The policy states that Medium collects account registration data including name, email address, password, and payment method information directly from users, and separately collects device identifiers, IP addresses, browser type, operating system, referral URLs, and behavioral data such as reading history and search queries through automated means.
This analysis describes what Medium's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes the categories of personal data Medium collects across both direct user input and automated technical collection, which determines the scope of data subject rights requests under GDPR and CCPA and informs the data mapping obligations of any organization assessing Medium as a data processor or service.
New provision explicitly enumerates specific personal data points collected, providing users with transparent detail about what information Medium gathers.
View full change record →The agreement establishes that Medium collects identifiers, payment information, reading and browsing activity, device data, and inferred interests, forming the data set subject to user rights requests for access, correction, or deletion under applicable law.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.
We collect your personal data when you use our Services, create a new eBay account, provide us with information via a web form, add or update information in your eBay account, participate in online community discussions or otherwise interact with us.
Monitoring
Medium has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We collect information you provide to us directly, such as when you create or modify your account, sign up for and use our Services, contact us for support, or otherwise communicate with us. This information may include: name, email address, password, account settings and preferences, payment method information (e.g., your credit card number) and other account registration information.— Excerpt from Medium's Medium Privacy Policy
1. REGULATORY LANDSCAPE: The breadth of data categories collected engages GDPR Article 5 data minimization principles and CCPA Section 1798.100 disclosure requirements. The FTC Act's prohibition on unfair or deceptive practices applies to the accuracy of these disclosures for US users. EU supervisory authorities may assess whether all collected categories are necessary and proportionate to stated processing purposes. 2. GOVERNANCE EXPOSURE: Medium. The collection of payment method information, including credit card numbers, introduces PCI DSS compliance considerations for payment data handling, even if processing is delegated to a third-party payment processor. The collection of reading history and inferred interests for personalization purposes requires a documented legal basis under GDPR. 3. JURISDICTION FLAGS: EU and EEA users have heightened exposure given GDPR data minimization and purpose limitation requirements. California residents are entitled to a specific disclosure of categories of personal information collected under CCPA. Illinois users should note that the policy does not specifically address biometric data, which is regulated under BIPA. 4. CONTRACT AND VENDOR IMPLICATIONS: Organizations integrating with Medium via API or embedding Medium content should assess whether Medium's data collection practices on their properties create joint controller obligations under GDPR. The policy does not specify contractual data processing terms for B2B integrations. 5. COMPLIANCE CONSIDERATIONS: Compliance teams should verify that the policy's enumerated data categories are reflected in the organization's data inventory and Records of Processing Activities (ROPA) where Medium is a relevant processor or controller. CCPA compliance audits should confirm that all collected categories are disclosed in the policy's California-specific disclosures.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes the categories of personal data Medium collects across both direct user input and automated technical collection, which determines the scope of data subject rights requests under GDPR and CCPA and informs the data mapping obligations of any organization assessing Medium as a data processor or service.
The agreement establishes that Medium collects identifiers, payment information, reading and browsing activity, device data, and inferred interests, forming the data set subject to user rights requests for access, correction, or deletion under applicable law.
ConductAtlas has identified this type of provision across 17 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Medium.