Previously the rules only permitted storage of some data for 24 hours. Notice I said “rules”. The truth is that there is no technical means of enforcement that I can find. This is done on the honor system. Facebook in theory could look at usage and wonder “how are they doing this without refetching data?”, but monitoring all the apps in that way seems highly impractical. You’d need good knowledge of how the every app actually functions to make that decision. That still doesn’t cover the case of not deleting data when a user removes the application or changes privacy settings.
I’m sure there are some shady application vendors who have forever ignored this requirement. I’m sure some have also captured data they weren’t supposed to store. It seems naïve to think otherwise. That’s not to say everyone does it, or even a sizable number. I suspect most companies are honest and follow the rules. The change to remove the limit is actually more honest and straight forward. It is a step closer to reflecting reality.
Facebook should really have some sort of audit policy for apps over X number of users, or make it clear that there’s no real technical means limiting what an application can store once you share data with it. They don’t know for certain that just because a user deleted an application that the application has purged the data. There’s no technical means behind it, and that’s not something that’s easy to fix.
This is an important thing to clarify. Just because they had a policy of a time limit, that doesn’t equate to a technical solution. This is akin to passing a law that says “no identity theft”. It’s a novel thing to do, but it doesn’t prevent theft. It simply clarifies the official position on the activity. If this method worked, we wouldn’t need law enforcement or a legal system, just a few clever people with pens to write laws.
Facebook can obviously shut down anyone who it feels violated their policies, and can likely take legal action against such parties. I’m pretty sure they shut down applications, I’m not sure about legal action.
Bottom line: only share data if you’re willing to accept this risk. Their clarification of warning dialogs before you authorize an application is a good step in this direction.