Understanding an API provider’s privacy policy

Regardless of what industry your company belongs to, you are obligated to think about the privacy of your customers. Not only is it good business, but privacy expectations have been set through regulations like the EU’s General Data Protection Regulation (GDPR), California’s Consumer Privacy Act (CCPA), and many others across the world.

When selecting a third-party web service or API, it is important to consider their privacy compliance in order to avoid putting your own company at risk. Unknown practices can lead to shadow APIs. Sometimes this information is front and center, but in many cases the details of each provider’s privacy compliance is buried in privacy policies or help center documents. In this article we’ll look at where to find information about an API provider’s privacy standards, as well as the minimum level of privacy compliance to consider when assessing an API provider.

Note: The information in this article is meant to be used as a basis for helping inform your decisions, but should not be taken as legal advice.

The Privacy Policy

An API provider’s privacy policy is often the best place to start. You’ll often find it at the bottom of their website, or wherever they keep their terms and conditions. The best ones include a plain-language overview, but the vast majority are written by and for lawyers. As the New York Times put it, most privacy policies are “an incomprehensible disaster.” There are some key sections that can help in way-finding when looking through an API provider’s privacy policy.

Privacy policies generally include:

  • What type of information is collected. This could be location data, user contact details, payment information, or purchase history.
  • How information is gathered. For an API, it most likely comes directly from your application, but if you are handing a user off for authentication the provider may also use cookies or the user’s IP to collect information.
  • Details about their security or compliance information. This bridges into a topic we’ll discuss in future articles, but some policies will detail how data is securely stored.
  • Information about how to retrieve and remove data, or even opt-out of data collection.
  • Specific regional and industry-specific details, such as HIPAA for health data or FERPA for education institutions. These are sometimes found in the Data Protection Addendum (DPA)—more on that below.
  • Contact information for the necessary departments that handle data privacy at the company. These are often the best people to reach out to, beyond the sales team you’re working with, for specifics if you need to ensure regulations are met—and sometimes it is easier to ask them than navigate their policy.

While it can be difficult parsing through a privacy policy, researchers have built a tool called Polisis that uses machine learning to identify key information and organize it. Try searching for policies from the API providers you use to see a more human-readable overview of their privacy statements.

The Data Protection Addendum

Most privacy policies are separate from their interactions with industry or regional privacy regulations. To deal with this, many companies will have a data protection addendum (DPA, not to be confused with data processing agreement or data protection authority) that acts as a supplement to the privacy policy and includes any new laws, regulations, or policies that affect data privacy. While the privacy policy may mention or include details about the big-name privacy regulations, they are often found in the DPA.

The DPA will also go into detail on exactly which roles the API provider takes when handling data, if they use any sub-processors—such as a cloud hosting provider for data storage—and links to specific policies and measures for each regulation type. You may also find direct language related to how the API provider, and you as the consumer of the API, are liable for certain aspects of a user’s data.

The key regulations to look for when selecting an API provider

While the needs of your specific industry and the region of your customers will dictate exactly which privacy laws apply to your company, here are some you should expect to see from most API providers.

The General Data Protection Regulation (GDPR). While GDPR is specific to businesses whose customers and users reside in the European Union, it has become the standard by which most data protection legislation is based. Unless your company is explicitly only dealing with customers outside the EU, as well as prohibiting access to users inside the EU, you should ensure that all APIs you deal with are GDPR-compliant. When viewing an API provider’s compliance with GDPR, you’ll often find dedicated pages separate from their privacy policy and DPA.

The EU-US Privacy Shield is a framework that you’ll often see paired with GDPR. It is essentially a means for US and EU companies to safely transfer data without conflicting with the requirements of GDPR. Some nations, like Switzerland, have their own implementation for transferring data to and from US companies. However, as of July 2020 the European Court of Justice declared that transfers of data belonging to EU citizens is not legal under this framework, so be aware that privacy shield alone may no longer be useful.

The Children’s Online Privacy Protection Act (COPPA) dictates how the data and personal information of minors is managed. It affects any user below the age of 13. This is why many companies limit account creation to ages 13 and over.

The California Consumer Privacy Act (CCPA) went into effect in 2018 and offers specific protections for residents of California. Essentially it allows residents to request any data a company has about them, decide if their data can be sold, and be notified before data is collected. It also offers some legal options if a data breach occurs. The CCPA has been expanded, via the CPRA, and continues to see regular updates.

The newest law in this space is Lei Geral de Proteção de Dados Pessoais (LGPD). This is Brazil’s equivalent of the GDPR and has officially gone into law as of August 2020, and companies will be expected to abide by the terms in mid-2021. In many ways it is inspired by GDPR and applies to the data of all Brazilian users, even if the companies do not themselves reside in Brazil.

Additional aspects to keep in mind

For most privacy-related regulation, it is important to remember that it is all dependent on how the API interacts with user data. Privacy rules only apply in situations where user data is transmitted to or from the API provider. For instance, if an API is only pulling in data with no knowledge of the user, you won’t need to be as concerned with their compliance to specific regulations and laws.

It is also worth mentioning that while many regulations are enforced, companies are not required to be “certified” like a traditional compliance certification. Instead, they self-report and self-assess on how accurately they meet the requirements of a law or regulation. Ensuring that not only the API provider, but also any of their sub-processors are compliant is the best way to protect yourself from any potential issues.

Unsure if your third-party APIs are compliant with the certifications and privacy laws required in your industry? At Bearer, we’re building a tool to monitor APIs, keep you better informed of problems, and protect your business.