Substack updated its privacy policy on May 5, 2026 to disclose that it shares account identifiers with child safety organizations to detect child sexual abuse material, added a one-month deadline for responding to privacy rights requests, and clarified that direct message recipients may retain messages even after deletion. The policy also now specifies that only material changes to the privacy policy will trigger user notification.
Substack now discloses that it shares account identifiers, such as email addresses and usernames, with trusted industry child safety organizations to detect and prevent online child sexual exploitation and abuse. The policy also establishes that Substack will respond to privacy rights requests within one month, or up to three months for complex requests, providing more certainty about response timelines. Additionally, the policy clarifies that direct message recipients may retain messages even if you request deletion or delete your account, which is now explicitly stated rather than implied.
The policy now transparently discloses a new data sharing practice that affects all users' email addresses and usernames, and establishes formal timelines for exercising privacy rights that previously had no guaranteed deadline. This clarifies both what Substack does with user identifiers and what users can expect when requesting data or privacy rights.
Substack now explicitly states it shares account identifiers with child safety organizations to detect and prevent online child sexual exploitation and abuse.
Substack commits to respond to privacy rights requests within one month, or up to three months for complex requests, with notification of extension.
Policy now clarifies that platform may restrict message access but recipients may retain messages indefinitely, regardless of user deletion or account closure.
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction. Methodology
You are now told that Substack shares your email and username with industry groups working to prevent child abuse online.
When you ask Substack for your data or to exercise a privacy right, you now have a guaranteed timeline for their response instead of an indefinite wait.
+ 1 more obligation changes. Full breakdown available with Watcher.
Track changes →This change introduces a new disclosure about data sharing for child safety purposes and establishes formal response timelines for data subject rights requests. The child safety sharing disclosure engages GDPR Article 6 (lawful basis), CCPA disclosure requirements, and potentially COPPA considerations if minors are present. The one-month response commitment aligns with GDPR Article 12 timelines and may influence vendor contracts and privacy notices for organizations that embed Substack services. Organizations should assess whether their own privacy disclosures and data processing agreements need updating to reflect this sharing practice.
GDPR (Articles 6, 12, 13, 14 on lawful basis, response timelines, and transparency), CCPA (disclosure and consumer rights request timing), COPPA (if minors are present on the platform), UK Data Protection Act 2018, potential state privacy laws (VMPPA, IPDPA, etc. depending on jurisdiction)
Full compliance analysis
Obligation analysis, escalation trigger, board language, and recommended action.
Watcher: regulatory citations + obligations. Professional: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-001590.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Full diff — WatcherSubstack's privacy policy now discloses that the company shares account identifiers with child safety industry consortia to detect child sexual …
Substack added one navigation link to its site architecture on May 6, 2026: a new 'For media founders' option in …
Get alerted when this policy changes again — including what changed and why it matters.
Prefer a weekly summary instead?
Get the biggest policy changes across 320+ platforms every Sunday.