Google API Services is a set of tools known as application programming interfaces. These are official technical ways for third-party applications to access Google services and data. The idea is that third parties can use the APIs to incorporate Google's data into their own services.
Some possible examples include adding a customized Google search box to a website, using Google Drive to add cloud-based working to an app, and using Google Maps to help website visitors find their nearest outlet of a retail chain and then plot directions from home.
Compliance With Google API Terms and User Data Policy
To use Google API Services you must agree to, and follow, several sets of requirements. These include the general Google APIs Terms of Service and any specific terms for accessing individual Google services.
They also include the Google API Services User Data Policy. This covers the way that using a Google API can involve accessing Google data relating to a specific user, which has privacy implications.
Complying with the User Data Policy is mandatory. If you do not comply, Google has the right to suspend or revoke your access not only to the API in question, but to all Google APIs and even to all Google products and services. If you rely on the API, this suspension or revocation could mean your own product or service is no longer available to the public.
Meeting Google's Rules
The policy is broken down into several themes, most of which are relevant to privacy. Let's take a look at each requirement.
You must accurately convey three key pieces of information to both Google and any specific Google users whose data you want to access through an API:
- Who you are
- What data you want to access
- Why you want to access the data
Here's the specific wording in the Google API Services User Data Policy:
The policy requires that you provide whatever information is needed to be "clear and accurate" rather than just doing the bare minimum to meet a checklist. For example, just giving the name of your application may not be enough: You should make clear who operates the application.
Another example is that you must list all the purposes for which your application will use the data rather than just the main one.
This list from Overpass is an example of doing this in a detailed but clear way:
When selecting permission requests, you should always ask for both the minimum scope and the minimum amount of data that is strictly necessary for your application's current needs.
Here's how Google explains this point:
Here's the specific wording:
- Tell Google and its users about any ways in which you will interact with their data.
- Tell Google and its users who you are and (if different) who manages your application.
This clause from Hop & Up gives specific details about who operates the relevant apps:
This legislation is largely about who you allow to access your services and the restrictions you must follow if your application is aimed at users aged under 13 or you know people aged under 13 are using it.
- It must be displayed prominently
- It must detail the types of information you collect, how you collect it and how you use it
- It must detail any third-party access to data you collect
- It must be written in a clear and simple manner
Remember that breaching COPPA can mean violating Google's Terms and Conditions, and it is also considered an "unfair or deceptive trade practice" that can attract heavy fines.
When your application accesses some Google APIs in specific ways, known as Restricted Scopes, the rules are tighter. At the time of writing, this affects access to Gmail that involves reading or creating any part of an email or accessing settings.
The additional rules include limitations on which types of applications can use the API, how they can use it, and how you prove to Google that your security is adequate.
This is the specific wording of what using Restricted Scopes entails: