SoFi updated its Privacy Notice on May 14, 2026 to replace passive cookie disclosure language with active tracking technology descriptions and revised consent mechanics. The previous version described cookies in general terms and offered choice mechanisms; the updated version explicitly states that SoFi uses cookies, pixels, and other tracking technologies to collect information about user interactions with its site, and shares this information with social media, advertising, and analytics partners. The change establishes a default consent model where continued use constitutes agreement to these tracking practices unless users actively decline through toggle buttons.
The updated privacy notice explicitly describes SoFi's use of cookies, pixels, and other tracking technologies to collect information about your interactions with its website, and states that this information is shared with social media, advertising, and analytics partners. The revised notice establishes that continued use of the site constitutes agreement to these tracking practices unless you actively decline. Previously, the notice described these technologies in general terms and framed choice as the default. You can toggle opt-out buttons that appear to the right of each cookie category (the button will be gray when opted out), or you can decline all optional tracking before consenting to use the site.
The updated notice shifts from describing tracking practices in general terms to explicitly naming tracking methods (cookies, pixels, other technologies) and data-sharing partners (social media, advertising, analytics), while establishing that continued use constitutes agreement unless users actively decline. This change affects the transparency and consent mechanics users operate under, and reflects how SoFi's data handling practices integrate with third-party marketing and analytics ecosystems.
→ Review the Privacy Preference Center and toggle opt-out buttons to the right of each cookie category (gray when opted out) to decline optional tracking before consenting to use the site.
→ Be aware that continued use of the site without making a selection will constitute agreement to tracking and advertising partner data sharing.
→ Your site activity and interaction data will be collected and shared with social media, advertising, and analytics partners as stated in the updated terms.
→ Strictly necessary cookies will remain enabled to support core site functions (login, logout, cookie banner management) regardless of your preferences.
This is the 2nd significant Advertising Use Expansion change SoFi has made since ConductAtlas began monitoring.
ConductAtlas has recorded 5 material changes to this document (since April 2026). An additional minor or cosmetic changes were excluded.
Across all monitored documents, SoFi has made 7 significant changes.
5 of SoFi's significant changes have been classified as negative for consumers.
If you do not actively opt out via toggle buttons, continued use of the site constitutes agreement to tracking and advertising partner data sharing.
The updated terms explicitly state that collected information is shared with social media, advertising, and analytics partners.
Users cannot opt out of strictly necessary cookies, which SoFi states are required for proper site functioning (login, logout redirection, cookie banner prompting).
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction.
You must actively decline tracking if you don't want your site activity collected and shared with advertising and analytics partners; doing nothing means you agree to it.
SoFi revised its cookie and tracking technology disclosure from generic descriptive language to specific enumeration of tracking methods (cookies, pixels, other technologies) and named data sharing partners (social media, advertising, analytics). The change shifts from a choice-centric framing to a default-consent model where continued use constitutes acceptance unless users actively opt out. This change engages CCPA transparency requirements (California consumers must be informed of collection and sharing practices) and general FTC Act Section 5 standards around unfair or deceptive practices. Organizations using SoFi's services should evaluate whether their own privacy notices and vendor management practices adequately reflect how customer data flows to third parties through this platform.
FTC Act Section 5 (unfair or deceptive practices), CCPA (California Consumer Privacy Act, disclosure and opt-out requirements), state privacy laws with similar consent and disclosure standards
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-002062.
Explicitly names the scope of data collection to include financial and behavioral information, enhancing transparency about the types of personal data handled.
Explicitly discloses data sharing practices with affiliates, marketing partners, and analytics vendors at high severity, reflecting significant privacy implications.
Implements CCPA-compliant user experience controls that differentiate between authenticated and unauthenticated users for privacy option access.
Adds explicit reference to GLBA compliance and joint marketing practices, critical for financial services regulatory adherence.
Introduces reference to international data transfer frameworks, signaling compliance with EU privacy regulations for cross-border data flows.
Removal of dark pattern that automatically opted users into cookies based on passive page visibility changes eliminates non-affirmative consent mechanism.
Removal of specific third-party analytics vendor details and tracking configurations reduces transparency but may indicate consolidation or policy restructuring.
Removal of detailed consent category mappings simplifies the technical implementation but obscures the granular consent structure previously exposed.
Removal of session-dependent routing logic may indicate a shift to simplified, uniform privacy controls rather than differentiated unauthenticated user handling.
Severity was upgraded from low to medium, indicating heightened regulatory importance of GPC signal recognition.
The automatic cookie opt-in mechanism based on passive behavior was replaced with a direct privacy options toggle function, and severity was upgraded to high.