Data License and Processing Authorization

What it is

By using Gusto, you give Gusto permission to use and process the data you upload, including employee payroll and HR data, to run and improve their services.

Why it matters (compliance & governance perspective)

This license covers highly sensitive data including employee Social Security numbers, bank account details, compensation, and personal information, and the scope of permitted use for service improvement warrants careful review.

This document changed recently

Consumer impact (what this means for users)

Employer-customers authorize Gusto to store and process sensitive employee data, including financial and identification data, to provide payroll services. The phrase 'improve the Services' is worth noting, as it may authorize use of aggregated or de-identified data for product development purposes beyond the immediate payroll transaction. Gusto's Privacy Policy should be reviewed for additional detail on data retention and use.

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: The data license provision engages several regulatory frameworks. The Gramm-Leach-Bliley Act applies to Gusto's financial product offerings and governs how financial data about individuals may be shared. The California Consumer Privacy Act grants California residents rights over their personal data and requires clear disclosure of data use purposes. Where employee data includes health benefit information, HIPAA may apply, requiring a separate Business Associate Agreement. The FTC Act's prohibition on unfair or deceptive practices applies to the stated scope of data use. GOVERNANCE EXPOSURE: Medium. The license scope includes 'improve the Services,' which is a common but contested phrase in data processing agreements. If improvement includes training machine learning models or benchmarking analytics using identifiable employee data, this may conflict with employee privacy expectations and applicable data protection law. The provision does not explicitly limit use to de-identified or aggregated data for improvement purposes. JURISDICTION FLAGS: California CCPA and CPRA create specific rights for employees regarding how their personal data is used, including the right to know, the right to delete, and limitations on secondary use. EU GDPR would apply if any EU-based employees are included in payroll data processed through Gusto, though Gusto's primary market appears to be US-based. Illinois BIPA would apply to any biometric data elements, though payroll data typically does not include biometrics. CONTRACT AND VENDOR IMPLICATIONS: Employer-customers who are themselves subject to data protection obligations should assess whether Gusto's data license is consistent with their own privacy policies and employee data use representations. A Data Processing Agreement separate from the ToS may be necessary for GDPR compliance or for customers subject to sector-specific data handling requirements. COMPLIANCE CONSIDERATIONS: HR compliance teams should review Gusto's Privacy Policy in conjunction with this license provision to understand the full scope of permitted data use. Employers should assess whether their own employee privacy notices accurately describe the transfer of data to Gusto and the scope of Gusto's permitted use. Where HIPAA applies to benefits data processed through Gusto, a Business Associate Agreement should be in place.

Applicable agencies

Provision details

Other risks in this policy

• Mandatory Arbitration and Class Action Waiver high
• Limitation of Liability high
• User Indemnification Obligation medium
• Account Suspension and Termination medium
• Employer Responsibility for Payroll Accuracy medium
• Intellectual Property and Platform Ownership low