Privacy Policy if You Use Instagram's API

by Jennifer L. Legal writer.

You must have a Privacy Policy in place if you connect to Instagram's Application Programming Interface (API). This requirement is part of Instagram's own Platform Policy.

The Privacy Policy will tell users:

  • The specific type of information you collect from them
  • What happens to that information, i.e., how it's stored, processed, and used by you

The Privacy Policy must be publicly accessible, meaning that your app users can find the Policy and read its terms. This helps give Instagram users, or Instagram app users, more awareness about what happens to their data, which is in line with evolving privacy and data protection law.

Having a Privacy Policy makes it possible for businesses using Instagram's API to continue processing customer data, whether it's for marketing purposes or simply app functionality.

We'll break down Instagram's requirements more and show you how to create a Privacy Policy that satisfies the Platform Policy.


Instagram's Platform Policy

The Platform Policy sets out what terms users and developers agree to when they use the API:

Instagram Platform Policy: Introduction clause

Section 8

Section 8 of the Platform Policy stipulates that you must provide a Privacy Policy explaining the information you collect and how you use it:

Instagram Platform Policy: Publicly accessible Privacy Policy requirement clause

8. Provide a publicly accessible privacy policy that tells people what you collect and how you will use this information.

The Privacy Policy must be free to view and easily found. It should always be available.

Let's look at Facebook. Facebook provides a link to its Privacy Policy (Data Policy) in the website footer, which means that users can view it at any point:

Facebook footer with Privacy link highlighted

When you click through to the Privacy Policy, it tells users what information the app collects and how the information is used:

Facebook Data Policy: Information Collect clause

By clicking on "Instagram Settings," users have the option to limit the information they share. Facebook and Instagram both empower users.

Facebook's Privacy Policy is twofold because it includes a whole separate section dedicated to data use:

Facebook Data Policy: Excerpt of How do we use this information clause

The Policy includes detailed information about the data it collects, and how it uses it. These clauses will be slightly different for every app.

What you'll also note is that Facebook provides a direct link to Instagram's own Terms of Use.

Users may view both Policies before proceeding.

Section 9

Section 9 of the Instagram Platform Policy addresses third party matters.

Commonly, developers allow third parties to either market through their platform using advertisements, or they let third parties place cookies on user devices to better target their marketing strategies.

While this practice is still fine, section 9 states that you must disclose any third party involvement to users:

Instagram Platform Policy: Disclose third party activity requirement clause

9. If you allow third parties to serve content, including advertisements, or collect information directly from visitors, including placing or recognizing cookies on visitors' browsers, disclose this in your privacy policy.

Let's use Twitter as an example. Twitter complies with section 8 of the Platform Policy by making its Privacy Policy freely accessible to users, and prospective users, from its homepage:

Twitter footer with Privacy Policy link highlighted

When we click on "Privacy Policy" we go straight to a detailed Policy outlining, firstly, why Twitter needs to collect personal information:

Twitter Privacy Policy: Information You Share With Us clause

The Policy also explains how the information is used by Twitter:

Twitter Privacy Policy: How information is used clause

So far, so good. What about section 9, though? Twitter dedicates a whole section of its Privacy Policy to how data is shared with and used by third parties.

Twitter explains that if you click on an external advertisement or link, then the advertiser may find out, through data exchange, that you found their link on Twitter:

Twitter Privacy Policy: Links clause

It also says cookies are only used when necessary to ensure site functionality:

Twitter Privacy Policy: Cookies clause excerpt

Twitter is also open about its third party data sharing policy. It explains why it uses advertisements, and how it chooses its partners:

Twitter Privacy Policy: Advertisers and Other Ad Partners clause excerpt

A whole subsection of the Privacy Policy covers how users control the data they share with third parties through the platform. Twitter lets users control much of the data that gets shared with advertisers or third parties:

Twitter Privacy Policy: Sharing You Control clause excerpt

However, there's still data that Twitter can share without seeking user consent. The app is transparent about this. It explains that it only shares so much data as is necessary to ensure application functionality:

Twitter Privacy Policy: Service Providers clause

Section 10

By no means the least important of the three relevant subclauses in the Platform Policy is section 10. Section 10 states that in order to access the Instagram API, you must comply with your Privacy Policy.

It's not enough just to have a Privacy Policy. You must actually adhere to its terms:

Instagram Platform Policy: Comply with your Privacy Policy requirement clause

10. Comply with your privacy policy.

Instagram could enforce this clause against you and remove your app from its API if you fail to adhere to this section.

Instagram Requirement Summary

You need a Privacy Policy if you plan on accessing Instagram's API. Your Privacy Policy must comply with Instagram's Terms of Use and its Platform Policy.

You must:

  • Make sure everyone who wants to see your Privacy Policy knows it's there
  • Ensure everyone can freely access this Privacy Policy without making payments or downloading anything
  • Tell users what data you collect about them, and how you handle this data
  • Explain what access third parties have to the information you gather
  • Stick to the terms of your own Privacy Policy

Now, it's time to figure out how to draft a Privacy Policy of your own.

Creating a Privacy Policy That's Compliant With Instagram's API

Instagram's Platform Policy lists many requirements for apps planning on connecting to the API. Aside from the clauses above, there are other things your Privacy Policy must contain to remain compliant.

Contact Details

Section 7 of the Platform Policy says that users must be able to contact the developers for support and further information:

Instagram Platform Policy: Contact requirement clause

7. Provide meaningful customer support for your app, and make it easy for people to contact you.

Twitter, for example, sets out who users should contact based upon their geographical location:

Twitter Platform Policy: Contact information clause

Similarly, Pinterest sets out its contact details at the end of its Privacy Policy. Again, it explains who the relevant data controller is and where users should direct their queries:

Pinterest Privacy Policy: Contact information clause

Compliance

Section 35 of Instagram's Platform Policy states that developers must avoid exposing Instagram to legal liabilities:

Instagram Platform Policy: Comply with laws and regulations clause

35. Comply with all applicable laws or regulations. Don't provide or promote content that violates any rights of any person, including but not limited to intellectual property rights, rights of privacy, or rights of personality. Don't expose Instagram or people who use Instagram to harm or legal liability.

To comply, for example, Twitter specifies that only users aged 13 and over may use its services:

Twitter Privacy Policy: Children and Our Services clause

Publing dedicates a whole clause to legal compliance. It explains that the company will always cooperate with law enforcement and abide by laws and regulations:

Publing Privacy Policy: Compliance with Laws and Law Enforcement clause

Another great clause to include is something like Pinterest's disclosure clause. The platform explains when it's obliged to share information with law enforcement, which shows that it's committed to legal compliance:

Pinterest Privacy Policy: Share information with law enforcement agencies clause

Data Security

Instagram says, in section 27 of its Platform Policy, that developers connecting to its API must commit to protecting data from unauthorized access and use:

Instagram Platform Policy: Protect information clause

27. Protect the information you receive from us against unauthorized access, use, or disclosure. For example, don't use data obtained from us to provide tools that are used for surveillance.

To comply with this Policy, Publing explains exactly how it safeguards information while still limiting its liability for unforeseen issues:

Publing Privacy Policy: Security clause

Photo app Flickr keeps its security clause broad. The wording means that Flickr's only obliged to take reasonable steps to keep data secure, which mitigates its responsibility. This is a great idea for developers:

Flickr Privacy Policy: Security clause

User Generated Content

Given the nature of Instagram's platform, it's unsurprising that the Platform Policy contains numerous clauses dedicated to regulating what happens to user generated content.

Section 11 states that apps must respect any restrictions that a content owner places on their own generated content:

Instagram Platform Policy: Comply with any requirements or restrictions clause

11. Comply with any requirements or restrictions imposed on usage of Instagram user photos and videos ("User Content") by their respective owners. You are solely responsible for making use of User Content in compliance with owners' requirements or restrictions.

Tumblr makes it clear that, although users can restrict who sees their content, it is an app designed for public sharing. However, Tumblr still takes steps to ensure that it complies with user specified requirements where possible. What's important is that the app is only obliged to take reasonable steps, which is key for any app provider:

Tumblr Privacy Policy: User Content clause

Anyone who uses Tumblr, then, should understand that their own content is easily shared. Basically, Tumblr can't give any guarantees about what happens to content once it's uploaded and viewable on the internet.

At clause 12, Instagram expects API users to promptly remove its users' content and other personal information upon request:

Instagram Platform Policy: Remove user content clause

12. Remove within 24 hours any User Content or other information that the owner asks you to remove.

It's unwise to warrant that you'll remove data so promptly because it's impossible to personally monitor the data 24 hours a day. To work around this, Tumblr tells users that content removal, or account deletion, is effective almost immediately. However, there's no guarantee that all user content will be removed if, for example, it has been reblogged:

Tumblr Privacy Policy: Delete account clause

Similarly, WhatsApp tells users that it only stores personal information, and user content, until a user deletes their account. Significantly, WhatsApp doesn't warrant that it'll remove the data within a 24 hour period, because the app can't reasonably guarantee this is the case:

WhatsApp Privacy Policy: Managing and Deleting Your information clause

The general principle throughout Instagram's Platform Policy is that you should only store as much data as necessary to provide the app's service, and that you shouldn't store it any longer than necessary.

This is emphasized in section 14:

Instagram Platform Policy: Store user content for necessary period clause

14. Only store or cache User Content for the period necessary to provide your app's service.

Pinterest only keeps user data for long enough to provide the user with essential services. Importantly, Pinterest doesn't warrant that it always removes every trace of a user's data.

Instead, it sometimes randomizes and anonymizes this data. This then doesn't place an onerous burden on the developers to ensure every strand of a user's data is removed from its systems:

Pinterest Privacy Policy: Data retention clause

It's often necessary to collect and store data such as a user's IP address or location to provide them with the right services and relevant content.

Twitter explains this in its Privacy Policy, and explicitly ties storing and collecting this data back to essential site services:

Twitter Privacy Policy: Location Information

Remember, every Privacy Policy is unique. What's important is that you familiarize yourself with Instagram's Platform Policy and draft your own Policy in line with its terms.

How to Create a Privacy Policy for Your Website

PrivacyPolicies.com: Privacy Policy Generator - How to Create your Privacy Policy

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.

    PrivacyPolicies.com: Privacy Policy Generator - Select platforms - Step 1

  3. Add information about your business: your website and/or app.

    PrivacyPolicies.com: Privacy Policy Generator - Add your business info - Step 2

  4. Select the country:

    PrivacyPolicies.com: Privacy Policy Generator - Add your business info - Step 2

  5. Answer the questions from our wizard relating to what type of information you collect from your users.

    PrivacyPolicies.com: Privacy Policy Generator - Answer questions from our wizard - Step 3

  6. Enter your email address where you'd like your Privacy Policy sent and click "Generate".

    PrivacyPolicies.com: Privacy Policy Generator - Enter your email address - Step 4

    And you're done! Now you can copy or link to your hosted Privacy Policy.


Displaying Your Privacy Policy

So, you've drafted your Privacy Policy and now it's time to publish it on your website. There are a couple of places to always post your Policy.

Place a link to your Policy within your footer. This is where you'll find the first link to most Privacy Policies online.

Here's an example from WhatsApp:

WhatsApp website footer

And another example from DeviantArt, a popular art sharing site:

DeviantArt website footer

Remember, to comply with Instagram's Platform Policy, your Policy, just like your other Terms and Conditions, can't be hidden or concealed in any way.

It's a good idea to make your Privacy Policy viewable at different places across your site. Since your users navigate across your platform using app menus, this is a perfect place to link to your Privacy Policy.

For example, Venmo includes its Privacy Policy within the Settings page of its app menu:

Venmo app Settings menu screenshot

Before Signup or Information Exchange

Users must be able to view your Privacy Policy before they share data with any third party applications. It's a good idea to highlight the Privacy Policy before users even sign up for an account.

Snapchat asks you to confirm you've read their Privacy Policy before you sign up for an account, or even download the app:

Snapchat download link screen

Slice presents its Privacy Policy at its sign-up screen so it's accessible to users before they share any information:

Slice: Example of clickwrap for consent to Terms and Privacy on sign up form

Note how the sign up form has a checkbox asking users to agree to the Policy and Terms. This is called clickwrap and is a failsafe way to get users to consent to your agreements, including a Privacy Policy.

Summary

If you're a developer who plans on connecting to Instagram's API, then you must comply with its Platform Policy. To comply, you must provide a Privacy Policy that's publicly accessible, and that tells users both what information you collect about them, and how you share and handle this data.

You must also enforce your Privacy Policy. Moreover, you must provide clear ways for users to delete their account and remove their data from your app in a timely manner. Most important, you must be willing to comply with state, international, and domestic laws.

It's not enough to create a Privacy Policy. It must be published on your website, and users must have the opportunity to read it before they download your app or sign up for an account. Get consent to it using a method such as clickwrap.

Last updated on 18 May 2020
