Facebook Data Deletion Request Callback (Python)

To comply with GDPR ( GDPR – Art. 17 – Right to erasure ), Facebook has recently updated its privacy policy and as per that all the apps which use user data has to provide a way to the users to delete the data captured by Facebook.

From now onwards, it is required to enter either a “Data Deletion Callback URL” or a “Data Deletion Instructions URL”, in order to make an app go live.

When a user authenticates an app using Facebook, the app stores the profile details of user. Now, user can request the app to delete the data. Read more about the Facebook documentation here.

An app user can do this by going to their Facebook profile and clicking the Send Request button on the Settings & Privacy > Settings > Apps and Websites page.

Implementing the Callback in Python

To implement the callback, the url must be mentioned in the Data Deletion Request URL field of the app’s Facebook Login > Settings page in the App Dashboard.

Next step is to create an API endpoint which will receive POST request containing a signed request.

A signed request contains payload of data that can be validated against a hash signature to ensure it is from Facebook.

In the callback function, the signed request needs to be parsed and decoded. for this purpose, Facepy library can be used.

from facepy import SignedRequest

def parse_signed_request(signed_request):
    signed_data = SignedRequest.parse(signed_request, FB_APP_SECRET)
    FB_APP_SECRET = <Your facebook app secret>
    return signed_data

Above function will parse the signed request and return a payload like below..

{
   "algorithm": "HMAC-SHA256",
   "expires": 1291840400,
   "issued_at": 1291836800,
   "user_id": "345678"
}

Below is the sample endpoint callback handle in python. This function will receive the signed request and return a JSON response that contains a URL where the user can check the status of their deletion request and an alphanumeric confirmation code.

def delete_facebook_data(request,data):
    try:
        signed_request = request.POST['signed_request']
        signed_data = parse_signed_request(signed_request)
     
        # Do User Data Deletion here

        user_obj = User.objects.filter(id=signed_data["user_id"])
        user_obj.delete()
        confirmation_code = 200   
    except Exception as e:
        confirmation_code= 403
    return_data = {
        'url': f'{APP_URL}/user_deletion_status/{confirmation_code}',
        'confirmation_code': confirmation_code
    }

The function returns a url and confirmation code as per facebook requirement.

“The url in above function is an url on the app server in the form of a webpage, where user can check his request by using the confirmation code.”

Now the question arises that what data should be deleted from app server?

This can be understood as when a user signs in an app using Facebook , the account details are coming from Facebook . So if a user would request deleting his/her Facebook details, that means the app account deletion as well.

This needs to be handled the same way, as you would handle a normal account deletion request.

How to test the callback function?

  1. Log in to your app with Facebook Login.
  2. Go to your Facebook profile’s Apps and Websites settings tab: https://www.facebook.com/settings?tab=applications
  3. Remove your app.
  4. Click the Removed sub-tab and click on your app.
  5. Click Send Request to trigger your callback.

If everything works fine , you will be able to see below response.

20 thoughts on “Facebook Data Deletion Request Callback (Python)

  1. I had already read so many blogs but this is really very helpful for me and i wil definitely share this to all of my friends.
    Waiting for your next blog.
    Thanks you for sharing .

    Like

  2. When we send response back to facebook with url and confirmation code. I want to know this url is webpage url (What will the content of this webpage) or some things else.

    Like

  3. great article on user data deletion….how can I implement this for my unity game that uses fb sdk for tracking events in the game….

    Like

    1. If you login in any application using facebook, there is a social user id which gets saved in app server. You can see your user id by visiting Settings->’Apps and websites’ ->any App in which you have logged in using facebook-> You will see your user id mentioned in the bottom of the page.
      Facebook provides this user id in payload.

      Like

Leave a Reply to shailaja Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s