By using Gusto, you give Gusto permission to use and process the data you upload, including employee payroll and HR data, to run and improve their services.
This analysis describes what Gusto's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This license covers highly sensitive data including employee Social Security numbers, bank account details, compensation, and personal information, and the scope of permitted use for service improvement warrants careful review.
Interpretive note: The phrase 'improve the Services' is ambiguous as to whether it permits use of identifiable employee data for product development or only aggregated, de-identified data; this distinction is material under CCPA and GDPR.
The updated terms make explicit that requesting a background check through Gusto creates a legally binding agreement not just with Gusto but also incorporating terms from Gusto's payroll service and Checkr's service agreement. This means customers are committing to multiple overlapping sets of terms when they initiate a background check request. The change does not appear to alter the substantive rights or obligations, but rather clarifies their scope and binding nature in writing.
View change record →Developers integrating with Gusto's platform are now bound by mandatory arbitration and class action waiver provisions, meaning they cannot join or file class actions against Gusto and must resolve disputes through individual, binding arbitration. The updated terms also grant Gusto the right to modify, update, or discontinue developer tools at its sole discretion without notice or liability, which could disrupt integrations and require developers to absorb costs of upgrading to new versions. Developers should review Section 19 of the updated terms carefully before creating or maintaining integrations with Gusto's platform, and consider whether the arbitration and modification provisions align with their business and legal risk tolerance.
View change record →The updated terms now explicitly state that Employers waive the right to participate in class-action lawsuits and must pursue all claims against Gusto on an individual basis through binding arbitration. This means Employers can no longer join other users in collective legal action, even if many face identical problems with Gusto's service or billing. Individual arbitration typically costs more and produces less leverage for individual plaintiffs than class actions. You should review whether this dispute resolution requirement aligns with your business needs and consult legal counsel if you have concerns about waiving class-action rights.
View change record →Removal of this provision eliminates explicit employer grant of data license rights to Gusto, potentially clarifying data ownership but also removing clarity on Gusto's data usage permissions.
View full change record →Employer-customers authorize Gusto to store and process sensitive employee data, including financial and identification data, to provide payroll services. The phrase 'improve the Services' is worth noting, as it may authorize use of aggregated or de-identified data for product development purposes beyond the immediate payroll transaction. Gusto's Privacy Policy should be reviewed for additional detail on data retention and use.
How other platforms handle this
We may share your personal information with our affiliates, meaning entities that control, are controlled by, or are under common control with Consensys. We also share information with service providers who assist in operating our services, subject to confidentiality obligations.
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
RedCard. We share information with our financial partners to operate the Target RedCard program.
Monitoring
Gusto has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"By using the Services, you grant Gusto a non-exclusive, worldwide, royalty-free license to use, copy, store, transmit, and display the data and content you submit through the Services solely to the extent necessary to provide, operate, and improve the Services.— Excerpt from Gusto's Gusto Terms of Service
REGULATORY LANDSCAPE: The data license provision engages several regulatory frameworks. The Gramm-Leach-Bliley Act applies to Gusto's financial product offerings and governs how financial data about individuals may be shared. The California Consumer Privacy Act grants California residents rights over their personal data and requires clear disclosure of data use purposes. Where employee data includes health benefit information, HIPAA may apply, requiring a separate Business Associate Agreement. The FTC Act's prohibition on unfair or deceptive practices applies to the stated scope of data use. GOVERNANCE EXPOSURE: Medium. The license scope includes 'improve the Services,' which is a common but contested phrase in data processing agreements. If improvement includes training machine learning models or benchmarking analytics using identifiable employee data, this may conflict with employee privacy expectations and applicable data protection law. The provision does not explicitly limit use to de-identified or aggregated data for improvement purposes. JURISDICTION FLAGS: California CCPA and CPRA create specific rights for employees regarding how their personal data is used, including the right to know, the right to delete, and limitations on secondary use. EU GDPR would apply if any EU-based employees are included in payroll data processed through Gusto, though Gusto's primary market appears to be US-based. Illinois BIPA would apply to any biometric data elements, though payroll data typically does not include biometrics. CONTRACT AND VENDOR IMPLICATIONS: Employer-customers who are themselves subject to data protection obligations should assess whether Gusto's data license is consistent with their own privacy policies and employee data use representations. A Data Processing Agreement separate from the ToS may be necessary for GDPR compliance or for customers subject to sector-specific data handling requirements. COMPLIANCE CONSIDERATIONS: HR compliance teams should review Gusto's Privacy Policy in conjunction with this license provision to understand the full scope of permitted data use. Employers should assess whether their own employee privacy notices accurately describe the transfer of data to Gusto and the scope of Gusto's permitted use. Where HIPAA applies to benefits data processed through Gusto, a Business Associate Agreement should be in place.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This license covers highly sensitive data including employee Social Security numbers, bank account details, compensation, and personal information, and the scope of permitted use for service improvement warrants careful review.
Employer-customers authorize Gusto to store and process sensitive employee data, including financial and identification data, to provide payroll services. The phrase 'improve the Services' is worth noting, as it may authorize use of aggregated or de-identified data for product development purposes beyond the immediate payroll transaction. Gusto's Privacy Policy should be reviewed for additional detail on data retention and use.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Gusto.