OAuth Consent Screen Privacy
Google, Meta, LinkedIn, and similar OAuth providers require a publicly accessible privacy policy URL on the consent screen before they grant production access or complete app verification. "Publicly accessible" means reachable without login or a paywall, because the reviewer fetches it anonymously; Google additionally requires the URL to sit on one of the app's authorized domains.
Reviewers compare the scopes your client requests against what the policy discloses. If your app requests the user's email address but the policy only describes analytics data, the submission is rejected until the policy names the data that scope actually exposes.
What to include in the policy
- The categories of data each requested OAuth scope gives you access to, stated per scope rather than in one generic sentence.
- How long access tokens, refresh tokens, and the profile data retrieved with them are retained, and when they are deleted.
- Which subprocessors receive the data and whether any of it is shared with advertisers (for Google restricted scopes, the Limited Use requirements prohibit using the data for advertising at all).
- How users revoke access, both from inside your app and from the provider's account permissions page, and how they request deletion of the data you already hold; revocation should delete your stored tokens, not just stop using them.
Stable URL across scope changes
When you add sensitive scopes, update the policy text at the existing URL rather than publishing a new one. Adding sensitive or restricted scopes will itself trigger re-verification on most platforms, but a stable, self-hosted policy link means the consent screen configuration, the links already embedded in your app, and the URL the platform has on file do not need to change alongside it.