What are the institutional and regulatory implications of this document?

REGULATORY LANDSCAPE: This policy engages GDPR for EU/EEA users, granting rights of access, rectification, erasure, restriction, portability, and objection; the policy references these rights explicitly and identifies Medium as the data controller. For California residents, the policy engages CCPA, disclosing categories of personal information collected and shared, and providing a right to know and delete. COPPA is implicated by the policy's minimum age requirement of 13. The FTC holds primary …

How does Medium's Medium Privacy Policy affect users?

Medium's collection and sharing practices establish that user reading history, writing activity, payment information, and linked account data are processed by analytics and advertising partners as part of platform operations. EU and California residents operate under specific legal rights to access, correct, delete, or restrict their data through formal request mechanisms, while users in other jurisdictions operate under the data handling terms stated in the policy without equivalent statutory …

How often is Medium's Medium Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Medium updates this document?

Yes. Watcher subscribers ($9.99/month) can add Medium to their watchlist and receive same-day email alerts whenever this document or any other Medium document changes.

CA-D-000246

Medium Privacy Policy

Medium

Last change detected May 18, 2026 Privacy policy

SHA-256: 311b83ba6da0980f518… 3 versions captured 3 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Medium ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

10 Total

0 High severity

8 Medium severity

2 Low severity

Summary

Medium's privacy policy establishes the categories of personal information collected from users, including email address, reading and writing history, payment details, device identifiers, and location data, along with the purposes for collection and processing. The policy authorizes Medium to share collected data with third-party advertising partners, analytics providers, and potential acquirers, and permits international data transfers including to the United States. The policy establishes differential data rights for users in the EU and California, who may request access to, correction of, deletion of, or restriction on processing of their personal data by contacting Medium at privacy@medium.com.

Technical / Legal Breakdown

This document is Medium's Privacy Policy (effective March 24, 2022), governing the collection, use, and sharing of personal data by A Medium Corporation across its publishing platform, and operates on a consent and legitimate interest basis depending on jurisdiction. The policy states that Medium collects account registration data, usage data, payment information, location data, and third-party linked account data, and the terms authorize sharing this information with service providers, business partners, affiliated entities, and in connection with mergers or acquisitions. Notably, the policy asserts broad data retention and third-party sharing rights, including the use of third-party analytics and advertising partners, and permits transfer of personal data to the United States and other jurisdictions that may lack equivalent data protection laws, which is a standard but practically significant disclosure for international users. The policy engages GDPR for EU/EEA users (including specific rights to access, erasure, and objection), CCPA for California residents (including rights to know, delete, and opt out of certain data sharing), and COPPA in the context of age restrictions; enforcement oversight would fall primarily under the FTC at the federal level and applicable state attorneys general. Material compliance considerations include the adequacy of consent mechanisms for EU transfers, the sufficiency of the CCPA opt-out infrastructure, and whether third-party advertising and analytics integrations are disclosed with sufficient specificity to satisfy applicable transparency requirements.

Institutional Analysis

Institutional analysis available with Professional

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Start Professional free trial

3 important changes detected

3 versions captured · Last updated: May 2026

May 18, 2026

low

What changed Medium updated its Privacy Policy on May 18, 2026 to add detailed disclosure about its address book contact feature. The new language explains that when users opt in to this feature, Medium converts contact names and email addresses into encrypted, non-reversible identifiers to match against its member database. Medium does not store names or emails in plain text, deletes identifiers for non-members immediately, and deletes all encrypted identifiers within 30 days. The policy also reorganized its personal information collection disclosure, though the categories themselves (identifiers, commercial information, internet activity, inferences) remain unchanged.

Why this matters The updated policy adds transparency about Medium's address book feature by explaining the technical process: contact names and emails are converted into encrypted identifiers, matched against Medium's member database, and then deleted. For contacts who are not Medium members, these encrypted identifiers are deleted immediately; all encrypted identifiers are deleted within 30 days regardless. The policy states Medium relies on legitimate interests to offer this feature, specifically its interest in helping users connect with people they know. You can review the specific disclosure in the 'Helping You Connect With People You Know' section of the updated policy.

View full change record →

April 26, 2026

low

What changed Medium's privacy policy was updated on April 26, 2026, but the changes appear to be primarily formatting and structural rather than substantive. The document added a sentence reiterating the categories of personal information Medium collects (identifiers, commercial information, internet activity, and inferences) and made minor edits to navigation text. The effective date of the policy remains March 24, 2022, and no new data collection practices or rights changes were introduced.

Why this matters This change appears to be a formatting and structural update with minimal consumer impact. Medium reaffirmed existing categories of personal information it collects (identifiers, commercial information, internet activity, and inferences) but did not introduce new data collection practices or modify consumer rights. The policy's effective date remains unchanged at March 24, 2022.

View full change record →

April 22, 2026 low

Medium removed a call-to-action encouraging newsletter sign-up and replaced it with a disclosure statement listing the categories of personal information collected in the preceding 12 months, identifiers, commercial information, internet …

View change record →

Medium — 8 provisions

Third-Party Data Sharing with Analytics and Advertising Partners Compare →

Medium shares your personal information with outside companies that help it run its business, including companies involved in advertising, analytics, fraud prevention, and payment processing.

Added May 10, 2026 Standard Seen across 246 platforms
International Data Transfer to the United States Compare →

If you live outside the US, your personal data will be sent to and stored in the United States, where privacy laws may offer less protection than in your home country.

Added May 10, 2026 Standard Seen across 246 platforms
GDPR Rights for EU/EEA Users Compare →

If you live in the EU or EEA, you have legal rights to see, correct, delete, or move your personal data, and to object to certain types of processing.

Added May 10, 2026 Standard Seen across 262 platforms
CCPA Rights for California Residents

If you live in California, you have the right to know what personal data Medium holds about you, request that it be deleted, and opt out of Medium selling your data.

Added May 10, 2026 Rare
Data Retention Without Fixed Periods Compare →

Medium keeps your personal data for as long as it considers necessary to run its services, without committing to specific deletion timelines in most cases.

Added May 10, 2026 Standard Seen across 223 platforms
Age Restriction and COPPA Compliance Compare →

Medium's services are not intended for users under 13, and Medium states it will delete any personal data it discovers it has collected from a child under that age.

Added May 10, 2026 Standard Seen across 262 platforms
Data Sharing in Connection with Business Transfers Compare →

If Medium is sold, merges with another company, or goes through bankruptcy, your personal data may be transferred to the new owner or successor entity as part of that transaction.

Added May 10, 2026 Standard Seen across 246 platforms
Use of Cookies and Tracking Technologies Compare →

Medium uses cookies and similar tools to track your behavior on its platform and references a separate Cookie Policy for more detail.

Added May 10, 2026 Standard Seen across 251 platforms

Low — 2 provisions

Payment Data Collection and Processing Compare →

When you pay for a Medium subscription or other purchase, Medium collects your card number and billing details and passes this through a third-party payment processor.

Added May 10, 2026 Standard Seen across 251 platforms
Data Collection from Third-Party Linked Accounts Compare →

If you sign into Medium using Google, Facebook, or another third-party account, Medium receives personal information from that service about you, such as your name and email address.

Added May 10, 2026 Standard Seen across 251 platforms