Gusto · Gusto Privacy Policy · View original document ↗

Employee Data Submitted by Employers

Medium severity Medium confidence Explicitdocumentlanguage Unique · 0 of 343 platforms
Share 𝕏 Share in Share 🔒 PDF
Recent governance activity Gusto recorded 12 documented changes in the last 30 days.
Start monitoring updates
Monitor governance changes for Gusto Create a free account to receive the weekly governance digest and monitor one platform for governance changes.
Create free account No credit card required.
Document Record

What it is

If your employer uses Gusto, your employer controls much of the data submitted about you, and your privacy rights may be shaped by both Gusto's policy and your employer's own privacy practices.

This analysis describes what Gusto's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

Employees have limited direct control over data their employer submits to Gusto, and they must navigate both Gusto's and their employer's privacy frameworks to understand their full rights.

Interpretive note: The practical scope of employee rights to independently exercise deletion or correction requests against Gusto, without employer authorization, is not fully specified in the policy and may depend on applicable state employment privacy law.

Recent Activity

This document changed recently

Medium Jun 1, 2026

The updated Privacy Policy now explicitly states it covers retirement account management (401k, SEP IRA, IRA accounts) and adds Stripe alongside Plaid as a third-party service provider that collects financial institution data. The policy restructures how it describes Gusto's role in different contexts: when Gusto acts as a service provider processing payroll or other data on behalf of employers, when it acts as an employer itself, or when it operates as a co-employer under a professional organization (PEO) arrangement, with separate privacy notices applying in each case. The policy introduces a new commitment that de-identified data will not be re-identified except to verify compliance with applicable law. If you connect a bank account through Stripe, that data will be treated under Stripe's Privacy Policy, which you should review separately.

View change record →
Medium May 1, 2026

The updated terms make explicit that using Gusto's background check service constitutes a binding agreement. Previously, the terms of the service relationship may have been less clearly stated. Now, the agreement clarifies that an authorized signatory represents they have authority to bind the organization, and that three actions trigger binding acceptance: checking a box, initiating a background check, or accessing the service. This means employers should ensure the person clicking through has actual authority to commit the organization to the full Background Check Customer Agreement before proceeding.

View change record →
High Apr 25, 2026

The updated terms now explicitly state that employers accept mandatory individual arbitration and waive the right to participate in class-action lawsuits or pursue relief in court with a jury trial. This significantly limits employers' ability to challenge Gusto's practices collectively or seek resolution through the court system. Any disputes employers have with Gusto must be resolved individually through arbitration, which typically involves private, binding proceedings with limited appeal options and discovery rights compared to court litigation.

View change record →

Clause Stability Stable

0
Changes
3
Months Monitored
May 10, 2026
First Seen
May 22, 2026
Last Seen
This clause type exists across 3350 other provisions on other platforms.

Change history

added May 14, 2026

This new provision explicitly states that employers control employee data and their privacy policies may apply, potentially creating dual privacy obligations and shifting responsibility for data protection to the employer rather than Gusto.

View full change record →

Consumer impact (what this means for users)

As an employee, your payroll, tax, and HR data is submitted to Gusto by your employer, meaning Gusto's obligations run primarily to the employer rather than to you directly, which can limit your practical ability to request changes or deletions independently.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.
  • Export Your Data
    If you are an employee (Team Member) and wish to understand or access the data Gusto holds about you, submit a rights request at privacy.gusto.com and also contact your employer's HR department to confirm what data they have submitted on your behalf.

How other platforms handle this

Ledger Medium

At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.

Garmin Medium

If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...

Strava Medium

We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...

See all platforms with this clause type →

Monitoring

Gusto has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →
▸ View Original Clause Language DOCUMENT RECORD
"
When an Employer uses the Gusto Platform to manage its human resources and payroll functions, we collect personal information from or about Team Members in order to provide the Gusto Platform to Employers. If you are a Team Member, your Employer controls certain information you submit through the Gusto Platform, and your Employer's privacy policy and practices may also apply to your use of the Gusto Platform.

— Excerpt from Gusto's Gusto Privacy Policy

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

1) REGULATORY LANDSCAPE: The employer-as-data-controller and Gusto-as-service-provider structure has direct implications under CCPA/CPRA, which distinguishes between a business's obligations to consumers and a service provider's obligations to the contracting business. Employee privacy in the workplace is also governed by state-specific employment privacy laws, particularly in California (which has enacted specific employee privacy protections) and New York. The FTC Act applies to unfair or deceptive practices affecting employees as data subjects. 2) GOVERNANCE EXPOSURE: High. The layered data relationship creates potential gaps in employee rights fulfillment: employees may submit rights requests to Gusto that Gusto is contractually constrained from fulfilling without employer authorization, leading to a situation where the practical exercise of privacy rights depends on employer cooperation. This structure is common in B2B HR platforms but creates meaningful employee-facing risk in jurisdictions with robust employee privacy laws. 3) JURISDICTION FLAGS: California Labor Code and California Consumer Privacy Act both provide protections for employees as data subjects; the interaction between employer control rights and employee CPRA rights creates heightened exposure for California-based employers using Gusto. Illinois Biometric Information Privacy Act and New York SHIELD Act may impose additional obligations on employers for data processed through third-party HR platforms. 4) CONTRACT AND VENDOR IMPLICATIONS: Employers should review their services agreement with Gusto to confirm Gusto's obligations when an employee submits a direct rights request, including whether Gusto will notify the employer, fulfill the request independently, or require employer authorization. Indemnification provisions should address liability for employee claims arising from Gusto's data handling. 5) COMPLIANCE CONSIDERATIONS: Employers should ensure their employee privacy notices explicitly disclose Gusto's role as a payroll and HR platform, the categories of data submitted, and the mechanism by which employees can exercise rights. HR and legal teams should establish a clear protocol for routing employee privacy rights requests that arrive at either the employer or Gusto.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 1 platform — free Try Monitor free for 14 days

Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.

Applicable agencies

  • FTC
    The FTC has jurisdiction over unfair or deceptive practices affecting employee data subjects, including inadequate disclosure of employer-controlled data handling
    File a complaint →
  • State AG
    State attorneys general enforce employee privacy laws and consumer protection statutes applicable to HR and payroll data handling in employment contexts
    File a complaint →

Applicable regulations

CCPA/CPRA
California, USA
Connecticut Data Privacy Act Amendments
US-CT
CAN-SPAM
United States Federal
FTC Act Section 5
United States Federal
Indiana Consumer Data Protection Act
US-IN
Kentucky Consumer Data Protection Act
US-KY
Universal Opt-Out Mechanism Expansion 2026
US

Provision details

Document information
Document
Gusto Privacy Policy
Entity
Gusto
Document last updated
May 5, 2026
Tracking information
First tracked
May 10, 2026
Last verified
May 10, 2026
Record ID
CA-P-008793
Document ID
CA-D-00294
Evidence Provenance
Source URL
Wayback Machine
Content hash (SHA-256)
c4d8f17389d7d8490a863657e4b23ec13d3e6ba6188da2fae2a3bc7f510d2148
Analysis generated
May 10, 2026 11:04 UTC
Methodology
Evidence
✓ Snapshot stored   ✓ Hash verified
Citation Record
Entity: Gusto
Document: Gusto Privacy Policy
Record ID: CA-P-008793
Captured: 2026-05-10 11:04:56 UTC
SHA-256: c4d8f17389d7d849…
URL: https://conductatlas.com/platform/gusto/gusto-privacy-policy/employee-data-submitted-by-employers/
Accessed: July 1, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.
Classification
Severity
Medium
Categories

Other risks in this policy

Related Analysis

Compliance Governance Intelligence

Need to monitor specific governance provisions?

Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies
Start Compliance free trial

Or start with Monitor →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does Gusto's Employee Data Submitted by Employers clause do?

Employees have limited direct control over data their employer submits to Gusto, and they must navigate both Gusto's and their employer's privacy frameworks to understand their full rights.

How does this clause affect you?

As an employee, your payroll, tax, and HR data is submitted to Gusto by your employer, meaning Gusto's obligations run primarily to the employer rather than to you directly, which can limit your practical ability to request changes or deletions independently.

Is ConductAtlas affiliated with Gusto?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Gusto.