Since APIs became a standard building block of the web, they have been integral to how online companies and websites operate. As Google has grown and extended into different apps and systems, its APIs have become some of the most widely used and requested integrations available.

However, if your company wishes to use Google's APIs to request the data of Google users, you must follow Google's API Services User Data Policy. This policy, in particular, has a direct effect on what your company's Privacy Policy must say.

If you are already using Google's APIs or are looking to start, check what you may need to update or include in your Privacy Policy. This article walks through the requirements and shows how other companies meet them.


What are Google's API Services?

Google's API Services are the interfaces through which an outside app or website can access a Google user's data. Access is gated by an "authentication and authorization" step: the user signs in to Google and consents to the specific data (scopes) the app has asked for, and only then can the app request and collect that data.

An Application Programming Interface (API) is the defined set of calls one piece of software exposes to another. Google's APIs give outside parties programmatic access to Google systems, some of which hold users' personal data, and are commonly embedded in third-party sites and apps to add functionality and grow usership. Note that the User Data Policy specifically governs apps that request access to a Google user's data through the OAuth consent flow (for example Google Sign-In or the Gmail API); products such as Google Maps Platform, Google Translate and Google Analytics are governed by their own terms, which also carry privacy policy requirements.

Examples of Google's API Services include:

  • Google Sign-In
  • Google Maps
  • Gmail
  • Google Analytics
  • Google Translate

One of the most common Google APIs is Google Sign-In. Many websites let a new user sign up through a form, through their Facebook profile, or through their Google account.

eBay uses this option for its new users when they wish to create an account.

Screenshot of eBay sign in page

Offering options like this makes it easier for users to sign up or sign in, which in turn helps businesses convert more visitors who are willing to spend the (shortened) time to create an account. It is a win for all parties.

What Does Google Require For Your Privacy Policy if You Use its API Services?

If your company wishes to use Google's APIs to access the data of Google users, it must not only agree to the Google APIs Terms of Service but also comply with Google's requirements under the API Services User Data Policy. This Policy sets out clear requirements for what your Privacy Policy must say about your use of the APIs.

Violating the User Data Policy, or Google's other policies, could result in your company's API access being restricted or revoked.

To comply with Google's User Data Policy, your own Privacy Policy must not only be "accurate and comprehensive," but also include:

  • What type of data is collected
  • Why and how data is collected
  • Disclosure of use of APIs
  • COPPA disclosure

If you change or update your Privacy Policy, you must notify your users and give them the opportunity to accept the changes. The Privacy Policy and all change/update notifications must be clearly displayed.

Here's how Google says it:

Google API Services User Data Policy: Accurate, comprehensive and accessible requirement clause

In addition to these requirements, it's highly recommended that you include a security clause in your Privacy Policy telling the user what measures you take to protect their data and whether you share the data with outside parties.

If you develop Chrome Apps or Extensions, you'll also need to have a Privacy Policy. Learn more about that in our article "Privacy Policies for Chrome Apps and Extensions."

What Type of Data is Collected

One of the most important requirements in your Privacy Policy is disclosing what type of data is collected. This is especially important when you are using Google APIs.

Your disclosure of the data you collect must be "clear and accurate." Misrepresenting or concealing additional data that you collect could cost you your access to the API. If you begin collecting data that was not originally listed, you must update your Privacy Policy to add the new type of data.

Collecting data that wasn't listed in your Privacy Policy is never a good idea. Google also expects you to limit what you request to the "minimal, technically feasible scope" of information: in practice, ask only for the OAuth scopes a feature actually needs (basic profile information for sign-in, for example, not mailbox or calendar access). The more specific your disclosure is, the better.

Take a look at Trilio's clause on what data it collects as an example of how specific a clause like this can be:

Trilio Privacy Policy: Personal data that we collect about you clause

Microsoft, maker of one of the world's most widely used operating systems, uses multiple cookies and services to collect users' data to improve the user experience. In its Privacy Statement, it lists what data it collects for its metrics, including through Google Analytics:

Microsoft Privacy Statement: Web beacons and third party analytics clause

The cloud storage service Dropbox also uses Google APIs. One way it uses them is by allowing users to sign in to the site with their Google accounts. Dropbox includes a clause in its Privacy Policy about the collection of email addresses, log-in information, addresses, and other data when you use the service:

Dropbox Privacy Policy: Account information excerpt of What and Why information is collected clause

Dropbox doesn't explicitly name Google, but it does mention "other service providers," which tells its users that third-party services, such as Google, may be in use and accessing personal data.

Why and How Data is Collected

Google's User Data Policy is about being transparent and honest with your users. This includes disclosing why and how their data is collected. You should include the following in your Privacy Policy:

  • Why you are collecting the data
  • What it is being used for
  • How you are collecting the data

Automattic, the company behind WordPress.com, goes into great detail in its Privacy Policy about how it collects data and how the information is used:

Automattic Privacy Policy: How and why we use information - Purposes clause

Also, if data is collected for one reason but your company may use it for other purposes, those additional purposes must also be disclosed, either in your original Privacy Policy or in an update.

Your disclosures of how and why you collect the data must be clear and in simple enough language that the user can easily read and understand the reasons for the data collection.

In its clause about how it may use the information it collects, Algolia separates out each use with bullet points written in plain language. This makes for a reader-friendly experience:

Algolia Privacy Policy: How we may use this information clause excerpt

Remember to be as complete and detailed as possible, while still keeping things organized and easy to follow.

Disclosure of Use of APIs

Lying to or defrauding your users is strictly prohibited by Google. You must be open and upfront with your users about your use of APIs and the data that is collected through them.

Here's an example of how Uber discloses its use of Google APIs in its Privacy Policy. Riders can order rides through the website or the app, but they can also book a ride through Google Maps. Uber discloses that it uses APIs to collect data and specifically names Google Maps:

Uber Privacy Policy: Information created when you use our services - other sources clause excerpt

Websites that don't collect highly sensitive data (such as payment card numbers) still regularly use APIs. Dictionary.com, for example, lets users look up words and definitions for free, but it still uses Google Analytics to analyze site statistics.

In its Privacy Policy, it notes that it uses third-party services and analytics tools and that these services and tools may collect information about users and site visitors:

Dictionary com Privacy Policy: Information collected via automated technologies and interactions clause excerpt

Note how Google Analytics is named and linked from the clause, so readers can easily find more specific information about how their data is used.

Even if the only data your website collects is Google Analytics data, you'll still need to comply with Google's requirements and disclose this appropriately.

Updates or Changes to Your Privacy Policy

As technology develops, your company will change, and your Privacy Policy must keep pace. You must update your Privacy Policy if you:

  • Start collecting additional data
  • Start using new ways to collect data
  • Start using more APIs
  • Start using other services

Along with updating or changing your Privacy Policy, you must notify your users of the changes. You can do this through emails, an update notice in the policy itself, and in-product notifications such as pop-ups.

Google's own site includes an entire page dedicated to updates made to its Privacy Policy, with a statement notifying the user of each update. It also archives previous versions so users can see past changes and how those changes affected the collection of their data:

Google Privacy Policy Updates comparison screen

Email is one of the most efficient ways to notify your users: the notice goes directly to their inbox, so you don't have to wait until the user next visits your site to present the changes for acceptance.

PayPal sends out email notifications when it makes changes to its Privacy Policy or other legal agreements and tells users how they can reject those changes if they wish:

PayPal email for Privacy Policy updates

Airbnb provides an example of a pop-up, or in-product, notification of updates. Before you can complete your sign-in, a pop-up appears notifying you of changes to the Privacy Policy and giving you the opportunity to accept or decline.

Airbnb: Updated Terms and Privacy Policy - Notification with consent request

Note that this method can also be used for updates to other legal agreements, such as the Terms of Service and Payment Terms, as Airbnb has done above.

Displaying of Privacy Policy and Notifications

Where and how you display your Privacy Policy and notifications is just as important as what you disclose in them.

Google requires that your disclosures and notifications be not only clear and prominent, but timely as well.

Google API User Data Policy: Prominent and timely disclosure requirement section

Showing a pop-up when a user first visits your site, or including a link and a notice in your sign-up form as Bluehost does, would be considered timely because it comes early in the user's interaction with your site, before any data is collected:

Bluehost sign-up notification with checkbox to agree to Terms and Privacy Policy

Google also says your disclosures should be "in context." This means a link to your Privacy Policy, or a notice of an update, belongs where the user would expect to encounter it: in the sign-up form, or on the screen where they are asked to grant your app access to their Google data, rather than buried in the middle of a long post.

For the standing link to the policy itself, a footer or sidebar that appears on every page is a sensible location.

Since Pinterest is a search engine for pictures and ideas, its pages scroll endlessly through thousands of results. A footer link wouldn't work well because there is no real end to the page. Instead, Pinterest places its legal links in a menu on the side of the website:

Screenshot of Pinterest side menu links

Wherever you display links to your Privacy Policy, they should be clear and prominent so the user can easily reach them. You can include a link in:

  • Footers
  • Pop-ups
  • Sign-up forms
  • Emails

COPPA Disclosures

COPPA, the Children's Online Privacy Protection Act, is a US law that applies to websites and apps directed to children under the age of 13, and to operators who have actual knowledge that they are collecting personal information from children under 13. It regulates the collection, use and disclosure of children's personal data.

Google does allow companies whose primary or mixed audience includes children to use some Google services, but it limits which ones. If your app is directed at children, you may not use Google Sign-In or any other API Service that accesses data associated with a Google Account:

Google API User Data Policy: Child-directed apps - COPPA requirements section

Whatever your audience, your Privacy Policy should state your position on children's data. If you don't knowingly collect data from children under 13, say so and explain what you do if you discover you have; if your service is directed at children, you need the fuller disclosures COPPA requires.

Epic Games, in a Children's Privacy clause written to meet COPPA requirements, states that it doesn't intentionally target children under 13 or knowingly collect personal information from them:

Epic Games Privacy Policy: Childrens Privacy clause

On the other hand, Disney's audience is largely made up of children. Its policy has a longer and more in-depth section that directly addresses children's data:

Walt Disney Privacy Policy: Childrens Privacy clause

Summary

APIs help websites create user-friendly experiences, analyze site performance and accomplish many other important functions. Google is one of the largest API providers, and a vast number of companies rely on its services to interact with users or deliver some part of their product.

If you wish to use Google's APIs, your company must adhere to the strict requirements found in Google's API Services User Data Policy and update your Privacy Policy according to the requirements.

Follow the requirements below to protect your company from losing access to Google's APIs:

  • Disclose the data you collect
  • Disclose how and why it is collected
  • Disclose what APIs you use
  • If you make any changes to your Privacy Policy, you must notify your users
  • Display your Privacy Policy in an easy-to-find and easy-to-access location
  • If your audience includes children, or could include children, include a COPPA disclosure