What are the institutional and regulatory implications of this document?

(1) REGULATORY LANDSCAPE: This notice engages GDPR and UK GDPR for EEA and UK data subjects, CCPA and CPRA for California residents, Brazil's LGPD, Australia's Privacy Act, and Canadian privacy law. The FTC has jurisdiction over unfair or deceptive trade practices in the US context. Cross-border data transfers for EU personal data are addressed through Standard Contractual Clauses, though the adequacy of these mechanisms remains subject to ongoing regulatory evolution following Schrems II. (2) …

How does DocuSign's DocuSign Privacy Statement affect users?

Users operating through DocuSign's platform are subject to data processing practices that extend to document content and associated metadata shared with designated third parties. Enterprise customers are governed primarily by separate data processing agreements rather than this public privacy statement, which establishes different contractual terms for organizational versus individual data subjects. The statement establishes user rights to request data access, deletion, or marketing opt-out thr…

How often is DocuSign's DocuSign Privacy Statement updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when DocuSign updates this document?

Yes. Monitor subscribers ($19/month) can add DocuSign to their watchlist and receive same-day email alerts whenever this document or any other DocuSign document changes.

CA-D-000198

DocuSign Privacy Statement

DocuSign

Last change detected May 21, 2026 Privacy policy

SHA-256: db171ce667d98db1d89… 5 versions captured 3 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at DocuSign ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

8 Total

0 High severity

7 Medium severity

1 Low severity

Summary

DocuSign's Privacy Statement establishes the company's data collection, processing, and sharing practices for personal information generated through its document signing and management platform. The statement authorizes DocuSign to process document content and metadata, and permits sharing of personal data with third-party service providers and business partners for service delivery, analytics, and marketing purposes. The statement defines data subject rights available to California residents and EU users, including access, deletion, and opt-out mechanisms available through DocuSign's privacy portal.

Technical / Legal Breakdown

This document is DocuSign's global Privacy Notice, governing the collection, use, storage, and disclosure of personal data across DocuSign's products and services, with legal bases including consent, contractual necessity, and legitimate interests depending on jurisdiction. The notice states that DocuSign collects identifiers, contact data, device and usage data, geolocation, payment information, and the contents of documents processed through its platform, and the terms authorize sharing this data with service providers, business partners, and in connection with corporate transactions such as mergers or acquisitions. A notable operational distinction is DocuSign's role as both a data controller (for account and marketing data) and a data processor (for customer-submitted document content), meaning the privacy protections applicable to document content depend substantially on the enterprise customer's own data agreements rather than this notice alone. The notice engages GDPR and UK GDPR for EEA and UK users, CCPA and CPRA for California residents, and references additional regional frameworks including Brazil's LGPD, Australia's Privacy Act, and Canadian PIPEDA; cross-border data transfer mechanisms including Standard Contractual Clauses are referenced for EU data flows. Material compliance considerations include the adequacy of consent mechanisms for marketing communications, the scoping of processor versus controller obligations for enterprise customers, and the exercise of data subject rights across multiple applicable regimes.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Start Compliance free trial

3 important changes detected

5 versions captured · Last updated: May 2026

May 21, 2026

low

What changed DocuSign updated its Privacy Statement on May 21, 2026 to expand the scope of personal information collection and describe data sources more explicitly. The updated language now states that DocuSign collects personal information from individuals 'with whom we otherwise communicate in connection with the Services' (broader than website and app users alone) and explicitly identifies 'Marketing Contact Data' collected from third-party provider Clay to support sales and marketing efforts. The policy also clarifies that DocuSign maintains opt-out list data to honor email marketing preferences.

Why this matters The updated privacy statement explicitly discloses that DocuSign collects marketing contact data (professional details such as email, phone number, job title, employer, and location) from third-party provider Clay to support sales and marketing activities. The policy now clarifies that its data collection scope includes individuals with whom DocuSign communicates about services, extending beyond active website or app users. The policy states DocuSign maintains minimal data (such as email address on an opt-out list) when users have opted out of email marketing to honor that request.

View full change record →

May 6, 2026

low

What changed DocuSign removed 'English' from the list of languages in which its Privacy Statement is available. The Privacy Statement itself remains unchanged in content; only the language availability list was modified. This is a minor administrative update with no impact on privacy rights or protections.

Why this matters This change removes English from the list of languages in which DocuSign's Privacy Statement is published. For English-speaking users, the Privacy Statement content itself remains unchanged and available; only the language header was modified. This is a formatting change with no material impact on privacy rights, data practices, or consumer protections.

View full change record →

May 6, 2026 low

DocuSign's privacy policy now displays language indicating available translations (French, German, Japanese, Portuguese, Spanish, Dutch, Italian, and English) at the beginning of the document. This is a formatting and accessibility …

View change record →

Recent Provision Changes May 21, 2026

Added (2)

Document Content Collection Medium

This new provision explicitly discloses that DocuSign collects and processes the actual content of documents, which is material for users to understand what data is collected beyond metadata.

EU/UK Data Subject Rights and Cross-Border Transfers Medium

This provision consolidates EU/UK data subject rights and cross-border transfer mechanisms in one location with explicit reference to Standard Contractual Clauses, providing critical GDPR/UK GDPR compliance information.

Removed (3)

User Data Rights (Access, Deletion, Correction, Portability)

This standalone provision was removed, though its content appears to be partially absorbed into the new EU/UK-specific provision and California-specific provision, potentially fragmenting global user rights information.

Children's Data — Age Restriction

Removal of this provision eliminates explicit disclosure about age restrictions and children's data handling, which is typically required by privacy regulations like COPPA and GDPR.

Disclosure to Law Enforcement and Government Authorities

Removal of this standalone provision means law enforcement disclosure practices are no longer explicitly highlighted, though may be covered in the combined third-party sharing provision.

Modified (6)

Controller vs. Processor Role Distinction

Previous version had no excerpt; current version adds detailed explanation of the distinction between controller and processor roles with specific examples.

Third-Party and Partner Data Sharing

Previous version title focused on 'advertising' whereas current version provides comprehensive enumeration of all third-party sharing scenarios, removing the specific advertising emphasis.

Cookies and Tracking Technologies

Previous version had no excerpt; current version adds specific detail about types of tracking technologies (web beacons, pixel tags) and scope of tracking.

California Resident Rights (CCPA/CPRA)

Previous version had no excerpt; current version adds explicit enumeration of CCPA/CPRA rights including opt-out of sale/sharing and limitation of sensitive data use.

Data Retention

Previous version had no excerpt; current version adds specific purposes for retention including legal, accounting, and reporting requirements.

1 provision unchanged.

View full change record →

Medium — 7 provisions

Document Content Collection Compare →

DocuSign collects and stores the actual content of documents you send, receive, or sign through its platform, including any personal information those documents contain.

Added May 10, 2026 Standard Seen across 284 platforms
Controller vs. Processor Role Distinction Compare →

DocuSign plays two different legal roles depending on the situation: it controls your account and marketing data on its own terms, but processes document content strictly on behalf of the business that sent you the document.

Added May 10, 2026 Standard Seen across 284 platforms
Third-Party and Partner Data Sharing Compare →

DocuSign can share your personal information with its vendors, business partners, and in the event of a sale or merger of the company.

Added May 10, 2026 Standard Seen across 252 platforms
Cookies and Tracking Technologies Compare →

DocuSign uses cookies and tracking tools to monitor your activity on its platform and across other websites and online services over time.

Added May 8, 2026 Standard Seen across 284 platforms
California Resident Rights (CCPA/CPRA) Compare →

California residents have legal rights to see, delete, and correct their data held by DocuSign, and to opt out of the sale or sharing of their personal information for advertising purposes.

Added May 10, 2026 Standard Seen across 284 platforms
EU/UK Data Subject Rights and Cross-Border Transfers Compare →

EU and UK users have extensive legal rights over their personal data held by DocuSign, and their data is transferred internationally using Standard Contractual Clauses as the legal safeguard.

Added May 10, 2026 Standard Seen across 284 platforms
Data Retention Compare →

DocuSign keeps your personal information for as long as needed for its business purposes, legal obligations, and to handle any disputes.

Added May 10, 2026 Standard Seen across 284 platforms

Low — 1 provision

Marketing Communications and Opt-Out Compare →

DocuSign and its partners may send you marketing messages by email, phone, and mail, but you can opt out by following unsubscribe instructions or contacting DocuSign.

Added April 3, 2026 Standard Seen across 284 platforms

Monitoring

DocuSign has updated this document before.

Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →

Compliance Governance Intelligence

Need provision-level monitoring and regulatory mapping?

Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.

Start Compliance free trial

Cross-platform context

See how other platforms handle Identity Verification and Biometric-Adjacent Data Collection and similar clauses.

Compare across platforms →