Regardless of what industry your company belongs to, you are obligated to think about the privacy of your customers. Not only is it good business, but privacy expectations have been set through regulations like the EU’s General Data Protection Regulation (GDPR), California’s Consumer Privacy Act (CCPA), and many others across the world.
When selecting a third-party web service or API, it is important to consider their privacy compliance in order to avoid putting your own company at risk. Unknown practices can lead to shadow APIs. Sometimes this information is front and center, but in many cases the details of each provider’s privacy compliance is buried in privacy policies or help center documents. In this article we’ll look at where to find information about an API provider’s privacy standards, as well as the minimum level of privacy compliance to consider when assessing an API provider.
Note: The information in this article is meant to be used as a basis for helping inform your decisions, but should not be taken as legal advice.
Privacy policies generally include:
- What type of information is collected. This could be location data, user contact details, payment information, or purchase history.
- Details about their security or compliance information. This bridges into a topic we’ll discuss in future articles, but some policies will detail how data is securely stored.
- Information about how to retrieve and remove data, or even opt-out of data collection.
- Specific regional and industry-specific details, such as HIPAA for health data or FERPA for education institutions. These are sometimes found in the Data Protection Addendum (DPA)—more on that below.
- Contact information for the necessary departments that handle data privacy at the company. These are often the best people to reach out to, beyond the sales team you’re working with, for specifics if you need to ensure regulations are met—and sometimes it is easier to ask them than navigate their policy.
The Data Protection Addendum
The DPA will also go into detail on exactly which roles the API provider takes when handling data, if they use any sub-processors—such as a cloud hosting provider for data storage—and links to specific policies and measures for each regulation type. You may also find direct language related to how the API provider, and you as the consumer of the API, are liable for certain aspects of a user’s data.
The key regulations to look for when selecting an API provider
While the needs of your specific industry and the region of your customers will dictate exactly which privacy laws apply to your company, here are some you should expect to see from most API providers.
The EU-US Privacy Shield is a framework that you’ll often see paired with GDPR. It is essentially a means for US and EU companies to safely transfer data without conflicting with the requirements of GDPR. Some nations, like Switzerland, have their own implementation for transferring data to and from US companies. However, as of July 2020 the European Court of Justice declared that transfers of data belonging to EU citizens is not legal under this framework, so be aware that privacy shield alone may no longer be useful.
The Children’s Online Privacy Protection Act (COPPA) dictates how the data and personal information of minors is managed. It affects any user below the age of 13. This is why many companies limit account creation to ages 13 and over.
The California Consumer Privacy Act (CCPA) went into effect in 2018 and offers specific protections for residents of California. Essentially it allows residents to request any data a company has about them, decide if their data can be sold, and be notified before data is collected. It also offers some legal options if a data breach occurs.
The newest law in this space is Lei Geral de Proteção de Dados Pessoais (LGPD). This is Brazil’s equivalent of the GDPR and has officially gone into law as of August 2020, and companies will be expected to abide by the terms in mid-2021. In many ways it is inspired by GDPR and applies to the data of all Brazilian users, even if the companies do not themselves reside in Brazil.
Additional aspects to keep in mind
For most privacy-related regulation, it is important to remember that it is all dependent on how the API interacts with user data. Privacy rules only apply in situations where user data is transmitted to or from the API provider. For instance, if an API is only pulling in data with no knowledge of the user, you won’t need to be as concerned with their compliance to specific regulations and laws.
It is also worth mentioning that while many regulations are enforced, companies are not required to be “certified” like a traditional compliance certification. Instead, they self-report and self-assess on how accurately they meet the requirements of a law or regulation. Ensuring that not only the API provider, but also any of their sub-processors are compliant is the best way to protect yourself from any potential issues.
Unsure if your third-party APIs are compliant with the certifications and privacy laws required in your industry? At Bearer, we’re building a tool to monitor APIs, keep you better informed of problems, and protect your business.