The two largest social networks, Facebook and LinkedIn, both have platforms that let users give third-party apps permission to use their data. Both also provide users with a process to revoke that permission, but with one crucial difference: LinkedIn requires apps to delete that data when permission is revoked; Facebook does not.
Here’s what LinkedIn’s policy states:
You must delete all data collected with the user’s consent, including the Member Token and the OAuth Token, upon request by the user, when the user uninstalls your Application, or when the user closes his or her account with you. (Emphasis added)
Here’s what Facebook says:
You will delete all data you receive from us concerning a user if the user asks you to do so, and will provide an easily accessible mechanism for users to make such a request. (Emphasis added)
In my informal polling, I have yet to find a user who understood that when they revoke Facebook access to an app, the app will still retain their data unless they make a formal request to delete it. In fact, they’re more likely to get the opposite impression from this interface in the app-removal process:
This is a big hole in Facebook’s app privacy framework, and one that LinkedIn has handled much more effectively: revoking an app’s access on LinkedIn triggers deletion, while on Facebook it only cuts off future access and leaves the already-collected data with the app unless the user separately asks for it to be deleted. Facebook should fix its policy and affirmatively require apps to delete data when permissions are terminated.