What are the institutional and regulatory implications of this document?

1. REGULATORY LANDSCAPE: The policy explicitly invokes GDPR (citing legal bases including legitimate interests, contract performance, and consent for EU personal data processing) and CCPA (granting California residents rights to know, delete, correct, and opt out of sale or sharing). The FTC exercises general oversight over unfair or deceptive data practices for US users. The policy's reliance on legitimate interests as a legal basis for behavioral tracking and personalization may require evalu…

How does Medium's Medium Privacy Policy affect users?

The agreement establishes that Medium collects reading history, search queries, device identifiers, IP addresses, and inferred interests, and authorizes use of this data for personalized content recommendations and marketing communications. Under these terms, personal data may be shared with third-party service providers, business partners, and successors in the event of a corporate transaction, with no stated obligation to notify users individually prior to such a transfer. You can manage emai…

How often is Medium's Medium Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Medium updates this document?

Yes. Monitor subscribers ($19/month) can add Medium to their watchlist and receive same-day email alerts whenever this document or any other Medium document changes.

CA-D-000246

Medium Privacy Policy

Medium

Last change detected June 6, 2026 Privacy policy

SHA-256: 4b267a46c437897047a… 4 versions captured 4 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Medium ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

10 Total

0 High severity

7 Medium severity

3 Low severity

Summary

Medium's Privacy Policy describes how A Medium Corporation collects and uses personal data from readers, writers, and subscribers on its publishing platform. The policy authorizes collection of identifiers, reading and browsing activity, payment information, device data, and inferred interests, and discloses that this data may be shared with analytics providers, payment processors, advertising partners, and business transfer recipients. California residents and EU users hold specific rights under the policy, including the ability to access, delete, or correct their data and, for California residents, to opt out of the sale or sharing of personal information.

Technical / Legal Breakdown

This document is Medium's Privacy Policy, effective March 24, 2022, governing the collection, use, sharing, and retention of personal data for users of the Medium platform (medium.com), published by A Medium Corporation. The policy states that Medium collects account registration data (name, email, password), payment information, content and activity data (drafts, reading history, search queries, follows), device identifiers, IP addresses, browser type, operating system, referral URLs, and inferred interests, and the terms authorize use of this data for service operation, personalization, analytics, communications, and marketing. The policy discloses sharing of personal data with third-party service providers (analytics, payment processors, infrastructure), business partners, and in the context of corporate transactions such as mergers or acquisitions, and reserves the right to share aggregated or de-identified data without restriction. The policy states that it engages the EU General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), explicitly acknowledging legal bases for processing EU personal data (legitimate interests, contract performance, consent) and granting California residents rights to know, delete, and opt out of data sale; applicable law in these jurisdictions may constrain certain data-sharing or retention assertions beyond what the policy alone establishes. Material compliance considerations include the adequacy of disclosed consent mechanisms for marketing communications, the scope of the legitimate interests basis asserted for behavioral tracking, and the policy's handling of data transfers from the EU to the United States, which engages Standard Contractual Clauses or equivalent transfer mechanisms required under post-Schrems II frameworks.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Start Compliance free trial

4 important changes detected

4 versions captured · Last updated: June 2026

June 6, 2026

low

What changed Medium's privacy policy was updated on June 6, 2026 to add engagement metrics (53K views, 13 responses) to the policy document header. The change is purely editorial and adds visible article engagement statistics to the document display. No substantive changes to privacy rights, data collection practices, or consumer obligations were made.

Why this matters This change is a formatting and display update only. The updated privacy policy document now displays engagement metrics (53K views, 13 responses) in the header. No changes to data collection practices, privacy rights, consumer obligations, or data processing procedures were made.

View full change record →

May 18, 2026

low

What changed Medium updated its Privacy Policy on May 18, 2026 to add detailed disclosure about its address book contact feature. The new language explains that when users opt in to this feature, Medium converts contact names and email addresses into encrypted, non-reversible identifiers to match against its member database. Medium does not store names or emails in plain text, deletes identifiers for non-members immediately, and deletes all encrypted identifiers within 30 days. The policy also reorganized its personal information collection disclosure, though the categories themselves (identifiers, commercial information, internet activity, inferences) remain unchanged.

Why this matters The updated policy adds transparency about Medium's address book feature by explaining the technical process: contact names and emails are converted into encrypted identifiers, matched against Medium's member database, and then deleted. For contacts who are not Medium members, these encrypted identifiers are deleted immediately; all encrypted identifiers are deleted within 30 days regardless. The policy states Medium relies on legitimate interests to offer this feature, specifically its interest in helping users connect with people they know. You can review the specific disclosure in the 'Helping You Connect With People You Know' section of the updated policy.

View full change record →

April 26, 2026 low

Medium's privacy policy was updated on April 26, 2026, but the changes appear to be primarily formatting and structural rather than substantive. The document added a sentence reiterating the categories …

View change record →

April 22, 2026 low

Medium removed a call-to-action encouraging newsletter sign-up and replaced it with a disclosure statement listing the categories of personal information collected in the preceding 12 months, identifiers, commercial information, internet …

View change record →

Recent Provision Changes Jun 6, 2026

Added (2)

Data Collection Scope Medium

New provision explicitly enumerates specific personal data points collected, providing users with transparent detail about what information Medium gathers.

Policy Change Notification Low

New provision clarifies the methods and scope of notification for policy changes, setting expectations for user awareness of future modifications.

Removed (3)

Payment Data Collection and Processing

Removal of dedicated payment data processing clause may indicate integration of payment details into broader data collection scope, reducing transparency about payment-specific handling.

Data Collection from Third-Party Linked Accounts

Removal of explicit provision on third-party linked account data collection eliminates transparency about OAuth and social login data sharing practices.

Age Restriction and COPPA Compliance

Removal of standalone COPPA compliance clause means child privacy protections are now only covered under the general Children's Privacy provision with modified language.

Modified (8)

Third-Party Service Provider Data Sharing

Language simplified and narrowed to remove explicit mention of fraud prevention and business partners, consolidating focus on service providers only.

Corporate Transaction Data Transfer

Removed specific scenarios (financing due diligence, reorganization, bankruptcy, receivership, transition of service) and affiliate entity references, now covers only mergers, asset sales, and acquisition scenarios.

GDPR Legal Bases for Processing

Shifted focus from user rights (access, rectify, erase, restrict, portability, object) to Medium's legal bases for processing data, fundamentally changing the provision's perspective.

California Residents Rights and Opt-Out

Added explicit mention of the right to non-discrimination for exercising privacy rights, which is a key CCPA provision previously omitted.

Cookies and Tracking Technologies

Expanded to explicitly mention third-party partners' use of tracking technologies, web beacons, targeted advertising, and third-party data collection; removed reference to Cookie Policy.

View full change record →

Medium — 7 provisions

Data Collection Scope Compare →

The policy states that Medium collects account registration data including name, email address, password, and payment method information directly from users, and separately collects device identifiers, IP addresses, browser type, operating system, referral URLs, and behavioral data such as reading history and search queries through automated means.

Added May 21, 2026 Standard Seen across 284 platforms
Third-Party Service Provider Data Sharing Compare →

The policy authorizes sharing of personal information with third-party vendors and service providers for purposes including payment processing, data analysis, email delivery, hosting, customer service, and marketing, without specifying a complete list of named providers or requiring user notification prior to each sharing event.

Added May 21, 2026 Standard Seen across 284 platforms
Corporate Transaction Data Transfer Compare →

The policy states that personal information may be shared or transferred in connection with a merger, asset sale, financing, or acquisition of Medium, including during the negotiation phase of such transactions, with user notification described as prominent notice or direct communication.

Added May 21, 2026 Standard Seen across 284 platforms
GDPR Legal Bases for Processing Compare →

The policy states that for EEA users, Medium processes personal data on the legal bases of consent, contract performance, legitimate interests, or legal obligation under GDPR, without specifying in the policy text which legal basis applies to each individual processing activity.

Added May 21, 2026 Standard Seen across 284 platforms
California Residents Rights and Opt-Out Compare →

The policy states that California residents hold rights under CCPA to know about, delete, and opt out of the sale of their personal information, and have a right to non-discrimination for exercising these rights, with opt-out available via a designated link.

Added May 21, 2026 Standard Seen across 284 platforms
Cookies and Tracking Technologies Compare →

The policy authorizes Medium and third-party partners to use cookies, web beacons, and similar technologies to collect usage information and deliver targeted advertising, and permits third parties to independently collect information about user online activities through these technologies on Medium's platform.

Added May 21, 2026 Standard Seen across 284 platforms
International Data Transfers Compare →

The policy states that personal information may be transferred to and stored on computers outside a user's home jurisdiction, including to jurisdictions with less protective privacy laws, without specifying the transfer mechanisms used to safeguard EEA personal data.

Added May 21, 2026 Standard Seen across 284 platforms

Low — 3 provisions

Data Retention Compare →

The policy states that Medium retains personal information for as long as necessary to provide services and for legal, dispute, and enforcement purposes, without specifying defined retention periods for individual data categories.

Added May 21, 2026 Standard Seen across 284 platforms
Children's Privacy Compare →

The policy states that Medium's services are not directed to children under 13 and that Medium does not knowingly collect personal information from this age group, committing to delete such information if discovered, consistent with COPPA requirements.

Added May 21, 2026 Standard Seen across 284 platforms
Policy Change Notification Compare →

The policy states that Medium may update the Privacy Policy at any time, with notification limited to updating the effective date at the top of the document; additional notice through homepage statements or direct notifications is described as discretionary rather than required.

Added May 21, 2026 Standard Seen across 284 platforms

Monitoring

Medium has updated this document before.

Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →

Compliance Governance Intelligence

Need provision-level monitoring and regulatory mapping?

Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.

Start Compliance free trial

Cross-platform context

See how other platforms handle Reading History and Behavioral Data Collection and similar clauses.

Compare across platforms →

Archival ProvenanceSource & Archival Record

Last Captured June 6, 2026 09:59 UTC

Capture Method Automated scheduled archival capture

Document ID CA-D-000246

Version ID CA-V-003504

Source URL https://policy.medium.com/medium-privacy-policy-f03bf92035c9

Wayback Machine View external archival references →

SHA-256 4b267a46c437897047ad44c133fcdf78501c2cd41d799d2ceba4674bd6a84694

✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Hash verified

Medium Privacy Policy

June 6, 2026

May 18, 2026

Recent Provision Changes Jun 6, 2026

Monitor governance changes across the platforms you rely on.