Since the end of 2025, VK has switched to the .ru domain and updated its login application. The settings now also allow connecting authorization via Mail.ru and OK. The legally significant changes that follow from this are analyzed below.
1. Obligation to Provide Documents Within 3 Calendar Days
Sections:
- In PDF (Odnoklassniki): Section 3.3.1
- In text agreement (Mail.ru): Section 3.3.1
“Within a period not exceeding 3 (three) calendar days from the date of receipt of the Company’s request, provide properly certified copies of documents confirming the information provided by the Partner during application registration.”
What This Means in Practice:
- When registering an application, you provide data:
  - For individuals: Full name, passport details, contact information.
  - For legal entities: Company name, OGRN/INN, address, etc.
- If VK/Mail.ru requests verification of this data (e.g., due to suspected fraud, bulk registration, or rule violations), you must send scanned documents (passport, extract from EGRYUL, power of attorney, etc.) within 3 days.
- Risk: Failure to comply results in unilateral suspension or blocking of API and OAuth access (Section 3.2.2 of both agreements) without prior notice; notification comes only afterwards.
Recommendation:
- Prepare your document set in advance.
- Ensure that during application registration, you provide accurate and verifiable data — otherwise, verification requests are almost inevitable.
2. Requirement to Obtain Explicit User Consent for Personal Data Transfer
Sections:
- OK PDF: Section 3.3.4
- Mail.ru: Section 3.3.4
The Partner must obtain explicit user consent (including under Federal Law No. 152-FZ) for the transfer of their data from the Company’s services. The explicit consent includes:
- Scope of requested data (email, name, photo, etc.)
- Purpose of processing
- Link to your privacy policy
Critically Important:
- You cannot automatically transfer data (e.g., email) without separate, informed user consent — even if the user clicked “Sign in via OK/Mail.”
- Consent must be obtained via a separate checkbox before or alongside the login button, with clear wording, for example:
“I agree to the transfer of my data (name, email, profile photo) from Odnoklassniki/Mail.ru for login to example.com and processing in accordance with the Privacy Policy.”
- You are not permitted to request excessive data (Section 3.3.5): for example, requesting birth date if it is not needed for authentication.
3. Prohibition on Modifying Logos, Buttons, and UI Elements
Sections:
- OK: Section 3.3.3
- Mail.ru: Section 3.3.3
Prohibited:
- Hiding or altering logos (“Sign in via OK” → cannot be renamed to “Quick Login”),
- Removing hyperlinks to OK/Mail,
- Using unofficial buttons and images.
Solution:
- Always use the official UI kits and buttons provided in the documentation.
4. Restrictions on Use of User Data
Sections:
- OK: Section 3.3.6
- Mail.ru: Section 3.3.6
Prohibited:
- Storing, processing, or transferring user data (email, name, etc.) obtained via OAuth to third parties if not required for authentication and not specified in the agreement.
- Using data for newsletters, analytics, advertising profiles — without additional consent.
Example of Risk:
If you receive an email via OAuth and immediately add it to a newsletter — this is a violation.
Solution:
- Clearly separate:
  - Data for login (only for authentication),
  - Data for further use (newsletters, profiles, etc.) → must be collected separately, with separate consent.
5. Agreement Governs “As Is” — No Guarantees or Liability
Sections:
- OK: Section 5.1
- Mail.ru: Section 3.2.3
The Company does not guarantee uninterrupted operation and assumes no responsibility for outages, data leaks, blocks, etc.
What to Do:
- Do not rely on OAuth as your sole login method. Always maintain a fallback (e.g., email + password).
- In UI, inform users: “Sign-in via OK is temporarily unavailable — please try again later or use another method.”
Summary: Critical Points Requiring Your Immediate Attention
| # | Action | When | Risk |
|---|--------|------|------|
| 1 | Prepare and, if necessary, send certified documents | Within 3 days of request | API/OAuth blocking |
| 2 | Obtain explicit user consent for data transfer | Before authentication | Penalties under Federal Law 152-FZ, blocking via complaints |
| 3 | Use only official buttons and UI | Immediately | Application accreditation denial |
| 4 | Do not use obtained data beyond authentication | Ongoing | Blocking + complaints from regulators |
| 5 | Follow official instructions and rules | Ongoing | Risk of suspension without prior notice |