Save a few days on your Google review by adding their template to your privacy policy. Replace “App” with your own application’s name and add the following to your own Privacy Policy before requesting approval:
(App’s) use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.
Let’s unpack it
Google requires you to add a link to your Privacy Policy to your OAuth Consent Screen settings. Often your current privacy policy is adequate, but occasionally they find an issue with it. When they do, they may send you an email like this which a number of cryptically worded statements.
Thanks for your patience. We reviewed your project and found that your privacy policy https://example.com/privacy/ doesn’t meet our requirements for the Google API Service: User Data Policy. If you want to continue with the verification process, please make sure the privacy policy linked to your project follows these requirements:
Privacy Policy Requirements
- The URL in your project points to a privacy policy on a publicly accessible domain.
- The privacy policy is hosted and accessible in the domain of your website.
- The privacy policy is accessible from the app’s home page.
- Users can view the privacy policy.
- The privacy policy clearly describes the way your application accesses, uses, stores, or shares Google user data.
- The privacy policy is linked to the OAuth Consent Screen on the Google API Console.
- You only use Google user data in the ways described in your published privacy policy.
I’m going to walk you through verifying these requirements. If one of the tests below fails, you know what to fix. Do so, and then reply to the email to let Google know that you have remediated the issue.
1. Your privacy policy must be publicly available
Open an incognito browser and visit your privacy policy. If you are able to view it, you are golden. If your app redirects to a sign in form, you need to fix this.
2. Your privacy policy must be hosted on a domain that matches your application
For example, https://www.stitchfix.com/privacy is hosted exactly where you would expect anything related to StichFix to be located. A subdomain is OKAY. Look at NextDoor’s privacy policy on https://legal.nextdoor.com/us-privacy-policy-2020/.
Don’t host your privacy policy on a Facebook page or an unbranded platform page.
3. Your privacy policy must have a link on your home page
Visit your home page. Find a link to your privacy policy. If you can’t, add one. Done.
4. Signed in users should still be able to view your privacy policy
Sign in as a user on your application and visit your privacy policy. It should display the same as it does for anonymous visitors to your site.
5. Your OAuth Consent Screen settings should include a link to your privacy policy
Sign in to your Google Console and make sure that your privacy policy is set. Or add it now.
Looking deeper
The first five requirements are straightforward to verify for yourself. If any of them failed, you have a clear path forward.
However, if your application is not in violation of any of these requirements, you’ll need to take a closer look into the content of your privacy policy and what you are doing with the data that users share with you.
The first place to start is by reading Google’s User Data Policy to get an idea of the intent behind Google’s review. Essentially, it states that your application should be clear about what it’s going to do and users should not be surprised by anything your app does with regards to Google Contact data.
With that in mind, I’ll briefly describe the last requirements.
6. Your privacy policy should describe the data that your application accesses and how it uses that data
Basically, your privacy policy should talk about Google Contact data and address the following:
- What data are you requesting from your users?
- How are you using and storing this data?
- With whom do you share this data?
7. Don’t abuse Google data
Your application should use the Google Contact data only in the way that your privacy policy describes. If you are doing something with the data that you didn’t mention in the privacy policy, then either:
- add it to your privacy policy, or
- change your app to conform to your stated policies.
Hopefully, you didn’t have to read this far because you found and fixed a simple issue with your privacy policy. If you made it here without a clear resolution, reach out to us and we’ll try to pinpoint the issue with you.