To comply with GDPR (Art. 17, Right to erasure), Facebook has recently updated its privacy policy; as per that policy, all apps which use user data have to provide a way for users to delete the data captured from Facebook.
From now onwards, it is required to enter either a “Data Deletion Callback URL” or a “Data Deletion Instructions URL” in order to make an app go live.
When a user authenticates with an app using Facebook, the app stores the user's profile details. The user can then request that the app delete this data. Read more in the Facebook documentation here.
An app user can do this by going to their Facebook profile and clicking the Send Request button on the Settings & Privacy > Settings > Apps and Websites page.

Implementing the Callback in Python
To implement the callback, the URL must be entered in the Data Deletion Request URL field of the app's Facebook Login > Settings page in the App Dashboard.

The next step is to create an API endpoint which will receive a POST request containing a signed request.
A signed request contains a payload of data that can be validated against a hash signature to ensure it came from Facebook.
In the callback function, the signed request needs to be parsed and decoded. For this purpose, the Facepy library can be used.

    from facepy import SignedRequest

    FB_APP_SECRET = "<Your Facebook app secret>"  # must be defined before it is used below


    def parse_signed_request(signed_request):
        # Verifies the HMAC-SHA256 signature against the app secret and returns the
        # decoded payload; facepy raises an error if the signature does not match.
        signed_data = SignedRequest.parse(signed_request, FB_APP_SECRET)
        return signed_data
The above function will parse the signed request and return a payload like the one below:

    {
        "algorithm": "HMAC-SHA256",
        "expires": 1291840400,
        "issued_at": 1291836800,
        "user_id": "345678"
    }
Below is a sample endpoint callback handler in Python (Django). This function receives the signed request and returns a JSON response that contains a URL where the user can check the status of their deletion request, and an alphanumeric confirmation code.

    from django.contrib.auth import get_user_model
    from django.http import JsonResponse
    from django.views.decorators.csrf import csrf_exempt
    from django.views.decorators.http import require_POST

    User = get_user_model()
    APP_URL = "https://<your app domain>"  # base URL of the app server


    @csrf_exempt  # Facebook posts the callback without a Django CSRF token
    @require_POST
    def delete_facebook_data(request):
        try:
            signed_request = request.POST['signed_request']
            signed_data = parse_signed_request(signed_request)
            # Do user data deletion here. Filter on whichever field the app
            # stored the Facebook user id in; the id column is assumed here.
            user_obj = User.objects.filter(id=signed_data["user_id"])
            user_obj.delete()
            confirmation_code = 200
        except Exception:
            confirmation_code = 403
        return_data = {
            'url': f'{APP_URL}/user_deletion_status/{confirmation_code}',
            'confirmation_code': confirmation_code
        }
        return JsonResponse(return_data)
The function returns a URL and a confirmation code, as per Facebook's requirement.
“The URL in the above function is a URL on the app server in the form of a webpage, where the user can check his request by using the confirmation code.”
Now the question arises: what data should be deleted from the app server?
This can be understood as follows: when a user signs in to an app using Facebook, the account details come from Facebook. So if a user requests deletion of his/her Facebook details, that means deletion of the app account as well.
This needs to be handled the same way as you would handle a normal account deletion request.
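As an added, framework-agnostic example (not the post's code and not the facepy library), the following shows what the signed-request check does with only the standard library, and a callback body of the kind described under the sample handler: the HMAC-SHA256 over the base64url payload is verified in constant time before anything is deleted, the deletion is keyed to the Facebook user_id, and the confirmation code is random rather than an HTTP status, so a status page cannot be enumerated. FB_APP_SECRET, APP_URL, the in-memory USERS and DELETION_REQUESTS stores, and make_signed_request (used only to build offline test input) are assumptions for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

# Constructed values for this example: swap in the real app secret and base URL.
FB_APP_SECRET = "example-app-secret-not-real"
APP_URL = "https://app.example.com"

# In-memory stand-ins (constructed) for the app's user table and its log of
# deletion requests; a real app would use its database for both.
USERS: Dict[str, dict] = {"345678": {"name": "Sample User", "email": "sample@example.com"}}
DELETION_REQUESTS: Dict[str, dict] = {}


def _b64url_decode(data: str) -> bytes:
    # Facebook strips the '=' padding, so restore it before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_signed_request(signed_request: str, app_secret: str) -> dict:
    """Verify and decode a signed_request of the form '<signature>.<payload>'.

    The payload is base64url-encoded JSON; the signature is HMAC-SHA256 over
    the still-encoded payload, keyed with the app secret. This mirrors what
    facepy's SignedRequest.parse does in the post's code.
    """
    if "." not in signed_request:
        raise ValueError("malformed signed_request: expected '<signature>.<payload>'")
    encoded_sig, payload = signed_request.split(".", 1)
    data = json.loads(_b64url_decode(payload))
    if str(data.get("algorithm", "")).upper() != "HMAC-SHA256":
        raise ValueError("unsupported algorithm: %r" % data.get("algorithm"))
    expected = hmac.new(app_secret.encode(), payload.encode(), hashlib.sha256).digest()
    # compare_digest avoids leaking where the two signatures first differ.
    if not hmac.compare_digest(_b64url_decode(encoded_sig), expected):
        raise ValueError("bad signature: request did not come from Facebook")
    return data


def make_signed_request(payload: dict, app_secret: str) -> str:
    """Build a signed_request the way Facebook does. Only Facebook signs real
    requests; this exists so the example can be exercised offline."""
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(app_secret.encode(), body.encode(), hashlib.sha256).digest()
    return _b64url_encode(sig) + "." + body


def handle_deletion_request(signed_request: str, app_secret: str = FB_APP_SECRET) -> dict:
    """Callback body: verify first, then delete everything keyed to the Facebook
    user_id, then answer with the status URL and confirmation code. A ValueError
    from the parser means the view should respond 400 and delete nothing."""
    data = parse_signed_request(signed_request, app_secret)
    fb_user_id = str(data["user_id"])
    # The app account goes together with the Facebook-sourced profile.
    removed = USERS.pop(fb_user_id, None) is not None
    # A random code: a status URL built from a fixed value such as 200 or 403
    # would let anyone view, or guess, another user's request.
    code = secrets.token_hex(8)
    DELETION_REQUESTS[code] = {
        "user_id": fb_user_id,
        "status": "completed" if removed else "no_data",
        "requested_at": int(time.time()),
    }
    return {"url": f"{APP_URL}/user_deletion_status/{code}", "confirmation_code": code}


def deletion_status(code: str) -> Optional[str]:
    """What the status webpage answers when the user enters the confirmation code."""
    entry = DELETION_REQUESTS.get(code)
    return None if entry is None else entry["status"]


if __name__ == "__main__":
    sample = make_signed_request(
        {"algorithm": "HMAC-SHA256", "issued_at": 1291836800, "user_id": "345678"},
        FB_APP_SECRET,
    )
    print(handle_deletion_request(sample))
```

The view wiring is left to the framework: read the signed_request form field, call handle_deletion_request, return the dict as JSON, and map a ValueError to an HTTP 400 so a tampered or foreign request never reaches the delete step.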
How to test the callback function?
- Log in to your app with Facebook Login.
- Go to your Facebook profile’s Apps and Websites settings tab: https://www.facebook.com/settings?tab=applications
- Remove your app.
- Click the Removed sub-tab and click on your app.
- Click Send Request to trigger your callback.
If everything works fine, you will be able to see the response below.

Thanks for such a nice post 👏👍👍
Thank you for your comment. I hope that you found it useful!
Thank you for sharing this informative post.
Thank you 🙂
This is amazing!
It will help many out there.👏
Thank you 🙂
Very well explained.
I hope it helps!
I had already read so many blogs, but this is really very helpful for me and I will definitely share this with all of my friends.
Waiting for your next blog.
Thank you for sharing.
So informative!! Thanks for sharing!
Yeah, thanks for this article ❤
Hope you found it useful!
When I send the request, it does not call the endpoint server.
Please share your detailed query (with screenshots if any) through email on ‘theglitchblog.blog@gmail.com’. We will get back to you.
When we send the response back to Facebook with the URL and confirmation code, I want to know whether this URL is a webpage URL (what will the content of this webpage be?) or something else.
It is a URL on your app server in the form of a webpage, where the user can check his request by using the confirmation code.
Great article on user data deletion. How can I implement this for my Unity game that uses the FB SDK for tracking events in the game?
Thanks for the article. It was useful.
Which kind of user_id will Facebook provide us in the callback?
If you log in to any application using Facebook, there is a social user id which gets saved on the app server. You can see your user id by visiting Settings -> ‘Apps and websites’ -> any app in which you have logged in using Facebook; you will see your user id mentioned at the bottom of the page.
Facebook provides this user id in the payload.