling users’ personal data after three months of non-use.

Now, that change to apps’ ability to access user data has begun to roll out, Facebook says.

All Facebook platform apps won’t be affected immediately – the change will roll out gradually over the weeks ahead.  Between April 9 and April 21, tokens for the users who have not actively logged into a developer’s app and granted consent to permissions in the last 90 days will expire, Facebook says.

Facebook suggests that app publishers monitor their app for any issues that may occur as a result. Apps may run into issues with regard to the expired tokens, and will need to make sure they’ve designed their app to either re-prompt the user to login again with Facebook, or show an optional user interface which allows the app to refresh its access to users’ Facebook data with consent.

The apps will have to send users through the Facebook Login process every 90 days, and the person logging in has to agree to the data permissions by tapping “Continue,” Facebook explains in its announcement.

“We believe this immediate access update helps build trust and leads to stronger connections within our ecosystem,” reads the Facebook blog post.

A number of apps over the years adopted Facebook Login to offer users an easier way to sign into their own service, while giving the app maker the ability to access users’ Facebook data. Some users preferred the Facebook Login option, as it meant they didn’t have to remember so many different passwords. Others, including those who didn’t have a Facebook account (or those who perhaps rightly didn’t trust Facebook) found the practice infuriating.

Also upsetting is that there was no sort of deprecation policy in place for the apps people no longer used. That led to users being fairly shocked to discover long lists of apps they hadn’t touched in years with lingering access to their data. Facebook recently addressed this issue as well, with the introduction of a bulk app removal tool that lets users delete apps from their account entirely. 

It also announced a series of changes to how developers can use its APIs, including Instagram APIs, which largely involve locking down its platform, then figuring out which developers actually require (and deserve) any heightened access in order for their app to function.

These sorts of changes are a critical part of what Zuckerberg will have to testify to today – because it wasn’t that Facebook directly handed over 87 million users’ personal data – it had just designed a platform that let apps easily collect it without users’ knowledge or consent.