Third-Party Sharing for Advertising

What it is

Noom may share your personal information, which can include health-related data, with advertising networks and marketing companies to show you targeted ads.

Why it matters (compliance & governance perspective)

The clause establishes the operational scope of data sharing beyond Noom's direct control, specifying that user information flows to external parties involved in advertising delivery and measurement. This defines which categories of third parties receive access to user data as part of the service infrastructure.

Consumer impact (what this means for users)

Personal information you provide to Noom, potentially including health and behavioral data, may be passed to advertising networks and analytics companies, meaning your health journey data could be used to target you with ads inside and outside of the Noom platform. California residents can opt out of this sharing under CPRA.

What you can do

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: Under CPRA, sharing personal information with advertising partners for cross-context behavioral advertising may constitute a sale or sharing of personal information, triggering the right to opt out; GDPR requires a lawful basis for sharing personal data with third-party advertisers, and where health data is involved, explicit consent may be required; the FTC Act prohibits deceptive practices, and sharing health data with advertisers in ways not clearly disclosed or contrary to user expectations could attract FTC scrutiny, particularly given Noom's prior regulatory history with the FTC. GOVERNANCE EXPOSURE: High. The combination of sensitive health data and advertising-oriented third-party sharing is an area of active regulatory focus; enforcement actions by state AGs and the FTC against health app operators for similar practices have increased in recent years, and the policy's broad authorization of this sharing creates meaningful compliance exposure. JURISDICTION FLAGS: California (CPRA opt-out of sale and sharing rights), Colorado, Connecticut, Virginia, and other US states with comprehensive privacy laws that include opt-out rights for targeted advertising; EU/EEA (GDPR consent requirements for advertising profiling); UK (UK GDPR and ICO guidance on adtech). CONTRACT AND VENDOR IMPLICATIONS: Advertising and analytics partner agreements should be reviewed to confirm they restrict use of Noom user data to permitted purposes and do not allow onward transfer or secondary use; Data Processing Agreements and Standard Contractual Clauses should be in place for EU and UK data transfers to advertising partners outside those jurisdictions. COMPLIANCE CONSIDERATIONS: Noom should ensure a clear and accessible opt-out mechanism for the sale and sharing of personal information is available to California residents and users in other states with equivalent rights; the consent flow for advertising data sharing should be audited to confirm it meets GDPR standards where health data may be involved; marketing technology vendor assessments should confirm that pixel and SDK integrations with advertising platforms are reflected in the privacy policy and do not transfer more data than disclosed.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Sensitive Health Data Collection medium
• HIPAA Non-Applicability Disclaimer medium
• California CPRA Rights low
• GDPR and UK GDPR Rights for EU and UK Users low
• Data Retention Policy low
• International Data Transfers low

Related Analysis

• Meta Removed 438 Sentences From Its Privacy Policy. Here Is What Disappeared.

  ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.

• 23andMe Is Bankrupt. What Happens to Your DNA Now?

  Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.