I'm writing an Apps Script Add-on for Google Sheets. There are duplicate fields on the OAuth consent screen and the Google Workspace Marketplace SDK Store Listing screen. These are "Terms of Service" and "Privacy Policy" URLs.
Do they need to be filled out in both places? It appears that they are optional on the OAuth consent screen since they do not have an asterisk next to them. Is that true?
If they do need to be entered in both places, do they need to match? On the Store Listing, I used URLs pointing to a shared (with everyone) Google Doc. But on the OAuth screen, it appears they are requiring the documents to be on my website, since they are under the App domain section.
I've seen a working tutorial from a few years ago where a shared Google doc was used for the store listing. But has that policy changed and now do they have to be on my website?
CodePudding user response:
If you are planning to make the OAuth Consent Screen for External users you should add the Terms and Conditions as well the Privacy Policy fields, otherwise it's very unlikely that it will be approved in the verification process, if it will be for Internal users you might try to keep these fields empty as in this case the OAuth Consent Screen will not be verified.
Regarding if these fields should match the fields on the Marketplace listing, it will be weird if they doesn't match. AFAIK Google doesn't review exhaustively the Marketplace listings but if users complain the might review it. They might contact you giving some recommendations, disable the Marketplace listing, etc.
If you want to use a Google Editor files for your TOS and Policy files, you might embed them in a Google Site with a custom URL.
Resources
CodePudding user response:
I found the following information about the "Privacy Policy" URLs:
Make sure that your app's Privacy Policy meets the following requirements:
- The Privacy Policy must be visible to users, hosted within the domain of your website, and linked from the OAuth consent screen on the Google API Console.
- The Privacy Policy must disclose the manner in which your application accesses, uses, stores, or shares Google user data. Your use of Google user data must be limited to the practices disclosed in your published Privacy Policy.
Based on the first requirement, I will say they need to be the same URL under the Google Workspace Marketplace SDK Store Listing and the OAuth consent screen in the project.
However, there is no such restriction for the Terms of Service inside Google Documentation.
Reference: