Google announced last week that it would be making major changes to the Gmail API platform.

Moving forward, the company said, any Gmail Add-on apps that request access to Google user data must adhere to a new set of security standards, limiting the purposes for which this data can be used.

The timing of this announcement closely coincided with last week's news of a Google+ data breach, in which a bug may have granted unauthorized access to the private data of nearly half a million Google+ users.

Here's a closer look at the new rules -- and what marketers should know about Google's growing privacy efforts.

Google's New Rules for Gmail App Developers

Perhaps the biggest change to stem from these new rules is the data usage restriction. Google has previously faced some controversy over how it uses Gmail user data, including user email content.

In 2017, the company said that consumer Gmail content wouldn't be used or scanned for any ad targeting purposes after this change. But in September, it was revealed that third-party Gmail apps were still permitted access to these emails for the purposes of ad personalization -- with user consent.

First, Gmail has changed the way users are asked for their consent for these apps to access their data. Instead of a single "sign in with Google" screen, each item to which the app is requesting access -- e.g., Google Docs, Google Calendar, Gmail, et cetera -- will have its own permission dialog box.


Source: Google

But the biggest change may lie within which apps are still allowed to even ask for permission in the first place. Google has strictly limited the type of app that can access this data -- and among those who can, the use of that data is limited.

According to Google's official user data policy, the types of apps listed below are permitted to request access to Gmail user data:


Source: Google

Essentially, only apps that directly apply to regular email functions -- like reading, writing, or sending messages -- or otherwise aid email "productivity" are considered "appropriate access" to Gmail user data. However, these app developers must still comply with data usage standards -- listed in full here -- including some that ban humans from viewing or reading this data without clear-cut, direct consent from users. 

What is not allowed under the new rules, Google says, is accessing user data by any app for the purposes of ad targeting, market research, or email campaign tracking.

The new rules will take effect on January 9, 2019, leaving developers just under two months to make necessary changes. 

What Marketers and Businesses Should Know

To put these changes into context, one example of an app that could be impacted is the aforementioned Gmail plug-in.

Originally designed to help automate the process of unsubscribing users from newsletters with which they weren't engaging, the New York Times reported last April that the app actually collected email content data -- like ride-hailing app receipts -- from the users who had installed the plug-in. That data was then reportedly used for market research on behalf of the plug-in's parent company, Slice Intelligence.

That type of app behavior and data access, under Google's new rules, is no longer permitted.

Any app that does not wholly abide by the permitted types and capabilities (and corresponding data access rules) dictated by Google will have to be re-submitted for review by a third-party security assessor -- which the company estimates to cost developers anywhere between $15,000 and $75,000. 

If developers don't agree to the security assessment, Google says, their "access to all covered API scopes will be disabled for consumer accounts."

While that might seem an excessive and inaccessible price point for startup or emerging developers with limited budgets, overall, these changes could represent a broader step in the right direction.

Google is hardly the first to enforce API and app developer restrictions of this kind. Facebook, when faced with the improper harvesting of personal user data by voter profiling firm Cambridge Analytica, enforced a somewhat similar app review process -- in the name of, the company said, user safety and security.

"It's not surprising to see a crackdown on this sort of data usage, given the level of privacy risk in the market right now," says HubSpot VP of Marketing Jon Dick. "Although it may be painful for some developers, I think it's positive that Google is prioritizing end-user experience."

As for what steps marketers and small-to-midsize businesses (SMBs) can take -- both proactively and in response to this growing number of privacy-oriented changes by Big Tech companies -- Dick says there are a few key takeaways. 

"One of them, which is not new, is that it's risky to build your business solely based on data from another company," he advises. "We've seen platform changes from Facebook and Twitter impact SMBs before, and now, you can add Google to the list."

But there's also an upshot to developers, marketers, and SMBs here -- and it comes in the form of gaining your audience's confidence in your product, service, or brand, even if it means reformulating strategies and plans now.

That's what Google appears to be aiming for with these changes.

"By ensuring that users get value back when they provide their data," Dick says, "Google can start rebuilding trust with customers."

We are evaluating this news and its implications on HubSpot and its ecosystem.

Featured image credit: Google

Originally published Oct 16, 2018 9:57:31 AM, updated December 11 2019