Public can share data that has been stripped of personal identifiers with outside companies for purposes like research and marketing, and this sharing is not subject to the same restrictions as personal data.
This analysis describes what Public.com's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The policy asserts that aggregated or de-identified data falls outside normal privacy protections, but the robustness of de-identification is not independently verified in the policy text, and re-identification risks exist particularly with detailed financial behavioral data.
Interpretive note: The policy asserts that de-identified data cannot reasonably be used to identify individuals, but does not disclose the technical standard applied. Whether this assertion satisfies applicable legal standards depends on the actual methodology, which is not available in the policy text.
Your trading behavior and account activity may inform research and marketing products shared with third parties after being aggregated or de-identified. The policy does not specify the de-identification standard applied, so users cannot independently assess the re-identification risk.
How other platforms handle this
We may share your personal information with our affiliates, meaning entities that control, are controlled by, or are under common control with Consensys. We also share information with service providers who assist in operating our services, subject to confidentiality obligations.
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
RedCard. We share information with our financial partners to operate the Target RedCard program.
Monitoring
Public.com has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We may also share aggregated or de-identified information, which cannot reasonably be used to identify you, with third parties for research, marketing, analytics, and other purposes.— Excerpt from Public.com's Public.com Privacy Policy
REGULATORY LANDSCAPE: CCPA/CPRA and other state privacy laws typically exempt truly de-identified data from consumer rights requirements, but CPRA imposes an obligation on businesses to implement processes to prevent re-identification and to contractually prohibit recipients from re-identifying data. The FTC has issued guidance warning that de-identified data may carry re-identification risks, particularly for large or behavioral datasets. The FTC Act's prohibition on deceptive practices applies if de-identification claims overstate actual anonymization. GOVERNANCE EXPOSURE: Medium. Financial behavioral data is among the most susceptible to re-identification because individual trading patterns can be distinctive. The policy's assertion that de-identified data 'cannot reasonably be used to identify you' is a legal conclusion that depends on the technical standard applied, which is not disclosed. JURISDICTION FLAGS: CPRA requires businesses that share de-identified data to take active steps to prevent re-identification, not merely assert that re-identification is unlikely. This is a heightened obligation relative to CCPA's original text. Similar requirements exist in Colorado and Connecticut privacy laws. CONTRACT AND VENDOR IMPLICATIONS: Contracts with third-party recipients of de-identified data should include explicit prohibitions on re-identification consistent with CPRA requirements. Legal teams should confirm that vendor agreements address this requirement and that technical de-identification methods meet applicable regulatory standards. COMPLIANCE CONSIDERATIONS: Compliance teams should document the technical methodology used to de-identify data shared with third parties and confirm it meets the standard referenced by applicable law (such as the FTC's safe harbor standard or NIST guidance). The policy should ideally identify the de-identification standard applied to support the claim that data cannot reasonably be re-identified.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The policy asserts that aggregated or de-identified data falls outside normal privacy protections, but the robustness of de-identification is not independently verified in the policy text, and re-identification risks exist particularly with detailed financial behavioral data.
Your trading behavior and account activity may inform research and marketing products shared with third parties after being aggregated or de-identified. The policy does not specify the de-identification standard applied, so users cannot independently assess the re-identification risk.
ConductAtlas has identified this type of provision across 4 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Public.com.