Data Protection Assessment 101

While you cannot use User Data for advertising or marketing in general, there are some scenarios where you can use that data to improve your app or promote certain related apps or features. These questions help determine whether you're only using Meta Horizon User Data to improve or promote your content and experiences. Here's what to keep in mind.

First, you can let your users know about your own products. This includes new or existing features and functionality in an app they have already purchased from you or another one of your apps. If it's not an app the user has already purchased, make sure that it's distributed by your legal entity or affiliate as defined in the Meta Developer Distribution Agreement.

Next, you can use Meta Horizon User Data to promote other Meta Horizon apps if they're distributed by the same portfolio of apps as yours. You cannot, however, use Device User Data for that purpose, and you cannot sell access to the Meta Horizon User Data or the data itself.

Finally, you can use both Meta Horizon User Data and Device User Data to conduct analytics and draw insights about your product. This is a great way to identify ways to improve your app. As long as the data you use is aggregated, de-identified, or anonymized.

By working together, we can create an ecosystem where apps thrive while respecting user privacy.

These questions ensure you only leverage User Data to improve the overall experience, and never to single out users based on their individual characteristics. Simply put, you cannot create profiles or discriminate against users based on factors like race, religion, or sexual orientation. Imagine you're developing a VR fitness app that tracks behavior like exercise preferences and progress. This data is key to crafting a personalized routine within the app, but that same data could be used to exclude users based on age or ability.

A well-intentioned plan to personalize your app's experience could unintentionally disadvantage entire groups of users. There are some cases in which you can provide a different experience driven by user characteristics. For example, you can enforce an age restriction to limit access to mature content, or you can use anonymized, aggregated data to improve the app experience for all your users.

Think of it as tailoring your app to better suit your user base, not to single out individuals. User Data should never be a tool for exclusion. Instead, focus on building a VR world where everyone feels welcome.

VR should be a gateway for users to experience a new world, not give you a window into theirs. So these questions are included in the DPA to ensure your app is not used for any kind of surveillance activity. That includes collecting and using User Data for your own purposes, or sharing that data with law enforcement, national security agencies, and intelligence services.

There is one exception to keep in mind. If you receive a valid court order, you can submit the order along with a written notice to Meta. Once Meta grants you permission, you can fulfill that order. But regardless, user privacy must remain your default. These restrictions help ensure your app doesn't become a tool for unauthorized user monitoring. You want users to feel confident that their VR activity stays within your app.

This fosters trust and encourages users to engage freely with your VR experience.

These questions ensure that any information you collect from or about your users is for your app and your app only. Meta Horizon wants users to trust that anything they share while using your app stays within the VR world. Think of it as keeping your VR experience secure and self-contained. The key here is that you can't sell, license, rent, or lend User Data for any reason.

While you are allowed to share User Data with the service providers that help make your experience possible, you must have a written agreement in place that meets Meta's requirements to do so, and those service providers cannot use User Data for their own purposes.

When users know their information stays within the confines of your app and the integrations they have authorized, they can feel comfortable exploring the world you've created.

These questions ensure you follow Meta's policies for what kinds of User Data you share with other third parties, like your service providers, and how they can use it. There are only three specific situations where you can share User Data with third parties.

First, you can share User Data if the user explicitly tells you in writing to share their data with another company. Make sure you hold on to the proof of this request in case we ask for it later.

Second, you can share User Data with the service providers that help your app function, like cloud storage providers. But before you do, you need a written agreement with them that ensures that the third party only uses User Data to provide the necessary services to your app, and that they comply with Meta's policies, and that they keep User Data secure and confidential.

At the end of the day, you are responsible for your users' data. It's your job to make sure your service providers, and any subcontractors they use, understand and agree to handle User Data according to Meta's policies.

Third, and finally, if you are legally required to share User Data, such as in response to a valid court order, you can do so. But make sure to keep records of these requests in case we need them later.

This policy ensures User Data stays safe and sound even when you need to bring in third parties. By following these guidelines, you play a key role in fostering a VR ecosystem that users can trust.

When unencrypted data travels through untrusted networks, it becomes an easy target for bad actors. Encryption is essential to preventing unauthorized access like man-in-the-middle attacks. To that end, these questions ensure you encrypt User Data whenever it leaves your app's infrastructure.

There are a few factors that help determine the level of encryption required. Let's take a closer look.

First, data you send to end user devices should be protected by the strongest encryption available. Use TLS 1.2 or an alternative that provides equivalent network communication security. Only consider TLS 1.0 and 1.1 in rare cases, like when you're using outdated devices that can't handle stronger encryption, and never opt for older and weaker protocols like SSL versions 2.0 and 30.

Second, whenever data is moving between your app and other services like a cloud infrastructure or a remote server, you must enforce TLS 1.2 or equivalent.

And finally, while it's not mandatory, we do recommend that you encrypt transfers within your own private networks to add an extra layer of protection.

The bottom line? You must encrypt data whenever it is transmitted over public networks. Opt for the strongest level of encryption and disable older, insecure encryption methods whenever possible. You'll deliver a great experience, and you'll keep your users' data safe.

When you're handling data from or about our shared users, the most important thing to remember is that data needs a strong layer of protection. These questions determine whether you are securing the User Data stored on your servers or cloud-based apps according to Meta's requirements.

If you're storing data server-side, you have two options. The first option is encryption at rest, which scrambles the data using industry standard algorithms like AES or Blowfish. This helps protect against things like unauthorized access to database backups, which are not always as secure as live databases. There is some flexibility here. You can encrypt specific data fields within the database or opt for full disk encryption.

Your second option is to use an alternative Meta-approved security measure. These protections are explained further in our developer docs. If you opt for one of the alternative protections over encryption at rest, be prepared to describe how these protections adequately protect User Data.

While either option is acceptable, encryption at rest is our preferred method for securing stored User Data. But regardless of which method you choose, make sure that protecting User Data remains your top priority.

These questions ensure you meet Meta's security requirements for protecting User Data, either by technical interventions like multi-factor authentication or administrative controls like employee policies. You don't have to follow any particular standard, but the safeguards you enforce should at least be as protective as standards like ISO, NIST, and GDPR. We can't talk about security without mentioning data minimization, the practice of storing as little data as possible to get the job done.

To that end, Meta requires you and your service providers to delete User Data when it's no longer needed. This happens for a few different reasons. If a user specifically requests that their data be deleted, if you are required by Meta or by law to delete a user's data, or if a user deletes their account entirely, you must delete that user's data without unreasonable delay.

Generally speaking, you should delete any data that's not essential for running your VR app. If an account is inactive, you should still delete the associated data, unless it's been anonymized in a way that makes it impossible to identify the user. This reduces the scope of potential incidents. If you don't have the data, it can't be exposed in a breach.

If you do discover that User Data might have been compromised, you need to notify Meta as soon as possible. Use the designated form to provide us with the details. We can investigate the situation and take any necessary action. On your end, you're responsible for fixing the problem right away and keeping us updated on your progress. When users put on the headset, they're trusting all of us to take care of their data.

By following these guidelines, you help make the metaverse a safer place.