Booking.com's privacy notice has been replaced with a technical error page containing security challenge code instead of the actual privacy policy document. The previous comprehensive privacy notice, which explained how Booking.com collects and uses traveler data, has been removed entirely and replaced with JavaScript code for handling security challenges and robot verification. This means the privacy policy that previously described your data rights, how your information is shared, and how to contact the company is no longer accessible through the standard policy URL.
Booking.com travelers can no longer access the company's privacy notice through the standard policy URL. The document that previously explained what personal data is collected, how it is used, who it is shared with, and what rights travelers have has been replaced with technical code. This prevents users from reviewing critical information about their data privacy before booking travel or understanding their legal rights. You should attempt to locate an archived or alternative version of the privacy policy, or contact Booking.com directly to request a copy of their current privacy notice.
Privacy notices are mandatory disclosures under GDPR, CCPA, LGPD, and most modern privacy statutes; they describe what data is collected, how it is used, who it is shared with, and what rights individuals have. An inaccessible privacy notice means users cannot review the terms that govern their personal data before booking travel, and it prevents Booking.com from demonstrating compliance with transparency obligations that regulators actively enforce.
→ Contact Booking.com support to request a copy of their current privacy notice.
→ Check the Internet Archive (archive.org) for a recent snapshot of Booking.com's privacy policy.
→ If you are an EU resident or California resident, consider submitting a data subject access request to Booking.com to obtain documentation of how your data is being processed.
→ You cannot review Booking.com's data collection and sharing practices before booking travel.
→ You may not have clear information about what rights you have over your personal data (access, correction, deletion, objection).
→ You cannot verify whether Booking.com's practices comply with privacy laws in your jurisdiction.
Comprehensive privacy notice previously describing data collection, processing, sharing, retention, rights, and contact information is no longer accessible; replaced with security challenge page.
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction. Methodology
Travelers can no longer read Booking.com's privacy policy to understand what data is collected or how it is used.
A privacy policy that previously contained 400+ sentences of required disclosures under GDPR, CCPA, LGPD, and other privacy regimes has been entirely replaced with a WAF (Web Application Firewall) security challenge page. This creates immediate compliance exposure: the company is unable to produce its promised privacy notice to regulators, DPOs, or data subjects who request it. Organizations using Booking.com in their vendor stack should verify whether Booking.com has moved the privacy notice to another URL and confirm that vendors remain able to obtain and audit current privacy terms. This may trigger data processing agreement (DPA) review and vendor communication obligations depending on jurisdiction and contract terms.
GDPR (Articles 13-14: transparency and prior-notice obligations); CCPA (California privacy rights statute); LGPD (Brazilian privacy law); UK Data Protection Act 2018; PIPEDA (Canadian privacy law); similar privacy statutes in other jurisdictions. Unavailability of privacy notice may trigger enforcement focus from data protection authorities and state privacy regulators.
Full compliance analysis
Obligation analysis, escalation trigger, board language, and recommended action.
Watcher: regulatory citations + obligations. Professional: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-001720.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Full diff — WatcherThe detected change in Booking.com's published document consists entirely of technical updates to nonce values and timestamp parameters in the …
Booking.com's Terms and Conditions document appears to have been replaced with an error page or security challenge page on May …
Booking.com's privacy statement update on May 7, 2026 involved a technical modification to security scripting nonce values that protect against …
Get alerted when this policy changes again — including what changed and why it matters.
Prefer a weekly summary instead?
Get the biggest policy changes across 320+ platforms every Sunday.