Booking.com replaced what appeared to be a bot-challenge/security page with its full Privacy Notice for Travelers, updated March 2026. The previous version showed a JavaScript security challenge rather than any readable privacy content, while the new version contains a comprehensive privacy statement covering data collection, processing purposes, user rights, and AI use. This matters because users can now actually read and understand how Booking.com handles their personal data.
Booking.com has published a comprehensive new Privacy Notice for Travelers covering how your personal data is collected, shared with third parties and group companies, used for AI and automated decisions, and what rights you have over it. The notice explicitly addresses specific markets including the US, California, and insurance products, giving more targeted transparency to those users. You can review the updated privacy notice on Booking.com to understand what data is collected about you and how to exercise your rights, including access, deletion, and objection.
You are now formally told why Booking.com collects your data and what legal justification they use.
Booking.com now tells you which other companies in its group and outside it receive your personal data.
+ 4 more obligation changes. Full breakdown available with Watcher.
Unlock — $9.99/mo →This is the first time a readable, comprehensive privacy notice has been accessible at Booking.com's privacy policy URL in the detected period, meaning travelers can now actually understand how their data is used, shared, and protected. The inclusion of AI, automated decision-making, and California-specific sections significantly expands the transparency travelers receive.
This is the 2nd significant Transparency Removal change Booking.com has made since ConductAtlas began monitoring.
Across all monitored documents, Booking.com has made 3 significant changes.
Booking.com now explicitly discloses how it uses artificial intelligence and makes automated decisions about travelers, triggering GDPR Art. 22 and EU AI Act transparency considerations.
A dedicated California section now addresses CCPA/CPRA rights including access, deletion, and opt-out of data sale or sharing.
The notice now formally discloses intra-group data sharing across the Booking Holdings corporate family, relevant to DPA and SCC obligations for partner organizations.
ConductAtlas Policy Archive Entity: Booking.com | Document: Booking.com Privacy Statement | Record: CA-C-000569 Captured: 2026-04-19 06:19:46 UTC URL: https://conductatlas.com/change/2026-04-19-bookingcom-bookingcom-privacy-statement-569/ Accessed: May 2, 2026
Unlock the full analysis
14-day free trial available.
Booking.com replaced a non-functional security-challenge page with a full Privacy Notice for Travelers on April 19, 2026, updated March 2026. The notice covers lawful bases under GDPR Art. 6 and Art. 9, cross-border transfers, AI and automated decision-making disclosures under GDPR Art. 22, and California-specific disclosures under CCPA/CPRA. It references data sharing within the Booking Holdings Inc. group and with third parties. Organizations with Booking.com in their vendor stack should confirm their DPAs and internal records of processing are consistent with the new notice. Attention is required for DPO review.
1. GDPR (EU) 2016/679 — Art. 13 (information to be provided at collection), Art. 14 (information from third-party sources), Art. 22 (automated decision-making and profiling, including AI), Art. 6 (lawful bases), Art. 9 (special category data), Art. 46 (cross-border transfer mechanisms), Art. 17 (right to erasure), Art. 21 (right to object).
Compliance intelligence locked
Obligation analysis, escalation trigger, board language, and recommended action.
Watcher: regulatory citations + obligations. Professional: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-000569.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Unlock full diff — Watcher $9.99/moBooking.com updated their Terms and Conditions on April 29, 2026 by removing the link and reference to 'Don't sell or …
Booking.com updated its privacy policy on April 23, 2026 to replace the general 'US (other than California)' section with a …
Booking.com replaced what appeared to be a security challenge page with their full Terms and Conditions document on April 23, …
We monitor 200+ platforms and archive every change — verified and timestamped.