What You Must Include in an Instagram Privacy Policy

Stefani Schmidt, M.S., CIPM, CIPP-US

September 11, 2023

Most of us have clicked on one of those ‘Sign Up With Instagram’ buttons when accessing a new app or joining a new online community.

Letting your consumers create a login account or connect to your platform through Instagram’s application programming interface (API) is convenient and enhances the user experience.

But if your website or app connects to Instagram’s API, you must have a compliant privacy policy. Meta, the owner of Instagram, states this directly in its platform terms.

I’ll walk you through the privacy requirements outlined by Instagram’s platform terms so you know exactly how to make an Instagram-ready privacy policy.

Table of Contents
  1. Do You Need a Privacy Policy for Instagram API Usage?
  2. What Are Instagram’s Platform Policy Requirements?
  3. What Should You Include in Your Instagram Privacy Policy?
  4. How Do You Make a Privacy Policy for Instagram API Usage?
  5. Where Should You Display Your Instagram Privacy Policy?
  6. How Do You Enforce Your Instagram Privacy Policy?
  7. Summary

Do You Need a Privacy Policy for Instagram API Usage?

Hey, didn’t I just answer this question? Yes, you need a privacy policy if your website or app uses Instagram’s API, which they clearly state directly in their platform terms.

Read it for yourself in the screenshot of their terms below.

[Screenshot: Instagram API privacy policy requirement in Meta’s platform terms]

Even if no data privacy laws apply to your business (which I doubt, but more on that later), you still need to post a privacy policy to use Instagram’s platform to process personal data.

What Are Instagram’s Platform Policy Requirements?

Meta describes several requirements your privacy policy must meet to process information using their Instagram platform.

Like all businesses, Meta also needs to follow applicable laws and regulations — something they seem to be struggling with if you look at this big list of massive GDPR fines.

Requiring all websites and apps that access the Instagram platform to publish a privacy policy and follow specific guidelines is an effort to remove liabilities from Meta’s plate, just in case a third party using their API violates a data privacy law.

Let’s take a look at their specific privacy policy rules:

  • Ensure your privacy policy is clear, accurate, and easy to access.
  • Your policy must follow all applicable laws and regulations and accurately explain what data you process, how you process it, your purpose for doing so, and how users can request to delete that information.
  • You can only process platform data exactly as you describe it in your privacy policy and in accordance with all applicable laws and regulations and the Meta terms.
  • Your privacy policy must not supersede, modify, or be inconsistent with the Meta terms.
  • You must retain all versions of your in-effect privacy policies and provide them to Meta if they ask.
  • Your privacy policy must be available through public links that you maintain in the privacy policy field in the settings of your App Dashboard and in any App Store that allows you to do so.
  • You must ensure the links to your policy are always current and up to date.

The requirements continue further, with Meta describing additional rules for service and tech providers and outlining a long list of prohibited practices regarding data use.

To achieve full privacy compliance, it’s worth looking into these sections of their Platform Terms a little closer.

Rules for Service Providers and Tech Providers

Meta’s additional rules for service and tech providers appear in Section 5 of their Terms.

There, they state that if you use any service providers, they must have a signed policy in place stating that they also agree to the Instagram Platform Terms before gaining access to any data.

You can read more about their specific contractual obligations in the screenshot below.

[Screenshot: Meta rules for service and tech providers]

The additional rules for tech providers mainly cover client-related information. They stipulate that all tech providers will use data solely for the specific purpose outlined by the client.

Read more about it in the screengrab below.

[Screenshot: Meta rules for service and tech providers, client-related information]

Tech providers are also subject to rules regarding client information, data sharing with clients, and client termination.

Prohibited Practices Regarding Data Use

Meta also prohibits certain uses regarding processing data collected from their Instagram platform, as outlined in Section 3 of their terms. This directly impacts your privacy policy because you must explain how and why you process and collect the data.

Some of the prohibited uses include:

  • Processing platform data to discriminate or encourage discrimination against others
  • Processing platform data to make eligibility determinations about people (like housing, employment, or education opportunities)
  • Processing platform data to perform or facilitate surveillance
  • Selling, licensing, or purchasing the data
  • Placing the data on a search engine or making it otherwise available
  • Decoding, circumventing, re-identifying, de-anonymising, or unscrambling the data in any way
  • Changing the functionality of your app or data processing so users view it as an unfamiliar or different app
  • Processing friend lists from Facebook (also owned by Meta) to establish social connections in your platform, unless each person grants you access for that purpose

Their policy outlines additional restrictions regarding who you share the data with and your data retention, deletion, and accessibility options for consumers granted those rights by data privacy laws and regulations.

Laws That Impact Your Instagram Privacy Policy

Speaking of which, if you’re subject to laws like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), your Instagram privacy policy must also comply with their legal requirements.

These laws impact businesses worldwide, and some have very broad thresholds, so chances are at least one applies to your business.

While each piece of legislation is different, you’ll need to include the following information:

  • What personal data you collect
  • Why you collect the information
  • How you use it (aka, your legal basis)
  • Who you share it with or sell it to
  • What rights your users have over that data
  • How they can follow through on those rights

Some other laws that could impact your data collection practices and the contents of your privacy policy include the following:

What Should You Include in Your Instagram Privacy Policy?

The specific clauses you’ll need in your Instagram-worthy privacy policy are unique, as they depend on your data processing procedures and the laws you’re subject to follow.

In practice, nearly every privacy policy should include the following sections:

Introduction

In this section, you introduce your business, explain who the terms of the policy apply to, and write clear definitions of phrases used throughout the agreement so your users’ expectations are properly set.

Additionally, this is where you would want to include your business’s physical address and even its complete legal entity name(s).

Throughout this section, I’m pulling example screenshots from Adobe’s privacy policy, as they allow users to use social media APIs to sign into their accounts, like Instagram.

See an image of their introductory clause below.

[Screenshot: Adobe privacy policy, introduction]

What Personal Data You Collect

In this section, list the categories of personal data you collect and process about your users, including any sensitive personal information.

Be thorough and specific in this section to meet the Instagram Platform Terms and any additional legal requirements.

Adobe has an excellent example of this clause, shown in the screenshot below.

[Screenshot: Adobe privacy policy, personal data collected]

Why You Collect the Data and How it Gets Used

If you’re subject to laws like the GDPR or the CCPA, you must say why you collect the data and include your legal basis.

Below, you can see how Adobe achieves this in its privacy policy.

[Screenshot: Adobe privacy policy, GDPR and CCPA]

Who You Share the Data With

If you share or sell personal information with another party (like the Instagram API), you must state as much in your privacy policy.

This way, your users can read those third-party agreements and decide if they’re comfortable giving those entities access to their information.

Below, see how Adobe formats this clause in their privacy agreement.

[Screenshot: Adobe privacy policy, third-party agreements]

Internet Cookies

Under laws like the GDPR and CCPA, internet cookies qualify as personal data, plus most of these regulations give users the right to limit how their information gets used regarding analytics and advertising.

Ensure you also include a cookie policy on your site that lists all cookies used and explains how individuals can control which cookies are placed on their browsers. This cookie policy must be updated whenever a cookie is added or removed from the website.

Adobe includes a short paragraph with live links to their other policies, shown below.

[Screenshot: Adobe privacy policy, internet cookies]

The Legal Rights of Your Consumers

You must list all rights your users have over their data if you’re subject to laws like the GDPR, CCPA, or the Virginia CDPA.

You can do this in one clause or separate it into policies specific to users in those unique areas.

Below, see how carefully Adobe phrases this section in their privacy policy.

[Screenshot: Adobe privacy policy, the legal rights of your consumers]

Information Regarding Children’s Data

If your services target children, you must follow additional requirements to process their information, like obtaining consent from their legal guardians.

If you don’t target children, you must say as much in your privacy policy.

Adobe puts a thorough children’s privacy clause in its policy, shown below, and includes live links parents can visit for more information.

[Screenshot: Adobe privacy policy, children’s privacy]

International Data Transfers

The GDPR outlines specific guidelines regarding international data transfers.

Some countries are approved for transfers because they follow the same safety standards mandated by the regulation.

But if you transfer to other places, including the US, you must ensure the third party signs an agreement stating they’ll abide by all the obligations, user rights, and data protocols required by the GDPR.

Below, read how Adobe phrases this clause in its policy.

[Screenshot: Adobe privacy policy, international data transfers]

Safety and Security

Laws like the CCPA and the GDPR require you to implement and maintain proper safety and security measures to protect the data you collect from data breaches or leaks, and you must include a clause about this in your privacy policy.

Adobe puts a short paragraph in its policy to meet this legal requirement, as shown below.

[Screenshot: Adobe privacy policy, safety and security measures]

How Do You Make a Privacy Policy for Instagram API Usage?

If your website or app uses the Instagram API and you need a privacy policy, there are three standard methods for making one:

  • Use a managed solution
  • Try a free template
  • Do it yourself

Let’s walk through these solutions so you can choose what’s best for you.

Managed Solution

For most businesses, a managed solution, like our Privacy Policy Generator, is the easiest method for making an Instagram-approved privacy policy.

To use it, you answer questions about your business, and it kicks out a compliant, properly formatted agreement that you can then link to your website or app.

I suggest using a generator if you’re subject to data privacy laws. For example, Termly’s privacy policy generator asks if you want to comply with regulations like the CCPA or GDPR.

Termly’s product engineers and data privacy experts help ensure that all of the tools reflect the most recent data privacy laws and regulations, which often change.

I’ve included two screenshots of our generator below to show you what I mean. This one is about the CCPA.

[Screenshot: Termly Privacy Policy Generator]

This next screenshot shows the section of our generator that asks if you want to comply with the Virginia CDPA.

[Screenshot: Termly Privacy Policy Generator, Virginia CDPA]

Free Template

If you use Instagram’s API, another good option I recommend is checking out our free privacy policy template.

These take more work on your end, as you’ll have to fill out blank sections of the agreement manually. But they still provide proper formatting, the most common clauses, and standardized language that typically appears in these legal policies.

I recommend using a template if you don’t actually collect data from your users or if your data processing is minimal.

Below, you can see a screenshot of our free template.

[Screenshot: Termly privacy policy template]

Do-It-Yourself

You can always write your own privacy policy for Instagram usage. But I recommend this method only if you have extensive legal knowledge or access to a lawyer or if your platform doesn’t collect any personal data from users.

If you do decide to make your Instagram-compliant privacy policy on your own, remember to include these key components:

  1. Make your policy clear and freely accessible. People can’t be charged to access it.
  2. Clearly define compliance rules, like age and content restrictions.
  3. Clearly define what information you’ll access and how you’ll use it.
  4. Explain how you’ll utilize user-generated content.
  5. Tell users how you protect their data and what security measures are in place.
  6. Include any relevant contact information if users have questions about your privacy policy.
  7. Include information on international privacy laws, like the GDPR and CCPA.

Where Should You Display Your Instagram Privacy Policy?

According to Meta’s terms, you must link your Instagram-compliant privacy policy in the following places:

  • In the settings field in your App Dashboard
  • In the official listing of your app on any App Stores that allow you to do so

But for legal compliance under laws like the GDPR and CCPA, you should put a link to your agreement at or before the point of data collection.

It should also live in a static place on your website, like in the footer or within a specific privacy center, so consumers can easily find and read it.

Instagram Privacy Policy URL

To link your Instagram privacy policy in the settings field of your Meta app dashboard, you must have it hosted somewhere and provide a URL.

This means you need a dedicated web or app privacy policy page you can send people to when they click the URL link.

You can manually add one of these pages to your own website. Or, if you use Termly, we’ll provide the URL for you. Either option works for both Instagram and legal compliance.

How Do You Enforce Your Instagram Privacy Policy?

You should implement two methods to help ensure your Instagram privacy policy is enforceable — clickwrap and browsewrap.

But by enforceable, I really mean compliant. Privacy policies are descriptions of your privacy collection practices intended to inform your users; they’re not a set of rules or directions your users must follow.

The first thing you should do is provide a live, working link to the official version of your agreement on the form used to sign in to your services via the Instagram API and request that your users take an affirmative action to express that they agree to it. For example, you might:

  • Ask them to select an unmarked checkbox to express that they’ve read and agreed to it
  • Request that they click a clearly labeled ‘I Read and Agree to the Privacy Policy’ button

This is known as the clickwrap consent method because the individual must manually do something to express their acknowledgment and agreement with your Instagram privacy policy.

You should also put language in the introduction of your privacy policy explaining that using your services with the Instagram API means the user agrees to all terms outlined in your privacy policy (and Meta’s, too).

This second method is known as the browsewrap method or implied consent.

While this type of language provides safeguards for your business, it is not a legally compliant way to obtain user consent under data privacy laws like the GDPR.

For this reason alone, I highly recommend using browsewrap and clickwrap consent methods.

Summary

Instagram privacy policies are required for any app or website that uses their API, even those that don’t collect personal data. With this guide in your toolbox, you’re more than ready to make your own.

These agreements usually need to cover a variety of requirements. So, along with Meta’s Platform Terms, you must stay on top of any laws or regulations that impact your business’s privacy policy and always keep it updated and accurate.

If you use Instagram’s API and need help creating a customized privacy policy, make it easy on yourself and try Termly’s privacy policy generator today.

Written by Stefani Schmidt, M.S., CIPM, CIPP-US

Stefani is a data privacy, risk, compliance, and program management professional with experience in the communications, financial, and adtech industries. Stefani’s previous experience includes working closely with stakeholders from different departments to push forward privacy initiatives across corporations, including working on privacy and security reviews of new business initiatives and vendors. Stefani has an M.S. in Security Technologies from the University of Minnesota – Twin Cities and a B.A. in Journalism and Political Science.
