The Instagram application programming interface (API) has become one of the internet's favorite tools for loading trending photo feeds into websites and apps. If you've used it for your online business, then you know the possibilities for the Instagram API are virtually endless.
Since you undoubtedly read every word of Instagram's Platform Policy before integrating the API, you already know Instagram's requirements regarding privacy.
Oh, you haven't read the Platform Policy? Shocking!
It's true that most business owners do not read every word of fine print for the online applications and tools they integrate into a website or app. Regardless, it's still important to know the basic requirements you're agreeing to when you click the "Agree" button.
- Instagram API Requirements for Privacy Policies
- Which Personal Information is Collected
- How Personal Information is Used
- Third-Party Sharing of Personal Data
- Cookies and Advertising
- User-Generated Content
- Effective Date and Location of Business
- Marketing Preferences and Opting Out
- Access to and Security of Information
- Collecting Information from Children
- European Consumer Rights
- Transferring Data Over International Borders
Instagram API Requirements for Privacy Policies
The Platform Policy for Instagram's API is pretty lengthy, but only three of its sections specifically mention Privacy Policies. Taken together, they require your policy to include the following information:
- What kind of personal data you collect
- How the data you collect is used
- How the data is shared
- How data is treated in relation to advertising and cookies
Which Personal Information is Collected
The first requirement that Instagram mentions in regard to Privacy Policies is to tell consumers what information you are collecting about them. This section should cover information you collect directly from customers as well as information collected automatically, such as IP addresses and geolocation data. Don't describe the latter as anonymous: under the GDPR, an IP address or a precise location is personal data when it can be tied to an individual.
Luster separates this clause into different sections and makes sure to include information obtained through Instagram and other social media.
If you use the Instagram API to collect, display, or otherwise process end user data, you will need to mention it in this clause.
How Personal Information is Used
Next, lay out the different ways you use the personal information collected from customers.
Be as comprehensive as possible to prevent any misunderstandings with consumers in the future. Especially in cases of advertising, automated personalization or remarketing, it is important to be as transparent as possible.
Sincerely does a pretty thorough job of listing out the ways in which it uses personal information.
It notes that personal information is used to fulfill purchases, for marketing, and to provide service and support to customers. It notes that it may send out physical mailings or emails, but that customers can opt out of these if they wish. More general uses are listed as well, including responding to police requests, complying with laws or court orders, and helping to prevent fraud.
Third-Party Sharing of Personal Data
Hootsuite explains its third-party sharing practices in an easy-to-understand list format.
Note how Hootsuite specifically mentions sharing information between social media entities, which will be necessary to disclose if you use the Instagram API.
Cookies and Advertising
To disclose its advertising practices, Sincerely dedicates a separate clause to spelling out how the company works with third parties to serve ads and create personalized marketing campaigns.
Sincerely also provides a link that users can follow to opt out of personalized advertising. Although this step is not required by Instagram's Platform Policy, it is required by most third-party advertising providers.
User-Generated Content
A user-generated content clause is not required by the Instagram Platform Policy either, but it will be necessary to include if you are allowing users to post or publish their Instagram content on your website or app. It is also a good idea if you load Instagram photo feeds that include images from anyone other than your own business.
A user-generated content clause will remind users that the content they post is public to everyone. It is also a good place to mention that your company is not responsible for what is posted by users, as well as a method of contact for those who wish to remove content after posting it.
PetCube offers a good example of how this can be phrased.
Even though it is not specifically required, a clause like this one can reduce the risk of privacy disputes over content that is generated through the Instagram API.
The above clauses are the bare minimum that you will need to have in place in order to integrate the Instagram API into your online business. However, there are a number of other elements that will be required if you wish to comply with local and international privacy laws.
Depending on where your users are located and how you contact them, large-scale privacy regulations like the following are likely to apply to your business:
- General Data Protection Regulation (GDPR)
- Children's Online Privacy Protection Act (COPPA)
- California Online Privacy Protection Act (CalOPPA)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Although some of the clauses we covered above will satisfy certain stipulations set forth by privacy regulations like these, there are a few more elements to include in order to avoid potential lawsuits or legal accusations:
Effective Date and Location of Business
The latest effective date lets visitors know how often you're updating your privacy measures. It's also a requirement of CalOPPA, which applies to anyone who collects personal data from California residents, which you likely do.
The introduction is also a good place to state the physical location of your business and a point of contact. Of course, these details may instead be placed in a contact clause, usually at the very end of your policy.
Shopify chooses to list its location and contact information this way, at the end of its policy as its final clause.
Shopify lists the physical location of its headquarters as well as the contact information for its EU-based Data Protection Officer. The first is required under the GDPR for all businesses with users in the European Union; the latter is necessary only if your processing activities oblige you to appoint a Data Protection Officer.
Marketing Preferences and Opting Out
Almost every major privacy regulation has stipulations in place regarding user consent and marketing. Whether it's direct email marketing, personalized advertising, or remarketing campaigns, it is important that you inform customers about how their personal information is used for marketing purposes.
Both the GDPR and CAN-SPAM call for simple, easy-to-access methods for users to opt out of direct marketing and email campaigns, while most online advertising providers require that you give consumers a way to opt out of personalized advertising and remarketing.
Hootsuite addresses all of these objectives in a single clause.
By including a few prominent links to opt-out interfaces, Hootsuite makes the process simple for customers to update their marketing preferences.
Access to and Security of Information
In a world where personal information is requested from every website, application, and online activity, consumers can become overwhelmed by privacy implications. They want to know who has their information, where to find it, and what's being done with it.
Make it easy for them by creating a straightforward customer interface that provides them with full access to view and edit the personal data you hold about them.
Shopify provides an explanation of how users can view and update personal information, as well as a dedicated contact link in case users have any trouble accessing that information.
To satisfy GDPR requirements, it is also recommended to state how personal data is secured and how long it is retained. Shopify mentions security in the same clause.
The company also makes sure to state how long the data is retained and under what circumstances it will be erased.
Collecting Information from Children
Your policy should state whether your service is directed at children and whether you knowingly collect data from them. Sincerely achieves this in one short but direct paragraph.
If your online business does not offer its services to children, a statement like this is all you need to meet COPPA compliance. If you do intend to target or collect data from minors, it will be necessary to follow extensive COPPA regulations before you can do so legally.
European Consumer Rights
In order to comply with the GDPR, it will be necessary to include a clause that states the rights of users located in the European Union.
Photobox demonstrates a concise way of writing this out.
Photobox lists each consumer right as it is stated in the GDPR, along with instructions for how to exercise those rights.
Transferring Data Over International Borders
If personal data leaves the jurisdiction in which it was collected (for example, moving from EU users to servers in the United States), the GDPR requires you to disclose the transfer and the safeguards you rely on for it. Shopify describes its international transfer policy in a dedicated clause.
CalOPPA additionally requires you to disclose how your website responds to Do Not Track (DNT) signals from web browsers. A single sentence from Luster demonstrates a quick way to address this requirement.