This expands data sharing scope beyond the previous 'resellers and distributors' provision to include affiliates, vendors, service providers, and business partners, with explicit mention of marketing purposes.

This new provision discloses that OneLogin collects personal information from external data brokers and social media, which represents a significant expansion of data sources not mentioned in the previous version.

This new provision explicitly states marketing email opt-out procedures, providing clearer guidance on how to unsubscribe than was previously available in the 'Legitimate Interests' provision.

This new consolidated provision combines GDPR and CCPA rights in one section, including data portability and consent withdrawal rights not explicitly listed in previous version provisions.

This new provision establishes the mechanism for notifying users of policy changes, which is important for transparency regarding material modifications to privacy practices.

This specific provision about reseller and distributor data sharing was replaced with a broader 'Third-Party Data Sharing' provision that encompasses more categories of recipients without the specific limitation to product/service-related communications.

This provision explicitly mentioning 'legitimate interests' as a legal basis was removed, potentially obscuring the legal justification for marketing communications that was previously disclosed.

This California-specific provision was replaced with a more generic 'GDPR and CCPA' provision, potentially reducing specificity about CCPA/CPRA rights such as the right to opt-out of 'sale or sharing' which are legally distinct under California law.

This provision with specific process details and response time commitment was removed and fragmented into separate provisions, potentially reducing clarity on how to exercise rights and response timelines.

The provision was reframed to explicitly mention the United States as a destination and removed reference to 'adequacy decision' and 'equivalent mechanisms,' instead focusing on the lower level of protection in destination countries.

The provision was simplified and deprioritized, removing specific purposes (analytics, advertising, personalization) and cookie consent tool management details, instead deferring to a separate Cookie Notice.

The provision removed the detailed criteria for determining retention periods (amount, nature, sensitivity, risk of harm) and simplified the language while keeping the core principle.