Most of us have clicked on one of those ‘Sign Up With Instagram’ buttons when accessing a new app or joining a new online community.
Letting your consumers create a login account or connect to your platform through Instagram’s application programming interface (API) is convenient and enhances the user experience.
Read it for yourself in the screenshot of their terms below.
What Are Instagram’s Platform Policy Requirements?
Like all businesses, Meta also needs to follow applicable laws and regulations — something they seem to be struggling with if you look at this big list of massive GDPR fines.
- Your policy must follow all applicable laws and regulations and accurately explain what data you process, how you process it, your purpose for doing so, and how users can request to delete that information.
- It will not supersede, modify, or be inconsistent with the Meta terms.
- You must retain all versions of your in-effect privacy policies and provide them to Meta if they ask.
- You must ensure the links to your policy are always current and up to date.
The requirements continue further, with Meta describing additional rules for service and tech providers and outlining a long list of prohibited practices regarding data use.
To achieve full privacy compliance, it’s worth looking at these sections of their Platform Terms a little more closely.
Rules for Service Providers and Tech Providers
Meta’s additional rules for service and tech providers appear in Section 5 of their Terms.
There, they state that if you use any service providers, they must have a signed policy in place stating that they also agree to the Instagram Platform Terms before gaining access to any data.
You can read more about their specific contractual obligations in the screenshot below.
The additional rules for tech providers mainly cover client-related information. They stipulate that all tech providers will use data solely for the specific purpose outlined by the client.
Read more about it in the screengrab below.
Tech providers are also subject to rules regarding client information, data sharing with clients, and client termination.
Prohibited Practices Regarding Data Use
Some of the prohibited uses include:
- Processing platform data to discriminate or encourage discrimination against others
- Processing platform data to make eligibility determinations about people (like housing, employment, or education opportunities)
- Processing platform data to perform or facilitate surveillance
- Selling, licensing, or purchasing the data
- Placing the data on a search engine or making it otherwise available
- Decoding, circumventing, re-identifying, de-anonymising, or unscrambling the data in any way
- Changing the functionality of your app or data processing so users view it as an unfamiliar or different app
- Processing friend lists from Facebook (also owned by Meta) to establish social connections in your platform, unless each person grants you access for that purpose
Their policy outlines additional restrictions regarding who you share the data with and your data retention, deletion, and accessibility options for consumers granted those rights by data privacy laws and regulations.
These laws impact businesses worldwide, and some have very broad thresholds, so chances are at least one applies to your business.
While each piece of legislation is different, you’ll need to include the following information:
- What personal data you collect
- Why you collect the information
- How you use it (aka, your legal basis)
- Who you share it with or sell it to
- What rights your users have over that data
- How they can follow through on those rights
- California Privacy Rights Act (CPRA), which amends some areas of the CCPA
- California Online Privacy Protection Act (CalOPPA)
- Virginia Consumer Data Protection Act (CDPA)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
In this section, you introduce your business, explain who the terms of the policy apply to, and write clear definitions of phrases used throughout the agreement so your users’ expectations are properly set.
Additionally, this is where you would want to include your business’s physical address and even its complete legal entity name(s).
See an image of their introductory clause below.
What Personal Data You Collect
In this section, list the categories of personal data you collect and process about your users, including any sensitive personal information.
Be thorough and specific in this section to meet the Instagram Platform Terms and any additional legal requirements.
Adobe has an excellent example of this clause, shown in the screenshot below.
Why You Collect the Data and How it Gets Used
If you’re subject to laws like the GDPR or the CCPA, you must say why you collect the data and include your legal basis.
Who You Share the Data With
This way, your users can read those third-party agreements and decide if they’re comfortable giving those entities access to their information.
Below, see how Adobe formats this clause in their privacy agreement.
Under laws like the GDPR and CCPA, internet cookies qualify as personal data, plus most of these regulations give users the right to limit how their information gets used regarding analytics and advertising.
Adobe includes a short paragraph with live links to their other policies, shown below.
The Legal Rights of Your Consumers
You must list all rights your users have over their data if you’re subject to laws like the GDPR, CCPA, or the Virginia CDPA.
You can do this in one clause or separate it into policies specific to users in those unique areas.
Information Regarding Children’s Data
If your services target children, you must follow additional requirements to process their information, like obtaining consent from their legal guardians.
Adobe puts a thorough children’s privacy clause in its policy, shown below, and includes live links parents can visit for more information.
International Data Transfers
The GDPR outlines specific guidelines regarding international data transfers.
Some countries are approved for transfers because they follow the same safety standards mandated by the regulation.
But if you transfer to other places, including the US, you must ensure the third party signs an agreement stating they’ll abide by all the obligations, user rights, and data protocols required by the GDPR.
Below, read how Adobe phrases this clause in its policy.
Safety and Security
Adobe puts a short paragraph in its policy to meet this legal requirement, as shown below.
- Use a managed solution
- Try a free template
- Do it yourself
Let’s walk through these solutions so you can choose what’s best for you.
To use it, you answer questions about your business, and it kicks out a compliant, properly formatted agreement that you can then link to your website or app.
Termly’s product engineers and data privacy experts help ensure that all of the tools reflect the most recent data privacy laws and regulations, which often change.
I’ve included two screenshots of our generator below to show you what I mean. This one is about the CCPA.
This next screenshot shows the section of our generator that asks if you want to comply with the Virginia CDPA.
These take more work on your end, as you’ll have to fill out blank sections of the agreement manually. But they still provide proper formatting, the most common clauses, and standardized language that typically appears in these legal policies.
I recommend using a template if you don’t actually collect data from your users or if your data processing is minimal.
Below, you can see a screenshot of our free template.
- Make your policy clear and freely accessible. People can’t be charged to access it.
- Clearly define compliance rules, like age and content restrictions.
- Clearly define what information you’ll access and how you’ll use it.
- Explain how you’ll utilize user-generated content.
- Tell users how you protect their data and what security measures are in place.
- Include information on international privacy laws, like the GDPR and CCPA.
- In the settings field in your App Dashboard
- In the official listing of your app on any App Stores that allow you to do so
But for legal compliance under laws like the GDPR and CCPA, you should put a link to your agreement at or before the point of data collection.
It should also live in a static place on your website, like in the footer or within a specific privacy center, so consumers can easily find and read it.
You can manually add one of these pages to your own website. Or, if you use Termly, we’ll provide the URL for you. Either option works for both Instagram and legal compliance.
But by enforceable, I really mean compliant. Privacy policies are descriptions of your privacy collection practices intended to inform your users; they’re not a set of rules or directions your users must follow.
The first thing you should do is provide a live, working link to the official version of your agreement on the form used to sign in to your services via the Instagram API and request that your users take an affirmative action to express that they agree to it. For example, you might:
- Ask them to select an unmarked checkbox to express that they’ve read and agreed to it
This second method is known as the browsewrap method or implied consent.
While this type of language safeguards your business, it is not a legally compliant way to obtain user consent under data privacy laws like the GDPR.
For this reason alone, I highly recommend using browsewrap and clickwrap consent methods.
Instagram privacy policies are required for any app or website that uses their API, even those that don’t collect personal data. With this guide in your toolbox, you’re more than ready to make your own.