For a technical overview and best practices for implementing Privacy-by-Design, see End User Consent.
Automatic Gigya Support
Gigya supports enforcing an age restriction in compliance with COPPA rules, as part of the Registration-as-a-Service (RaaS) product. To apply COPPA compliance on your site, check the "Users under the age of 13 cannot register" check-box on the Policies page of the Gigya Dashboard. To access this page you need to be logged in and to have the RaaS product included in your Gigya package.
If this check-box is checked, Gigya will check the age of every user who registers on your site. Registration will fail if the user's age is under 13. If you are using our client side tools (Screen-sets/Markup Extensions) the message "Your age does not meet the minimal age requirement (13+) for this site" will be delivered. You must also add fields to your Registration and Registration Completion screens that enable users to supply their age when they register via a social network that does not provide it.
If you are using a direct server-side API call (i.e., accounts.register) you will receive the following error in the response: "Underage user" (error code: 403044).
Note: The age policy should be enabled for any site that requests the age or the birth year from its users. COPPA states that sites must not knowingly store data for users under the age of 13.
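One way to handle the accounts.register result described above on the server, added here as an example and not Gigya's own code. It assumes the response is parsed JSON with an integer errorCode (0 on success) and a callId; the `pending` store and all function and class names are hypothetical.

```python
from dataclasses import dataclass

UNDERAGE_ERROR_CODE = 403044  # "Underage user", as documented above
UNDERAGE_MESSAGE = ("Your age does not meet the minimal age requirement "
                    "(13+) for this site")

@dataclass
class Outcome:
    status: str         # "registered", "underage" or "error"
    user_message: str   # text that is safe to show to the visitor
    audit: dict         # log record that carries no submitted form values

def handle_register_response(response, pending, session_id):
    """Interpret a parsed accounts.register response.

    `pending` is a hypothetical server-side dict of submitted form values,
    keyed by session id, held while the API call is in flight.
    """
    code = response.get("errorCode")
    # Assumed fields: callId identifies the call; nothing user-supplied is logged.
    audit = {"callId": response.get("callId"), "errorCode": code}
    if code == 0:
        pending.pop(session_id, None)   # account exists now, staging not needed
        return Outcome("registered", "", audit)
    if code == UNDERAGE_ERROR_CODE:
        # Do not keep anything the under-13 visitor submitted.
        pending.pop(session_id, None)
        return Outcome("underage", UNDERAGE_MESSAGE, audit)
    # Other failures (or a malformed response): keep the staged values so the
    # form can be shown again, and fail closed rather than treat it as success.
    return Outcome("error", "Registration failed, please try again.", audit)

# Constructed sample responses, not captured from a real call.
SAMPLE_OK = {"callId": "constructed-1", "errorCode": 0}
SAMPLE_UNDERAGE = {"callId": "constructed-2", "errorCode": 403044,
                   "errorMessage": "Underage user"}
SAMPLE_MALFORMED = {"callId": "constructed-3"}

if __name__ == "__main__":
    staged = {"s1": {"email": "a@example.test", "birthYear": 2015}}
    print(handle_register_response(SAMPLE_UNDERAGE, staged, "s1"), staged)
```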
Gigya's default screens and Screen-Sets support WCAG compliance level AA, including:
- Labels and ARIA-labels for screen reader support
- Correct indication to screen readers of mandatory fields, warning messages etc.
- Full keyboard control (tabbing, entering information, exiting screens)
The default behavior of Gigya screens ensures that they integrate smoothly with your website flows. However, they are only one component of your website. It is still the site owner's responsibility to ensure that the entire page or site conforms with WCAG standards and that disabled users can use the site, including completing the flows in full and consuming relevant content.
To customize colors, change the CSS of screens by clicking the "Screens Style" button in the UI Builder. For more information on designing the visual appearance of Screen-Sets, see Screen-Sets: Responsive Design.
Identity Compliance: Facebook Data
Gigya uses Social Sync to monitor and track Facebook Webhooks. Social Sync enables your users' account data to be updated automatically whenever they update their profiles on Facebook; these changes sync automatically to their existing accounts in Gigya.
When a user deletes your site's Facebook application from their Facebook Apps, Gigya automatically deletes all the Facebook data kept in the user's account except for the following fields: snuid, firstName, lastName, nickname, profilePhoto, and gender. This happens automatically and no action is required by your site's admin.
Recommended Steps to Ensure User Privacy
As an additional step toward respecting user privacy, we recommend that you implement the following:
Give the user an option to delete their own account. Create a proper UI, cautioning the user before permanently deleting their account. For permanently deleting the user's account, use one of the following API methods (depending on your Gigya package):
- Call the accounts.deleteAccount method - if you are using our RaaS product.
- Call the socialize.deleteAccount method - if you are using our Social Login product.
Note that the delete account operation cannot be undone. We recommend confirming this action with the user, and even asking for their password again, before executing.
Download User Data
Give the user an option to download their own account data. Call the accounts.getAccountInfo API method to retrieve the user's account data (if you are using our RaaS product). Create a UI for downloading a text file with the data you received in the response of the accounts.getAccountInfo API method.
Data Center Compliance
Russian and Chinese law require that user data of their respective citizens be stored in a dedicated local data center. To this end, Gigya maintains Russian and Chinese data centers that are physically located in those countries. See:
These policies include:
- Google login flows should be mutually exclusive: a site should display either the Google+ login button (preferred) or the Google OAuth/OpenID button, but never both at the same time.
- Please ensure the Google+ login button shows with equal prominence to the other providers -- it shouldn't be hidden offscreen behind a "more" link. Read more about Google+ login.
- You must implement the disconnect and data deletion policy, including:
  - Revoke the OAuth token when the user unlinks Google from within your site/app
  - Delete data read from Google after the user unlinks Google from within your site/app
- For more information, please refer to the Google+ Deletion Rules