OAuth Consent Screen Privacy

OAuth consent screens for Google, Meta, LinkedIn, and similar platforms require a publicly accessible privacy policy URL before production access or app verification.

Reviewers compare the scopes you request against your policy: if the app reads the user's profile email but the policy only mentions analytics, verification fails.

What to include in the policy

  • Categories of data accessed through each OAuth scope.
  • How long tokens and profile data are retained.
  • Subprocessors and whether data is shared with advertisers.
  • How users revoke access and request deletion.

Stable URL across scope changes

When you add sensitive scopes, update the policy text, not the URL. A hosted privacy policy link that stays stable avoids resubmitting OAuth client configurations every time the policy changes.
