What can I do about this clause?

{'method': 'IN_APP', 'recipient': 'https://www.facebook.com/settings?tab=applications', 'difficulty': 'MODERATE', 'action_type': 'DELETE_DATA', 'instructions': "Go to Facebook Settings > Security and Login > Apps and Websites, find the app you want to remove, click 'Remove', then contact the app directly to request data deletion and confirm it will be completed within 90 days.", 'deadline_days': 90, 'deadline_hours': None}

Which regulatory agencies enforce this type of clause?

{'agency': 'FTC', 'reason': 'FTC enforces COPPA data deletion obligations and has general jurisdiction over deceptive data retention practices under FTC Act Section 5.', 'complaint_url': 'https://reportfraud.ftc.gov/'}

What is the severity of this clause?

ConductAtlas classifies this 90-Day Platform Data Deletion Obligation clause as high severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

90-Day Platform Data Deletion Obligation — Meta

Share 𝕏 Share in Share

What it is

When a user asks a developer to delete their data or removes app permissions, the developer must delete that data within 90 days — and must also delete data if Meta removes their API access.

Consumer impact (what this means for users)

If you revoke a third-party app's access to your Facebook data, that app is contractually required to delete your data within 90 days — giving you a meaningful data erasure right enforced through Meta's developer terms.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.

Delete Your Data
Within 90 days
Go to Facebook Settings > Security and Login > Apps and Websites, find the app you want to remove, click 'Remove', then contact the app directly to request data deletion and confirm it will be completed within 90 days.

How other platforms handle this

Shopify Medium

We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, including to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. When we no longer need to use your personal information, we will take steps...

Grindr Medium

We retain your Personal Information for no longer than is necessary to fulfill the purposes for which the information was collected or as otherwise permitted or pursuant to Legal Obligations or pursuant to the Grindr Terms and Conditions of Service and/or the Grindr Community Guidelines. We also ret...

Dropbox Medium

When you sign up for an account with us, we'll retain information you store on our Services for as long as your account exists or as long as we need it to provide you the Services. If you delete your account, we'll initiate deletion of this information after 30 days.

See all platforms with this clause type →

Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

This creates a legally enforceable 90-day deletion window that is stricter than many developers' standard data retention practices and imposes deletion obligations triggered by platform-side events beyond the developer's control.

View original clause language

If a User requests that you delete their data or withdraws their consent for you to access or use their data, you must promptly comply and, in any event, within 90 days of their request. You must also delete Platform Data you have received if your app's access to the relevant permission or feature is removed, unless we tell you otherwise or applicable law requires retention.

Institutional analysis (Compliance & legal intelligence)

(1) REGULATORY FRAMEWORK: This provision directly implicates GDPR Art. 17 (right to erasure/'right to be forgotten'), which requires deletion without undue delay and generally within one month, making the 90-day window potentially non-compliant for EU users unless the 'complex request' extension under Art. 12(3) applies. CCPA/CPRA §1798.105 requires businesses to delete consumer personal information upon verifiable request within 45 business days (with one 45-day extension), making the 90-day period potentially non-compliant for California residents. COPPA 16 CFR §312.10 requires deletion of children's personal information when no longer needed. Enforcement authorities include: Irish DPC and EU SAs (GDPR), CPPA and California AG (CCPA/CPRA), FTC (COPPA). (2)

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

FTC

FTC enforces COPPA data deletion obligations and has general jurisdiction over deceptive data retention practices under FTC Act Section 5.
File a complaint →