Data Protection Assessment FAQs

The Data Protection Assessment is an annual requirement for apps accessing certain types of data. The questions in the assessment are designed to determine whether developers are complying with our Platform Terms as it relates to the use, sharing and protection of Platform Data.

• “Platform Data” means any information, data, or other content you obtain from us, through Platform or through your App, whether directly or indirectly and whether before, on, or after the date you agree to these Terms, including data anonymized, aggregated, or derived from such data. Platform Data includes app tokens, page tokens, access tokens, app secrets, and user tokens.

• All data you receive from Meta through the app is considered Platform Data. For example, UserID, User email and User friends are all Platform Data.

• App Review is a forward-looking process that allows you to request approval for individual permissions and features.
• Data Use Checkup is an annual process for developers to self-certify that their continued use of and access to specific data via Meta APIs is in compliance with our Platform Terms and Developer Policies.
• Data Protection Assessment is an annual questionnaire that asks developers about their data use, sharing and data security with regard to Platform Data.

1. Make sure you are reachable:

   • Update your developer or business account contact email and notification settings.
   • Update the contact email on the app’s basic settings page.
   • Review the administrators listed on the app, and consider adding your legal and data security team members as admins so they can also answer questions.

2. Review the questions in the Data Protection Assessment and engage with your teams on how best to answer these questions.

3. Review our Platform Terms, and our Developer Policies.

1. With the ever-changing privacy regulatory landscape and continuously evolving threats to people’s privacy, we all have a responsibility to ensure we are working to build the trust of people who use our products and services, beginning with how their data is being used, shared and protected across the internet.
   • The Data Protection Assessment is required for developers who have apps that access certain types of data on our platform.
   • We have already seen success stories of developers implementing new data security measures because of our standards. If we partner on this together, we’ll raise the standards across the internet and gain the trust of the billions of people who use our services around the world.

If you are an administrator for an app that requires Data Protection Assessment, you will receive notifications on your My Apps page, the App Dashboard, Alert Inbox, and the email associated with your developer account.

You will receive a notification to prepare for the assessment by completing the following steps:

a. Make sure you are reachable:

• Update your developer or business account contact email and notification settings.
• Update the contact email on the app’s basic settings page.
• Review the administrators listed on the app, and consider adding your legal and data security team members as admins so they can also answer questions.

b. Review the questions in the Data Protection Assessment and engage with your teams on how best to answer these questions.

c. Review our Platform Terms, and our Developer Policies.

1. If you are an administrator for an app that requires Data Protection Assessment, you will receive notifications on your My Apps page, the App Dashboard, Alert Inbox, and the email associated with your App Admin account.
2. If you are an App Admin, make sure you are reachable:
   • Update your developer or business account contact email and notification settings.
   • Update the contact email on the app’s basic settings page.

If you are the administrator for an app that requires Data Protection Assessment, you will be notified in the following ways:

1. Notifications:
   • An email is sent to the developer or business account contact email. Edit your personal developer notification settings here.
   • A message is sent to the Alert Inbox on the App Dashboard.
   • A notification is sent to the App Admin via the App Dashboard.
2. Required Actions:
   • On your My Apps page, you will see a ‘Required Action’ on the app information card called ‘Data Protection Assessment.’
   • On the App Dashboard, you will see a ‘Required Action’ at the top.
   • On the basic settings page for the app, you will see a ‘Data Protection Assessment’ record.

Yes. If you need clarification about the questions asked in the Data Protection Assessment, you can reach out to Meta directly.

Meta has published Data Security Requirements on our developer documentation site, but this content is only available to users who are logged into their Facebook account. If you aren’t able to open this page and access the documentation, make sure that you:

• Are logged into your Facebook account, and.
• Have accepted Facebook’s developer terms here.

You have 60 calendar days from first notification to complete the Data Protection Assessment.

This is an annual requirement.

Yes. The form will auto-save so you will be able to pick up where you left off.

Here are the definitions for all the scenarios of your assessment:

Unfortunately, you will not be able to download your answers from the previous assessment, as we have changed the questionnaire to provide more clarity. After you submit your answers for this assessment, you will be able to view and download your submission as a PDF.

If based on your response, Meta reviewers need more information, we will reach out with clarifying questions and you will be notified in the following ways:

The notifications you received (described above) will have a link to the assessment, where you will see information at the top of the page that provides details on what additional information Meta reviewers are looking for. Please respond in the form and upload documentation if needed. Make sure you click ‘Submit’ after you have completed your response.

This is an opportunity for you to work with Meta reviewers who need to be absolutely certain before making a decision on whether or not the app is complying with our Platform Terms.

If you receive a ‘More information needed’ request, you will have 5 business days to respond. If you do not respond within the initial 5-day window, you will receive two auto-extensions for a total of 15 business days.

Yes. Depending on the violation, different restrictions could be placed against the app.

Yes, if a violation is detected based on your responses to the assessment, Meta reviewers will notify you through the following methods:

1. Notifications:
   1. An email is sent to the developer or business account contact email. Edit your personal developer notification settings here.
   2. A message is sent to the Alert Inbox on the App Dashboard.
   3. A notification is sent to the App Admin via the App Dashboard.
2. Required Actions:
   1. On your My Apps page, you will see a ‘Required Action’ on the app information card
   1. If the violation stems from failure to submit assessment by the deadline, the information card will say ‘Data Protection Assessment: Past due’
   2. If the Data Protection Assessment was submitted and a violation was found, the information card will say ‘Violations found’
   2. On the App Dashboard, you will see a ‘Required Action’ at the top
3. Status: Violations found

Failure to respond is considered a Platform Term violation.

1. After 60 days of non-response, your app will be deactivated.
   1. Restore the app by completing and submitting the assessment.
   2. If you receive a ‘More information needed’ request, you will have 5 business days to respond. If you do not respond within the initial 5-day window, you will receive two auto-extensions for a total of 15 business days. After 15 business days, your app will be enforced.
   3. If you have passed these timelines the app may be restricted. You can go to the My Apps page to view any apps that are restricted due to violations.
      1. Depending on the severity of the violation, there may be an opportunity to resolve the violation prior to the restriction. However, the most severe violations do not include a warning period. To resolve a violation, look on the My Apps page for the ‘Resolve’ link, and follow the outlined steps.

For each violation, if the deadline to respond is within 3 days, a 'Request extension’ button will appear. You can request two extensions equal to the length of the warning period (which will vary depending on violation) that will be automatically approved.

If a violation is found and the app has been restricted, you will be able to resolve the violation by providing a response with submitting evidence showing the violation has been remediated. Once a response has been submitted, a Meta reviewer will review this and respond directly in the ‘Resolve violations’ form.