Nintendo shares your personal data with a range of third-party companies that handle payment processing, data analysis, marketing, hosting, and customer service on its behalf, as well as with business partners for marketing purposes.
This analysis describes what Nintendo's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
Sharing with business partners for marketing purposes goes beyond operational necessity and means your data may be used by companies outside Nintendo's direct control to market products to you.
Interpretive note: The distinction between service providers and business partners, and whether business partner sharing constitutes a 'sale' under CCPA, requires analysis of specific contractual arrangements not disclosed in the policy.
Nintendo now explicitly discloses that it collects persistent identifiers (IP addresses, device IDs) from child users for operational, security, fraud prevention, and service improvement purposes, and states that contractual restrictions limit how service providers can use this data. Parents gain enhanced transparency by being able to view a named list of third-party games and applications authorized to access their child's account, rather than just managing access through settings. The policy also clarifies that location information may be used for check-ins at Nintendo locations and events in addition to location-based games. You can review and manage which third-party apps have access to your child's account through your Nintendo Account profile settings.
Nintendo now discloses that it uses location data not only for location-based games and friend connections, but also to enable check-ins at specific events and Nintendo locations, which is a new explicit use case. The policy now details how child user data including persistent identifiers like IP addresses and device IDs are collected and retained, with commitments to delete or de-identify data based on sensitivity and account activity. Parents can now see which third-party apps have been authorized to access their child's account before deciding whether to allow continued access, giving more visibility into connected applications.
The revised policy simplifies how Nintendo describes data retention, now stating information is retained only as long as reasonably necessary in accordance with applicable law, without prior detail about sensitivity-based retention practices. For child users, the policy no longer explicitly lists persistent identifiers (IP addresses, device identifiers) that Nintendo and service providers collect, removing specific disclosure language that previously detailed collection purposes for child accounts. The policy now indicates it collects error information from both users and devices, broadening the prior language focused on device errors only. The privacy certification body changed from CARU to ESRB, meaning independent audits and enforcement are now administered by the Entertainment Software Rating Board rather than the Children's Advertising Review Unit.
Your personal data including gameplay history, purchase records, and contact information may be shared with Nintendo's service providers and business partners, some of whom may use it for their own marketing purposes, extending the reach of your data beyond Nintendo itself.
How other platforms handle this
We may share your personal information with third parties in the following circumstances: With service providers who perform services on our behalf, such as data analytics, marketing, customer service, and technology services. With financial partners, including banks, brokerage firms, and payment pr...
We may also share your personal information with third parties that assist us in providing our services, or where we are under an obligation to report to. But rest assured: we will only ever share your personal information in the limited circumstances described in this Policy.
We may share your personal information with our affiliates, meaning entities that control, are controlled by, or are under common control with Consensys. We also share information with service providers who assist in operating our services, subject to confidentiality obligations.
Monitoring
Nintendo has changed this document before.
"We may share your information with third parties that perform services on our behalf, such as payment processing, data analysis, email delivery, hosting services, customer service, and marketing assistance. We may also share your information with business partners who offer products or services that may be of interest to you." — Excerpt from Nintendo's Nintendo Privacy Policy
REGULATORY LANDSCAPE: Data sharing with service providers must comply with CCPA requirements that service providers are contractually prohibited from retaining, using, or disclosing personal information outside the business purpose; sharing with 'business partners' for marketing may qualify as a 'sale' or 'sharing' of personal information under CCPA triggering opt-out rights. GDPR requires that data transfers to third parties have a valid lawful basis and that data processors be bound by appropriate contractual terms (Article 28 agreements). Cross-border data transfers to Nintendo affiliates or service providers outside the EEA require an adequacy decision or appropriate safeguards such as Standard Contractual Clauses.
GOVERNANCE EXPOSURE: Medium. The distinction between service providers (who process data only on Nintendo's behalf) and business partners (who may use data for their own marketing) is operationally significant under CCPA and GDPR. If business partner data sharing constitutes a 'sale' or 'sharing' without an adequate opt-out mechanism, this creates direct regulatory risk.
JURISDICTION FLAGS: California residents have opt-out rights for any sharing that qualifies under CCPA, and the California Privacy Protection Agency has enforcement authority. EU/EEA users require that any international data transfer be covered by Standard Contractual Clauses or another GDPR-compliant transfer mechanism. Other state privacy laws (Virginia, Colorado, Connecticut) impose similar opt-out rights for data sharing with third parties for advertising.
CONTRACT AND VENDOR IMPLICATIONS: The policy does not enumerate specific service providers or business partners, which limits transparency for compliance due diligence. Vendor agreements should clearly distinguish between service provider relationships (with data processing agreements) and business partner relationships (which require opt-out mechanisms). Procurement teams should assess whether existing vendor agreements meet updated CCPA and GDPR contractual requirements.
COMPLIANCE CONSIDERATIONS: Legal teams should maintain an up-to-date list of all third-party data recipients, categorized as service providers versus business partners, with the legal basis and contractual framework for each sharing relationship documented. The opt-out mechanism for business partner data sharing should be tested to verify it functions correctly and that opt-out signals are passed through to all relevant partners.
ConductAtlas has identified this type of provision across 7 platforms.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Nintendo.