Governance documents monitored across 300+ platforms and digital services.

Why it matters: The updated Terms of Use no longer explicitly describe cookie preferences or chat functionality data requirements, shifting these disclosures to the separate Cookie Policy. Under GDPR and UK GDPR, organizations must provide clear, accessible information about cookies and data collection before obtaining consent. The removal of this language from the primary Terms document may create compliance risk if the separate Cookie Policy does not adequately address all required transparency and consent obligations.

Why it matters: The updated terms establish a reduced disclosure posture regarding cookie and data collection methods on the American Airlines website. Previously, the terms explicitly stated that certain cookies are essential and cannot be rejected, explained how performance cookies track site usage, and described how functional cookies store user preferences. The removal of these disclosures narrows the transparency available to users in the public-facing terms, which may create compliance questions under CCPA, GDPR, and FTC standards that require clear, accessible disclosure of data collection practices.

Why it matters: The updated policy establishes more explicit, structured disclosure of which personal information categories are collected and shared with specific recipient types. This shifts from a referential approach requiring readers to locate information across multiple sections to a consolidated table format, which may strengthen compliance with state privacy law transparency requirements and provides users clearer visibility into data sharing practices.

Why it matters: The updated Terms footer removes a direct navigation link to CCPA 'do not sell or share' disclosures, which may affect how readily California residents can locate and exercise their statutory privacy rights. California law requires covered businesses to provide an accessible mechanism for such requests; removing a prominent footer link could complicate that access and create regulatory compliance questions.

Why it matters: The updated terms establish explicit and binding mandatory arbitration for all disputes, eliminating access to court proceedings and class action lawsuits. This is a material change in how disputes will be resolved and affects the practical remedies available to users when disagreements arise.

Why it matters: The updated terms establish automatic enrollment in asset staking for eligible tokens, shifting from the prior language that stated staking was optional and required explicit user designation. This change means users must take affirmative action (opt out) to prevent their assets from being moved into staking arrangements, and it introduces a July 1, 2026 deadline for users to take that action. The 14-day advance notice requirement for material changes starting July 1, 2026 also creates a new notification window for future policy modifications, though the scope and enforceability of that requirement will depend on applicable state and federal regulations.

Why it matters: The updated policy narrows the stated scope of Data Privacy Framework participation, which may affect the legal mechanisms available for transferring personal data from regulated regions to Smartsheet. Organizations processing EU, UK, or Swiss data through Smartsheet should verify whether this change introduces gaps in documented lawful transfer mechanisms, particularly if non-U.S. affiliates are involved in data handling.

Why it matters: The updated terms expand the category of data Mixpanel may classify and use as Usage Data by removing the prior contractual exclusion of individually identifiable information. Organizations that relied on this exclusion to limit how Mixpanel could use personal data must now reassess their vendor agreements and privacy controls. Under privacy regulations like GDPR and CCPA, the reclassification of individually identifiable data may trigger new obligations if the organization lacks a lawful basis for such expanded use.