Social ID Provider Rules for API-Transferred User Information

When a website or app visitor uses Janrain technology to quickly register on a Janrain customer property by agreeing to share profile information from an account she established with a social network or email ID provider (“IDP”) such as Facebook or Google+, the information in the form of electronic data is shared via the IDP’s API.  As a condition of accessing the API, our customers, like others seeking access,  must agree to the IDP’s API terms of service (“API ToS”) governing the use of the IDP-transferred profile data.  The API ToS are often in the form of a platform or developer policy and incorporate other terms as indicated on the IDPs respective websites.  A careful reading of each applicable IDP’s API ToS, which may include several documents as indicated on the IDPs websites, is required to understand which uses  – beyond facilitating user registration and login on customer website and apps – are permitted for IDP-transferred profile data and which are not.

The API ToS reflect privacy law requirements, such as providing users with notice of their information being requested and the purposes for which it will be used and treating IDP-transferred data consistent with the privacy statement of the recipient website or app.  (Facilitating compliance with these requirements, consent mechanisms are built into the IDP widgets that enables the transfer of consenting user’s information from the IDP to our customer.  In addition, it is easy for Janrain to include acknowledgement of a customer’s privacy statement in the user registration flow designed for a customer.)

API ToS generally encourage the use of IDP-transferred data to create a satisfying experience for the registered user on the customer website or app.  Generally, IDP-transferred data can be used to personalize site content, better understand the user through analytics, and support user-focused marketing by the company with whom the user agreed to share his or her information.  Exceptions to this general rule include LinkedIn’s ban on the use of its IDP-transferred information in connection with recruiting, lead generation, adult content, and gambling activities among others; Yahoo’s ban on using its API-transferred information to promote a myriad number of activities including “professional services regulated by state licensing regimes;” and Facebook’s ban on using its API-transferred information in connection with gambling and lotteries without prior authorization.

Using IDP-transferred data for the purposes of advertising is generally prohibited. Because Facebook makes money by offering ads on its own site, it is not surprising that Facebook prohibits other websites and apps from directly or indirectly transferring any Facebook user data to (or using it in connection with) an ad network, ad exchange, data broker, or other advertising or “monetization related toolset, even if a user consents to such transfer or use.” Facebook extends this ban to aggregate, anonymous, or derivative data obtained through use of the Facebook API.  LinkedIn’s ToS prohibit using LinkedIn API Data “for purposes of targeting advertisements.”  Like Facebook, Google prohibits transfers of its Google+ API-transferred data to third party ad brokers, ad brokers and the like.  But Google does permit a first party that isn’t a data broker to use anonymized Google API data to directly sell ads to third parties.   Last time I checked, Twitter and Yahoo were less restrictive in this regard, permitting the use of API Data in its original or anonymized form to serve as the basis for targeting advertisements while prohibiting the use of the shared content within any ad.

Because the IDPs update their respective API ToS from time to time, reviewing them on a regular basis is advised to ensure compliance.  Here are links to API ToS for some of the leading IDPs:

Facebook

Google+

Yahoo

Twitter

LinkedIn