Gusto · Gusto Privacy Policy

Employer as Data Controller; Employee Data Collected on Employer's Behalf

Medium severity
What it is

Your employer — not Gusto — is legally responsible for deciding how your data is used when Gusto processes payroll on the employer's behalf. Gusto acts as the data processor carrying out those instructions.

Clause Stability: Highly Volatile

  • Changes: 1
  • Months monitored: 1
  • First seen: Apr 28, 2026
  • Last seen: Apr 28, 2026

This clause has changed once in 1 month of monitoring.

Change history

modified Apr 29, 2026

Previous version had no excerpt; current version adds explicit clarification that Gusto is a data processor and employers are controllers determining processing purposes and means.

Consumer impact (what this means for users)

Employees whose payroll is run through Gusto may need to contact their employer — not just Gusto — to exercise data privacy rights like access or deletion, because the employer is the legal data controller for employment-related data.

Why it matters (compliance & risk perspective)

Employees may assume Gusto is solely responsible for protecting their data, but in the employer-client context the employer and Gusto share responsibility, and privacy rights may need to be exercised through the employer rather than directly with Gusto.

Original clause language
When Gusto provides services to employer-customers, it processes employee personal information on behalf of those employers, who act as the data controllers determining the purposes and means of processing. Gusto acts as a service provider or data processor in this context.

Institutional analysis (Compliance & legal intelligence)

(1) REGULATORY FRAMEWORK: The controller-processor distinction is central to GDPR (Art. 4(7)-(8), Art. 28) and is increasingly adopted in U.S. CDPAs (California CPRA §1798.140(j); Virginia CDPA §59.1-575; Colorado CPA §6-1-1301). Under CPRA, the employer-client is the 'business' and Gusto is the 'service provider,' limiting how Gusto may use employee data. GLBA applies to Gusto as a financial institution handling employee financial data regardless of the controller-processor distinction. (2)

Applicable agencies

  • FTC
    The FTC enforces against unfair or deceptive data practices including misuse of consumer data collected in a processor capacity for the company's own commercial purposes.
  • State AG
    State AGs enforce CCPA/CPRA and state CDPA violations including improper use of employee data by service providers acting outside the scope of their data processing agreements.

Provision details

Document information

  • Document: Gusto Privacy Policy
  • Entity: Gusto
  • Document last updated: April 29, 2026

Tracking information

  • First tracked: April 28, 2026
  • Last verified: April 28, 2026
  • Record ID: CA-P-003670
  • Document ID: CA-D-00294

Evidence Provenance

  • Source URL
  • Wayback Machine
  • SHA-256: d6e7cfbbde265012f8586fe6121a9e92a0ebc041ed4ea1611b6f921b07b3be2a
  • Verified: ✓ Snapshot stored   ✓ Change verified

How to Cite

ConductAtlas Policy Archive
Entity: Gusto | Document: Gusto Privacy Policy | Record: CA-P-003670
Captured: 2026-04-28 04:53:53 UTC | SHA-256: d6e7cfbbde265012…
URL: https://conductatlas.com/platform/gusto/gusto-privacy-policy/employer-as-data-controller-employee-data-collected-on-employers-behalf/
Accessed: May 2, 2026

Classification

  • Severity: Medium
Categories
