Recent Policy Changes

Why it matters: The updated policy establishes that Affirm qualifies as a financial institution under federal banking law, which may limit the applicability of state privacy laws to Affirm's core lending operations. The policy also newly discloses sharing of personal information with fraud prevention and identity verification providers, expanding transparency about third parties that receive consumer data.

Why it matters: The updated policy formalizes ClickUp's recognition of data subject rights under GDPR and equivalent frameworks, providing users and regulators with explicit legal reference points for exercising control over personal data. Organizations that process customer data through ClickUp should verify the formalized rights are reflected in their DPAs and privacy notices to ensure compliance obligations are accurately stated.

Why it matters: The removal of explicit statements about AI training and data disclosure reduces the policy's stated transparency regarding how user data informs Meta's AI systems and which parties receive user information. Under GDPR and CCPA, privacy policies are required to clearly disclose data collection, processing purposes, and automated decision-making practices. The absence of these previously stated disclosures may create compliance ambiguity and complicates user understanding of how their data is used.

Why it matters: The updated policy formally expands Gusto's privacy disclosures to cover retirement account management and establishes Stripe as a named financial data processor, requiring users to understand that bank data flows to Stripe under Stripe's terms. The restructured guidance on when separate notices apply (service provider, employer, co-employer contexts) clarifies governance boundaries, but also implies that different privacy rules may apply depending on the user's relationship to Gusto, which customers and users should verify. For organizations contracting with Gusto, these changes may require updates to vendor documentation, employee privacy notices, and data processing agreements.

Why it matters: The updated terms eliminate the ability for sellers to litigate contract disputes in California courts and instead require all disputes to proceed through arbitration as defined in Whatnot's main Terms of Service. This change affects how sellers can seek remedies for breach of contract, payment disputes, or other claims, and likely reduces their access to discovery, jury trial, and appeal procedures available through traditional litigation. Additionally, the explicit definition of a 30-day programming/content gap as a material breach clarifies grounds for suspension or termination that previously may have been less defined.

Why it matters: The updated terms establish mandatory individual arbitration as the exclusive dispute resolution method for sellers, removing access to California courts and jury trial rights. This materially changes the cost, timeline, and procedural options available to sellers if conflicts arise with Whatnot regarding content commitments, account status, or contract interpretation.

Why it matters: The updated terms establish new customer obligations to manage database engine lifecycle and upgrade to supported versions, with AWS authorized to take unilateral action (delete instances) on unsupported software after notice. This creates operational risk for customers with legacy databases or limited maintenance resources, and shifts liability for extension-related failures from AWS to customers.

Why it matters: The updated terms establish that BeePitched processes personal data from users and non-users, including names, phone numbers, and photos, in a feature that enables shared profiles about individuals. The disclosure describes what data is collected and how it is used, which addresses transparency requirements under privacy frameworks like GDPR and CCPA. However, the disclosure does not explicitly describe consent mechanisms, user rights, or controls to opt out of being featured, which may create compliance gaps depending on jurisdiction.

Why it matters: The updated terms establish a material change in how SoFi collects consent for tracking technologies. The shift from opt-in to opt-out consent means users must now affirmatively decline tracking rather than affirmatively accept it. The explicit disclosure of data sharing with advertising partners provides clarity about downstream data destinations, but the opt-out consent structure may create compliance risk under CCPA/CPRA, which generally requires affirmative opt-in consent for nonessential tracking.

Why it matters: The updated statement removes a documented opt-out mechanism for advertising cookies and eliminates explicit disclosure of data sharing (IP addresses, device identifiers) with advertising partners. These removals reduce transparency about consent options and data practices previously disclosed to users, creating potential compliance exposure under FTC Act Section 5 (material omissions) and state privacy laws (CCPA, CPRA) that require disclosure of data practices and opt-out rights.

Why it matters: The updated terms establish explicit, prominent acceptance of mandatory arbitration as a condition of using SoFi's platform. Previously, while arbitration may have applied through incorporation by reference, it was not named in the primary acceptance clause. This change makes the arbitration requirement more transparent and removes ambiguity about whether users have agreed to binding arbitration.

Why it matters: The removal of explicit disclosure about AI training data use reduces the transparency provided to users in this specific policy document about how their support interactions may be processed. Under GDPR and CCPA, clear disclosure of data processing practices is a legal requirement, so the removal of this language may create questions about whether adequate notice is being provided elsewhere in Meta's documentation.

Why it matters: The updated terms establish explicit compliance obligations for customers using Amazon Connect Talent, a generative AI tool for employment decisions. Rather than treating Connect Talent as a standard AWS service, the terms now require customers to independently ensure legal compliance with employment discrimination law, data privacy regulation, and emerging AI governance frameworks, implement documented consent and appeal processes for job applicants, review all AI recommendations before making hiring decisions, and notify AWS of legally mandated data deletions. This represents a shift toward customer accountability for AI-driven hiring outcomes and creates material compliance and operational obligations that organizations must integrate into their HR processes and vendor management.

Why it matters: The updated terms formalize Mercury's ACH payment processing timeline for merchants, establishing that incoming invoice payments will not be immediately available. Merchants relying on Mercury Invoicing for cash flow should understand that funds may be held for up to 4 business days while Mercury assesses transaction risk, which directly affects liquidity management and payment reconciliation.

Why it matters: The updated agreement restructures how eBay's policies bind users by explicitly incorporating external policies into the core User Agreement, clarifies which eBay legal entity users contract with by jurisdiction, and emphasizes mandatory arbitration and class action waiver provisions. This materialization of dispute resolution and policy incorporation provisions in the main agreement makes the terms more prominent and may affect users' understanding of their rights and obligations.

Why it matters: The removal of explicit disclosures about cookie use and data sharing partnerships reduces the transparency statements previously made in Duolingo's policy. The removal of the Do Not Sell button is operationally significant because CCPA and similar state laws may require companies to provide consumers with an opt-out mechanism. The absence of these disclosures in the updated policy creates potential compliance questions depending on whether replacement language exists elsewhere and whether actual data practices have changed.

Why it matters: The updated policy removes specific disclosures about advertiser data sources and account-level control mechanisms that were previously documented. This narrows the transparency of how ad targeting operates, which may affect user ability to manage data practices and may create compliance questions under FTC and state privacy law standards that require clear, accessible disclosure of ad targeting and data sources. The shift toward broader marketing language without equivalent specificity represents a reduction in documented user control and data source transparency.

Why it matters: The updated policy establishes explicit consent requirements and disclosures around AI training uses. Previously, this processing activity was not clearly disclosed in the privacy policy. The change clarifies Meta's authority to use conversational data for AI improvement and links user consent to separate AI terms, which operationally affects how user data flows into Meta's AI training infrastructure.

Why it matters: The updated terms now require users to warrant that all personal information they provide to Medium has been lawfully collected with required notices and consents obtained. This expanded warranty creates liability exposure for users who submit third-party data without proper consent documentation and may increase Medium's ability to enforce data compliance requirements across all user submissions, not just newsletter editor materials.

Why it matters: The complete removal of Cohere's Usage Policy eliminates the primary posted reference document defining prohibited conduct and enforcement procedures. Organizations relying on this policy as part of vendor governance, data processing agreements, or child safety compliance frameworks will need to identify alternative documentation or establish independent usage restrictions. The removal of child safety prohibitions from the public policy creates potential regulatory and reputational risk, particularly under COPPA if Cohere Services are used by or on behalf of minors.

Why it matters: Intuit consolidated cookie and advertising tracking disclosures from its main privacy statement into a separate document, reducing inline transparency about how user data is collected and shared with advertising partners. This consolidation may affect how clearly users understand Intuit's tracking and targeting practices, and may impact regulatory compliance assessments under CCPA and GDPR, which typically require prominent, accessible disclosure of data sharing for targeted advertising.

Why it matters: The updated terms explicitly establish that England-based users will have disputes administered through London arbitration under New York law, removing prior ambiguity about which arbitration institution and governing law would apply to England-based disputes. For organizations using Unity as a vendor, this clarification may require verification that customer-facing terms accurately reflect the arbitration procedures now stated in Unity's updated terms.

Why it matters: The removal of explicit unsubscribe language eliminates a documented mechanism users could rely on to manage communications. Under GDPR, CCPA, and CAN-SPAM, clear opt-out mechanisms are generally required for marketing communications; the removal of this disclosure may create compliance questions if unsubscribe functionality is no longer available or if the company's actual practice diverges from the new silence on the topic.

Why it matters: The restructured Terms of Service clarifies the document's function as a binding legal agreement and removes marketing content that may have created ambiguity about what constitutes contractual obligations versus promotional messaging. This formalization generally improves clarity about the legal framework governing service use, though users should verify the current status of promotional programs through non-terms channels.

Why it matters: The updated terms establish that reserved capacity purchases create binding noncancellable payment obligations that persist even if the AWS agreement terminates, removing any termination-based exit mechanism for these commitments. The explicit authorization to retain Kiro Free Tier inputs for 60 days establishes a data retention and processing practice that may affect privacy compliance obligations for organizations processing regulated data through Kiro.

Why it matters: The updated terms establish explicit disclosure of a previously less-detailed advertising data-sharing practice: TurboTax now states it may share IP addresses and device identifiers with advertising partners. This disclosure creates transparency about how user data is used for targeted advertising and acknowledges that such practices may trigger privacy law requirements in certain jurisdictions. The addition of an opt-out control for advertising cookies provides users a mechanism to limit certain tracking, though the policy makes clear that essential website cookies cannot be refused.

Why it matters: The updated privacy notice establishes explicit disclosure and consent mechanisms for pixel tracking and advertising partner data sharing that previously were either not disclosed or described in more general terms. The change shifts the consent model so that users must affirmatively select preferences; failing to do so means you agree to all tracking and data sharing as described. This affects how user interaction data is collected and shared for marketing and analytics purposes.

Why it matters: The introduction of BYOC Deployment and redefinition of Hybrid Deployment clarify infrastructure control options, allowing enterprises to evaluate data residency and operational control tradeoffs more precisely. The explicit extension of data-use restrictions to exclude LLM training directly addresses a key concern in AI governance and may affect how organizations assess vendor compliance with their own AI governance frameworks. The expanded non-warranty clause removes guarantees of accuracy and completeness, which affects what assurances customers can rely on operationally.

Why it matters: The updated terms establish a new user control mechanism over data sharing and secondary use, which operationally empowers users to restrict how their data flows to third parties and how it is deployed for new purposes. The explicit FTC oversight disclosure establishes regulatory transparency about which federal authority has enforcement jurisdiction over Segment's privacy practices. For organizations using Segment as a vendor, these changes may require privacy notice updates to ensure customer-facing representations remain accurate.

Why it matters: The updated terms establish explicit FTC oversight disclosure and introduce a user-accessible opt-out mechanism for third-party data sharing and materially different uses. These additions operationalize user data control rights and clarify regulatory accountability, which may affect how Twilio customers communicate data practices in their own policies and how data subject requests are processed.