What to Include in an Instagram Privacy Policy

A good Privacy Policy can allow you to collect important information while fulfilling any legal and regulatory requirements about data collection.

The Privacy Policy should specify what kind of information you are collecting (if any), how you are using that information, and plenty of other relevant information. Putting together that policy can protect you legally and allow you to use user data to give your customers a better experience.

A good Privacy Policy can even allow you to connect your website to Instagram. Many websites use the Instagram API to connect the two sites and boost engagement across the platforms. However, Instagram has specific requirements that your Privacy Policy must fulfill before you can use the Instagram API.


Do I Need an Instagram Privacy Policy?

Instagram's own Platform Terms are very clear on this. If you use Instagram's API to connect your website or app to Instagram, you need a Privacy Policy. This is an important, basic piece of legal documentation that both customers and platforms expect to see.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your website. Just follow these steps:

  1. Click on the "Privacy Policy Generator" button.
  2. At Step 1, select the Website option and click "Next step":

     TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  3. Answer the questions about your website and click "Next step" when finished:

     TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  4. Answer the questions about your business practices and click "Next step" when finished:

     TermsFeed Privacy Policy Generator: Answer questions about business practices - Step 3

  5. Enter your email address where you'd like your policy sent, select translation versions and click "Generate."

     TermsFeed Privacy Policy Generator: Enter your email address - Step 4

     You'll be able to instantly access and download your new Privacy Policy.

You can see the relevant portion of Instagram's Platform Terms below:

Facebook for Developers: Platform Terms - Privacy Policy clause - Privacy Policy requirement section

What Should My Privacy Policy Include?

Of course, consumers and social media platforms have basic expectations for Privacy Policies. Instagram specifically has five requirements that your Privacy Policy must meet:

  1. It must show what data you're processing, how you're using it, and what you're using it for
  2. It must include how users can delete their data
  3. It must comply with Instagram's policies on data use
  4. It can't contradict applicable laws
  5. It must be publicly accessible, and you must provide it to Instagram (or Facebook) if they ask to see your Privacy Policy

We'll break these down individually in the next section, but this is a good checklist for what Instagram requires for your Privacy Policy. You can see where they are laid out in Instagram's Platform Terms below:

Facebook for Developers: Platform Terms - Privacy Policy clause excerpt

How to Comply with Instagram's Platform Terms

Data Processing

First, explain what data you're processing. This should be a comprehensive list of all the forms of data you collect. You may want to specify that the particular types of information you're collecting may vary according to which of your products the user is using.

This clause from Brunswick Corporation gives a good example of one such list:

Brunswick Privacy Policy: What information we collect clause

Next, give the various ways that you may use the data. It's important for consumers to know exactly how you will and will not use the data you collect from them. For example, you might collect data as an essential part of continuing to operate your website.

Other reasons could be in order to contact your users, to analyze your website for areas where improvement is needed, for customer service and support, and quite a few more.

You can see a good example of the "Use of Data" section from the American Migraine Foundation's Privacy Policy below:

American Migraine Foundation Privacy Policy: Use of Data clause

Finally, you may want to provide the legal basis for your data collection. Although this isn't required by Instagram, it may be useful for preempting any questions users may have about the legality of your data collection.

Accenture lays out part of its Privacy Policy in a table where it states both the types of data it collects and the legal basis for collecting that specific data. You can see part of that table here:

Accenture Privacy Statement: Excerpt of For which purposes and on which legal basis do we use your personal data chart

Process for Deleting Data

Your Privacy Policy must also include the process for your users to request that you delete their data. There are a few ways to do this, but the simplest is to say that once you receive the user's request and verify their identity, you will delete their data as required by law.

Of course, some laws may require you to keep some data even after you've deleted what you can, so you should make sure to clarify that as well.

You can see a good example of this from Brunswick Corporation below:

Brunswick Privacy Policy: Deletion Request clause

However, you may receive a large volume of requests for data deletion. If that's the case, you might want to specify a process and include a link to a form or portal that users can use, for your convenience and theirs.

If your data deletion process requires you to collect some customer data so that you can verify the user's identity (like an email address), it's a good idea to explain that in your data deletion section as well.

Mattel has one such portal that handles all of the data deletion requests, and you can see how it's introduced here:

Mattel Privacy Statement: California Privacy rights clause - Deletion, Access and Information section - Deletion excerpt

Have Compliant Data Use

You need to make sure that your Privacy Policy does not contradict the Instagram Platform Terms section on Data Use, which is found in Section 3.

Section 3 outlines all prohibited practices with regard to data and the conditions around transferring, deleting, accessing, and retaining data, as well as any exceptions to those rules. While the section is lengthy, it's important to review it closely to make sure that your own policy and practices don't conflict with it.

So it's not sufficient just to explain the ways that you use data, as in the "Data Processing" section. You must also make sure that your data use does not conflict with Instagram's own rules on how data should and should not be used.

Comply with Applicable Laws

To comply with regionally specific laws, it may be best to create separate policies for specific needs. The two most common exceptions to normal Privacy Policies are special policies for residents of California and the European Union, which each have stricter privacy requirements in place.

Creating a Privacy Policy that complies with California's requirements is its own endeavor, but you can find a quick checklist for doing that in our article: CCPA Privacy Policy Checklist.

Once you've put together the Privacy Policy and any exceptions, you can link to your region-specific policies within your more general Privacy Policy, the way Accenture does here:

Accenture Privacy Statement: California resident section

Make Your Privacy Policy Public

Your Privacy Policy has to be publicly accessible. This means that any user or potential user must be able to read it without being charged and without any other barrier to entry. The easiest way to do this is by giving your Privacy Policy its own link.

By keeping it on its own publicly accessible web page, you can be sure that all the accessibility requirements are met. For example, Oregonlive.com keeps its Privacy Policy on the following page: https://www.oregonlive.com/privacy-policy/.

It's also key for users to be able to easily access your Privacy Policy from anywhere on your website. Most websites do this by providing a link to the Privacy Policy and other important pages on a menu at the bottom of every page in the website footer.

You can see how UNiDAYS lays out a fairly simple menu here:

Unidays website footer with Privacy Policy link highlighted

While meeting the above requirements allows your site to connect to Instagram, there are plenty of other ways your Privacy Policy can help you.

What Else Should My Instagram Privacy Policy Include?

Cookies Clause

Although Instagram doesn't require it, a cookies clause is an important part of Privacy Policies.

A cookies clause simply informs users that you may store cookies on their computer. It can also define what a cookie is, how you use cookies, what kinds of information the cookies may collect, and how users may opt out of having cookies stored on their computers.

Cookies can let you know if a user is visiting your website a second time and customize their experience accordingly. They can also allow users to log in without entering all their login information every time, giving them a more pleasant experience. Overall, they're used to collect non-personal data that improves website experience.

The Celiac Disease Foundation has a thorough cookies clause that includes all of the above-mentioned information, as you can see below:

Celiac Disease Foundation Privacy Policy and Terms of Use: Cookies clause

Transfer of Data

A Transfer of Data clause explains that your website visitors' data may be transferred away from the jurisdiction in which they live. Because people could visit your website from all across the globe, they should know that the laws that apply to the data where they live may not apply where their data is stored.

Your Transfer of Data clause can let users know where their data is stored (non-specifically) and that the laws in that location may differ from those in the place they're accessing your website from. This can be important in setting expectations for data protection and maintenance.

You can also take this opportunity to reassure readers that you take steps to protect their data and keep it secure. You can explain that data transfer only happens when it is safe and necessary to do so.

Bob's Red Mill includes all of these pieces in the Transfer of Data section of its Privacy Policy, as you can see here:

Bobs Red Mill Privacy Policy: Transfer of Data clause

Contact Us Clause

A Contact Us clause is a fairly simple but important part of a Privacy Policy. It provides your users a way to get in touch with you about your policies. It can also be an important way to make sure your site is in compliance with laws like California's CCPA by making sure users have a way to reach out and request what data you have collected.

BIC's Privacy Policy has a brief but sufficient Contact Us clause, which you can see here:

BIC Privacy Policy: Contact Information clause

Now that you know how to create your Instagram-ready Privacy Policy, let's look at how you can make it enforceable with your users.

How to Enforce Your Instagram Privacy Policy

Your Privacy Policy doesn't do you any good if you don't make sure that visitors agree to it. A visitor should not be able to use your services without first agreeing to your Privacy Policy. To be certain that all your users agree to your Privacy Policy, make sure to use the clickwrap method.

The clickwrap method makes users click a box agreeing to your Privacy Policy (and any other legal agreements you may want to include) before they can create an account or use your services. In addition to the checkbox, you should also include a link to the Privacy Policy and other relevant agreements.

Clickwrap is standard for many websites, such as Autodesk, whose clickwrapped account creation page you can see below:

Autodesk Create Account form with Agree checkbox highlighted

Summary

Creating a Privacy Policy that's compliant with Instagram's Platform Terms is a little difficult, but it can be very worth it for websites that make the most of their integration. Instagram requires that your Privacy Policy explain how your practices comply with its own in the five following areas:

  1. How you collect data
  2. How and when you delete data
  3. How you use data
  4. How you follow applicable laws
  5. How you make your Privacy Policy publicly accessible
Chris M.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.