Creating a Privacy Policy When Using Instagram's API

Written by FreePrivacyPolicy Legal Writing Team and last updated on 01 July 2022.

The Instagram application programming interface (API) has become one of the internet's favorite tools for instantly loading trending photo feeds into websites and apps. If you've used it as a tool for your online business, then you know the possibilities for the Instagram API are virtually endless.

Since you undoubtedly read every word of Instagram's Platform Policy upon installing the API, then you already know Instagram's requirements regarding privacy.

Oh, you haven't read the Platform Policy? Shocking!

It's true that most business owners do not read every word of fine print for the online applications and tools they integrate into a website or app. Regardless, it's still important to know the basic requirements you're agreeing to when you click the "Agree" button.

In the case of the Instagram API, one of those requirements is a Privacy Policy. We'll help you skip reading that fine print and let you know what you should do.

Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.

  1. Click on the "Free Privacy Policy Generator" button, located at the top of the website.
  2. Select where your Privacy Policy will be used:

    FreePrivacyPolicy: Privacy Policy Generator - Select platforms where your Privacy Policy will be used - Step 1

  3. Answer a few questions about your business:

    FreePrivacyPolicy: Privacy Policy Generator - Answer a few questions about your business - Step 2

  4. Enter the country and click on the "Next Step" button:

    FreePrivacyPolicy: Privacy Policy Generator - Enter the country - Step 2

  5. Continue building your Privacy Policy while answering questions from our wizard:

    FreePrivacyPolicy: Privacy Policy Generator - Answer on questions from our wizard - Step 3

  6. Almost done. Now enter the email address where you'd like your new Privacy Policy sent, click on the "Generate" button, and you're done.

    FreePrivacyPolicy: Privacy Policy Generator - Enter your email address - Step 4

    That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.

Instagram API Requirements for Privacy Policies

The Platform Policy for Instagram's API is pretty lengthy, but there are only three sections that specifically mention Privacy Policies:

Instagram Platform Policy: Privacy Policy sections

As you can see, Instagram states several requirements regarding Privacy Policies for anyone who wants to use the API service. First and foremost is a public and accessible Privacy Policy.

This policy should include the following information:

  • What kind of personal data you collect
  • How the data you collect is used
  • How the data is shared
  • How data is treated in relation to advertising and cookies

Finally, you must be prepared to comply with your own Privacy Policy. Otherwise, what's the point?

What Clauses Does Your Privacy Policy Need?

By now you understand that a Privacy Policy will be necessary in order to work with the Instagram API at all, even if you're just using it as a login feature. According to the Instagram Platform Policy, the following clauses are the most relevant in order to work with an Instagram API:

Which Personal Information is Collected

The first requirement that Instagram mentions in regard to Privacy Policies is to tell consumers what information you are collecting about them. This section should include information you collect directly from customers as well as anonymous information like IP address and geolocation.

Luster separates this clause into different sections and makes sure to include information obtained through Instagram and other social media:

Luster Privacy Policy: The Information We Collect and or Receive clause excerpt

If you use the Instagram API to collect, display, or otherwise process end user data, you will need to mention it in this clause.

How Personal Information is Used

Next, lay out the different ways you use the personal information collected from customers.

Be as comprehensive as possible to prevent any misunderstandings with consumers in the future. Especially in cases of advertising, automated personalization or remarketing, it is important to be as transparent as possible.

Sincerely does a pretty thorough job of listing out the ways in which it uses personal information:

Sincerely Privacy Policy: How We Use Your Information clause

Sincerely notes that it uses personal information to fulfill purchases, for marketing, and to provide service and support to customers. It notes that it may send out physical mailings or emails, but that customers can opt out of this if they wish. More general uses of the information are listed as well, including things like responding to police requests, complying with laws or court orders, and helping to prevent fraud.

Third-Party Sharing of Personal Data

Most companies share customer data with other entities, if only for analytics purposes. No matter the purpose, any sharing of personal information will require a mention in your Privacy Policy. It would be a good idea to explain why personal data is shared as well, in order to retain confidence and trust with customers.

Hootsuite explains its third-party sharing practices in an easy-to-understand list format:

Hootsuite Privacy Notice: When we may share personal information clause

Note how Hootsuite specifically mentions sharing information between social media entities, which will be necessary to disclose if you use the Instagram API.

Cookies and Advertising

If you use cookies or similar technologies to collect personal information or improve your advertising efforts, Instagram requires that you explain this in your Privacy Policy. In addition, if you serve ads at all within your website or mobile application, this will also need to be mentioned.

Sincerely describes its use of cookies in the following paragraph, going on to explain why and how the cookies are used in a way that consumers can easily understand:

Sincerely Privacy Policy: Cookies and Other Information Gathering Tools clause

To disclose its advertising practices, Sincerely dedicates a different clause to spelling out how the company works with third parties to serve ads and create personalized marketing campaigns:

Sincerely Privacy Policy: Third Party Ad Servers clause

You can see here that Sincerely provides a link that users can use to opt-out of advertising. Although this step is not required by Instagram's Platform Policy, it is required by most third-party advertising providers.

User-Generated Content

This clause is not required by the Instagram Platform Policy either, but it will be necessary to include if you are allowing users to post or publish their Instagram content on your website or app. It is also a good idea if you load Instagram photo feeds that include images from anyone other than your own business.

A user-generated content clause will remind users that the content they post is public to everyone. It is also a good place to mention that your company is not responsible for what is posted by users, as well as a method of contact for those who wish to remove content after posting it.

Here is a good example of how this can be phrased, from PetCube:

PetCube Privacy Policy: Excerpt of User-Generated Content clause

Even though it is not specifically required, a clause like this one can reduce the risk of privacy disputes over content that is generated through the Instagram API.

Other Clauses to Include in Your Privacy Policy

The above clauses are the bare minimum that you will need to have in place in order to integrate the Instagram API into your online business. However, there are a number of other elements that will be required if you wish to comply with local and international privacy laws.

Large-scale privacy regulations like the following will almost certainly apply to your business:

  • General Data Protection Regulation (GDPR)
  • Children's Online Privacy Protection Act (COPPA)
  • California Online Privacy Protection Act (CalOPPA)
  • Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)

Although some of the clauses we covered above will satisfy certain stipulations set forth by privacy regulations like these, there are a few more elements to include in order to avoid potential lawsuits or legal accusations:

Effective Date and Location of Business

The latest effective date lets visitors know how often you're updating privacy measures. It's also a requirement of CalOPPA, which applies to anyone who collects personal data from California residents, which you likely do.

Most companies include this detail at the very top of the Privacy Policy, or within the introduction, as Hootsuite does in this example:

Hootsuite Privacy Notice: Effective date

The introduction is also a good place to state the physical location and a point-of-contact for your business. Of course, these details may also be placed in a contact clause towards, or usually at, the very end of your policy.

Shopify chooses to list its location and contact information in this way, at the end of its policy as its final clause:

Shopify Privacy Policy: Contact clause

You can see here that Shopify has listed the physical location of its headquarters as well as the contact information for its EU-based Data Protection Officer. The first is required for all businesses with users in the European Union (according to the GDPR), while the latter is necessary only if you need to have a Data Protection Officer in place.

Marketing Preferences and Opting Out

Almost every major privacy regulation has stipulations in place regarding user consent and marketing. Whether it's direct email marketing, personalized advertising, or remarketing campaigns, it is important that you inform customers about how their personal information is used for marketing purposes.

Both the GDPR and CAN-SPAM call for simple, easy-to-access methods for users to opt-out of direct marketing and email campaigns, while most online advertising providers require that you supply consumers with opt-out methods from personalized advertising and remarketing.

In short, opt-out options are a must for any business that implements these marketing avenues, and you need to include this information in your Privacy Policy.

Hootsuite addresses all of these objectives in the following clause:

Hootsuite Privacy Notice: Choices for processing of content, marketing emails and customized advertising clause

By including a few prominent links to opt-out interfaces, Hootsuite makes the process simple for customers to update their marketing preferences.

Access to and Security of Information

In a world where personal information is requested from every website, application, and online activity, consumers can become overwhelmed by privacy implications. They want to know who has their information, where to find it, and what's being done with it.

Make it easy for them by creating a straightforward customer interface that provides them with full access to view and edit the personal data you hold about them.

Shopify provides an explanation of how users can view and update personal information, as well as a dedicated contact link in case users have any trouble accessing that information:

Shopify Privacy Policy: Control over and access to your personal information clause

In order to satisfy GDPR requirements, it is also recommended to mention how personal data is secured and retained. Shopify mentions security in this clause:

Shopify Privacy Policy: Security clause

The company also makes sure to state how long the data is retained and under what circumstances it will be erased:

Shopify Privacy Policy: Data Retention clause

Collecting Information from Children

In most parts of the world, collecting personal information from children is illegal without explicit, well-documented permission from a parent. Most businesses do not target their websites or apps to children, but even then, it is necessary to include a clause in the Privacy Policy to declare your position on collecting personal information from minors.

Sincerely achieves this in one short but direct paragraph:

Sincerely Privacy Policy: Children's Information clause

If your online business does not offer its services to children, a statement like this is all you need to meet COPPA compliance. If you do intend to target or collect data from minors, it will be necessary to follow extensive COPPA regulations before you can do so legally.

European Consumer Rights

In order to comply with the GDPR, it will be necessary to allocate a clause that states the rights of users that are residents of the European Union.

Photobox demonstrates a concise way of writing this out:

Photobox Privacy Policy: Your Rights clause

Photobox lists each consumer right as it is stated in the GDPR, as well as instructions for how to exercise those rights.

Transferring Data Over International Borders

Especially if you have customers in the EU, transferring data between countries can be tricky. It will be necessary to use certified legal mechanisms to transfer data over international borders and explain what mechanisms you use in the Privacy Policy.

Shopify describes its international transfer policy like this:

Shopify Privacy Policy: Excerpt of international data transfer clause

Making Changes to the Privacy Policy & Do Not Track Signals

CalOPPA requires the following two elements in the Privacy Policy of any business that collects data from California residents:

  • How customers will be informed of changes to the Privacy Policy
  • How your website responds to Do Not Track signals from web browsers

Hootsuite simply lets users know that they should check the Privacy Policy periodically to stay updated with Privacy changes:

Hootsuite Privacy Notice: Changes to this Privacy Notice clause

As for DNT signals, this single sentence from Luster demonstrates a quick way to address CalOPPA's requirement:

Luster Privacy Policy: DNT clause

Once you have all of the above clauses incorporated into your Privacy Policy, you'll be covered under Instagram's Platform Policy as well as most privacy laws. Remember, however, that you have to actually comply with all the statements you make in the Privacy Policy if you expect it to be considered valid by Instagram or any other entity.

Where to Post the Privacy Policy For Instagram's API

The placement of Privacy Policy links matters. First of all, if ever a privacy dispute comes up, it could be advantageous to your case to prove that every user actively agreed to your Privacy Policy when they signed up to use your service.

An easy way to make this possible is to require each customer to click to agree to the Privacy Policy within the signup interface, as Photobox has done here:

Photobox Sign-up form with checkboxes

With this method, you can guarantee that every active user has had ample opportunity to read and agree to your Privacy Policy.

Regulations like CalOPPA and the GDPR also require that you provide easy access to your Privacy Policy throughout your website or mobile app.

On a website, this is simply a matter of including a link to the Privacy Policy within a navigation bar that permeates every page of the site, such as the footer.

This is the Privacy Policy link that appears in the footer navbar on every page of Shopify's website:

Shopify website footer

If you run a mobile app, the Privacy Policy should appear within the settings or account interface. You can see how the Privacy Policy is easily accessed from the Bitmoji settings interface:

Bitmoji mobile app: Settings menu

Once you have your Privacy Policy posted and accessible to customers, you'll be ready to roll with the Instagram API integrated into your website or mobile application. You'll be using it compliantly with Instagram's requirements and privacy laws around the world that work to protect your users.