FAQ

Before the assessment

General

Completing data access renewal is a requirement for:

  • Apps that request or have any access to use cases, permissions and/or features (for some apps this is called advanced access).

  • Apps that have been published live with a use case, or that have advanced access to permissions and/or features.

Data access renewal consolidates individual assessments into one, making the process more straightforward. It will only need to be completed once per year.

You have 60 calendar days from first notification to complete the assessment.

The form is auto-saved. If you leave the questionnaire and come back, it will reload the previous auto-saved state.

If you do not complete the assessment by your deadline, your app will be deactivated until data access renewal is completed. Extensions will not be provided.

General Definitions

For the purposes of the data handling questions, “personal data” is any data you receive from Meta that is related to an identifiable person. For examples, refer to the definitions in the General Data Protection Regulation (GDPR) and the UK Information Commissioner’s Office.

“Platform Data” means any information, data, or other content you obtain from us, through Platform or through your App, whether directly or indirectly and whether before, on, or after the date you agree to these Terms, including data anonymized, aggregated, or derived from such data. Platform Data includes app tokens, page tokens, access tokens, app secrets, and user tokens. All data you receive from Meta through the app is considered Platform Data. For example, UserID, User email and User friends are all Platform Data.

Access levels are an additional layer of Graph API authorization that apply to permissions and features for Business, Consumer, and Gaming apps. There are two access levels: Standard and Advanced.

Apps can request permissions with Advanced Access from any app user, and features with Advanced Access are active for all app users. Permissions with Standard Access, however, can only be requested from app users who have a role on the requesting app, and features with Standard Access are only active for app users who have a role on the app.

If your app will only be used by people who have a role on it, the permissions and features your app requires will only need Standard Access. If your app will be used by people who do not have a role on it, the permissions and features that your app requires will need Advanced Access.

During the assessment

Business connection

Meta verifies the organization is a registered business through business connection. Business verification helps us ensure that the business is a legitimate entity and that the developer is an authorized representative of the business. If the developer is already associated with one, this step will be a confirmation.

Data handling questions

A data controller is the entity that exercises overall control over the purposes and means of the processing of personal data. Refer to definitions in the General Data Protection Regulation (GDPR) and the UK GDPR for details and examples. Please ensure that you work with your legal team to understand this definition and how it applies to your business.

A data processor is a person or business that provides you with services to help you process personal data you obtain from Meta. This may include Service Providers as defined in Meta’s Platform Terms as well as your own companies. Please ensure that you work with your legal team to understand this definition and how it applies to your business.

We are unable to disclose specific details about our review process or provide examples of responses. We encourage you to carefully review our Best Practices and ensure that your app meets our guidelines before submitting it for review.

Your responses will be evaluated collectively. If your data handling practices are found to have an unacceptable level of risk, then your assessment will not be accepted and you will be asked to make changes to your data handling practices and re-submit the data handling questions.

No, Meta will not request any documentary evidence.

Data use questions

You can see usage levels for each permission in the “Permissions and Features” section of the App Dashboard. Once you log in, click “App Review” on the left side of the page, then select “Permissions and Features” from the dropdown. You’ll see a column for “API calls,” which will have a green check mark if our logging shows that you’re actively using the permission. Please remember this is just an estimate — you should consult with your development team to see if the permission is required for your integration.

If you are not using a permission, you should first remove the permission using the App Dashboard. Then you can certify the remaining permissions and features you are still using. However, some auto-granted permissions cannot be removed, and you may be asked to certify for them. If you haven’t used this data, you should still feel comfortable completing this process, since certifying indicates that any use of the permission is in compliance, which includes no use.

No. After you remove the permission in the App Dashboard, you can refresh the data use questions page and the permission you removed should disappear.

You will be prompted to certify for all permissions you had access to.

Meta requires developers to certify for these auto-granted “basic” permissions because they are widely used and provide access to user data. However, if you haven’t used this data, you should still feel comfortable completing this process, since certifying indicates that any use of the permission follows our Terms and Policies, which includes no use.

Data protection questions

The questions in the assessment are designed to determine whether developers are complying with our Platform Terms as they relate to the use, sharing and protection of Platform Data.

With the ever-changing privacy regulatory landscape and continuously evolving threats to people’s privacy, we all have a responsibility to ensure we are working to build the trust of people who use our products and services, beginning with how their data is being used, shared and protected across the internet.

The Data Protection Assessment is required for developers who have apps that access certain types of data on our platform.

We have already seen success stories of developers implementing new data security measures because of our standards. If we partner on this together, we’ll raise the standards across the internet and gain the trust of the billions of people who use our services around the world.

Reviewer Instructions

Reviewer instructions are needed for ongoing reviews, where Meta verifies that applicable apps are using permissions and features as originally claimed and that the data access and user experience do not violate any terms.

Our review team must thoroughly examine how your app utilizes FB Platform data across various layers. Therefore, it's crucial to ensure that we have access to all relevant authentication points within your app.

If there are multiple layers, such as a secondary login before or after Facebook Login, please provide the necessary username and password. This includes credentials for testing or demo servers, secondary logins, or any email registration flows associated with your app.

Additionally, for apps hosted on staging or development servers, consider that an extra layer of login might be required to access your server. Clarifying these authentication needs will significantly expedite the review process.

If you're still not sure what credentials are missing, you can opt to include a video in your next submission for further clarification.

After the assessment

It can take 10 days before you hear back from reviewers.

The status of your submission can be found on the overview page for data access renewal. You can learn more about the types of results you may receive here.

If, based on your response, Meta reviewers need more information, we will reach out with clarifying questions and you will be notified in the following ways:

Notifications:

  • An email is sent to the developer or business account contact email. Edit your personal developer notification settings here.

  • A message is sent to the Alert Inbox on the App Dashboard.

  • A notification is sent to the App Admin via the App Dashboard.

Required Actions:

  • On your My Apps page, you will see a ‘Required Action’ on the app information card called data access renewal.

  • On the App Dashboard, you will see a ‘Required Action’ at the top, with Status: Action Required.

The notifications you received (described above) will have a link to the assessment, where you will see information at the top of the page that provides details on what additional information Meta reviewers are looking for. Please respond in the form and upload documentation if needed. Make sure you click ‘Submit’ after you have completed your response.

If you do not respond to Meta reviewers by the provided response deadline, your app will be deactivated.

Yes. If, based on your responses to the assessment, Meta reviewers identify a violation, you will be notified in the following ways:

Notifications:

  • An email is sent to the developer or business account contact email. Edit your personal developer notification settings here.

  • A message is sent to the Alert Inbox on the App Dashboard.

  • A notification is sent to the App Admin via the App Dashboard.

Required Actions:

  • On your My Apps page, you will see a ‘Required Action’ on the app information card:

      • If the violation stems from failure to submit the assessment by the deadline, the information card will say ‘Past due’.

      • If the data access renewal was submitted and a violation was found, the information card will say ‘Violations found’.

  • On the App Dashboard, you will see a ‘Required Action’ at the top, with Status: Violations found.

If a violation is found and the app has been restricted, you will be able to resolve the violation by submitting a response with evidence showing the violation has been remediated. Once a response has been submitted, a Meta reviewer will review it and respond directly in the ‘Resolve violations’ form under Required Actions.

Extensions are not provided. Please respond to the violation by the provided deadline to avoid disruption to your app.

Yes. Depending on the violation, different restrictions could be placed against the app.
