Privacy Policy for Google OAuth

What does Google require my privacy policy to contain?

Google Privacy Policy Requirements

If you'd like to skip reading this entire article: Google recently provided wording that can be used in your privacy policy. “(App’s) use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.” Copy and paste it, substituting your app's name. Done 🪄 (This sentence is Google's Limited Use disclosure. It satisfies the wording check, but it does not replace the description of which Google data your app accesses and how it uses it; see requirement 6 below.)

Google requires you to add a link to your Privacy Policy to your OAuth Consent Screen settings. Often your current privacy policy is adequate, but occasionally they find an issue with it. When they do, they may send you an email like the one below, containing a number of cryptically worded statements.

Thanks for your patience. We reviewed your project and found that your privacy policy https://example.com/privacy/ doesn’t meet our requirements for the Google API Service: User Data Policy. If you want to continue with the verification process, please make sure the privacy policy linked to your project follows these requirements:

Privacy Policy Requirements

  • The URL in your project points to a privacy policy on a publicly accessible domain.
  • The privacy policy is hosted and accessible in the domain of your website.
  • The privacy policy is accessible from the app’s home page.
  • Users can view the privacy policy.
  • The privacy policy clearly describes the way your application accesses, uses, stores, or shares Google user data.
  • The privacy policy is linked to the OAuth Consent Screen on the Google API Console.
  • You only use Google user data in the ways described in your published privacy policy.

Let’s unpack it

I’m going to walk you through verifying these requirements. If one of the tests below fails, you know what to fix. Do so, and then reply to the email to let Google know that you have remediated the issue.

1. Your privacy policy must be publicly available

Open an incognito browser window (so no cookies or session are sent) and visit your privacy policy. If you are able to view it, you are golden. If your app redirects to a sign-in form, you need to fix this. It is also worth fetching the URL with curl from a machine outside your office network: a reviewer at Google will not be on your VPN or allow-list, so anything that blocks anonymous visitors (a login wall, an IP allow-list, a staging-only host) counts as not publicly accessible.

2. Your privacy policy must be hosted on a domain that matches your application

For example, https://www.stitchfix.com/privacy is hosted exactly where you would expect anything related to Stitch Fix to be located. A subdomain is fine. Look at Nextdoor's privacy policy at https://legal.nextdoor.com/us-privacy-policy-2020/.

Don’t host your privacy policy on a Facebook page or an unbranded platform page.

3. Your privacy policy must have a link on your home page

Visit your home page. Find a link to your privacy policy. If you can’t, add one. Done.

4. Signed in users should still be able to view your privacy policy

Sign in as a user on your application and visit your privacy policy. It should display the same as it does for anonymous visitors to your site.

5. Your OAuth Consent Screen settings should include a link to your privacy policy

Sign in to the Google Cloud Console, open APIs & Services > OAuth consent screen, and make sure the privacy policy link field is set to the same URL you just verified. Or add it now.
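Checks 1 through 3 are mechanical enough to script. The following is an added example, not CloudSponge's or Google's code: it fetches your home page and your privacy policy anonymously (no cookies), flags a redirect to a sign-in page, confirms the policy is on your app's domain or a subdomain of it, and confirms some link on the home page resolves to the policy URL. The sign-in heuristic, the two-label domain comparison, and the sample home page HTML are all assumptions made for the example; checks 4 and 5 still need a logged-in browser and the Cloud Console.

```python
"""Preflight for Google's privacy policy requirements 1-3 (added example).

The check functions are pure so they can run against saved responses; only
fetch() needs network access.
"""
import sys
import urllib.request
from html.parser import HTMLParser
from urllib.error import HTTPError
from urllib.parse import urljoin, urlparse

# Constructed sample home page used when the script is run without arguments.
SAMPLE_HOME_HTML = """<html><body>
<a href="/about">About</a>
<footer><a href="/privacy/">Privacy Policy</a> <a href="/terms">Terms</a></footer>
</body></html>"""


def registrable_domain(url: str) -> str:
    """Approximate the registrable domain by keeping the last two host labels.

    Assumption for the example: fine for example.com / legal.example.com, but
    hosts under multi-part suffixes such as .co.uk would need a public-suffix list.
    """
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def same_site(policy_url: str, app_url: str) -> bool:
    """Requirement 2: the policy lives on the app's domain or one of its subdomains."""
    return registrable_domain(policy_url) == registrable_domain(app_url)


def looks_like_login(final_url: str) -> bool:
    """Requirement 1: heuristic for 'redirected to a sign-in form' (path keywords)."""
    path = urlparse(final_url).path.lower()
    return any(tok in path for tok in ("login", "signin", "sign-in", "sign_in"))


def normalize(url: str) -> tuple:
    """Compare URLs by host and path only, ignoring scheme, query and trailing slash."""
    u = urlparse(url)
    return ((u.hostname or "").lower(), u.path.rstrip("/") or "/")


class LinkCollector(HTMLParser):
    """Collect every href on a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def home_links_to_policy(home_html: str, home_url: str, policy_url: str) -> bool:
    """Requirement 3: some anchor on the home page resolves to the policy URL."""
    parser = LinkCollector()
    parser.feed(home_html)
    target = normalize(policy_url)
    return any(normalize(urljoin(home_url, h)) == target for h in parser.hrefs)


def fetch(url: str):
    """Anonymous GET with no cookies, following redirects. Returns (status, final_url, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "privacy-policy-preflight/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.geturl(), resp.read().decode("utf-8", "replace")
    except HTTPError as err:  # 4xx/5xx: report the status instead of raising
        return err.code, err.geturl(), ""


def run_checks(app_url, policy_url, home_html, policy_status, policy_final_url) -> dict:
    """Evaluate requirements 1-3 from already-fetched data; True means pass."""
    return {
        "publicly_accessible": policy_status == 200 and not looks_like_login(policy_final_url),
        "same_domain": same_site(policy_url, app_url),
        "linked_from_home": home_links_to_policy(home_html, app_url, policy_url),
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: preflight.py https://example.com https://example.com/privacy/
        app, policy = sys.argv[1], sys.argv[2]
        _, _, home = fetch(app)
        status, final_url, _ = fetch(policy)
    else:  # offline demo against the constructed sample page
        app, policy, home = "https://example.com", "https://example.com/privacy/", SAMPLE_HOME_HTML
        status, final_url = 200, policy
    for name, ok in run_checks(app, policy, home, status, final_url).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Run it from a machine outside your own network so the fetch sees what Google's reviewer sees. A FAIL on `publicly_accessible` with a final URL containing `login` is the redirect-to-sign-in case from step 1; a FAIL on `same_domain` is the Facebook-page or unbranded-platform case from step 2.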

Looking deeper

The first five requirements are straightforward to verify for yourself. If any of them failed, you have a clear path forward.

However, if your application is not in violation of any of these requirements, you’ll need to take a closer look into the content of your privacy policy and what you are doing with the data that users share with you.

The first place to start is by reading Google’s User Data Policy to get an idea of the intent behind Google’s review. Essentially, it states that your application should be clear about what it’s going to do, and users should not be surprised by anything your app does with regard to Google Contact data.

With that in mind, I’ll briefly describe the last requirements.

6. Your privacy policy should describe the data that your application accesses and how it uses that data

Basically, your privacy policy should talk about Google Contact data and address the following:

  • What data are you requesting from your users (which Google scopes, and what they give you access to)?
  • How are you using and storing this data, including how long you keep it?
  • With whom do you share this data?

In addition, include Google's Limited Use disclosure in the policy: “(App’s) use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.” Substitute your app's name for "(App's)".

7. Don’t abuse Google data

Your application should use the Google Contact data only in the way that your privacy policy describes. If you are doing something with the data that you didn’t mention in the privacy policy, then either:

  • add it to your privacy policy, or
  • change your app to conform to your stated policies.

Hopefully, you didn’t have to read this far because you found and fixed a simple issue with your privacy policy. If you made it here without a clear resolution, reach out to us and we’ll try to pinpoint the issue with you.


Related Articles

  • How do I get approved for Google OAuth?
  • How do I add CloudSponge to my Google OAuth project?
  • How do I verify my domain for Google OAuth?
  • How do I make a successful demo video for Google OAuth?
  • What do I do if my shared Google credentials aren’t working anymore?