Third-Party Data Sharing with Service Providers and Partners

What it is

Gusto shares your personal data including payroll and financial information with external companies that help deliver its services, as well as business partners who may offer additional products.

Why it matters (compliance & governance perspective)

Your most sensitive data, including payroll figures and bank account details, flows to multiple third parties, expanding the number of entities that hold and could potentially expose your information.

This document changed recently

Consumer impact (what this means for users)

Your payroll, tax, and financial account data is shared with third-party financial service providers and business partners by design, meaning data security risks are not limited to Gusto itself but extend across its vendor and partner network.

What you can do

Institutional analysis (Compliance & governance intelligence)

1) REGULATORY LANDSCAPE: Third-party data sharing with financial service providers engages GLBA and its Safeguards Rule, which requires financial institutions to oversee service provider data security. CCPA/CPRA distinguishes between 'service providers' (permissible sharing) and 'third parties' (potentially requiring opt-out rights); sharing with 'business partners' for promotions may qualify as 'sharing' under CPRA and require an opt-out mechanism. FTC Act Section 5 applies to unfair or deceptive sharing practices. 2) GOVERNANCE EXPOSURE: Medium. The distinction between service provider sharing (operationally necessary) and business partner sharing (potentially promotional) is significant under CPRA. If business partner sharing constitutes cross-context behavioral advertising or sale, California users must be offered an opt-out, and the policy should clearly delineate these flows. 3) JURISDICTION FLAGS: California CPRA requires a 'Do Not Sell or Share My Personal Information' mechanism if any third-party sharing qualifies as 'sharing.' The policy references this right for California residents, but the scope of business partner sharing should be audited to confirm compliance. EU/EEA users are not the primary focus of this notice, but any data transfers to international subprocessors would require evaluation under GDPR adequacy and transfer mechanisms. 4) CONTRACT AND VENDOR IMPLICATIONS: Employers should request Gusto's subprocessor list and assess whether those subprocessors operate under equivalent data protection standards. Contracts with Gusto should specify breach notification obligations that extend to subprocessor incidents. Business partner sharing terms should be reviewed for liability allocation in the event of a partner breach. 5) COMPLIANCE CONSIDERATIONS: Compliance teams should audit whether the 'business partner' sharing category is adequately disclosed in employee-facing privacy notices and whether opt-out mechanisms are functioning for California users. Data mapping should capture all third-party data flows, not just primary service providers.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Sensitive Personal Information Collection high
• California Resident Privacy Rights (CCPA/CPRA) medium
• De-Identified and Aggregated Data Use for Analytics medium
• Employee Data Submitted by Employers medium
• Data Retention low
• Health and Benefits Data Collection high

Related Analysis

• Meta Removed 438 Sentences From Its Privacy Policy. Here Is What Disappeared.

  ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.

• 23andMe Is Bankrupt. What Happens to Your DNA Now?

  Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.