Privacy Policy for Social Login Buttons


A social login provides a myriad of straightforward solutions for your website or mobile application. The login is effortless for users (one less password to memorize), and will provide you with easy access to both login credentials and social sharing mechanisms for your services. The option may seem like a no-brainer, but don't forget the fine print!

Yes, you will need a Privacy Policy in order to implement a social login, and it should feature specific wording depending on the type of social platform connections you offer.

The Basics

You may wonder why most online businesses go through the trouble of creating pages of fine-tuned legal print to offer even the simplest of services. Here are a few basics of what a Privacy Policy covers and why it's necessary:

  • A Privacy Policy is a statement that lays out any private information your website/app collects about users, why the data is collected, what it is used for, and how it is managed.
  • If your website/app collects any personal data whatsoever from users, even if it's just a name or email address, a Privacy Policy is required by law. See below for more information on privacy law.
  • Most third-party software providers, including social login platforms like Facebook and Twitter, require a Privacy Policy with specific wording to be placed prominently on the website or mobile app before their services may be utilized.

Facebook Platform Policy menu

The Facebook Platform Policy outlines a wide range of regulations for using their API technology.

Privacy Laws

Although privacy laws may vary slightly according to which country your business is based in, the idea is essentially the same worldwide: Let users know what information you collect about them and how you use it.

Here are a few specific regulations that will likely apply to your business:

1. California Online Privacy Protection Act (CalOPPA):

Although this is technically a state law implemented by California, its jurisdiction reaches any business that collects personal information from a California resident. In other words, it applies to most businesses in the USA and beyond.

  • CalOPPA requires any online business that collects personal data from consumers to state a clear, easily-accessed Privacy Policy that details which information is collected and how it is used or shared.

2. The General Data Protection Regulation (GDPR):

This new and far-reaching regulatory measure will go into effect in May 2018. It applies to any organization that collects personal information from EU citizens.

  • The GDPR requires any business that collects personal information from EU citizens to inform them of all information collected, including data collected automatically via cookies.

Facebook Connect

Login with Facebook icon

The Facebook login feature offers more than just an easy login process. The application programming interface (API) software also provides multiple connection features so that users can connect with their Facebook friends or share content directly from within your website or mobile app.

In order to implement Facebook Connect features, you will need not only a thorough Privacy Policy, but also specific language that lets users know which information you will be collecting about them through Facebook.

Facebook Platform Policy excerpt

As shown in Facebook's Platform Policy above, Facebook Connect requires the following provisions to be met before using the API software:

  • The Privacy Policy must be publicly available and easily accessible to users, explaining "what data you are collecting and how you will use that data."
  • In the case of a mobile app, you must display links to the Privacy Policy within the App Dashboard and app store.
  • You must comply with your Privacy Policy.
  • You may only use the user's "Account Information" (as defined by Facebook) unless you have obtained explicit consent from the user to collect more data.

Meetup offers links to a Privacy Policy and a Cookie Policy from the initial Facebook Connect registration screen:

Meetup

Within the Privacy Policy, Meetup describes their use of "Social Media Services," which information is collected, and lets users know that they can disable the connection at any time:

Meetup Privacy Policy: Social Media Services clause

Facebook also offers various marketing and advertising solutions that can be used within your website and mobile applications.

Facebook Platform Policy: requirements for ad solutions clauses

As shown in the above screenshot, Facebook's Platform Policy includes requirements for the use of their ad solutions as well.

If you plan to use these services, here are a few basic rules to follow:

  • Inform visitors before collecting advertising or analytics data that will be used for advertising purposes. In most cases you will need to obtain consent as well.
  • Let users know which cookies Facebook uses to collect advertising and analytics data.
  • Include resources for users who wish to opt-out of targeted ads by Facebook.

Wondery describes the use of information from third-party social networks and how it is used:

Wondery Privacy Policy: Third Party Services clause

Trivago informs users of specific information they use during the registration process, requesting explicit consent from the user:

Trivago

Basware describes how it uses personal data for Facebook marketing ads and where to find opt-out information:

Basware Privacy Policy: Facebook Remarketing clause

Twitter

Twitter also offers API software for connecting your website or mobile app with Twitter. Through this interface, users can login to your website with Twitter, connect with followers, and share your content, depending on the functionality you desire for your business.

Login with Twitter icon

Twitter also requires an easily accessible Privacy Policy to be posted on your website or mobile app, according to their Developer Policy:

Twitter Developer Policy: Clause requiring Privacy Policy to be displayed when using social login

As indicated above, Twitter calls for the following conditions in regard to your Privacy Policy before using their login or API software:

  • Must comply with the basic statutes of the Twitter Privacy Policy
  • Must comply with "all applicable laws" (e.g. CalOPPA & GDPR)
  • Must explain which information is collected from users, how it is used, and how users may contact you with questions about their information
  • Must include information on the use of cookies, which third-party affiliates collect cookies from your users, and how users may opt-out of cookies
  • You must comply with your own Privacy Policy
  • Must display Privacy Policy to users "before download, installation or sign up of your application"

Periscope clearly links to their Privacy Policy within the Twitter login registration form. They also describe in detail the personal information they gather about users through Twitter:

Periscope

Within the Periscope Privacy Policy, they go on to describe how they use the personal data collected from Twitter:

Periscope Privacy Policy: What personal information is collected by Twitter login

As for Twitter's requirements regarding cookies, the University of Reading sets a good example of how to list the Twitter third-party cookies that are used on their site:

University of Reading Privacy Policy: Third party cookies placed by Twitter

Google

Google Sign-In also provides an easy login process and various ways to implement the social network's features into your website or mobile app. You can use the API to view a user's connections and make suggestions based on those connections' activities within your app.

Login with Google icon

Google goes into even further detail outlining developer guidelines within their User Data Policy:

Google User Data Policy: Developer guidelines for implementing social login API

Although the above policy covers quite a few regulations, here are the basics you'll need to remember for your Privacy Policy if you plan to use Google Sign-In:

  • You must display a Privacy Policy throughout your website or mobile app that appears prominently in multiple locations.
  • Detail every type of personal information you gather from users, how you use it, and why.
  • If you change the way you use the personal data of users, you must inform them of the changes in a timely manner.

The New York Times offers a quick and easy Google sign-in feature that links to the Privacy Policy within the login process:

New York Times

Within their Privacy Policy, the New York Times goes on to describe the data they collect through Google Sign-in and how to disassociate the account:

New York Times Privacy Policy: Social login clause

Instagram

Instagram is another login API that offers unique social functions to your website or mobile app. The rich resource of photos and hashtags may be used to create dynamic image feeds, among other things.

Login with Instagram icon

Since its features and user information are more simple than most social networks, Instagram's privacy requirements are less involved:

Instagram Platform Policy: Social login privacy requirements

According to the policy above, Instagram only has four simple requirements for its API developers:

  • Display a Privacy Policy publicly.
  • Let users know which information is collected and how it is used.
  • Disclose any use of cookies, third-party sharing, or targeted advertising.
  • Comply with your Privacy Policy.

Bumble uses one short paragraph to encompass all of the information they collect from social media connected accounts, including Instagram:

Bumble Privacy Policy: Information collected clause

ThisMoment specifically mentions Instagram cookies in its Cookies Policy:

ThisMoment Cookies Policy: Instagram social login clause

Although the requirements are slightly different for each social network, the idea is very similar for all: maintain an open, honest disclosure of all personal information you plan to use from social media API platforms.

As long as you follow the Developer Policies provided by the social network you plan to work with, your login API integration should be a smooth and uncomplicated process.