Last updated on 15 August 2022 by Stephen Titcombe (Legal writer at TermsFeed)
Simply put, social login is a single sign-on (SSO) technology that allows you to identify and register users on your website or app using information collected from their social media accounts.
In this article, we'll dive deep into the concept of social login integration and take an in-depth look at the privacy requirements of top social media platforms so that you're sufficiently equipped to comply with the requirements.
As a website or mobile app owner, one of your primary objectives is to get more user engagement for your services. An excellent way to support this objective is to streamline the process by which users register to use your services.
This is especially important in today's fast-paced digital world, where users can get easily discouraged by a long or complex registration process.
Social logins have gained traction in recent years and are now a leading solution for businesses to increase the number of registered users or sign-ups on their website or app.
As a faster and more convenient alternative to the standard account creation process, social logins are also a popular choice among users.
While social logins undoubtedly offer many benefits for businesses and users alike, they also raise several data privacy concerns that must be addressed.
First introduced by Facebook in 2008, social login integration is now offered by multiple social networking platforms, including Google, LinkedIn, Twitter, and Instagram, to mention a few.
By leveraging the popularity of these social media platforms, you can now allow users to create accounts on or sign in to your website/app using the same credentials they use on their social platforms, all at the click of a button.
This essentially eradicates the "tediousness" associated with creating a new account which keeps most users from doing so. In other words, no sign-up forms have to be completed, and no new passwords have to be memorized with social logins implemented.
Needless to say, this login method presents plenty of benefits, which we'll briefly go over next.
The major benefits of social logins for businesses are as follows.
The user data you gather through social login can help you tailor your website's product or service offerings to suit the individual needs of users better, thereby providing a personalized experience for each user.
That said, providing a personalized experience shows users that you're willing to go the extra mile for them and will play a huge role in building customer loyalty, which (as you know) is the bedrock of every successful business.
Nowadays, users are more likely to abandon their mission on your website or app once they are prompted to create an account in order to continue. This is especially true if your registration process is unreasonably long or complicated.
Social logins resolve this issue by making it faster and more convenient for users to register on your website or app. This, of course, decreases abandonment and increases your user conversion rate.
In sum, social logins work much better than standard account creation in turning potential customers into actual customers.
A common issue with standard account creation is the potential for users to submit inaccurate personal information in order to get through your registration process quickly.
This can corrupt your customer database and negatively impact your marketing campaigns, conversion rate, and other significant activities or metrics.
However, with social logins, the likelihood of getting inaccurate information is significantly reduced since you'll be collecting information directly from users' social media accounts.
Despite its many benefits for businesses, users, and even social media platforms (e.g., off-site tracking for ad targeting), social logins raise some privacy concerns stemming from its evident collection and transfer of personal information.
Keep in mind that personal information is generally defined as "ny type of data that can directly or indirectly identify an individual."
In other words, names/usernames, email addresses, phone numbers, profile photos, and similar details are all considered personal information.
Here's an example from Social Assurance:
Note that you may fall under the scope of several of these laws, depending on where your business is located and where your users reside. Moreover, non-compliance with any of these laws may lead to lawsuits and substantial fines or penalties.
Social logins involve collecting and transferring personal information between social media platforms and websites or apps that integrate social login buttons.
We'll dive deeper into the privacy requirements of major third-party social media platforms later in this article.
That said, prominent social media players generally require website and app developers to do the following:
Twitter was one of the early adopters of social login integration. In 2009, Twitter launched its social login button to help users quickly and conveniently sign in to any website or app that integrates the Twitter login feature. This way, users can easily circumvent any long or tedious registration process.
Here's how Twitter displays this:
In terms of privacy requirements, developers must maintain a reasonable level of commitment to the privacy and control of users when employing any of Twitter's services. In keeping with these principles, developers must do the following:
Failing to comply with these requirements can result in an enforcement action, including suspension and termination from employing Twitter's services:
Further below in its Developer Policy, Twitter expands on how developers can comply with the requirements outlined above. Let's go over each in turn.
In an effort to give users more control over their information, Twitter requires you as a developer to obtain "express and informed" consent from users before doing any of the following:
You can take this same approach to implement a Twitter social login button with your mobile app, as the Poll Pay app has done here:
Now let's look at how Google directs this process and what it requires from websites or apps that choose to use its social login feature.
Google is one of the top providers of social login integration, as a substantial number of websites and apps use its sign-in button.
Here's how Google presents these requirements in its API Services User Data Policy:
Like most social login providers, Google requires developers to obtain consent before collecting and using personal information.
In particular, Google requires you as a developer to:
Here's how this is displayed:
It's important to note that failure to comply with any of Google's policies may cause Google to "revoke or suspend" your access to all Google products and services:
Once users click the Google login button, they are prompted to enter their Google sign-in credentials and are informed that Google will share their basic information with Tinder if they wish to continue. In doing this, Tinder has fulfilled its consent requirements:
Now let's look at what you'll need to do if you integrate the Facebook login feature on your website or app.
As the first and most popular provider of social login integration, Facebook's login button is widely used by websites and apps the world over. Like other social logins, Facebook login improves user experience by allowing users to quickly sign up on a website or app without having to fill out a form or create a password.
However, developers must observe Facebook's regulations in order to enjoy the benefits of its login integration.
For additional guidance on Facebook login integration, check out Facebook's article here with some of the company's suggested best practices.
Now let's take a look at Facebook's privacy requirements for developers.
Here's how Facebook displays these requirements in its developer terms:
Meta's Developer Policies includes a section titled "Give people control" that clearly outlines several requirements developers must observe with regard to users' information.
Among other requirements, developers must "obtain consent from users before publishing content or taking any other action on their behalf."
Pinterest allows users with a Facebook account to log in automatically through its prominently displayed Facebook login button.
To obtain user consent, Pinterest informs users that it will connect their Facebook account to Pinterest if they click the continue button, as shown below:
You can implement a Facebook login button on a mobile app as well, as seen here from the Million Steps app:
Next up we'll check out how Apple directs users of its login functionality to implement it and disclose it properly.
As one of the biggest tech companies in the world right now, Apple needs no introduction. Not surprisingly, the Apple login button is among the most widely used social logins on websites and apps worldwide alongside Facebook and Google. With the Apple login button, users can now use their Apple ID to quickly sign in to any website or app that offers Apple login functionality, thereby circumventing the standard sign-up process.
This document briefly explains how the Apple login button works and specifies several guidelines developers must follow to be considered compliant. They are as follows:
In addition to these requirements, you must take note of Apple's Usage Guidelines for Websites and Other Platforms, most notably the prohibited uses, as seen below:
Now let's go over Apple's privacy obligations for developers on its platform.
Here's how Apple displays these provisions:
Like other major social platforms, Apple's consent requirements are explicitly addressed in its policies.
To comply accordingly, you must obtain consent from users before collecting their personal information. You must also get the approval of users before changing how you use personal information. Here's how it's stated in the Developer Program License Agreement:
Bumble also clarifies what happens to users' information when they disconnect the social login feature and how to stop all access to their information:
If your mobile app allows users to sign in with their existing Apple accounts, you can add such a button to your app's initial screen that users will see upon opening your app for the first time.
LinkedIn is next on our list of social login integrations and privacy requirements. Let's look at what it requires and how to comply.
As the leading social media platform for professional networking and career development, LinkedIn is highly relevant, especially in the B2B space.
Like other social logins, the LinkedIn login button reduces friction and helps business obtain more sign-ups for their websites and apps without the need to fill out a registration form.
Let's briefly go over these requirements.
Here's how LinkedIn displays these requirements:
Like most other social networking platforms, LinkedIn requires developers to obtain consent from users before taking any action on their accounts or personal information.
To that effect, LinkedIn provides specific guidelines you must observe to get legally valid user consent. They are as follows:
Indeed includes a "Log in with LinkedIn" button along with other third-party social logins to help applicants with LinkedIn profiles quickly sign in to their Indeed account:
When applicants click the login button and provide their LinkedIn sign-in information, Indeed seeks their consent to use their names, email addresses, and profile photos:
In 2012, Instagram was acquired by the multinational tech conglomerate, Meta Platforms (also known as Facebook's parent company). As a subsidiary of Meta, Instagram is now governed by the same set of developer rules that apply to Facebook.
In other words, the technical requirements and privacy obligations for the Facebook login button (as described in the Facebook section of this article) also apply to the Instagram login button.
Here's how Meta discloses this update in its Developer Policies, in an information box at the top of the page:
To recap, here are the key things to keep in mind when implementing the Instagram login button:
You've likely seen the option to log in to a site or app via your existing Instagram account, like this one:
For our final social login integration, we will take a look at how Amazon does this.
Although less commonly used than other social logins, Amazon login works just as well for businesses and users. It presents a quick and efficient solution for users to register or sign in to a website or app without having to fill out the standard registration form.
Admittedly, Amazon's privacy requirements for websites and apps aren't particularly comprehensive. The most notable privacy requirement for developers is to provide a Privacy Notice URL in the applicable section of their website or app:
Let's see an example.
Aoyue allows users to skip the standard login method and sign in through its Amazon login button while outlining the advantages of doing so:
Although the phrasing is not so easy-to-follow, Aoyue essentially lets users know that details like user ID, name, and email address will be collected when they use the Amazon login button but only after receiving express consent.
The highlighted sections above state as follows:
"Using the Amazon login button on our website allows you to log in or register on our website using your Amazon user data. Only if you give your express consent in accordance with Art. 6 (1) point a GDPR prior to the registration process based on a corresponding notice about the exchange of data with Amazon, will we receive the publicly accessible information stored in your profile when you use the Amazon button, depending on your personally made data protection settings. This information includes the user ID, name, address, email address, age, and gender"
As a developer, integrating a social login button undoubtedly presents benefits for your website or app. However, to implement these buttons appropriately, you need to observe certain privacy obligations.
Although the requirements are slightly different for each social login button outlined above, the core concept remains the same for all.
Regardless of which social login buttons you wish to use, here are the takeaways to ensure a compliant login integration:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.
15 August 2022