Public can share data that has been stripped of personal identifiers with outside companies for purposes like research and marketing, and this sharing is not subject to the same restrictions as personal data.
This analysis describes what Public.com's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The policy asserts that aggregated or de-identified data falls outside normal privacy protections, but the robustness of de-identification is not independently verified in the policy text, and re-identification risks exist particularly with detailed financial behavioral data.
Interpretive note: The policy asserts that de-identified data cannot reasonably be used to identify individuals, but does not disclose the technical standard applied. Whether this assertion satisfies applicable legal standards depends on the actual methodology, which is not available in the policy text.
Your trading behavior and account activity may inform research and marketing products shared with third parties after being aggregated or de-identified. The policy does not specify the de-identification standard applied, so users cannot independently assess the re-identification risk.
How other platforms handle this
We may use and share de-identified or aggregated information for any purpose, including research and analytics. We maintain and use de-identified data without attempting to re-identify it.
Mixpanel may use aggregated or de-identified data derived from customer event data for its own purposes, including improving its services, developing new features, and generating analytics insights, provided that such data cannot reasonably be used to identify individual users.
We may use aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you for any purpose, including sharing it with partners, advertisers, and other third parties. This information is not subject to the restrictions in this Privacy Policy.
Monitoring
Public.com has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We may also share aggregated or de-identified information, which cannot reasonably be used to identify you, with third parties for research, marketing, analytics, and other purposes.— Excerpt from Public.com's Public.com Privacy Policy
REGULATORY LANDSCAPE: CCPA/CPRA and other state privacy laws typically exempt truly de-identified data from consumer rights requirements, but CPRA imposes an obligation on businesses to implement processes to prevent re-identification and to contractually prohibit recipients from re-identifying data. The FTC has issued guidance warning that de-identified data may carry re-identification risks, particularly for large or behavioral datasets. The FTC Act's prohibition on deceptive practices applies if de-identification claims overstate actual anonymization. GOVERNANCE EXPOSURE: Medium. Financial behavioral data is among the most susceptible to re-identification because individual trading patterns can be distinctive. The policy's assertion that de-identified data 'cannot reasonably be used to identify you' is a legal conclusion that depends on the technical standard applied, which is not disclosed. JURISDICTION FLAGS: CPRA requires businesses that share de-identified data to take active steps to prevent re-identification, not merely assert that re-identification is unlikely. This is a heightened obligation relative to CCPA's original text. Similar requirements exist in Colorado and Connecticut privacy laws. CONTRACT AND VENDOR IMPLICATIONS: Contracts with third-party recipients of de-identified data should include explicit prohibitions on re-identification consistent with CPRA requirements. Legal teams should confirm that vendor agreements address this requirement and that technical de-identification methods meet applicable regulatory standards. COMPLIANCE CONSIDERATIONS: Compliance teams should document the technical methodology used to de-identify data shared with third parties and confirm it meets the standard referenced by applicable law (such as the FTC's safe harbor standard or NIST guidance). The policy should ideally identify the de-identification standard applied to support the claim that data cannot reasonably be re-identified.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The policy asserts that aggregated or de-identified data falls outside normal privacy protections, but the robustness of de-identification is not independently verified in the policy text, and re-identification risks exist particularly with detailed financial behavioral data.
Your trading behavior and account activity may inform research and marketing products shared with third parties after being aggregated or de-identified. The policy does not specify the de-identification standard applied, so users cannot independently assess the re-identification risk.
ConductAtlas has identified this type of provision across 4 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Public.com.