The Privacy Review process is a central part of developing new and updated products and services at Meta. Through this process, we assess how data will be used and protected as a part of new or updated products and services. We work to identify privacy risks that involve the collection, use or sharing of personal information and develop mitigations for those risks. The goal of this process is to maximize the benefits of our products and services for our community, while also working upfront to identify and reduce any risks.
The development of our new or modified products, services or practices is guided by our internal privacy expectations, which include:
- Purpose Limitation: Process data only for a limited, clearly stated purpose that provides value to people.
- Data Minimization: Collect and create the minimum amount of data required to support clearly stated purposes.
- Data Retention: Keep data for only as long as it is actually required to support clearly stated purposes.
- External Data Misuse: Protect data from abuse, accidental loss and access by unauthorized third parties.
- Transparency and Control: Communicate product behavior and data practices proactively, clearly and honestly. Whenever possible and appropriate, give people control over our practices.
- Data Access and Management: Provide people the ability to access and manage the data that we have collected or created about them.
- Fairness: Build products that identify and mitigate risk for vulnerable populations, and ensure value is created for people.
- Accountability: Maintain internal process and technical controls across our decisions, products and practices.
Privacy Review is a deeply collaborative, cross-functional process used to evaluate and comply with our obligations, and identify and mitigate privacy risks. It is led by our Privacy Review team, and is conducted by a dedicated group of internal privacy experts across legal, policy, and other cross-functional teams with backgrounds in product, engineering, legal regulations, security and policy. This group is responsible for making Privacy Review decisions and recommendations.
As a part of the process, the cross-functional team evaluates privacy risks associated with the project and determines if there are any changes that need to happen before project launch to control for those risks. If there’s no agreement between the members of the cross-functional team on what needs to happen, the team escalates to a central leadership review, and further to the CEO, if needed for resolution.