Gusto updated its Privacy Policy on April 24, 2026 with significant new language clarifying how the policy applies and when it does not. The policy now explicitly states it applies when you access Gusto's platform, create an account, or communicate with Gusto, but does not apply when Gusto processes data on behalf of customer employers. The update also adds contact information for privacy questions and acknowledges that the policy will be updated as practices change.
The updated policy clarifies an important boundary: if you access Gusto through your employer's account for payroll processing, Gusto's Privacy Policy may not govern how your personal information is handled in that context. Instead, you would need to direct privacy concerns to your employer rather than to Gusto directly. The policy now provides a clear contact method (privacy@gusto.com) for users who have privacy questions about Gusto's direct practices, making it easier to understand who to contact depending on your relationship with Gusto.
This change clarifies a critical boundary in data responsibility: if you access Gusto through your employer's payroll account, Gusto's Privacy Policy may not protect you directly because Gusto acts as a processor, not controller, of your data. Understanding this distinction is essential for knowing whether to contact Gusto or your employer with privacy concerns, and for employers to understand their own data governance obligations.
→ Determine whether you access Gusto as a direct user (creating your own account) or through your employer's account for payroll processing.
→ If accessing through your employer's payroll account, direct privacy questions and concerns to your employer's HR or privacy team rather than to Gusto at privacy@gusto.com.
→ If accessing Gusto as a direct user, you can contact privacy@gusto.com with privacy questions.
→ If you send privacy inquiries to Gusto regarding payroll data processed through your employer's account, Gusto may redirect you to your employer, delaying resolution.
→ Your employer may not have adequately communicated to you that they, not Gusto, control your payroll data privacy, leaving you uncertain about your rights.
ConductAtlas has recorded 2 material changes to this document (since April 2026). An additional minor or cosmetic changes were excluded.
Privacy Policy does not apply when Gusto processes data as a processor on behalf of customer employers; employer becomes primary responsible party for employee privacy.
Accessing or using Gusto's platform now constitutes acknowledgment that you have read the Privacy Notice and agree to its practices.
Adds explicit contact information (privacy@gusto.com) for privacy inquiries and clarifies circumstances under which users should contact their employer instead.
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction. Methodology
Using Gusto's services counts as your agreement to how they handle your data according to their Privacy Notice.
If you're an employee accessing Gusto through your employer, your employer, not Gusto, controls your payroll data and should answer your privacy questions.
Gusto substantially expanded its Privacy Policy on April 24, 2026 by adding 120 sentences clarifying scope, applicability, and contact procedures. The most significant substantive addition is an explicit carve-out: the Privacy Policy does not apply when Gusto acts as a data processor on behalf of customers (employers). This distinction aligns with GDPR and CCPA frameworks that differentiate between data controller and processor roles. Employers using Gusto become the primary data controller for employee information, while Gusto may act as processor under a data processing agreement. Organizations that include Gusto in their vendor ecosystem should verify that data processing agreements (DPAs) are in place and clearly allocate controller and processor responsibilities, particularly for payroll and employee data. The policy expansion also establishes new user acknowledgment language (accessing the platform constitutes agreement to privacy practices), which may trigger consent-management review.
GDPR (Articles 4(7), 4(8), 28 regarding controller/processor distinction), CCPA (distinction between business and service provider roles), state privacy laws (similar controller/processor frameworks)
Full compliance analysis
Obligation analysis, escalation trigger, board language, and recommended action.
Watcher: regulatory citations + obligations. Professional: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-001421.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Full diff — WatcherGusto's privacy policy was updated on May 9, 2026 to add two new document references in its table of contents: …
Gusto updated its Terms of Service on May 9, 2026 with five technical corrections. The changes include updating contact email …
Gusto updated two email addresses in their Terms of Service contact sections on May 6, 2026. The opt-out form submission …
Get alerted when this policy changes again — including what changed and why it matters.
Prefer a weekly summary instead?
Get the biggest policy changes across 320+ platforms every Sunday.