
The Instagram application programming interface (API) has become one of the internet's favorite tools for instantly loading trending photo feeds into websites and apps. If you've used it as a tool for your online business, then you know the possibilities for the Instagram API are virtually endless.
Since you undoubtedly read every word of Instagram's Platform Policy upon installing the API, you already know Instagram's requirements regarding privacy.
Oh, you haven't read the Platform Policy? Shocking!
It's true that most business owners do not read every word of fine print for the online applications and tools they integrate into a website or app. Regardless, it's still important to know the basic requirements you're agreeing to when you click the "Agree" button.
In the case of the Instagram API, one of those requirements is a Privacy Policy. We'll help you skip reading that fine print and let you know what you should do.
Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.
- Click on the "Free Privacy Policy Generator" button, located at the top of the website.
- Select where your Privacy Policy will be used:
- Answer a few questions about your business:
- Enter the country and click on the "Next Step" button:
- Continue building your Privacy Policy by answering the questions from our wizard:
- Almost done. Now enter the email address where you'd like your new Privacy Policy sent, click on the "Generate" button, and you're done.
That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.
- 1. Instagram API Requirements for Privacy Policies
- 2. What Clauses Does Your Privacy Policy Need?
- 2.1. Which Personal Information is Collected
- 2.2. How Personal Information is Used
- 2.3. Third-Party Sharing of Personal Data
- 2.4. Cookies and Advertising
- 2.5. User-Generated Content
- 3. Other Clauses to Include in Your Privacy Policy
- 3.1. Effective Date and Location of Business
- 3.2. Marketing Preferences and Opting Out
- 3.3. Access to and Security of Information
- 3.4. Collecting Information from Children
- 3.5. European Consumer Rights
- 3.6. Transferring Data Over International Borders
- 3.7. Making Changes to the Privacy Policy & Do Not Track Signals
- 4. Where to Post the Privacy Policy For Instagram's API
Instagram API Requirements for Privacy Policies
The Platform Policy for Instagram's API is pretty lengthy, but there are only three sections that specifically mention Privacy Policies:
As you can see, Instagram states several requirements regarding Privacy Policies for anyone who wants to use the API service. First and foremost is a public and accessible Privacy Policy.
This policy should include the following information:
- What kind of personal data you collect
- How the data you collect is used
- How the data is shared
- How data is treated in relation to advertising and cookies
Finally, you must be prepared to comply with your own Privacy Policy. Otherwise, what's the point?
What Clauses Does Your Privacy Policy Need?
By now you understand that a Privacy Policy will be necessary in order to work with the Instagram API at all, even if you're just using it as a login feature. According to the Instagram Platform Policy, the following clauses are the most relevant in order to work with an Instagram API:
Which Personal Information is Collected
The first requirement that Instagram mentions in regard to Privacy Policies is to tell consumers what information you are collecting about them. This section should include information you collect directly from customers as well as anonymous information like IP address and geolocation.
Luster separates this clause into different sections and makes sure to include information obtained through Instagram and other social media:
If you use the Instagram API to collect, display, or otherwise process end user data, you will need to mention it in this clause.
How Personal Information is Used
Next, lay out the different ways you use the personal information collected from customers.
Be as comprehensive as possible to prevent any misunderstandings with consumers in the future. Especially in cases of advertising, automated personalization or remarketing, it is important to be as transparent as possible.
Sincerely does a pretty thorough job of listing out the ways in which it uses personal information:
It notes that it uses it to fulfill purchases, for marketing and to provide service and support to customers. It notes that it may send out physical mailings or emails, but that customers can opt out of this if they wish. More general uses of the information are listed as well, including things like responding to police requests, complying with laws or court orders, and helping to prevent fraud.
Third-Party Sharing of Personal Data
Most companies share customer data with other entities, if only for analytics purposes. No matter the purpose, any sharing of personal information will require a mention in your Privacy Policy. It would be a good idea to explain why personal data is shared as well, in order to retain confidence and trust with customers.
Hootsuite explains its third-party sharing practices in an easy-to-understand list format:
Note how Hootsuite specifically mentions sharing information between social media entities, which will be necessary to disclose if you use the Instagram API.
Cookies and Advertising
If you use cookies or similar technologies to collect personal information or improve your advertising efforts, Instagram requires that you explain this in your Privacy Policy. In addition, if you serve ads at all within your website or mobile application, this will also need to be mentioned.
Sincerely describes its use of cookies in the following paragraph, going on to explain why and how the cookies are used in a way that consumers can easily understand:
To disclose its advertising practices, Sincerely dedicates a different clause to spelling out how the company works with third parties to serve ads and create personalized marketing campaigns:
You can see here that Sincerely provides a link that users can use to opt-out of advertising. Although this step is not required by Instagram's Platform Policy, it is required by most third-party advertising providers.
User-Generated Content
This clause is not required by the Instagram Platform Policy either, but it will be necessary to include if you are allowing users to post or publish their Instagram content on your website or app. It is also a good idea if you load Instagram photo feeds that include images from anyone other than your own business.
A user-generated content clause will remind users that the content they post is public to everyone. It is also a good place to mention that your company is not responsible for what is posted by users, as well as a method of contact for those who wish to remove content after posting it.
Here is a good example of how this can be phrased, from PetCube:
Even though it is not specifically required, a clause like this one can reduce the risk of privacy disputes over content that is generated through the Instagram API.
Other Clauses to Include in Your Privacy Policy
The above clauses are the bare minimum that you will need to have in place in order to integrate the Instagram API into your online business. However, there are a number of other elements that will be required if you wish to comply with local and international privacy laws.
Large-scale privacy regulations like the following will almost certainly apply to your business:
- General Data Protection Regulation (GDPR)
- Children's Online Privacy Protection Act (COPPA)
- California Online Privacy Protection Act (CalOPPA)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Although some of the clauses we covered above will satisfy certain stipulations set forth by privacy regulations like these, there are a few more elements to include in order to avoid potential lawsuits or legal accusations:
Effective Date and Location of Business
The latest effective date lets visitors know how often you're updating privacy measures. It's also a requirement of CalOPPA, which applies to anyone who collects personal data from California residents, which you likely do.
Most companies include this detail at the very top of the Privacy Policy, or within the introduction, as Hootsuite does in this example:
The introduction is also a good place to state the physical location and a point-of-contact for your business. Of course, these details may also be placed in a contact clause towards, or usually at, the very end of your policy.
Shopify chooses to list its location and contact information in this way, at the end of its policy as its final clause:
You can see here that Shopify has listed the physical location of its headquarters as well as the contact information for its EU-based Data Protection Officer. The first is required for all businesses with users in the European Union (according to the GDPR), while the latter is necessary only if you need to have a Data Protection Officer in place.
Marketing Preferences and Opting Out
Almost every major privacy regulation has stipulations in place regarding user consent and marketing. Whether it's direct email marketing, personalized advertising, or remarketing campaigns, it is important that you inform customers about how their personal information is used for marketing purposes.
Both the GDPR and CAN-SPAM call for simple, easy-to-access methods for users to opt-out of direct marketing and email campaigns, while most online advertising providers require that you supply consumers with opt-out methods from personalized advertising and remarketing.
In short, opt-out options are a must for any business that implements these marketing avenues, and you need to include this information in your Privacy Policy.
Hootsuite addresses all of these objectives in the following clause:
By including a few prominent links to opt-out interfaces, Hootsuite makes the process simple for customers to update their marketing preferences.
Access to and Security of Information
In a world where personal information is requested from every website, application, and online activity, consumers can become overwhelmed by privacy implications. They want to know who has their information, where to find it, and what's being done with it.
Make it easy for them by creating a straightforward customer interface that provides them with full access to view and edit the personal data you hold about them.
Shopify provides an explanation of how users can view and update personal information, as well as a dedicated contact link in case users have any trouble accessing that information:
In order to satisfy GDPR requirements, it is also recommended to mention how personal data is secured and retained. Shopify mentions security in this clause:
The company also makes sure to state how long the data is retained and under what circumstances it will be erased:
Collecting Information from Children
In most parts of the world, collecting personal information from children is illegal without explicit, well-documented permission from a parent. Most businesses do not target their websites or apps to children, but even then, it is necessary to include a clause in the Privacy Policy to declare your position on collecting personal information from minors.
Sincerely achieves this in one short but direct paragraph:
If your online business does not offer its services to children, a statement like this is all you need to meet COPPA compliance. If you do intend to target or collect data from minors, it will be necessary to follow extensive COPPA regulations before you can do so legally.
European Consumer Rights
In order to comply with the GDPR, it will be necessary to allocate a clause that states the rights of users that are residents of the European Union.
Photobox demonstrates a concise way of writing this out:
Photobox lists each consumer right as it is stated in the GDPR, as well as instructions for how to exercise those rights.
Transferring Data Over International Borders
Especially if you have customers in the EU, transferring data between countries can be tricky. It will be necessary to use certified legal mechanisms to transfer data over international borders and explain what mechanisms you use in the Privacy Policy.
Shopify describes its international transfer policy like this:
Making Changes to the Privacy Policy & Do Not Track Signals
CalOPPA requires the following two elements in the Privacy Policy of any business that collects data from California residents:
- How customers will be informed of changes to the Privacy Policy
- How your website responds to Do Not Track signals from web browsers
Hootsuite simply lets users know that they should check the Privacy Policy periodically to stay updated with privacy changes:
As for DNT signals, this single sentence from Luster demonstrates a quick way to address CalOPPA's requirement:
Once you have all of the above clauses incorporated into your Privacy Policy, you'll be covered under Instagram's Platform Policy as well as most privacy laws. Remember, however, that you have to actually comply with all the statements you make in the Privacy Policy if you expect it to be considered valid by Instagram or any other entity.
Where to Post the Privacy Policy For Instagram's API
The placement of Privacy Policy links matters. First of all, if ever a privacy dispute comes up, it could be advantageous to your case to prove that every user actively agreed to your Privacy Policy when they signed up to use your service.
An easy way to make this possible is to require each customer to click to agree to the Privacy Policy within the signup interface, as Photobox has done here:
With this method, you can guarantee that every active user has had ample opportunity to read and agree to your Privacy Policy.
Regulations like CalOPPA and the GDPR also require that you provide easy access to your Privacy Policy throughout your website or mobile app.
On a website, this is simply a matter of including a link to the Privacy Policy within a navigation bar that permeates every page of the site, such as the footer.
This is the Privacy Policy link that appears in the footer navbar on every page of Shopify's website:
If you run a mobile app, the Privacy Policy should appear within the settings or account interface. You can see how the Privacy Policy is easily accessed from the Bitmoji settings interface:
Once you have your Privacy Policy posted and accessible to customers, you'll be ready to roll with the Instagram API integrated into your website or mobile application. You'll be using it compliantly with Instagram's requirements and privacy laws around the world that work to protect your users.