Privacy Policies In the Age of Social Login

There is, understandably, a degree of caution on the part of internet users when it comes to sharing data online, and it ebbs and flows based on security stories brought to light. Privacy is often at the forefront of people’s minds, especially with the growing number of websites that we trust will keep our personal data secure. Combine this caution with the ease with which social login permits end users to share their personal data with the brands and sites they choose, and suddenly, your privacy policy (which was previously skipped over) is now likely to get a good once-over by new and existing users alike. This should be seen as an opportunity to review your site’s privacy policy and ask yourself some basic questions. Is it compliant? Does it accurately convey to your end users the reason for requesting their personal data and what you will do with it?

Your privacy policy should be finely crafted, executed without complication, and it should build trust by making this statement to your end users: we care about your personal data, so this is what we are doing to protect it.

Let’s talk about best practices to comfort site visitors and build trust.

But wait… our site already has a privacy policy. Can’t we just continue to use that one if we let users sign in using Google or Facebook?

It may not be enough to leave your privacy policy unchanged. Odds are, you will be receiving substantially more personally identifiable information from your end users than you were before implementing social login, and because of this, you will need to update your privacy policy to meet the requirements of a) the social identity providers you are using for your login solution and b) any governmental entity whose purview your site and/or user base is under. In turn, your end users will evaluate your privacy policy and decide if you are a responsible custodian of their data.

Your Social Identity Provider Requirements

The requirements set out by social identity providers that support OpenID and/or OAuth are numerous but not unreasonable. For instance, Facebook states on their platform policies page that you must not use, display, share, or transfer a user’s data in a manner inconsistent with your privacy policy and that you must disclose the purpose for having this data. This requires some line-item specificity for each piece of information you’re requesting.

Social identity providers want to make sure their users are making an informed decision when they allow your application to access their data. This is why they explicitly state what information your app is requesting in their authentication flow, and most of them helpfully include direct links to your privacy policy (and app terms), as seen here.

This screen might look daunting to a site visitor. “I just want to sign in to this site,” they may wonder, “so why does this pop-up say they need my email address, relationship status and my birthdate?”

In this hypothetical use case, a quick click to that wonderfully Facebook-compliant privacy policy will reveal that their email address is required for authentication purposes, that the public profile, relationship status and date of birth are used to provide targeted content based on demographic data and, most importantly, that none of their personal information gleaned from Facebook will be turned over to a third party. As a site operator, you wouldn’t want to recommend the article “7 surprising L.A. hot-spots to meet interesting singles” to a user if they’re married and located in Seattle, and it’s certainly a good idea to explain that fact (at a high level, perhaps not literally) to your visitors in the context of your privacy policy.

Also, the site visitor might breathe a little easier knowing that their information won’t be sold to a third party who will email them at 3:30 AM and ask why they’re 35 years old and haven’t settled down yet. We all know that’s no one’s business (and the right person just hasn’t come along yet).

Legalities

Many jurisdictions have rules and regulations in place to protect the online privacy of their constituents. A thorough review of those laws should be done with the guidance of experienced legal counsel. It is a good idea to get professional guidance on the legalities of personally identifiable data even at the earliest stages of deploying social login. Social identity providers give you, the site operator, the flexibility to choose which pieces of information are asked for at the time of authentication. If a particular piece of personal data causes you to run afoul of a local regulation or would expose you to certain additional legal responsibilities which would be difficult or impossible for your business to follow, then it’d be wise to leave that off the requested data list.

On the other hand, if a piece of data requires compliance with the law and you are able to do so, stating the law and the circumstances of that compliance to your visitors is a bonus. If your site is confirmed to be COPPA-compliant after a careful examination of the data provided by your chosen identity providers, I’d recommend you state that in your privacy policy. Compliance with privacy laws equals transparency, and transparency leads to trust in your brand.

Having social login on your site shouldn’t change your priorities with regard to end users’ data. Protection of your end users’ data should always be paramount. However, because social login makes it easier for the end user to pass on their personal information with just a few mouse clicks, it does make a well-crafted and forthright privacy policy that much more vital.

Examples of stellar privacy policies

  • Mattel – A Janrain customer, Mattel’s privacy policy conforms with the requirements set out by COPPA, which states that users under the age of 13 not be asked to provide personally identifiable information. Sites like hotwheels.com and pollypocket.com don’t ask for PII; to sign up, you simply provide a username, a password, and a security question and answer.

  • Adobe – It’s a long read, but a good user experience. It’s displayed in one page and contains a table of contents full of hyperlinks that take you to anchors set within the page for its various sections. They also have a section specific to their social networking policies here.

  • Channel 4 – A UK-based site, and a Janrain customer. The language used in the privacy policy is direct, and their candor is a breath of fresh air. There is little ambiguity as to why user data is requested, what’s done with it and how they comply with UK laws and guidelines.