I have an application that listens to Facebook leadgen events using a public AWS API Gateway URL. Facebook recently sent out an e-mail saying that my app needed to be compliant with Facebook Data Deletion Requests. I am unsure of how to proceed, since the actual Data Deletion requests send a user_id through a webhook URL at the time of requested deletion, but that field cannot be mapped to my own database records containing the Facebook user data as none of my other interactions with Facebook's servers, whether through HTTP requests or Webhook requests, actually contain the user_id.
According to Facebook's official documentation, these are the fields that it sends when a lead is generated through a Facebook ad. Notice that there's no user_id in this payload:
{
"object": "page",
"entry": [
{
"id": 153125381133,
"time": 1438292065,
"changes": [
{
"field": "leadgen",
"value": {
"leadgen_id": 123123123123,
"page_id": 123123123,
"form_id": 12312312312,
"adgroup_id": 12312312312,
"ad_id": 12312312312,
"created_time": 1440120384
}
},
{
"field": "leadgen",
"value": {
"leadgen_id": 123123123124,
"page_id": 123123123,
"form_id": 12312312312,
"adgroup_id": 12312312312,
"ad_id": 12312312312,
"created_time": 1440120384
}
}
]
}
]
}
There's another payload where I ping a Facebook server with a leadgen_id, but that response also does not contain a user_id:
{
"created_time": "2015-02-28T08:49:14+0000",
"id": "<LEAD_ID>",
"ad_id": "<AD_ID>",
"form_id": "<FORM_ID>",
"field_data": [{
"name": "car_make",
"values": [
"Honda"
]
},
{
"name": "full_name",
"values": [
"Joe Example"
]
},
{
"name": "email",
"values": [
"joe@example.com"
]
},
{
"name": "selected_dealer",
"values": [
"99213450"
]
}],
...
}
Is there any way that I can map an internal record with a facebook user_id so that I can comply with the deletion requests?
Data Deletion is about deleting data you have stored, that is associated with a specific user profile. Since you aren't getting any such data with these Leadgens, I don't see anything they could want you to delete upon the user's request here.
I'm guessing this is probably rather about the fact, that you do have users logging in to your app - at least yourself, and perhaps other page admins too, to grant the necessary permissions. Facebook's systems have probably picked up on that fact, but noticed you don't have data deletion configured.
You don't have to implement a Data Deletion callback URL - you can also just specify a page on your website in your app settings, that contains instructions for users on how to get in touch, and manually request deletion of their data. If your app's use case is what I think it is (geared towards handling ads, and not providing functionality to individual Facebook users), you probably won't even ever get contacted about any such deletion. (And if you do, you can then still figure out how you handle this deletion request, manually.)
Just make sure the page you provide is reachable by Facebook's scraper (https://developers.facebook.com/tools/debug/), I think they do automated tests to check its availability. And maybe put a bit of text explaining the situation onto that page at least - in case during a future app review someone at Facebook might actually manually check.