
Restrictions on Sensitive Data Collection

High severity

What it is

Developers using Meta's Platform are prohibited from using it to collect, access, request permissions for, or process several classes of sensitive personal information outright: health or medical information, financial information (including credit card or bank account details), biometric information, information from or about children under 13 (or the applicable age of digital consent), and government identification numbers. Two further classes are permitted only under a condition: precise geolocation and special-category data (racial or ethnic origin, religious or philosophical beliefs, sexual orientation, trade union membership, criminal history) may be processed only with the user's explicit consent and only where needed for a core feature of the app.

Consumer impact (what this means for users)

Apps connected to your Facebook or Instagram account are contractually prohibited from using Meta's Platform to collect your health information, financial details, biometric data, children's data, or government ID numbers at all, and from collecting your precise location or special-category data (such as religion, sexual orientation, or criminal history) unless you explicitly consent and the app genuinely needs it for a core feature. This is a layer of protection beyond what many privacy laws require, but note that it is a contractual restriction on developers enforced by Meta, not a technical one: an app that violates it can still request and receive data until Meta detects the violation and acts.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.
  • Review and remove connected apps
    Go to Facebook Settings > Apps and Websites, review the permissions each connected app holds, and remove any app you did not explicitly authorize to access sensitive data such as location or health information, or that holds access it does not need for its core function. Removing an app revokes its access going forward; data the developer has already collected remains with the developer, so contact them directly (or use the deletion rights available in your jurisdiction) if you want that data deleted as well.

How other platforms handle this

Apple (Medium)

Apps must include a privacy policy and must comply with the App Store's privacy information requirements. On the App Store product page, developers must provide information about some of their data collection practices.

Stash (Medium)

Stash does not respond to general web browser "Do Not Track" settings and/or signals.

PayPal (Medium)

If you Pay without a PayPal account, we may link your transaction information with your PayPal account if you create a PayPal account later.


Why it matters (compliance & risk perspective)

This provision creates a categorical prohibition on collecting health, financial, biometric, children's, and government ID data via Meta's Platform, with no consent carve-out, and a consent-plus-necessity condition on precise geolocation and special-category data. It therefore protects users' most sensitive personal information from being accessed through Facebook or Instagram integrations regardless of what an individual app's own privacy policy says, and gives Meta a contractual basis to revoke a developer's access for violations.

Original clause language
You must not use Platform to collect, access, request permissions for, or process: health or medical information; financial information (including credit card or bank account information); biometric information; information from or about children under 13 (or the applicable age of digital consent in the relevant jurisdiction); precise geolocation information unless you have the user's explicit consent and need it for a core feature of your app; government identification numbers; information relating to racial or ethnic origin, religious or philosophical beliefs, sexual orientation, trade union membership, or criminal history, unless you have explicit consent and it is necessary for a core feature of your app.

Institutional analysis (Compliance & legal intelligence)

(1) REGULATORY FRAMEWORK: This provision engages GDPR Art. 9 (processing of special categories of personal data, including health, biometric, racial/ethnic origin, religious, and political data), which requires explicit consent or another Art. 9(2) exception; COPPA 16 CFR Part 312 (children's data under 13); HIPAA 45 CFR Parts 160 and 164 (health information where a covered entity or business associate is involved); Illinois BIPA (740 ILCS 14) for biometric information; CCPA/CPRA §1798.121 (sensitive personal information, including racial origin, health, financial, and biometric data); and GLBA for financial information. Enforcement authorities include: EU DPAs (GDPR Art. 9), FTC (COPPA, HIPAA in some contexts), HHS OCR (HIPAA), Illinois AG (BIPA), CPPA/California AG (CCPA/CPRA). (2)


Applicable agencies

  • FTC
    The FTC enforces COPPA against apps collecting children's data and has general authority over deceptive or unfair sensitive data collection practices under FTC Act Section 5.
  • HHS OCR
    The HHS Office for Civil Rights has jurisdiction where health information accessed through Meta APIs constitutes protected health information under HIPAA, which applies only where a covered entity or business associate is involved.

Applicable regulations

  • EU AI Act (European Union)
  • BIPA (Illinois, USA)
  • CCPA/CPRA (California, USA)
  • COPPA (United States, federal)
  • CAN-SPAM (United States, federal)
  • DMA (European Union)
  • FCRA (United States, federal)
  • GDPR (European Union)
  • GLBA (United States, federal)
  • HIPAA (United States, federal)
  • TCPA (United States, federal)
  • UK GDPR (United Kingdom)

Provision details

Document information
  • Document: Meta Platform Policy
  • Entity: Meta
  • Document last updated: March 24, 2026

Tracking information
  • First tracked: March 6, 2026
  • Last verified: April 9, 2026
  • Record ID: CA-P-002402
  • Document ID: CA-D-00022

Evidence provenance
  • Source URL: archived via the Wayback Machine
  • SHA-256: 4374fc1ff34a2283fed483234d25489ab19318606babb2f08722353374991450
  • Verified: snapshot stored; change verified

How to cite
ConductAtlas Policy Archive
Entity: Meta | Document: Meta Platform Policy | Record: CA-P-002402
Captured: 2026-03-06 20:43:57 UTC | SHA-256: 4374fc1ff34a2283…
URL: https://conductatlas.com/platform/meta/meta-platform-policy/restrictions-on-sensitive-data-collection/
Accessed: April 28, 2026
