CX Works

CX Works brings the most relevant leading practices to you.
It is a single portal of curated, field-tested and SAP-verified expertise for SAP Customer Experience solutions

Social Login: Extended Data Permissions

6 min read


When a user logs in socially to a website, their social data can be accessed by the site owner, depending on which permissions have been granted. The data a website can access by default is limited to the public profile, which usually consists of the name and the user's profile picture. In most cases websites, also request additional permissions to retrieve the user's email address. Any further permissions will require passing a review process from the social network in question. In this article, we will go through the best practices around retrieving these extended permissions.

Table of Contents

What are Extended Permissions?

Extended permissions enables a website to gather what is considered sensitive user data from their users' social profile and enrich their user accounts. Usually, this is the data that the user does not keep public on his social network profiles.  In order to capture this data, social providers include a separate screen in the user login flow will have to include a separate screen where the user can agree or refuse to grant these extended permissions. It is important to note that an application cannot ask users for extended permissions without proving to the social network that the data that will be captured will visibly personalize the experience of the user in the application – if there is no plans enhance the experience, then we advise not to even bother applying for extended permissions as the request will be rejected.

This is an example extended permissions request screen where the user is asked to share their public profile, email address and likes with the website.

Best Practices

Plan in Advance

In order to receive extended permissions, an application will have to be reviewed by the social network's team to ensure there is no misuse of user data. This review  process could be quite laborious and can sometimes take up to a few weeks depending on the social network. There will most likely be some development required from your team in order to justify and prove that the retrieval of extended permissions will enhance the user experience.

For example, Facebook requires the application to show, using a working demo, a valid use case outside of marketing for the user to give access to their permissions. This is why we recommend to start the review process early, and be aware that it their might take some back and forth with Facebook before the permissions are granted. 

The review process can take a few weeks to complete, do not leave this task to the last minute

Only Request Essential Permissions 

As discussed above, because the review process for extended permissions is quite laborious, it is important to work with all of your stakeholders to make sure that the permissions are required for the proper functioning of your application. It is also essential to figure out how these extended permissions will enhance the user experience. This is because, every extended permission required will be subject to social provider's scrutiny. We also do not want to scare off users at registration by requesting too much of their personal data. The more data you request from your users the higher drop off rate at registration will be observed, so we recommend to be very mindful of what data is requested from the user.

Never Rely on Extended Data

We strongly advise to design a registration system that does not need the extended permissions from social at all.  At best, only 50% of users will ever utilize social login and users also have the option to reject granting these permissions, so the application needs to design a system that captures the additional data for everyone by default. Also, the application will need to be very mindful in differentiating between the data points that are mandatory for the site's proper functioning and the data that are nice to have.

For example, if a site selling alcohol requests the permission to retrieve a user's age, and the user rejects granting this permission, it will be important for the site to handle the rejection properly and force the user to manually enter his age in a registration completion form in order to complete his registration. If however, the permission is just there to enhance the user experience and is not mandatory, the site can proceed with registering the user even without the granted permission.

All of the mandatory data to be collected at registration should be set as required in your data schema. These fields should also be present in your complete registration screen. This is to make sure all of the mandatory data is retrieved in all scenarios of the registration.


Most implementations will not need required extended permissions in order to function properly. This is because the most valued user data (user name and email address) are usually provided by default by the social networks without having to go through an extended review process. If your application does require some extended permissions, we recommend to only request the essential permissions and to plan the review process well in advance.

Furthermore, social data will only ever be available for a subset of users and because we don’t recommend designing personalized experience for “just some users”, you should never rely on social data.  Our advice is to design a personalized app experience and a method to capture data needed for this personalized experience directly into the app.  Social is just an avenue to simplify login, and should not be considered as a data source.