Last updated on 15 August 2022 by Stephen Titcombe (Legal writer at TermsFeed)
Simply put, social login is a single sign-on (SSO) technology that allows you to identify and register users on your website or app using information collected from their social media accounts.
To avoid legal liability, businesses that implement social login ("sign in with" buttons or "login with" buttons) will need to provide a Privacy Policy that complies with applicable privacy laws as well as the provisions of third-party social media platforms they integrate on their website or app.
In this article, we'll dive deep into the concept of social login integration and take an in-depth look at the privacy requirements of top social media platforms so that you're sufficiently equipped to comply with the requirements.
As a website or mobile app owner, one of your primary objectives is to get more user engagement for your services. An excellent way to support this objective is to streamline the process by which users register to use your services.
This is especially important in today's fast-paced digital world, where users can get easily discouraged by a long or complex registration process.
Social logins have gained traction in recent years and are now a leading solution for businesses to increase the number of registered users or sign-ups on their website or app.
As a faster and more convenient alternative to the standard account creation process, social logins are also a popular choice among users.
While social logins undoubtedly offer many benefits for businesses and users alike, they also raise several data privacy concerns that must be addressed.
First introduced by Facebook in 2008, social login integration is now offered by multiple social networking platforms, including Google, LinkedIn, Twitter, and Instagram, to mention a few.
By leveraging the popularity of these social media platforms, you can now allow users to create accounts on or sign in to your website/app using the same credentials they use on their social platforms, all at the click of a button.
This essentially eradicates the "tediousness" associated with creating a new account which keeps most users from doing so. In other words, no sign-up forms have to be completed, and no new passwords have to be memorized with social logins implemented.
Needless to say, this login method presents plenty of benefits, which we'll briefly go over next.
The major benefits of social logins for businesses are as follows.
The user data you gather through social login can help you tailor your website's product or service offerings to suit the individual needs of users better, thereby providing a personalized experience for each user.
That said, providing a personalized experience shows users that you're willing to go the extra mile for them and will play a huge role in building customer loyalty, which (as you know) is the bedrock of every successful business.
Nowadays, users are more likely to abandon their mission on your website or app once they are prompted to create an account in order to continue. This is especially true if your registration process is unreasonably long or complicated.
Social logins resolve this issue by making it faster and more convenient for users to register on your website or app. This, of course, decreases abandonment and increases your user conversion rate.
In sum, social logins work much better than standard account creation in turning potential customers into actual customers.
A common issue with standard account creation is the potential for users to submit inaccurate personal information in order to get through your registration process quickly.
This can corrupt your customer database and negatively impact your marketing campaigns, conversion rate, and other significant activities or metrics.
However, with social logins, the likelihood of getting inaccurate information is significantly reduced since you'll be collecting information directly from users' social media accounts.
Despite their many benefits for businesses, users, and even social media platforms (e.g., off-site tracking for ad targeting), social logins raise some privacy concerns stemming from their evident collection and transfer of personal information.
As a result, websites and apps that implement social logins must provide a Privacy Policy to protect themselves from liability.
Before we examine the privacy requirements of major social media platforms, let's briefly clarify what a Privacy Policy is and why you need one before you implement social logins.
A Privacy Policy is a legal agreement that describes how your website or app collects, uses, and stores users' personal information. It also specifies how you share information with third parties, and describes the rights of users with regard to their personal information.
Keep in mind that personal information is generally defined as "any type of data that can directly or indirectly identify an individual."
In other words, names/usernames, email addresses, phone numbers, profile photos, and similar details are all considered personal information.
Importantly, you must demonstrate transparency in your Privacy Policy by including as many details as possible about your collection, use, and disclosure of personal information.
If you collect users' personal information through social logins, it's important to ensure that your Privacy Policy also mentions this.
Here's an example from Social Assurance:
It's clear that having a Privacy Policy is a great idea, but it's also required by law. Let's look more at the reasons why you actually need a Privacy Policy if you're using any social login buttons functionality.
If you implement social login buttons on your website or app, there are two major reasons you need to provide a Privacy Policy. They are as follows:
Many privacy laws worldwide require websites and apps that collect or process personal information to provide a Privacy Policy.
If you implement social login on your website or app, you'll undoubtedly need a Privacy Policy since you collect users' personal information from social platforms.
Some regions and countries with privacy laws that require businesses to publish a Privacy Policy are as follows:
Note that you may fall under the scope of several of these laws, depending on where your business is located and where your users reside. Moreover, non-compliance with any of these laws may lead to lawsuits and substantial fines or penalties.
Social logins involve collecting and transferring personal information between social media platforms and websites or apps that integrate social login buttons.
To avoid potential liability, third-party social media platforms require any website or app that implements their social login button to provide a Privacy Policy.
We'll dive deeper into the privacy requirements of major third-party social media platforms later in this article.
That said, prominent social media players generally require website and app developers to do the following:
Now that we're clear on what social logins are and why a Privacy Policy is required to implement them, let's examine the privacy requirements of top social networking platforms and see how you can comply.
Twitter was one of the early adopters of social login integration. In 2009, Twitter launched its social login button to help users quickly and conveniently sign in to any website or app that integrates the Twitter login feature. This way, users can easily circumvent any long or tedious registration process.
In order to use the Twitter login button, website and app developers must comply with Twitter's rules for having a Privacy Policy. To start, developers must comply with the basic requirements for using Twitter's login button as specified in its Developer Policy. This includes:
Here's how Twitter displays this:
In terms of privacy requirements, developers must maintain a reasonable level of commitment to the privacy and control of users when employing any of Twitter's services. In keeping with these principles, developers must do the following:
Failing to comply with these requirements can result in an enforcement action, including suspension and termination from employing Twitter's services:
Further below in its Developer Policy, Twitter expands on how developers can comply with the requirements outlined above. Let's go over each in turn.
To satisfy Twitter's Privacy Policy requirement, your Privacy Policy must, at minimum, include the following details:
Importantly, Twitter requires that you display your Privacy Policy to users before they "download, install, or sign up" to your website or app. In addition, your Privacy Policy must be as protective as the Privacy Policy of Twitter and its affiliates.
Finally, your Privacy Policy must comply with all applicable laws. For instance, suppose you provide services to users based in Germany and Canada. In that case, you will likely need to comply with the GDPR and PIPEDA.
Note that you must stop using Twitter's services if you're unable to comply with either its Privacy Policy or yours:
In an effort to give users more control over their information, Twitter requires you as a developer to obtain "express and informed" consent from users before doing any of the following:
Now, let's briefly look at some examples of businesses implementing the Twitter login button appropriately and how their Privacy Policy acknowledges the use of social logins.
YouNow complies with Twitter's requirements by prominently displaying the Twitter login icon and linking its Privacy Policy before users sign up on its platform, as seen below:
In its Privacy Policy, YouNow acknowledges its use of social sign-in as well as the type of personal information it collects once users sign up through its social sign-in feature.
Medium, on the other hand, uses a button to display its Twitter sign-in option while linking its Privacy Policy and Terms of Service:
Medium also links its Privacy Policy within the Twitter login registration form and describes its controls over users' Twitter accounts so users can make an informed decision about whether to continue:
Lastly, the Privacy Policy of Medium provides specific details about the information it collects once users connect their Twitter profile with Medium:
You can take this same approach to implement a Twitter social login button with your mobile app, as the Poll Pay app has done here:
When users first open the app, they immediately see a screen with multiple sign in options, including one for Twitter. You can see the Privacy Policy is also linked at the bottom of the screen. Tapping the link allows users to access the Privacy Policy before deciding whether or not to move forward with using the app.
Now let's look at how Google directs this process and what it requires from websites or apps that choose to use its social login feature.
Google is one of the top providers of social login integration, as a substantial number of websites and apps use its sign-in button.
In order to use the Google login button, website and app developers must comply with Google's rules for having a Privacy Policy. Google's requirements for developers are very similar to those of Twitter. For instance, in its Sign-In Branding Guidelines, Google requires developers to display its sign-in button as prominently as other third-party sign-in options:
When it comes to user privacy, Google requires developers to comply with all applicable privacy laws as well as the Google API Services User Data Policy. To this effect, developers must publish and adhere to a Privacy Policy as stipulated in the Google API Terms of Service:
To provide further guidance, let's briefly go over the requirements of a Google-compliant Privacy Policy.
To comply with Google's Privacy Policy requirements, the following must be observed:
Here's how Google presents these requirements in its API Services User Data Policy:
Like most social login providers, Google requires developers to obtain consent before collecting and using personal information.
In particular, Google requires you as a developer to:
Here's how this is displayed:
It's important to note that failure to comply with any of Google's policies may cause Google to "revoke or suspend" your access to all Google products and services:
Tinder complies with Google's requirement for equal prominence by displaying its login button as prominently as other sign-in options. It also links its Privacy Policy in a conspicuous location as Google requires:
Once users click the Google login button, they are prompted to enter their Google sign-in credentials and are informed that Google will share their basic information with Tinder if they wish to continue. In doing this, Tinder has fulfilled its consent requirements:
Among other relevant information required by Google, Tinder acknowledges its collection of users' information through Google login in its Privacy Policy:
Just like Tinder, Airbnb provides a prominent "continue with Google" button and links its Privacy Policy within the sign-in form:
In its Privacy Policy, Airbnb lets users know that it obtains their information from third-party services when users link, connect, or log in to its platform:
Now let's look at what you'll need to do if you integrate the Facebook login feature on your website or app.
As the first and most popular provider of social login integration, Facebook's login button is widely used by websites and apps the world over. Like other social logins, Facebook login improves user experience by allowing users to quickly sign up on a website or app without having to fill out a form or create a password.
However, developers must observe Facebook's regulations in order to enjoy the benefits of its login integration.
In order to use the Facebook login button, website and app developers must comply with Facebook's rules for having a Privacy Policy. The Developer Policies of Meta (Facebook's parent company) provides specific guidance to help developers compliantly implement its login button, as seen below:
For additional guidance on Facebook login integration, check out Facebook's article here with some of the company's suggested best practices.
Now let's take a look at Facebook's privacy requirements for developers.
To comply with Facebook's Privacy Policy requirement for developers, you must observe the following:
Here's how Facebook displays these requirements in its developer terms:
Meta's Developer Policies includes a section titled "Give people control" that clearly outlines several requirements developers must observe with regard to users' information.
Among other requirements, developers must "obtain consent from users before publishing content or taking any other action on their behalf."
Pinterest allows users with a Facebook account to log in automatically through its prominently displayed Facebook login button.
Note how Pinterest places its Privacy Policy below the login buttons to ensure users have read and consented to its data processing practices:
To obtain user consent, Pinterest informs users that it will connect their Facebook account to Pinterest if they click the continue button, as shown below:
Pinterest's Privacy Policy also mentions its connection to Facebook by letting users know what information it collects through Facebook login when users give their permission. This includes details like friends list and contact info to help improve users' experience:
Fiverr also includes a Facebook login button alongside other third-party login buttons but doesn't link its Privacy Policy on the sign-in form:
However, Fiverr's Privacy Policy can be found further below in the footer section of the website:
In its Privacy Policy, Fiverr mentions that it collects registration and profile information from third-party social media networks like Facebook, as shown below:
You can implement a Facebook login button on a mobile app as well, as seen here from the Million Steps app:
Users are given a few different options for signing into the app upon downloading and opening the app for the first time. They're also linked to the company's Privacy Policy on this screen which they can tap to access before continuing.
Next up we'll check out how Apple directs users of its login functionality to implement it and disclose it properly.
As one of the biggest tech companies in the world right now, Apple needs no introduction. Not surprisingly, the Apple login button is among the most widely used social logins on websites and apps worldwide alongside Facebook and Google. With the Apple login button, users can now use their Apple ID to quickly sign in to any website or app that offers Apple login functionality, thereby circumventing the standard sign-up process.
In order to use the Apple login button, website and app developers must comply with Apple's rules for having a Privacy Policy. In order to implement this button on your website or app, you must observe Apple's extensive regulations. The Apple Human Interface Guidelines is a good place to start.
This document briefly explains how the Apple login button works and specifies several guidelines developers must follow to be considered compliant. They are as follows:
In addition to these requirements, you must take note of Apple's Usage Guidelines for Websites and Other Platforms, most notably the prohibited uses, as seen below:
Now let's go over Apple's privacy obligations for developers on its platform.
In section 3.3.10 of its Developer Program License Agreement, Apple outlines several privacy obligations developers must observe, including the requirement to provide a Privacy Policy. These obligations are as follows:
Here's how Apple displays these provisions:
For app developers, the Apple App Store Review Guidelines also require a compliant Privacy Policy to be provided:
Like other major social platforms, Apple's consent requirements are explicitly addressed in its policies.
To comply accordingly, you must obtain consent from users before collecting their personal information. You must also get the approval of users before changing how you use personal information. Here's how it's stated in the Developer Program License Agreement:
Here's how Bumble prominently displays its "continue with Apple" button on its sign-up page and links to its Privacy Policy below:
As required by Apple, Bumble's Privacy Policy acknowledges its use of Apple login and explains what information it collects and how it will be used when users connect to Apple.
Bumble also clarifies what happens to users' information when they disconnect the social login feature and how to stop all access to their information:
Like Bumble, Reddit offers a quick and easy Apple login button that links to the Privacy Policy within the login page:
Within its Privacy Policy, Reddit goes on to describe the data it collects from third-party services when users link both services:
If your mobile app allows users to sign in with their existing Apple accounts, you can add such a button to your app's initial screen that users will see upon opening your app for the first time.
You can and should also link your Privacy Policy to this "welcome" screen, such as the Fancy Giveaways app has done here:
LinkedIn is next on our list of social login integrations and privacy requirements. Let's look at what it requires and how to comply.
As the leading social media platform for professional networking and career development, LinkedIn is highly relevant, especially in the B2B space.
Like other social logins, the LinkedIn login button reduces friction and helps businesses obtain more sign-ups for their websites and apps without the need to fill out a registration form.
In order to use the LinkedIn login button, website and app developers must comply with LinkedIn's rules for having a Privacy Policy. LinkedIn's privacy requirements for developers are also similar to those of Twitter and Google, with a few slight differences.
Let's briefly go over these requirements.
The LinkedIn API Terms of Use comprehensively explain the general requirements and privacy obligations developers must observe in order to use its services.
It's worth noting that, unlike other social logins, LinkedIn requires developers to provide a User Agreement in addition to their Privacy Policy. Essentially, your legal documents and privacy practices must meet specific standards as outlined below:
Here's how LinkedIn displays these requirements:
Like most other social networking platforms, LinkedIn requires developers to obtain consent from users before taking any action on their accounts or personal information.
To that effect, LinkedIn provides specific guidelines you must observe to get legally valid user consent. They are as follows:
Here's how LinkedIn presents these requirements in its API Terms of Use:
Indeed includes a "Log in with LinkedIn" button along with other third-party social logins to help applicants with LinkedIn profiles quickly sign in to their Indeed account:
When applicants click the login button and provide their LinkedIn sign-in information, Indeed seeks their consent to use their names, email addresses, and profile photos:
Further below on the login page, Indeed links its Privacy Policy:
Within its Applicant Privacy Policy, Indeed briefly addresses its collection of Applicant Personal Data (APD) from third-party services and explains how that information is used:
In 2012, Instagram was acquired by the multinational tech conglomerate, Meta Platforms (also known as Facebook's parent company). As a subsidiary of Meta, Instagram is now governed by the same set of developer rules that apply to Facebook.
In other words, the technical requirements and privacy obligations for the Facebook login button (as described in the Facebook section of this article) also apply to the Instagram login button.
In order to use the Instagram login button, website and app developers must comply with Facebook's rules for having a Privacy Policy.
Here's how Meta discloses this update in its Developer Policies, in an information box at the top of the page:
To recap, here are the key things to keep in mind when implementing the Instagram login button:
You've likely seen the option to log in to a site or app via your existing Instagram account, like this one:
Thismoment's Cookie Policy specifically addresses Instagram login and includes links to Instagram's Privacy Policy and Cookie Policy as shown below:
In its Privacy Policy, Thismoment informs users that it collects their information from third-party services connected to their accounts. It also disclaims liability here by referring users to review the Privacy Policy of third-party services as well as any permission notice they receive:
For our final social login integration, we will take a look at how Amazon does this.
Although less commonly used than other social logins, Amazon login works just as well for businesses and users. It presents a quick and efficient solution for users to register or sign in to a website or app without having to fill out the standard registration form.
In order to use the Amazon login button, website and app developers must comply with Amazon's rules for having a Privacy Policy. To help developers implement its login button, Amazon provides a Login with Amazon Developer Guide for Websites. This guide explains in detail the technical implementation of the Amazon login button to help developers properly integrate it on their websites and apps.
Admittedly, Amazon's privacy requirements for websites and apps aren't particularly comprehensive. The most notable privacy requirement for developers is to provide a Privacy Notice URL in the applicable section of their website or app:
To remain compliant with Amazon's privacy requirements (and as a best practice), your Privacy Policy must inform users what type of information you collect from them when they use the Amazon login button.
Let's see an example.
Aoyue allows users to skip the standard login method and sign in through its Amazon login button while outlining the advantages of doing so:
Notably, Aoyue doesn't link its Privacy Policy in the login form, but it does link it in the footer section of the login page (which is also a valid option):
Aoyue specifically addresses its implementation of Amazon login in its Privacy Policy.
Although the phrasing is not so easy to follow, Aoyue essentially lets users know that details like user ID, name, and email address will be collected when they use the Amazon login button but only after receiving express consent.
To obtain more information about the purpose and scope of the information collected, Aoyue refers users to Amazon's Privacy Policy, as shown below:
The highlighted sections above state as follows:
"Using the Amazon login button on our website allows you to log in or register on our website using your Amazon user data. Only if you give your express consent in accordance with Art. 6 (1) point a GDPR prior to the registration process based on a corresponding notice about the exchange of data with Amazon, will we receive the publicly accessible information stored in your profile when you use the Amazon button, depending on your personally made data protection settings. This information includes the user ID, name, address, email address, age, and gender"
"The purpose and scope of the data collection and further processing and use of the data by Amazon, as well as your rights in this regard and setting options for protecting your privacy, can be found in Amazon's privacy policy: https://www.amazon.de/gp/help/customer/display.html?language=en_GB&nodeId=201909010."
As a developer, integrating a social login button undoubtedly presents benefits for your website or app. However, to implement these buttons appropriately, you need to observe certain privacy obligations.
Although the requirements are slightly different for each social login button outlined above, the core concept remains the same for all.
Regardless of which social login buttons you wish to use, here are the takeaways to ensure a compliant login integration:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.