Booking.com's privacy policy has been reorganized to separate US (non-California) residents from California residents, with California-specific protections removed and replaced with broader US state privacy language. New sections have been added describing data sharing related to a co-branded credit card product with Imprint Payments, Inc. Key consumer rights such as the ability to limit use of sensitive personal information have been removed from the policy.
The updated policy removes California residents' right to limit use and disclosure of sensitive personal information, which previously required Booking.com to restrict sensitive data use to what was necessary for service delivery. The policy now treats California residents under broader US state privacy rules rather than California-specific protections. Additionally, the policy now discloses data sharing with Imprint Payments, Inc. for a co-branded credit card program, meaning personal data will be shared with a third party acting as an independent controller when you apply for the card. You can review the card terms and conditions provided at application to understand how Imprint Payments will use your data before applying.
The removal of California-specific sensitive data protections narrows privacy rights previously available to California consumers and may require organizations using Booking.com to update their own privacy representations. The addition of credit card vendor disclosures introduces a new third-party data controller into the data processing chain, meaning personal data will be shared with an independent party not bound by Booking.com's own privacy commitments.
→ Review the credit card terms and conditions provided at application before applying for the Genius Reward Visa Signature card to understand how Imprint Payments, Inc. will use your personal data.
→ If you have concerns about Booking.com's use of sensitive personal information, contact Booking.com directly to ask about their current policies, as the policy no longer explicitly grants the right to limit such use.
→ You will no longer have explicit contractual language supporting a right to limit Booking.com's use of sensitive personal information (such as immigration status or health data) to only what is necessary for service delivery.
→ If you apply for the Genius Reward credit card, your personal data will be shared with Imprint Payments, Inc., an independent data controller, and you will have no contractual recourse against Booking.com for how Imprint uses that data.
→ Booking.com will no longer be required to disclose a right to opt out of cross-context behavioral advertising, though applicable law may still provide such a right depending on your jurisdiction.
Removed the right for California consumers to ask Booking.com to limit use of sensitive personal information to what is necessary for service delivery.
Removed explicit disclosure of the right to opt out of cross-context behavioral advertising.
Added disclosure that Booking.com shares personal data with Imprint Payments, Inc. for co-branded credit card processing, and that Imprint acts as an independent data controller.
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction. Methodology
You can no longer ask Booking.com to restrict sensitive data (like immigration status, health, or sexual orientation) to only what is necessary to provide services.
The policy no longer explicitly states you can ask Booking.com not to use your data for behavioral advertising across different websites and apps.
+ 1 more obligation changes. Full breakdown available with Watcher.
Track changes →This change removes explicit language protecting sensitive personal information in California and restructures regional privacy disclosures to treat California residents under generic US state privacy frameworks rather than California-specific law. It adds a new vendor disclosure for credit card processing (Imprint Payments, Inc.) and clarifies that this third party acts as an independent data controller. Organizations using Booking.com as a vendor should evaluate whether this change affects their own privacy notices, data processing agreements, or vendor management obligations. The removal of the sensitive data limitation right may narrow protections previously available to California consumers and could affect how organizations dependent on Booking.com's privacy commitments represent their own data practices.
CCPA/CPRA (California Consumer Privacy Act/California Privacy Rights Act); US state privacy laws (Connecticut, Colorado, Delaware, Indiana, Iowa, Michigan, Mississippi, Montana, Ohio, Tennessee, Utah, Virginia); FTC Act Section 5 (unfair or deceptive practices standard)
Full compliance analysis
Obligation analysis, escalation trigger, board language, and recommended action.
Watcher: regulatory citations + obligations. Professional: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-001387.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Full diff — WatcherThe detected change in Booking.com's published document consists entirely of technical updates to nonce values and timestamp parameters in the …
Booking.com's Terms and Conditions document appears to have been replaced with an error page or security challenge page on May …
Booking.com's privacy statement update on May 7, 2026 involved a technical modification to security scripting nonce values that protect against …
Get alerted when this policy changes again — including what changed and why it matters.
Prefer a weekly summary instead?
Get the biggest policy changes across 320+ platforms every Sunday.