Facebook Data Deletion Callback URL: The App Review Requirement Most Apps Miss
If your app uses Facebook Login or touches user data, Meta requires a working way for users to delete that data. Get it wrong and your App Review stalls — or a live app gets restricted. Here is what it actually involves.
Most developers focus their App Review preparation on permissions, the screencast, and the privacy policy. Then the submission comes back flagged for something they never set up: a Data Deletion Callback URL or Data Deletion Instructions URL. It is one of the most overlooked requirements in the whole Meta review process, and it blocks otherwise-ready apps.
This guide explains what the requirement is, the difference between the two options Meta accepts, and why so many apps get stuck on it. The exact implementation is the part we handle as a service — but you will leave knowing why it matters and what is at stake.
What Meta actually requires
Any app that accesses Facebook user data must give users a way to request deletion of that data. Meta will not let you complete App Review for data-accessing permissions without one of these two in place, and it can review your app again after it is live. You configure it under App Dashboard → Facebook Login → Settings → Data Deletion Requests.
Option 1 — Callback URL
A live HTTPS endpoint. When a user removes your app, Meta sends a signed request containing an app-scoped user ID. Your server must start the deletion and reply with a JSON object containing a status url and a confirmation_code.
Option 2 — Instructions URL
A public web page that clearly explains how a user can request deletion of their data from your app. Lower-tech, but it must be reachable, specific, and match what your app really does.
Why it is harder than it looks
On paper it is "add a URL." In practice, this is where projects stall:
The callback is a real integration
It is not a static link. It must parse a signed request, verify it against your app secret, trigger an actual deletion, and return a correctly shaped JSON response — over HTTPS only.
The response format is strict
Meta expects a precise JSON response with both a tracking url and a confirmation_code. A malformed or missing field makes the callback look broken to the reviewer.
It must match your privacy policy
Reviewers cross-check your deletion method against your privacy policy and the permissions you requested. Inconsistencies between the three are a common rejection trigger.
It has to keep working
This is not a one-time checkbox. Meta can re-test it after launch. A callback that silently fails later can put a live app at risk of restriction.
How the process works (high level)
- Confirm whether your app needs a Callback URL or whether a properly written Instructions URL is enough for your use case.
- Set up the endpoint or page so it is publicly reachable over HTTPS and tied to the correct app.
- Make sure the deletion flow actually does something — and returns the response Meta expects.
- Align the privacy policy, requested permissions, and deletion method so they tell one consistent story.
- Register the URL in the App Dashboard and verify it passes Meta's test before submitting for review.
We deliberately keep the wiring details out of this post — getting the signed-request verification, response shape, and dashboard configuration exactly right is the part clients hire us to do, because a small mistake here quietly fails review.
What a clean setup gets you
Common reasons this requirement fails review
- No Data Deletion Callback URL or Instructions URL set at all.
- The URL is not publicly reachable, is HTTP not HTTPS, or returns an error when Meta tests it.
- The callback returns the wrong JSON shape or is missing the
confirmation_code/ statusurl. - The deletion method does not match what the privacy policy or requested permissions describe.
- An Instructions page that is vague, generic, or copied from another site rather than describing your app's real process.
Related reading: my Facebook App Review service covers the full submission, and if you have already been rejected, the Meta App Review Rejection Fix service diagnoses exactly why. Questions first? Get in touch here.