Data Sharing with Third-Party Service Providers and Partners

What it is

Riot shares your data with a wide range of outside companies including analytics providers, customer support vendors, advertising partners, and potentially acquirers in a business transaction.

Why it matters (compliance & governance perspective)

Data shared in connection with a business transaction such as a merger or acquisition may reach new parties under different privacy frameworks, and users typically have limited ability to prevent this type of transfer.

This document changed recently

Consumer impact (what this means for users)

Your personal data may be shared with a broad range of third parties beyond Riot itself, including external advertising and analytics companies, and could be transferred to a new owner if Riot is acquired. Users have limited practical control over business transaction transfers, though they retain deletion and access rights under applicable law.

What you can do

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: Third-party data sharing engages GDPR Article 28 (processor relationships) and Article 26 (joint controllers) depending on the nature of the relationship. CCPA/CPRA regulates 'selling' and 'sharing' personal information with third parties for commercial purposes. FTC guidance on data broker practices applies to analytics and advertising partners receiving Riot user data. M&A data transfers may require regulatory notification or consent mechanisms in some jurisdictions. GOVERNANCE EXPOSURE: Medium. The notice provides a categorical rather than specific enumeration of third parties, which is common industry practice but may not satisfy GDPR's transparency requirements for processor and sub-processor disclosure. The inclusion of M&A transfers without a consent mechanism or opt-out right is standard but limits consumer control in a material transaction scenario. JURISDICTION FLAGS: California residents have CPRA rights to know which categories of third parties receive their data. EU users have rights to obtain information about recipients under GDPR Article 15. The breadth of sharing with advertising partners may require evaluation under the ePrivacy Directive in EU jurisdictions. CONTRACT AND VENDOR IMPLICATIONS: Organizations integrating Riot services into enterprise environments should assess whether Riot's data processor agreements with sub-processors are available and adequate. M&A due diligence should account for Riot's data sharing obligations and whether acquirer privacy practices are compatible with Riot's stated commitments. COMPLIANCE CONSIDERATIONS: A vendor risk assessment covering the third-party ecosystem referenced in the notice is recommended. CCPA compliance teams should verify whether the opt-out of sale and sharing mechanism covers all advertising partner relationships. Legal teams should assess whether M&A transfer provisions include privacy continuity commitments for existing users.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Voice and Text Chat Recording high
• Kernel-Level Anti-Cheat (Vanguard) Data Collection high
• Behavioral Data Used for Targeted Advertising medium
• Children's Data and Age Restrictions high
• International Data Transfers medium
• User Privacy Rights and Request Process low

Related Analysis

• Meta Removed 438 Sentences From Its Privacy Policy. Here Is What Disappeared.

  ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.

• 23andMe Is Bankrupt. What Happens to Your DNA Now?

  Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.