Privacy Policy for Social Login

Want to attract new users by making it simple to create an account on your website or app? Start with a social media login button.

Social media logins allow new users to create an account by clicking a button and using the same credentials they use on their favorite social sites with your site.

This allows developers to maximize their reach by connecting with users' social media profiles so users can cross-post between their own social media profiles and websites. It also removes the tediousness of signing up for a new account that may keep some users from doing so.

Facebook began offering the service back in 2008, and Google, Twitter, Instagram, and other social platforms now provide it. At present, nearly 4.5 million websites allow users to log in with their Facebook accounts.

Social logins have as many benefits for businesses as they do for users. It reduces the number of steps between arriving on the site and buying to improve conversions. One-click logins also decrease abandonment - new users don't have yet another password to remember.

Social logins also give more accurate information about a user because it comes from their profile. Otherwise, 83 percent of users admit to filling in false information when creating new profiles.

If you intend to offer a "Log in with x" system, you'll need a Privacy Policy.

What is a Privacy Policy?

A Privacy Policy is a legal agreement that you display on your website or app. It's where you disclose to your users important facts about what personal data of theirs that you collect, how you collect it, where and how you store it, and what rights users have regarding all of this.

Anyone using your site - even if they access it via Facebook or Google - needs to have access to your Privacy Policy before you can legally collect any of their personal information. The purpose of this is to give consumers a chance to make an informed decision about whether or not they want to give you access to their personal information.

Why You Need a Privacy Policy for Social Logins

Both international laws and social media platforms require apps to feature a Privacy Policy.

The primary laws you have to contend with are California's Online Privacy Protection Act (CalOPPA) and the General Data Protection Regulation (GDPR).

California's law technically applies to California, but the nature of the internet means all companies must comply because Californians will surely be accessing their sites.

Greater privacy protections arrived in the European Union in 2018 with the GDPR.

Why do EU and California law apply to your company? Because the nature of social media means that you will inevitably find users from the state of California or one of the European Union's 28 member states.

Once those laws apply, so too do the enforcement and punishment measures associated with them. That means you're liable for lawsuits and fines.

Regardless of international law, you'll need to provide a Privacy Policy URL whenever you utilize social logins because this is part of the Terms and Conditions of using such features.

You'll learn more about Facebook, Google, Twitter, and Instagram's Privacy Policy requirements in each respective section.

We'll show you what the four big "Log in with..." players request from developers and give a few examples for each login system.

Generally, the biggest social media players want three things:

• They want to see the Privacy Policy front and center, ideally before users connect the two profiles.
• They want the Privacy Policy to be compliant with CalOPPA, the GDPR, and any relevant legislation.
• They want you to follow the guidelines you write in your own policy.

If you add social login to your website or app, you should also update your Privacy Policy to reflect this and send out an appropriate Privacy Policy update notice.

Let users know what kinds of data get shared to the social media site and whether users have control over it. The social media site will also let users know via a prompt based on information provided to the site during development and when you add the login button.

Facebook Login

Facebook Login is a secure and straightforward way for users to log into your app quickly and without generating new data.

Facebook's Platform Policy must be followed when integrating the Login with Facebook function. First, Facebook requires you to provide a Privacy Policy whenever you use Facebook for business - as a developer or otherwise.

Both the law and Facebook require you to ask for permission to access the user's data when they log in to your app with their Facebook credentials. When the user grants the authority, it gives your app seamless access to the requested data items like usernames, profile photos, and friends lists.

Where does your Privacy Policy come into play?

Facebook's platform policy requests that you "give people control."

In Facebook's words, control means gaining consent, using permissions, and not prefilling content.

It also means writing your Privacy Policy. Facebook wants a Privacy Policy that meets the following requirements:

• Publicly available
• Easily accessible
• Explains what data you collect
• Describes how you use the data
• Remains consistent with Facebook's policy

Additionally, Facebook requires that you:

• Add your Privacy Policy URL to the App Dashboard
• Include a link in any app store listings where your app is available
• Operate by your Privacy Policy

Facebook Login Privacy Policy Example

TripCase users have three options for logging in:

• Create a new account
• Sign in with Facebook
• Sign in with Google

TripCase provides a link to its Privacy Policy at the bottom of the page underneath the sign-in options.

How does TripCase meet Facebook's requirements?

First, the Privacy Policy is conspicuously placed at login. The site also added a link to the Privacy Policy in the app store, as requested:

Then, within the Privacy Policy itself, TripCase details what data it takes, how it uses it, and explicitly mentions that some information will be received through Facebook or Google's login features:

The New York Times allows social login with Facebook.

Instead of linking directly to a Privacy Policy, The New York Times adds a Help link to the bottom of the social login page.

Clicking this link will take users to all kinds of information including the Privacy Policy and the Social login FAQ that lets users know what information is shared with social networks.

Users are told in the general Privacy Policy that their personal information is collected when Facebook or Google accounts are linked to their NYT account:

The New York Time's policies and linking practices are in line with what Facebook wants given that the organization doesn't mine and store data from Facebook or other social media platforms. It reiterates that users do the sharing, and that The New York Times doesn't share information without the users' permission.

Twitter Login

Just like Facebook, Twitter's Developer Policy mandates a Privacy Policy.

It requires that your Privacy Policy must:

• Inform users of what information your app collects
• Share how you intend to use the information
• Tell users whether you give user information to third parties
• Inform whether you honor Do Not Track requests
• Demonstrate how to manage cookies
• Disclose adding location information to tweets

Twitter also demands that you share your Privacy Policy BEFORE the user downloads, installs, or signs up for an account. It's possible to interpret this as being similar to Facebook's request that apps add Privacy Policy URLs to their listing in app stores when possible.

One of the differences you'll find in the Privacy Policy lies in the "Respect Users' Control and Privacy" section. If you intend to take one or more of the following actions, then you need to note it in your Privacy Policy:

• Post content on the user's behalf
• Follow/unfollow other users
• Change profile information
• Add hashtags to user's tweets
• Republic content accessed outside the Twitter API or Twitter tools
• Deploy user content for commercial promotion
• Store non-public content (i.e., direct messages)
• Share or publish private tweets or confidential information

You'll also need to get consent to perform these actions from the users if you perform these tasks after they already used the Sign in with Twitter function.

Twitter Login Privacy Policy Example

Medium allows users to Sign in with Twitter directly from its homepage.

You can see the links to the Privacy Policy placed prominently at the bottom of the page for the user to find before signing in, which meets Twitter's request.

Medium's Privacy Policy notes that Medium allows social login and that information may be collected and stored through the third-party service:

Medium may collect information like friends lists or followers, which it then uses to recommend friends or connections to follow on the Medium platform. However, the site never posts to your social media accounts with permission.

Google Login

Want to offer a Google Sign-In function to users? It operates similarly to Facebook and Twitter by providing one simple, secure way to sign in and manage accounts.

However, given the nature of Google services, the requirements differ substantially. You'll need to meet the requirements of the Google Buttons Policy.

Google Buttons Policy covers:

• Sign-In Button
• +1 button
• Google+ Badge
• Google+ Share
• Hangout Button

Google's Privacy Policy demand isn't explicit, but you get the idea with two parts of the Buttons Policy text. The first declares that you must disclose any data collection, sharing, or use that uses Google+ buttons. You can use a Privacy Policy and display Google's own link when you set up the button:

The second part refers to the EU User Consent Policy, which states that "you must ensure that certain disclosures are given to, and consents obtained from, end users in the European Economic Area."

You can interpret disclosures as a Privacy Policy.

You also need to stick to your Privacy Policy, and you shouldn't change it without giving advance notice and requesting new consent.

Google also explicitly shares what information you're not allowed to collect and store including:

• Credit card details
• Bank account information
• Driver's license numbers
• Social security numbers
• Any other sensitive personal information

You may only collect the data only when you need to collect payment.

Google is also particularly wary of EU privacy laws, at least on paper. The firm focuses heavily on making everything conspicuous and easy to read. Some of Google's rules include:

• Make the Log in with Google button as prominent as other buttons
• Make it easy to know what Google account users connected
• Make signing in and out of the Google account and app easy to do
• Never sell or transmit data about a user related to their use of a Google button

Both the developer policy and the button policy require a Privacy Policy that acknowledges:

• What information you collect
• What you do with the data
• Compliance with EU user consent policy

Google Login Privacy Policy Example

Pinterest uses a "Continue with Google" button on its login page:

It meets Google's request to include the Privacy Policy before linking accounts by adding a small link directly below the buttons where it's easily spotted.

Pinterest notes its social login mechanisms in multiple points in its Privacy Policy including right at the beginning under the section where data collection is disclosed.

If you log in with your Google account, Pinterest will obtain information from the Google account. The service reminds you that it's up to you to check what your privacy settings on your Google account allow you to share.

The Privacy Policy also shows you how to link and unlink your social media profiles from your Pinterest settings.

Finally, Pinterest notes that users can choose to share their Pinterest account data on other services like Google. Though, these would apply more to Facebook and Twitter than Google, Google+, or other services like YouTube.

Instagram Login

According to Instagram's Platform Policy, your site or app needs to adhere to some terms if you wish to use the Login with Instagram feature, including the following:

• Have transparency about your company and app
• Offer a public Privacy Policy sharing how you collect and store information
• Disclose third-party data sharing in your policy
• Live up to your Privacy Policy
• Provide a way for users to request you to remove content or information and follow through with the removal

Instagram Login Privacy Policy Example

LIKEtoKNOWIt is an app built for social media and thrives on Instagram.

When users sign up for a new account, they can either log in with Instagram or create a new account and then link it to their Instagram if they choose.

Instagram's Privacy Policy is linked to the bottom of the Log in With Instagram page:

When you log in, you'll also receive a prompt to read and agree to the LIKEtoKNOWit End User Agreement, Terms of Service, Privacy Policy, and Cookie Policy:

The Policy itself tackles Instagram's request to note the information collected and tracked, data use and data sharing. While the login with Instagram feature isn't specifically mentioned, the Policy is very thorough and informative when it comes to what data it collects and how.

It also offers points on California (CalOPPA) privacy rights and the rights afforded to those in the EU and EEA under the GDPR.

Summary

If you use social login functionality on your website or app, you need a Privacy Policy according to laws and to the social media platforms providing you with their login feature.

Be clear and transparent about what data you receive, how you use it, and how users can manage sharing between the two. Every social login function comes with a set of guidelines and preferences to guide you, and they tend to mirror the law as well as personal preferences like placing Privacy Policy URLs in the app store listing when possible.

Follow the law and developer guidelines and your site will benefit from compliantly allowing users to login quickly and conveniently.