1601 S. California Avenue, Palo Alto, CA 94304 650.543.4800 – tel 650.543.4801 - fax

September __ 2011 Bjorn-Erik Thon, Director The Data Insp ectorate of Norw ay P.O. Box 8177 Dep, N-0034 Oslo NORWAY Re: Facebook’s Response to Questions from the Data Inspectorate of Norway Dear Director Thon, I write now to provide written responses to the questions asked by your Office as Part II of your report, “Social Network Services and Privacy - a case study of Facebook”. In accordance with the guidance you have given us, we are providing short replies covering the major points raised. We look forward to meeting with you at a mutually convenient time to discuss these responses in greater detail. Our response will follow the order in which the questions were asked and will provide the text of your questions verbatim.

A) When a new account is created , Facebook collects a variety of personal information, at lea st the following basic information: name, address, e-mail address and birth date.

Question:

Which basic account information do you share with other businesses in a directly identifiable manner?

When a person joins Facebook, he or she agrees that his or her name, profile picture (if one is added), networks (if any are joined), user ID, and username (if the user creates one) will be publicly available information. We state this clearly in our Privacy Policy. Facebook, however, only shares this limited set of public data with trusted partners who have entered into a contractual relationship with Facebook to provide Instant Personalization services. This sharing of basic information is described in Facebook’s Privacy Policy. Users may choose to disable the service at any time through the privacy settings, and Facebook will no longer share their basic information with the Instant Personalization websites. Users themselves share their public information with third-party applications that they choose to add. A user’s address, email address, and birth date are not classified as public information. These data items will not be shared with other businesses by Facebook, but an individual user may grant a third-party developer access to this data when he or she adds a third-party application. Question:

And what basic accoun t information do you share with others busi nesses in an indirect ident ifiable manner?