A Privacy Policy For Google API Users

If your application or service accesses Google's APIs, you'll need to comply with Google's rules on personal data. Having a clear and accessible Privacy Policy is one of the key parts of doing so.

Here's how to make sure your Privacy Policy covers everything Google needs you to cover so you can compliantly use its API services.


API Services

Google API Services is a set of tools known as application programming interfaces. These are official technical ways for third-party applications to access Google services and data. The idea is that third parties can use the APIs to incorporate Google's data into their own services.

Some possible examples include adding a customized Google search box to a website, using Google Drive to add cloud-based working to an app, and using Google Maps to help website visitors find their nearest outlet of a retail chain and then plot directions from home.

Compliance With Google API Terms and User Data Policy

To use Google API Services you must agree to, and follow, several sets of requirements. These include the general Google APIs Terms of Service and any specific terms for accessing individual Google services.

They also include the Google API Services User Data Policy. This covers the way that using a Google API can involve accessing Google data relating to a specific user, which has privacy implications.

Complying with the User Data Policy is mandatory. If you do not comply, Google has the right to suspend or revoke your access not only to the API in question, but to all Google APIs and even to all Google products and services. If you rely on the API, this suspension or revocation could mean your own product or service is no longer available to the public.

Meeting Google's Rules

For the most part, you should already meet many or all of the requirements of the Google API Services User Data Policy if you have an established Privacy Policy. It's still worth reviewing the Google requirements to make sure you are indeed fully compliant. For example, some of the Google requirements may go beyond the measures you need to take to comply with the privacy legislation that affects your operation.

The policy is broken down into several themes, most of which are relevant to privacy. Let's take a look at each requirement.

Accuracy

You must accurately convey three key pieces of information to both Google and any specific Google users whose data you want to access through an API:

  • Who you are
  • What data you want to access
  • Why you want to access the data

Here's the specific wording in the Google API Services User Data Policy:

Google API Services User Data Policy: Identity and Intent requirements list

The policy requires that you provide whatever information is needed to be "clear and accurate" rather than just doing the bare minimum to meet a checklist. For example, just giving the name of your application may not be enough: You should make clear who operates the application.

Another example is that you must list all the purposes for which your application will use the data rather than just the main one.

This list from Overpass is an example of doing this in a detailed but clear way:

Overpass Privacy Policy: Use of Data clause

You also need to update your Privacy Policy if you change what data you access or how you use it. You must then tell the affected users and get fresh consent before you continue accessing and using the data.

Transparency

The User Data Policy specifically requires that you publish a Privacy Policy covering how you interact with Google user data. Here's the specific wording:

Google API Services User Data Policy: Privacy Policy and Disclosures requirements clauses

Note that you must include the URL of your Privacy Policy in the OAuth client configuration, which holds the technical settings for how your application identifies itself to Google's APIs.

However, this shouldn't be the only way you promote and highlight your Privacy Policy. Instead you should display it prominently in your application so that users are sure to see it. Google stresses the goal of providing information about your data use in ways that are "timely and shown in context."

The Microsoft web app store does this by including the Privacy Policy among other key information about each app:

Microsoft App Store: EasyMail for Gmail - Additional Information with Privacy Policy highlighted

Again, you must clearly notify users about any changes to what data you collect and how you use it. You'll then need to get the user to consent to the updated Privacy Policy.

Relevant Permissions

When selecting permission requests, you should always ask for both the minimum scope and the minimum amount of data that is strictly necessary for your application's current needs.

Here's how Google explains this point:

Google API Services User Data Policy: Request relevant permissions section

Google doesn't directly require you to address this issue in the Privacy Policy itself. However, a brief line noting that you adhere to this principle can help reassure users.

The Privacy Policy for VPN service TunnelBear addresses this in more detail, which may be because VPN users are particularly concerned about privacy:

TunnelBear Privacy Policy: Personal Data Collection and Use - What is Personal Data clause

Deceptive Use

Some of the points in the Google API Services User Data Policy are about what you do rather than what you include in your Privacy Policy. For example, you can't access data and then pass it on to a "third party conducting surveillance." You also can't use undocumented Google API Services (ones which aren't publicly listed as available).

Here's the specific wording:

Google API Services User Data Policy: Don't misrepresent data collection or use section

However, Google also specifically requires that the information you give to users, including your Privacy Policy, not be misleading. This is a broad principle rather than specific, limited guidelines. The key is that "there should be no surprises for Google users."

When it comes to your Privacy Policy, Google notes two ways to abide by this principle:

  • Tell Google and its users about any ways in which you will interact with their data.
  • Tell Google and its users who you are and (if different) who manages your application.

This clause from Hop & Up gives specific details about who operates the relevant apps:

Hop and Up Privacy Policy: Intro and About clause

Child-Directed Apps

The Google API Services User Data Policy notes that you must comply with the Children's Online Privacy Protection Act (COPPA):

Google API Services User Data Policy: Child-directed apps section

This legislation is largely about who you allow to access your services and the restrictions you must follow if your application is aimed at users aged under 13 or you know people aged under 13 are using it.

The main implications of COPPA for your Privacy Policy are that:

  • It must be displayed prominently
  • It must detail the types of information you collect, how you collect it and how you use it
  • It must detail any third-party access to data you collect
  • It must be written in a clear and simple manner

The Privacy Policy for Sesame Street's platform clearly details how it collects data:

Sesame Street Privacy Policy: Information We Collect Automatically clause

Remember that breaching COPPA not only means violating Google's Terms and Conditions. It is also considered an "unfair or deceptive trade practice" that can attract heavy fines.

Security

You must do everything "reasonable and appropriate" to stop unauthorized access to your application. Again, this doesn't have to be covered by your Privacy Policy but mentioning you do this can be reassuring for users.

Restricted Scopes

When your application accesses some Google APIs in specific ways, known as Restricted Scopes, the rules are tighter. At the time of writing, this affects access to Gmail that involves reading or creating any part of an email or accessing settings.

The additional rules include limitations on which types of applications can use the API, how they can use it, and how you prove to Google that your security is adequate.

This is the specific wording of what using Restricted Scopes entails:

Google API Services User Data Policy: Limited Use and Secure Data Handling sections

Your Privacy Policy should already include the relevant points here, namely what data you access and how you use it. It may be worth mentioning in the policy that you comply with the tighter rules. Somebody using an application that comes under Google's Restricted Scopes is likely to be particularly concerned about privacy and security, so this will give them extra reassurance.

Conclusion

Let's break down what you need to do to make sure your Privacy Policy complies with the Google API Services User Data Policy:

  • Understand that your Privacy Policy is only one part of complying with Google's rules for API use.
  • Develop and publish a Privacy Policy that clearly informs users who you are, what data you collect and how you use it. Be as clear and detailed as possible rather than doing the minimum to comply. Remember that the Google rules treat privacy as a broad principle rather than just specific technicalities.
  • Remember to update your Privacy Policy if you change what data you collect or how you use it. Inform users of the changes and get fresh consent before you continue to access their data through the Google API.
  • Review the content and display of your Privacy Policy if your service is targeted at users aged under 13 or you know that people aged under 13 are using it. You may need to display the Privacy Policy more prominently and use clearer, simpler language.
Last updated on 15 May 2020
