
Facebook Connect (Login with Facebook) and Data Protection – What Belongs in the Privacy Policy

Compact guide to Facebook Connect: processed data, purposes, legal bases (GDPR) and what website operators need to include in their privacy policy.


When a website operator uses Facebook Connect, i.e. login with a Facebook account via Meta, they typically process profile data of the website visitor (e.g. name, email address, profile picture, Facebook user ID) for the purpose of authentication and account creation in their own online service. This processing usually rests on contract performance and legitimate interests, supplemented by consent for any storage accesses associated with the login. This article explains which data Facebook Connect touches and which mandatory information has to appear in the privacy policy.

The following remarks are based on publicly available information from the provider and on publicly researchable sources; they do not replace a case-by-case review by the website operator.

A. Purpose and Functioning of Facebook Connect

Facebook Connect (also known as "Login with Facebook" or "Facebook Login") is a single sign-on (SSO) function of the Meta platforms. It allows website visitors to register and sign in to a website operator's online services using their existing Facebook account, without creating separate credentials there. To use it, the website operator integrates the Facebook SDK or the OAuth/OpenID Connect-based login flow of Meta.

The login flow typically runs as follows: the visitor clicks a "Sign in with Facebook" button, is redirected to a Meta authentication page, authenticates there with their Facebook credentials and decides which profile information may be released to the website operator. Meta then transmits an authentication confirmation (token) and selected profile data to the website operator. Passwords are not transmitted to the website operator.

This page focuses on the integration function "Login with Facebook" on the website operator's site (single sign-on). Other Meta products such as Meta Pixel, Conversions API, Custom Audiences, Facebook Pages or Marketing API are not covered here.

B. Mandatory Information in the Privacy Policy When Using Facebook Connect

In addition to general information (controller, data protection officer, data subject rights, supervisory authority), the GDPR requires specific mandatory information in the privacy policy about the use of individual tools, in particular under Art. 13 and Art. 14 GDPR.

Mandatory information includes:

  • the purposes of the processing (Art. 13(1)(c) GDPR),
  • the legal bases of the processing (Art. 13(1)(c) GDPR),
  • where processing is based on a balancing of interests, the specific legitimate interests pursued (Art. 13(1)(d) GDPR),
  • the recipients or categories of recipients (Art. 13(1)(e) GDPR),
  • whether data is transferred to an insecure third country outside the EU/EEA and on which basis (Art. 13(1)(f) GDPR),
  • the storage period or the criteria for determining it (Art. 13(2)(a) GDPR),
  • where data is not collected directly from the data subject, additionally the categories of personal data (Art. 14(1)(d) GDPR).

These mandatory items are broken down for Facebook Connect below.

In practice, it has become common to include a separate text block per tool in the privacy policy. The GDPR does not require this, and the practice regularly leads to long, redundant and poorly maintainable privacy policies that tend to conflict with the transparency principle of Art. 12(1) GDPR. A more appropriate approach is a topic-oriented one, where processing operations are described by topic rather than by tool (e.g. user account, SSO, tracking) and concrete service providers such as Meta are listed in a recipients appendix. This is the approach of the matterius generator.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of Facebook Connect

According to publicly available information, the contracting party for website operators in the European Economic Area is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland (EEA). The parent company is Meta Platforms, Inc., based in Menlo Park, California (USA).

According to publicly available information at https://www.dataprivacyframework.gov/s/participant-search, Meta Platforms, Inc. is listed as a participant in the EU-US Data Privacy Framework. Third-country transfers are, according to provider statements, supported by the DPF and/or EU Standard Contractual Clauses; the specific transfer mechanism is to be reviewed by the website operator.

Meta's central data protection policy is available at https://www.facebook.com/privacy/policy. Information specifically on Facebook Login can be found in the developer documentation at https://developers.facebook.com/docs/facebook-login/.

D. Data Processing by Facebook Connect – Step by Step

  1. Collection: When the visitor clicks the login button, they are redirected to a Meta authentication page. There, Meta collects login data and connection data. Upon successful authentication, the website operator receives the profile data released by the visitor.
  2. Storage: Meta stores the authentication and connection data on its own responsibility. The website operator stores the profile data transmitted to it in its own user account database.
  3. Use: The website operator uses the transmitted data to authenticate the user and to create or maintain the user account. Meta uses the data collected in the login context in accordance with its own privacy policy.
  4. Transmission: During the login flow, data is transmitted to Meta as well as to its subprocessors and, where applicable, group companies. Transmission to third parties by the website operator only occurs to the extent the website operator initiates it.
  5. Deletion: The user can dissolve the link between the Facebook account and the website account at any time in the Meta account settings. The website operator deletes the profile data in accordance with the rules applicable to its user account.

E. Data Collected with Facebook Connect

Which data Meta transmits to the website operator under Facebook Connect depends on the permissions requested by the website operator and on the user's release. Typical items are: Facebook user ID, (profile) name, email address, profile picture URL, where applicable date of birth, language and region. When the login endpoint is called, additional connection data between the device and Meta servers is generated.

This data falls into the following standardised data categories:

  • Web server log data: data the server receives when the login is called, e.g. IP address, date and time, URL of the login endpoint, referrer, browser, operating system and device.
  • Click paths: click on the "Sign in with Facebook" button, further login steps with timestamps.
  • Device data: device type, operating system, screen resolution of the device used during login.
  • Browser information: browser name and version.
  • Coarse location data: coarse location at city or municipality level derived from the IP address.
  • User account data: user identifier stored at the website operator (e.g. Facebook user ID, email), profile data from the Facebook profile, login history.
  • User profiles: characteristics derivable from login and profile data, e.g. region, language.

F. Purposes of Use When Using Facebook Connect

The website operator uses Facebook Connect to offer visitors a convenient, centralised registration and login process, to verify the user's identity, to create or maintain its own user account, and to prevent abuse (e.g. automated fake registrations).

These purposes fall into the following standardised purpose categories:

  • Functional provision: provision of the login and registration function with Facebook Connect, including error detection and resolution.
  • Contract performance: creation and maintenance of the user account based on the legal relationship underlying the account.
  • Security and abuse prevention: authentication, protection against fake accounts, bot detection, session management.
  • General product improvement: evaluation of aggregated login metrics for optimising the registration and login process.
  • Communication: provision of the communication channels linked to the account (e.g. service emails to the transmitted email address).
  • Compliance: compliance with statutory requirements and demonstrating such compliance.
  • Legal enforcement: assertion, exercise and defence of legal claims in connection with the user account.

In the website context, Facebook Connect falls primarily into the tool category SSO (single sign-on), linked to the topic of user accounts.

G. Legal Bases for Using Facebook Connect

The following legal bases typically come into consideration:

  • Contract performance (Art. 6(1)(b) GDPR) for creating and maintaining the user account and for authentication.
  • Legitimate interests (Art. 6(1)(f) GDPR); relevant legitimate interests are typically efficiency (simplified login process), security and abuse prevention (protection against fake accounts).
  • Consent (Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG), to the extent the login flow triggers storage accesses (e.g. cookies, local storage, similar identifiers) that are not strictly necessary.

Which legal basis applies depends on the case and is to be reviewed by the website operator on a case-by-case basis, in particular with regard to the scope of the requested permissions and any additional tracking.

H. Special Considerations and Notes on Facebook Connect

  • Meta's own controller role: For the data processing on Meta's side in the login context, Meta regularly acts, according to provider statements, as an independent controller. Meta's privacy policy then applies (https://www.facebook.com/privacy/policy).
  • Joint controller constellations for other Meta tools: For other Meta business tools (e.g. Pixel, Page Insights), Meta provides a controller or joint controller addendum (https://www.facebook.com/legal/controller_addendum). Whether and to what extent this becomes relevant for pure Facebook Login is to be reviewed on a case-by-case basis.
  • Scope of permissions: When configuring the app in the Meta developer console, the website operator should request only the permissions actually needed (data minimisation).
  • Third-country transfer: Processing in the USA is possible. According to publicly available information, Meta Platforms, Inc. is DPF-certified; SCCs may additionally apply.
  • Opt-out / disconnect: Users can dissolve the link to the website operator's app at any time in the Facebook account settings. The website operator should additionally provide an in-app option to disconnect the account.
  • Profile information: Which data is actually transmitted depends on the user's privacy settings on Facebook and is shown to the user in the login dialog.
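As an added example (not from the article, from Meta's SDK or from the matterius generator) tying the step-by-step flow in section D to the permission-scope and disconnect notes in section H: a minimal server-side model of the operator's side of the login flow in Python. It refuses permissions without a documented purpose, binds the redirect to an unguessable anti-CSRF state value, persists only the profile fields the account needs and implements the in-app disconnect. The Graph API version, app id, redirect URI and the `/me` profile are placeholders or constructed sample data; no network request is made and the code-for-token exchange is left out.

```python
import hmac
import secrets
from urllib.parse import urlencode

GRAPH_VERSION = "vX.Y"  # placeholder: the Graph API version the app is pinned to

# Each requested permission must map to a purpose stated in the privacy policy
# (assumption: these two scopes cover the login-plus-account use case).
SCOPE_PURPOSES = {
    "public_profile": "functional provision: identify the user at login",
    "email": "contract performance / communication: account and service emails",
}
STORED_FIELDS = ("id", "name", "email")  # profile fields kept in the account database


def new_state():
    """Per-login anti-CSRF value; store it in the visitor's session before redirecting."""
    return secrets.token_urlsafe(32)


def authorization_url(app_id, redirect_uri, scopes, state):
    """Redirect to Meta's login dialog, rejecting scopes that have no documented purpose."""
    unjustified = sorted(set(scopes) - set(SCOPE_PURPOSES))
    if unjustified:
        raise ValueError(f"no documented purpose for permissions {unjustified}")
    params = {"client_id": app_id, "redirect_uri": redirect_uri,
              "state": state, "scope": ",".join(sorted(scopes))}
    return f"https://www.facebook.com/{GRAPH_VERSION}/dialog/oauth?" + urlencode(params)


def handle_callback(query, expected_state, graph_me):
    """Handle the redirect back from Meta; graph_me stands in for the /me profile JSON."""
    if not hmac.compare_digest(query.get("state", ""), expected_state):
        raise PermissionError("state mismatch: abort login")
    if "id" not in graph_me:
        raise ValueError("profile without Facebook user ID")
    kept = {f: graph_me[f] for f in STORED_FIELDS if f in graph_me}
    account = {"facebook_user_id": kept.pop("id"), **kept, "login_history": []}
    dropped = sorted(set(graph_me) - set(STORED_FIELDS))  # discarded, never persisted
    return {"account": account, "dropped_fields": dropped}


def disconnect(account):
    """In-app disconnect: dissolve the Facebook link but keep the account itself."""
    return {**account, "facebook_user_id": None}


# Constructed sample /me response; "picture" is returned by Meta but not needed here.
SAMPLE_ME = {"id": "1234567890", "name": "Sample User", "email": "sample@example.com",
             "picture": {"data": {"url": "https://example.com/sample.jpg"}}}
```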

I. FAQ on Facebook Connect and Data Protection

J. Conclusion on Facebook Connect and Call-to-Action

In the website context, Facebook Connect is a classic SSO tool with a clear third-country reference to the US parent company. From a data protection perspective, the scope of the requested permissions, the boundary to Meta's own data processing, the treatment of any storage accesses under § 25 TDDDG and the third-country transfer to the USA are particularly relevant.

For the website operator, it is usually not advisable to include a separate text block on Facebook Connect in the privacy policy. Such tool-specific blocks make the privacy policy long, redundant and hard to maintain and tend to conflict with the transparency principle of Art. 12(1) GDPR.

A structured, topic-oriented approach is recommended: the privacy policy describes SSO and user accounts by topic rather than by tool and refers in an appendix to specific recipients such as Meta Platforms Ireland Limited. This is the methodology of the matterius generator.

This article serves general information on Facebook Connect and does not replace legal advice in individual cases. The presentation is based on publicly available information from the provider and on publicly researchable sources. Status: 2026-05-07.


K. Curator

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com
