Only request and retain the user data that you really need, and clearly communicate to the user, at the point of collection, how the data will be used and what the value exchange will be. If you collect user data through Facebook, also post your notice of collection along with your comment policy on Facebook and on your own website.
Apps on Facebook are the highest level of tie-in to the social networking site, integrating with the user's Facebook News Feed and Notifications. The user will be asked to give your application access to Facebook, providing you with the basic information shared with everyone. Additional permissions must be requested for more functionality, such as posting information to the user's News Feed.
Clearly communicating how you will interact with users' News Feeds and with their "friends" via personalized ads, and how you will use any other data, is critical. Remember, once you begin to compile consumer data, you are obligated to provide a secure environment and protections around its use. Make sure you are prepared to deal with all the responsibilities surrounding PII. Consider what you will do when something goes wrong. Prepare for the "negative event" when an unflattering story or comment goes viral. Facebook must now be a part of any corporate communications plan.
Technology is changing quickly, and businesses like Facebook often have to address privacy implications in new product and service offerings without the benefit of experience or relevant guidelines. This shouldn't scare us. As you weigh your participation in social media, strive to behave in ways that generate trust and build confidence with consumers. Direct marketers should always be striving for a win-win solution.