Booking.com's privacy notice has been replaced with a technical error page containing security challenge code instead of the actual privacy policy document. The previous comprehensive privacy notice, which explained how Booking.com collects and uses traveler data, has been removed entirely and replaced with JavaScript code for handling security challenges and robot verification. This means the privacy policy that previously described your data rights, how your information is shared, and how to contact the company is no longer accessible through the standard policy URL.
Booking.com travelers can no longer access the company's privacy notice through the standard policy URL. The document that previously explained what personal data is collected, how it is used, who it is shared with, and what rights travelers have has been replaced with technical code. This prevents users from reviewing critical information about their data privacy before booking travel or understanding their legal rights. You should attempt to locate an archived or alternative version of the privacy policy, or contact Booking.com directly to request a copy of their current privacy notice.
Privacy notices are mandatory disclosures under GDPR, CCPA, LGPD, and most modern privacy statutes; they describe what data is collected, how it is used, who it is shared with, and what rights individuals have. An inaccessible privacy notice means users cannot review the terms that govern their personal data before booking travel, and it prevents Booking.com from demonstrating compliance with transparency obligations that regulators actively enforce.
→ Contact Booking.com support to request a copy of their current privacy notice.
→ Check the Internet Archive (archive.org) for a recent snapshot of Booking.com's privacy policy.
→ If you are an EU resident or California resident, consider submitting a data subject access request to Booking.com to obtain documentation of how your data is being processed.
→ You cannot review Booking.com's data collection and sharing practices before booking travel.
→ You may not have clear information about what rights you have over your personal data (access, correction, deletion, objection).
→ You cannot verify whether Booking.com's practices comply with privacy laws in your jurisdiction.
This is the 3rd significant Transparency Removal change Booking.com has made since ConductAtlas began monitoring.
ConductAtlas has recorded 4 material changes to this document (since April 2026). An additional minor or cosmetic changes were excluded.
Across all monitored documents, Booking.com has made 8 significant changes.
6 of Booking.com's significant changes have been classified as negative for consumers.
Comprehensive privacy notice previously describing data collection, processing, sharing, retention, rights, and contact information is no longer accessible; replaced with security challenge page.
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction. Methodology
Travelers can no longer read Booking.com's privacy policy to understand what data is collected or how it is used.
A privacy policy that previously contained 400+ sentences of required disclosures under GDPR, CCPA, LGPD, and other privacy regimes has been entirely replaced with a WAF (Web Application Firewall) security challenge page. This creates immediate compliance exposure: the company is unable to produce its promised privacy notice to regulators, DPOs, or data subjects who request it. Organizations using Booking.com in their vendor stack should verify whether Booking.com has moved the privacy notice to another URL and confirm that vendors remain able to obtain and audit current privacy terms. This may trigger data processing agreement (DPA) review and vendor communication obligations depending on jurisdiction and contract terms.
GDPR (Articles 13-14: transparency and prior-notice obligations); CCPA (California privacy rights statute); LGPD (Brazilian privacy law); UK Data Protection Act 2018; PIPEDA (Canadian privacy law); similar privacy statutes in other jurisdictions. Unavailability of privacy notice may trigger enforcement focus from data protection authorities and state privacy regulators.
Full compliance analysis
Obligation analysis, escalation trigger, board language, and recommended action.
Monitor: regulatory citations + obligations. Compliance: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-001720.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Full diff — MonitorThe change appears to be a technical update to Booking.com's WAF (Web Application Firewall) challenge page, updating nonce values and …
The detected change consists of updates to nonce values and timestamps in the HTML security infrastructure of Booking.com's challenge page, …
The detected change in Booking.com's published document consists entirely of technical updates to nonce values and timestamp parameters in the …
Get alerted when this policy changes again — including what changed and why it matters.
Prefer a weekly summary instead?
Get the biggest policy changes across 320+ platforms every Sunday.