Advertising and Analytics Data Sharing

What it is

Duolingo shares your personal information with advertising and analytics companies, including for those companies' own marketing purposes in some cases.

Why it matters (compliance & governance perspective)

The policy authorizes sharing personal data with third parties for the third parties' own marketing purposes, which in practice may include platforms such as Meta and Google, and which for EU and UK users requires valid consent under GDPR.

This document changed recently

Consumer impact (what this means for users)

The policy states Duolingo may share personal data with advertising and analytics third parties, potentially including for those parties' own marketing uses, which affects how user data is used beyond Duolingo's own platform.

What you can do

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: Sharing personal data with advertising partners for those partners' own marketing purposes implicates GDPR Article 6 lawful basis requirements and, where consent is relied upon, GDPR Article 7 validity requirements for EU and UK users. Under CCPA and CPRA, sharing personal information for cross-context behavioral advertising constitutes a 'share' under California law, triggering opt-out rights. The FTC Act applies to any material misrepresentation about the scope of third-party data sharing. GOVERNANCE EXPOSURE: High. The authorization to share personal data with third parties for those parties' own marketing purposes, combined with the advertising technology infrastructure embedded in the platform (Meta Pixel, Google Analytics, Google Tag Manager), creates significant regulatory exposure under GDPR consent requirements and CCPA opt-out obligations. The policy's language is relatively general and may not fully satisfy GDPR transparency requirements regarding specific recipients and purposes. JURISDICTION FLAGS: EU and UK users require specific, informed, and freely given consent before their data is shared with advertising partners for marketing purposes. California residents must be provided a clear opt-out mechanism. Users in other jurisdictions may have limited recourse depending on local law. CONTRACT AND VENDOR IMPLICATIONS: Each advertising and analytics partner receiving personal data should be subject to a data processing agreement or, where acting as an independent controller, appropriate controller-to-controller terms. The presence of Meta Pixel and Google Analytics scripts on the policy page itself suggests data is transmitted to these platforms upon page load, which may warrant review of consent sequencing. COMPLIANCE CONSIDERATIONS: Compliance teams should audit the list of advertising and analytics partners receiving personal data and verify that disclosures in the policy accurately reflect current data flows. For EU and UK users, consent management platform configuration should be reviewed to ensure advertising cookies and tracking pixels are not activated prior to valid consent.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Data Collection Scope medium
• Children's Privacy and Parental Consent high
• International Data Transfers medium
• Corporate Transaction Data Sharing medium
• California Resident Rights (CCPA/CPRA) medium
• EU and UK User Rights (GDPR) medium

Related Analysis

• Meta Removed 438 Sentences From Its Privacy Policy. Here Is What Disappeared.

  ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.

• 23andMe Is Bankrupt. What Happens to Your DNA Now?

  Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.