Meta requires all developers to have a privacy policy. Privacy disclosures tell your users what data you collect, why you collect it, what you do with that data, and how users can request deletion of collected data.
You must submit a valid privacy policy even if your app does not transfer data off of the app. In that scenario, your privacy policy can tell users that you do not collect or store data from or about them beyond what is used to provide the app.
The privacy policy you submit must meet certain requirements. This guide will help you align your privacy policy with Meta Horizon's Privacy Policy Virtual Reality Checks (VRCs). For each VRC, you will evaluate your privacy policy against Meta's requirements.
Privacy 1
Requirement:
Under this VRC, Meta will confirm that the link you provide leads to a live, publicly available privacy policy specifically related to the organization and application being reviewed. If you need a refresher, review VRC.Quest.Privacy.1.
How do I meet this requirement?
To ensure your privacy policy satisfies this VRC, confirm it meets the following criteria:
Many privacy policies fail this requirement. Confirm that every place your privacy policy is linked from leads to a live privacy policy.
Confirm the link does not lead to a support website, the Meta Horizon Privacy Policy, or any other terms or policies
Many privacy policies fail this requirement. Confirm the correct name of the app and your organization are included in the privacy policy.
Ensure the link does not lead to a broken page (e.g., bad gateway or 404 error)
Validate the link to your privacy policy in the App Store
Ensure the link does not take users to a page that requires them to take an action such as providing data or logging in to view
If the URL is correct, but the site's certificate was issued by an issuer browsers do not trust, obtain a certificate from a trusted Certificate Authority (CA)
Many privacy policies fail this requirement. If the URL to your privacy policy is accessible, yet you continue to receive notice of privacy policy violations, check whether the certificate for your privacy policy site is issued by a trusted Certificate Authority, so that clients can establish a valid HTTPS connection.
A website Certificate Authority is trusted if it is widely recognized and respected as a reliable issuer of digital website certificates. For more information, review the certificates information on the HTTPS-Only Standard.
Many privacy policies fail this requirement. Do not copy and paste a privacy link for another app. If your privacy policy covers other products or services offered by your company, including other applications or websites, it should be clear from the face of the policy that it also covers this app.
Examples:
Unacceptable - When users click on the URL, they are directed to a partner's site where they can download my privacy policy
Acceptable - When users click on my organization's owned and managed URL, they are directed to a live and functional, publicly accessible site dedicated to only my app's privacy policy
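A pre-submission check of a privacy policy URL against the Privacy.1 criteria above (live page, HTTPS with a certificate from a trusted CA, no 404 or bad gateway, no login wall, app and organization named), as an added example that is not Meta's tooling or review logic; the login-page markers and the sample names in the comments are assumptions.

```python
import ssl
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass
class FetchResult:
    final_url: str   # URL reached after following redirects
    status: int      # HTTP status code, 0 if the TLS handshake failed
    body: str        # decoded page text ("" when the page is an error)
    tls_ok: bool     # certificate chain validated against the system trust store


def fetch(url: str, timeout: float = 10.0) -> FetchResult:
    """Fetch the policy; the default SSL context verifies the certificate chain,
    so a certificate from an untrusted issuer surfaces as tls_ok=False."""
    ctx = ssl.create_default_context()
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            body = resp.read().decode("utf-8", "replace")
            return FetchResult(resp.geturl(), resp.status, body, True)
    except urllib.error.HTTPError as e:          # 404, 502, ... is still a response
        return FetchResult(e.geturl(), e.code, "", True)
    except urllib.error.URLError as e:
        if isinstance(e.reason, ssl.SSLCertVerificationError):
            return FetchResult(url, 0, "", False)
        raise


# Heuristic (assumed) markers of a page that demands login before showing the policy.
LOGIN_MARKERS = ('type="password"', "sign in to continue", "log in to view")


def check_policy(r: FetchResult, app_name: str, org_name: str) -> list:
    """Return the Privacy.1 problems found; an empty list means every check passed."""
    problems = []
    if not r.tls_ok:
        problems.append("certificate not issued by a trusted CA")
    if not r.final_url.lower().startswith("https://"):
        problems.append("policy is not served over HTTPS")
    if r.status != 200:
        problems.append(f"HTTP {r.status} instead of 200 (broken page)")
    body = r.body.lower()
    if any(marker in body for marker in LOGIN_MARKERS):
        problems.append("page appears to require login before viewing")
    for label, name in (("app", app_name), ("organization", org_name)):
        if name.lower() not in body:
            problems.append(f"{label} name '{name}' not found in policy text")
    return problems


if __name__ == "__main__":   # usage: script.py https://example.org/privacy "My App" "My Studio"
    print(check_policy(fetch(sys.argv[1]), sys.argv[2], sys.argv[3]) or ["all Privacy.1 checks passed"])
```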
Privacy 2
Requirement:
Under this VRC, Meta ensures your privacy policy includes a clear explanation of what data your app is collecting from and about your users. You must submit a valid privacy policy even if you are not collecting user data off of the device. If you need a refresher, review VRC.Quest.Privacy.2.
If there are unresolved security vulnerabilities related to your team or app, your privacy policy must state that you do not collect user data. For more information, review VRC.Quest.Privacy.5.
How do I meet this requirement?
Your policy must state what data you collect, even if you only process data on-device. To ensure your policy satisfies this VRC, confirm it meets the following criteria:
Ensure your policy does not include vague statements such as, “some data is being collected”
Ensure your policy does not only state what data you do NOT collect, but clearly states exactly what data is being collected
Privacy policies sometimes fail review because developers state that they do not collect any personal information, and then later in the same policy describe data collection practices that include personal information. Ensure your disclosures are correct, complete, and consistent
Examples:
Acceptable - Users are informed that their physical movement data is collected to use in the MR experience; this information is only used to provide the experience and is not stored
Unacceptable - Users are informed that some of their data might be collected
Unacceptable - Privacy policy states that you do not collect any information from or about users but you have requested platform features on the Data Use Checkup
Privacy 3
Requirement:
Under this VRC, Meta ensures your privacy policy includes a clear explanation of how user data will be used by your app. You must clearly articulate your processes for the use and processing of user data in your privacy policy. If you need a refresher, review VRC.Quest.Privacy.3.
If there are unresolved security vulnerabilities related to your team or app, your privacy policy must state that you do not collect user data. For more information, review VRC.Quest.Privacy.5.
How do I meet this requirement?
Your policy must state exactly how data is being processed. To ensure your policy satisfies this VRC, confirm it meets the following criteria:
Simply stating what data you collect is not acceptable; you must provide a clear explanation of how you process user data in your privacy policy
Examples:
Unacceptable - Users are informed that data is collected, but no details about usage are provided
Acceptable - Users are informed that their location data is used to provide more accurate weather information
Privacy 4
Requirement:
Under this VRC, Meta ensures that your privacy policy includes a clear explanation of how all users may request deletion of any user data that has been collected or stored. If you need a refresher, review VRC.Quest.Privacy.4.
How do I meet this requirement?
Your policy must include a deletion clause that applies to all users, with instructions on how users can request that you delete all data you have collected from or about them. To ensure your policy satisfies this VRC, confirm it meets the following criteria:
Many privacy policies fail this requirement. You cannot state that data will be deleted under certain circumstances, or require a user to provide an explanation that you must approve before deleting their data. If there is a legal reason why you can't fulfill certain deletion requests, your privacy policy must state those reasons.
E.g., your privacy policy cannot specify that the right to deletion applies only to California residents and/or children
If you mention that you comply with specific laws that require deletion including GDPR, CCPA, and LGPD, you must also state that users residing outside of those regions can delete their data as well
Many privacy policies fail this requirement. Ensure your deletion clause applies to all users.
Providing a simple and immediate process, like an online form or an email address or phone number connected to your organization, is preferred but not required
While not a best practice, providing a physical address as a means for sending data deletion requests is also acceptable
Examples:
Unacceptable - “As a California resident, we guarantee your data will be removed...”
Unacceptable - “In order to request your data be deleted, submit your request fee of $5 to...”
Acceptable - “All users can request their data be deleted at any time by emailing deleteme@domain.com or by phone at 555-555-5555.”
Formatting Your Privacy Policy
Whether you're creating a new privacy policy, or revising an existing one, formatting your privacy policy well can help move your submission through the queue.
Here are four suggestions for formatting your privacy policy:
Avoid a wall of text and break up your privacy policy into individual sections.
This will make your privacy policy easier for a reviewer to navigate.
Clearly label each section.
For example, title your deletion clause “Requesting Data Deletion” so reviewers can quickly navigate there.
Make sure your policy is searchable with Ctrl+F or Cmd+F.
This helps your reviewers get straight to the section they need.
If you are a non-native English speaker, provide the privacy policy in your native language.
Even if you opt to translate the policy to English as well, sending it in your primary language will allow reviewers to compare the two to help ensure nothing is lost in translation.
Updating Your Privacy Policy
You are required to keep your privacy policy up to date as your data collection and handling processes evolve. To update your privacy policy URL, go to the Developer Dashboard and update the URL in Settings.
Anytime you make an update to your privacy policy, verify that the link to your privacy policy is valid on the App Store.
Your privacy policy must comply with all applicable laws and regulations
Your privacy policy may not supersede, modify, be less protective than, or otherwise be inconsistent with the DDUP or other applicable terms and policies
Remember, it's your responsibility to stay up to date with all relevant regulatory and Platform requirements. For more on complying with the DDUP, check out Navigating the Developer Data Use Policy.
Disclaimer: This resource does not guarantee compliance with Meta policies, nor applicable data privacy laws. Review Meta Horizon's Developer Data Use Policy for a comprehensive overview of Meta's requirements.
For more on this topic, take the Short Code:
Writing Your Privacy Policy
This Short Code walks you through Meta’s Privacy Policy requirements, and provides tips for writing your policy.