Substack's updated privacy policy removes language describing a one-month response timeline for certain privacy rights requests and eliminates explicit disclosure about sharing account identifiers with child safety consortia. The policy now states that recipients of direct messages may keep those messages even if the messages are deleted or the account is removed, without the prior qualifying language that noted this despite platform functionality. The updated terms no longer specify response deadlines or detail the child safety data sharing practice.
The updated policy no longer commits to responding to privacy rights requests within one month or within three months for complex requests. This removes a procedural timeline that previously bound Substack's response obligations. Additionally, the explicit disclosure that Substack shares account identifiers with child safety consortia to detect online child sexual exploitation has been removed from the policy, though the practice itself is not stated to have ended. The direct message retention language is now framed more directly: recipients may retain messages even if you request deletion or close your account.
The removal of response timelines for privacy rights requests eliminates a compliance commitment that operationalized GDPR and UK DPA obligations, creating ambiguity about what timeline now applies when users exercise data subject rights. The removal of explicit child safety consortium disclosure eliminates transparency about a data processing practice, which may affect users' ability to understand what data is shared and for what purpose, and may create compliance questions under transparency-focused regulations like GDPR Article 14.
→ Request clarification from Substack support on response timelines for privacy requests (access, correction, deletion, objection)
→ Substack is no longer bound by its stated one-month response commitment, and response timelines will be determined by applicable law or Substack's discretion
→ Users will no longer have explicit disclosure within Substack's privacy policy describing whether or how account identifiers are shared with child safety organizations
Removed commitment to respond within one month, or three months for complex requests with notification of delay
Removed explicit description of sharing account identifiers with child safety consortia for OCSEA detection
Clarified that recipients may retain messages even if sender requests deletion or closes account
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction.
Substack no longer commits to a specific timeframe for responding when you ask to access, correct, or delete your data.
The policy no longer explicitly describes the practice of sharing identifiers with child safety organizations.
This change removes compliance commitments that appeared to operationalize GDPR and UK DPA response obligations (Articles 12(3), 12(4); Data Protection Act 2018 Section 45) and eliminates explicit disclosure of a data processing practice tied to child safety. EU and UK organizations relying on Substack services should evaluate whether removal of stated response timelines creates gaps in their own data subject rights fulfillment obligations or vendor accountability structures. The removal of child safety consortium disclosure may also engage regulatory scrutiny under GDPR Article 14 (information to be provided where personal data have not been obtained from the data subject) and UK Data Protection Act transparency requirements, depending on how regulators interpret the relationship between disclosed practices and legal obligations to disclose them.
GDPR (Articles 12, 14, 32), UK Data Protection Act 2018 (Sections 45, 57), CCPA (California Consumer Privacy Act, disclosure and response time provisions), FTC Act Section 5 (unfair or deceptive practices)
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-001927.
The navigation footer of Substack's privacy policy page was updated on May 19, 2026 to include comparative product links. Specifically, …
Substack's Terms of Use footer navigation was updated on May 19, 2026 to add comparative product links. The footer now …
Substack updated its privacy policy on May 15, 2026 to disclose that it shares account identifiers with child safety industry …