Booking.com replaced a technical security challenge page with a substantially expanded privacy notice on April 19, 2026. The new document added approximately 516 sentences of privacy policy content covering data collection, processing purposes, user rights, cookie usage, AI decision-making, and data protection practices. This represents a comprehensive rewrite or major expansion of Booking.com's privacy disclosure to travelers.
Booking.com's expanded privacy notice provides substantially more detail about what personal data it collects from travelers, how it uses that data, what rights travelers have, and how the company protects information. The updated notice explicitly addresses cookie usage, artificial intelligence and automated decision-making, data sharing within the Booking Holdings group and with third parties, and specific regulatory disclosures for markets like California and the EU. Travelers can review the full notice to understand their data rights and contact options before booking.
The expanded privacy notice provides substantially more detail about what data Booking.com collects from travelers, how it uses that data (including for AI-driven decisions), who it shares data with, and what rights travelers have. For travelers considering booking through Booking.com, the additional transparency allows more informed decisions about data privacy before committing to a reservation.
→ Review the expanded privacy notice to understand what data Booking.com collects and how it is used, particularly if you have concerns about AI-driven recommendations or data sharing across the Booking Holdings group
→ Check the notice for information about your rights (access, correction, deletion, objection) and contact information for Booking.com's data protection team if you wish to exercise those rights
→ You may not understand the full scope of data Booking.com collects about your travel preferences, payment information, and browsing behavior
→ You may not be aware of how Booking.com uses your data in automated decision-making (such as personalized price recommendations) or how widely it is shared within the Booking Holdings corporate group
Across all monitored documents, Booking.com has made 3 significant changes.
2 of Booking.com's significant changes have been classified as negative for consumers.
Expanded notice specifies personal data Booking.com collects directly, from users about others, automatically via website/app, and from third-party sources
Added new section disclosing Booking.com's use of AI and automated decision-making affecting travelers
Expanded disclosure of how traveler data is shared internally across Booking Holdings Inc. subsidiaries and with external third parties
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction. Methodology
Booking.com substantially expanded its privacy notice on April 19, 2026, adding 516 sentences of disclosure covering data collection sources, processing purposes, legal bases, internal and external data sharing, cookie and tracking technology use, AI-driven automated decisions, minor protection practices, and consumer rights. This expansion likely reflects compliance obligations under GDPR, CCPA, UK GDPR, and other privacy frameworks that require specific disclosures about data practices. Organizations processing traveler bookings through Booking.com or its partners may need to review how the expanded disclosures affect their own privacy statements and data processing agreements, particularly regarding data sharing across the Booking Holdings group and with identified third parties.
GDPR, CCPA, UK GDPR, COPPA (regarding minors), EU AI Act (if automated decisions involve profiling or significant effects)
Full compliance analysis
Obligation analysis, escalation trigger, board language, and recommended action.
Monitor: regulatory citations + obligations. Compliance: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-000569.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Full diff — MonitorThe change appears to be a technical update to Booking.com's WAF (Web Application Firewall) challenge page, updating nonce values and …
The detected change consists of updates to nonce values and timestamps in the HTML security infrastructure of Booking.com's challenge page, …
The detected change in Booking.com's published document consists entirely of technical updates to nonce values and timestamp parameters in the …
Get alerted when this policy changes again — including what changed and why it matters.
Prefer a weekly summary instead?
Get the biggest policy changes across 320+ platforms every Sunday.