A Privacy Policy for Google's API Services - TermsFeed


Last updated on 24 May 2022 by Mark Kellermeyer (Legal writer at TermsFeed)

Google API Services is a set of Application Programming Interfaces (APIs) that allow your application to interact with and use Google features. Tools such as Gmail, Maps and Login can all be used within your own application as part of these Services.

If you are a developer or owner of an application that uses Google API Services, it is important that you construct your Privacy Policy according to Google's standards as laid out in its API Services User Data Policy.

The Privacy Policy you include is so important because the Google API Services allow you to access Google user data under certain conditions, and protecting this data is a top priority.

In this article, we will discuss and provide examples of:

- How to accurately represent you and your application to your users
- How to describe to your users the security of your application
- How to comply with COPPA rules which concern children's online privacy
- How to handle restricted scopes, such as email data
- Where and how to display your policy

This will help simplify Google's API Services User Data Policy and make it easier for you to write your own Privacy Policy.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

- At Step 1, select the Website option or App option or both.
- Answer some questions about your website or app.
- Answer some questions about your business.
- Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

You'll be able to instantly access and download your new Privacy Policy.
1. Representing Yourself and Your App
2. Inform Users of Your Security Precautions
3. Special Considerations for Minors
4. Restricted Scopes: How to Handle User Email Data
4.1. Restricted Scope Data is Only For Prominent, User-Facing Features
4.2. Restricted Scope Data Transfer Rules
4.3. Don't Use Restricted Scope Data for Advertising
4.4. Allowing Humans to Read the Data is Heavily Restricted
5. Where to Display Your Privacy Policy
6. Summary of Privacy Policy Contents for Google API Services

Representing Yourself and Your App

It's very important to Google for you to be honest and transparent about what you and your app are doing with your users' data. Part of this assurance involves being upfront about who you are in the first place. Not only that, you must be specific about what data you are requesting. Some of this should be covered by the notifications that are a part of your app, but all of this will need to be acknowledged in your Privacy Policy as well.

Here's where Google sets out some requirements in its:

To summarize, your user needs to know:

- Who is requesting their data
- What data is specifically being requested
- Why the data has been requested

A great example of a Privacy Policy addressing Google's requirements is the one provided by Edison Software for its Mail app. Edison describes its app in a way that will communicate clearly and effectively with users what they can expect. You can see a clearly stated purpose of the app, and a brief description of how it works:

Later in the policy it lists specific information that will be collected, and what each is used for. For example, in the Edison Mail app, there is a specific use for commercial emails, so it is appropriately mentioned in the policy:

At the same time, Google is very clear about what you should avoid in your policy:

- Don't lie about what data you collect or why
- Don't lie about the operating environment
- Don't use undocumented APIs unless you have permission
- Don't lie about who manages your application

The undocumented APIs rule is worth mentioning because it may be a good idea to list what other applications you rely on in your Privacy Policy. This is a good way to be fully transparent about who you are working with.
To be clear, Google has stated that, "Making false representations about client credentials to Google or Google users is grounds for suspension." It can be assumed that any violation on the above points is grounds for said suspension.

Inform Users of Your Security Precautions

Another important feature of your Privacy Policy should be a description of your application security. In its User Data Policy, Google urges you to maintain your app security:

This section, though small, is very important, and is a good thing to note in your Privacy Policy. Take this passage for example, where the company describes the various ways it secures the user's data, involving encryption, and cybersecurity, but also "administrative [...] safeguards.":

Although you don't need to go into extreme detail, discussing your security measures is a good way to maintain transparency for your users.

Special Considerations for Minors

If your app is directed at children under the age of thirteen, or is for mixed-audience use (including both those above and below the age of thirteen), you will need to make special mention of the Children's Online Privacy Protection Act (COPPA).

According to Google's User Data Policy, "child-directed apps may use some Google services" but they are careful to state that you are the one responsible for obeying COPPA.

That being said, Google does provide two instructions specifically concerning the Google Sign-In API:

To summarize what Google requires here:

- If your app is directed primarily at children, it should not use Google Sign-In or any other service that requires an account.
- If your app is directed at a mixed audience, it cannot require an account, but it can offer the use of one as an optional feature.

Whichever approach you take to the COPPA rules and the direction of your app, be sure to mention the approach in your Privacy Policy.

Below is an example of an app's Privacy Policy that is not directed at children. Edison does a good job of stating its policy regarding minors very clearly and noting the consequences if the rules are broken. The company prioritizes obedience with the law and states that it will delete the data in question:

Let's look at another example of a Privacy Policy for an app with a mixed audience.
Plarium notes that through certain services, it may in fact have users under the age of thirteen. The policy goes on to state that if this is the case, it will take the necessary precautions to accept only the bare minimum of data for the service to function:

Clauses and statements like this show that you're aware of privacy laws regarding children and are making efforts to keep the data of minors secure.

Restricted Scopes: How to Handle User Email Data

If your app has anything to do with email, you may need to take extra precautions with how you handle that data and how you write your Privacy Policy.

As of January 15, 2019, Google has added a term to its User Data Policy called a Restricted Scope. A Restricted Scope is an area of data that has extra rules about how that data can be handled. For now, the only data that falls into the Restricted Scope category is anything from an email, or anything related to an email mailbox address.

It is easy to understand why Google has added these extra rules for accessing email data. The contents of an email message can be very personal. There have also been plenty of breaches in security when it comes to emails and email servers. Some apps have even found themselves in hot water for the way they have handled users' email data.

To start, Google only permits certain kinds of applications to access this Restricted Scope data:

- Email clients
- Automatic email backups
- Productivity enhancements for email
- Reporting services using email info for the benefit of the user

If your app doesn't fall into one of the above categories, then it has no business requesting email data from a user:

The way you handle the Restricted Scope data is tightly controlled by Google. It has multiple requirements for what your app can do with this data and who can see it:

We'll go through each of these requirements below.

Restricted Scope Data is Only For Prominent, User-Facing Features

The features must be prominent in the sense that the app needs to be primarily focused on the use of this data. It must be made clear from the beginning that this app uses email data, and it is not some peripheral, extra category of data for the app to use.

The features must also be user-facing, meaning you cannot simply scan through this email data for some other purpose than giving value back to the same user who gave you the data.
In terms of writing your Privacy Policy, much of this comes down to clearly identifying your app, who manages it, and what its intended use is, as discussed above.

Restricted Scope Data Transfer Rules

This data can only be transferred if:

- The transfer of data is necessary for prominent, user-facing features
- It is necessary to comply with the law
- It is part of a merger or sale of assets

This section presumably exists because of the danger of selling this private email data, or providing it as a service to people other than the user providing it. The first point is a repetition of the rule from above in that the transfer of data must be for the service of the end user, and must be clearly stated and part of the main purpose of your app.

The second two points are concessions to the fact that sometimes a legal investigation may require you to provide data as evidence. Also, in the event that your company is bought, this "transfer" of data is still considered acceptable. Note that any transfer of this kind must be accompanied with a "notice to users" as per the User Data Policy.

Since providing notice to users is required, it is a good idea to go ahead and mention these things in your own Privacy Policy to properly forewarn users of how their data can be transferred.

Here's how Edison discusses its legal compliance in its Privacy Policy:

Don't Use Restricted Scope Data for Advertising

This requirement is mentioned briefly, but it's very clear: use of any email or mailbox data for the use of advertising or targeting is strictly forbidden by Google.
Allowing Humans to Read the Data is Heavily Restricted

According to the User Data Policy, it should be assumed that no one should be reading private email data except for the person it belongs to. Though this seems like a hard and fast rule, there are actually a few reasons email data could still be read:

- You have the user's permission for specific messages
- Security purposes
- Legal compliance

These echo the points above, but there is one more way the data can be used that needs to be highlighted:

The highlighted portion is a bit complicated, so let's break it down:

- Use must be "limited to internal operations"
- Data includes derivations and must be aggregated and anonymized

Aggregated means that you cannot look at a single user's data, or a single email, but you can look at a large set of data, over a period of time for example. Anonymized means that all personal information must be removed from this data.

As you can see, the rules on using Restricted Scope data are very firm. In your Privacy Policy, you should be sure to mention if your app uses any of this data at all and be clear on how it works.

Here's another example from Edison, which states that the data is both aggregated and anonymized. This can be assuring to users, and similar language should be used in your Policy:

Where to Display Your Privacy Policy

Once you have written your Privacy Policy, you must also take special care to make it available to your users in the right place and time. Many applications have a link to the Privacy Policy in some corner of its website, but there are a couple other times when you are required to link to it:

- At the moment users will connect their Google data to your app
- Whenever changes are made to your Privacy Policy

These two things are part of Google's requirement that your Privacy Policy be "easily accessible."

You must assume that your user will want to review your policy at the moment they must decide to connect to their Google account.
Here you can see that the Edison app links its Privacy Policy and Terms of Service right from the start at its sign-in screen:

This may be related to your OAuth configuration, which Google says must include a link to your own Privacy Policy.

Whenever changes are made to your Privacy Policy, you may choose to notify the user through the app, but another common way to do so is to send an email to the associated account. Here is an example of a notification email from Asana:

Notice of changes to your Privacy Policy is also a good thing to mention within the policy itself. You can mention that changes may happen, as well as how you will go about notifying users of them.

Here's an example from Edison showing how this information can be included:

Summary of Privacy Policy Contents for Google API Services

As you can see, Google's requirements for your Privacy Policy are not far off from what you should be providing for your app and your end users anyway. Just be sure to take care of the following details and you'll be alright with Google, too:

- Read Google's API Services User Data Policy carefully
- Accurately represent who manages your app and who you partner with
- Be clear about what your app does and how it uses the user's information
- Note that deceptive use of Google API Services is prohibited
- Give a clear description of your security measures
- Take special consideration for minors to comply with COPPA laws
- Obey the Google User Data Policy when it comes to email data:
  - Understand what kind of apps can use this data
  - Only use the data for prominent, user-facing features
  - Don't use the data for ads
  - For the most part, don't let humans read the data
- Display your Privacy Policy when:
  - A user first signs up to share their Google information
  - Whenever you make a change to your policy

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.


