Data Deletion Request Callback

To be compliant with General Data Protection Regulation (GDPR), applications that access user data must do one of the following:

  • Implement a Data Deletion Request Callback.
  • Provide a URL with explicit instructions for app users on how to delete their data by way of a third-party website or tool. The third-party website may be the relevant section in the application's Privacy Policy.

If your app type is Consumer or Gaming, either the callback or the URL is required for App Review and for Live mode.

The data deletion callback is called whenever an app user removes your app and requests that you delete their data. Your app users can do this by going to their Facebook profile and clicking the Send Request button on the Settings & Privacy > Settings > Apps and Websites page.

Screenshot of app being removed via Apps and Websites page with Send Request button visible

This generates a POST with a signed request that is sent to your app. The signed request contains an app-scoped ID identifying the user making the request. For an example of how to parse the request and the structure of the parsed request, see the following section.

In response to the user request, you should acknowledge receiving a user data deletion request through the technical means we provide, and provide a link and a confirmation number. The link and confirmation number must give the user access to a human-readable explanation of the status of their request, including a legitimate justification for any refusal to delete (where legitimate will vary based on jurisdiction and our case-by-case interpretation of our policy as it relates to their stated reasons).

Implementing the Callback

To parse and respond to the request, you should implement a "data deletion request" callback. Your callback must use the secure HTTPS protocol and must be listed in the Data Deletion Request URL field of your app's Facebook Login > Settings page in the App Dashboard.

Screenshot of Data Deletion Request URL field in the Facebook Login > Settings section of the App Dashboard

The Data Deletion Request callback that you implement must do the following:

  • Initiate the deletion of any data your app has from Facebook about the user.
  • Return a JSON response that contains a URL where the user can check the status of their deletion request and an alphanumeric confirmation code. The JSON response has the following form:
    { url: '<url>', confirmation_code: '<code>' }

Failure to comply with these requirements may result in your callback being removed or your app being disabled.

You can implement this callback in any language, but the following code is an example of the callback in PHP.

<?php
header('Content-Type: application/json');

$signed_request = $_POST['signed_request'];
$data = parse_signed_request($signed_request);
$user_id = $data['user_id'];

// Start data deletion

$status_url = 'https://www.<your_website>.com/deletion?id=abc123'; // URL to track the deletion
$confirmation_code = 'abc123'; // unique code for the deletion request

$data = array(
  'url' => $status_url,
  'confirmation_code' => $confirmation_code
);
echo json_encode($data);

function parse_signed_request($signed_request) {
  list($encoded_sig, $payload) = explode('.', $signed_request, 2);

  $secret = "appsecret"; // Use your app secret here

  // decode the data
  $sig = base64_url_decode($encoded_sig);
  $data = json_decode(base64_url_decode($payload), true);

  // confirm the signature
  $expected_sig = hash_hmac('sha256', $payload, $secret, $raw = true);
  if ($sig !== $expected_sig) {
    error_log('Bad Signed JSON signature!');
    return null;
  }

  return $data;
}

function base64_url_decode($input) {
  return base64_decode(strtr($input, '-_', '+/'));
}
?>

This produces a JSON object that looks like this, in which user_id is the relevant field for your callback.

{
   "algorithm": "HMAC-SHA256",
   "expires": 1291840400,
   "issued_at": 1291836800,
   "user_id": "218471"
}

For more information on signed requests, see Using a Signed Request in the Login for Games on Facebook topic.

Testing Your Callback

To test your callback:

  1. Log in to your app with Facebook Login.
  2. Go to your Facebook profile's Apps and Websites settings tab: https://www.facebook.com/settings?tab=applications
  3. Remove your app.
  4. Click the Removed sub-tab and click on your app.
  5. Click Send Request to trigger your callback.