What are the institutional and regulatory implications of this document?

REGULATORY LANDSCAPE: This statement engages the EU General Data Protection Regulation, UK GDPR, the California Consumer Privacy Act as amended by CPRA, the EU-U.S. and Swiss-U.S. Data Privacy Frameworks administered by the U.S. Department of Commerce with FTC enforcement authority, and the APEC Cross-Border Privacy Rules and Privacy Recognition for Processors frameworks. The document also references Salesforce's EU and UK Processor Binding Corporate Rules, approved by relevant supervisory auth…

How does Salesforce's Salesforce Privacy Statement affect users?

Salesforce's data collection and sharing practices apply to individuals across website visits, event registrations, and marketing interactions, with data transfer authorized to third parties for advertising purposes. Individuals in GDPR, UK, and CCPA jurisdictions operate under mandatory opt-in requirements for certain disclosures and retain rights to request data deletion and object to automated profiling through the specified request mechanisms. All other users may submit opt-out requests reg…

How often is Salesforce's Salesforce Privacy Statement updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Salesforce updates this document?

Yes. Watcher subscribers ($9.99/month) can add Salesforce to their watchlist and receive same-day email alerts whenever this document or any other Salesforce document changes.

CA-D-000202

Salesforce Privacy Statement

Salesforce

Last change detected May 1, 2026 Privacy policy

SHA-256: 906367235ff8fca154a… 3 versions captured 1 change documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Salesforce ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

9 Total

0 High severity

6 Medium severity

3 Low severity

Summary

This document establishes Salesforce's practices for collecting, using, and sharing personal information from individuals who interact with Salesforce websites, attend events, receive marketing communications, or otherwise engage with the company. The statement authorizes Salesforce to share personal data with third parties including event sponsors, partners, and advertising networks for purposes including advertising on non-Salesforce websites. Individuals in the EU, UK, and California are granted specific rights including data access, deletion, and objection to automated decision-making, exercisable through Salesforce's privacy request form or email to privacy@salesforce.com.

Technical / Legal Breakdown

This document is Salesforce's full Privacy Statement (effective August 26, 2025), governing the collection, use, sharing, and processing of Personal Data by Salesforce, Inc. and its affiliates acting as data controllers, explicitly excluding Salesforce's role as a processor on behalf of enterprise customers. The statement asserts that Personal Data is collected across websites, events, marketing communications, office visits, and service interactions for purposes including personalized advertising, sales prospecting, research, and legal compliance; the terms authorize sharing with service providers, affiliates, event sponsors, partners, AppExchange partners, and public authorities. Notably, the document addresses cross-border data transfers through multiple mechanisms including EU-U.S. and Swiss-U.S. Data Privacy Frameworks, EU and UK Binding Corporate Rules, and Standard Contractual Clauses, and explicitly discloses advertising-related data sharing that triggers opt-out rights, including for those under 16; the document is explicit that it does not govern data processed in Salesforce's processor capacity, which is a significant carve-out affecting enterprise customer data handled through Salesforce's CRM and cloud platforms. The statement engages GDPR, CCPA, UK GDPR, APEC CBPR and PRP frameworks, and the EU-U.S. Data Privacy Framework administered by the U.S. Department of Commerce and enforceable by the FTC; jurisdiction-dependent rights such as data portability, automated decision-making objection, and minor-specific opt-in requirements create materially different compliance obligations depending on where data subjects are located.

Institutional Analysis

Institutional analysis available with Professional

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Start Professional free trial

1 important change detected

3 versions captured · Last updated: May 2026

May 1, 2026

low

What changed Salesforce removed the direct contact method (email and form link) from the main contact section of its Privacy Statement and replaced it with a new 'Transparency Reports' section. The updated policy now links to Salesforce's annual Transparency Reports (2020-2025) that describe how the company handles government requests for customer data. The change shifts focus from immediate contact channels to published disclosure of government data request practices.

Why this matters This change removes the direct email and web form contact method from the main Privacy Statement but preserves the contact information itself (it remains in the 'Contact Information' section at the end). Users seeking to exercise privacy rights or ask questions can still use the existing form and email, but Salesforce now emphasizes published Transparency Reports as the primary disclosure mechanism for how it handles government data requests. The practical impact on individual consumers is minimal, as the contact channels remain functional; the change primarily shifts documentation toward aggregate disclosure rather than individual inquiry.

View full change record →

Medium — 6 provisions

Processor Carve-Out from Privacy Statement Scope Compare →

This Privacy Statement only covers how Salesforce handles data in its own right, not the data that enterprise customers put into Salesforce's CRM or cloud products. That data is governed by separate contracts, not this document.

Added May 9, 2026 Standard Seen across 189 platforms
Advertising Data Sharing and Opt-Out Right Compare →

Salesforce may share your personal data with third-party advertising networks so that you can be shown targeted ads on other websites and apps. You have the right to opt out of this specific type of sharing.

Added May 9, 2026 Standard Seen across 246 platforms
Minor Data Opt-In Requirement Compare →

If you are under 16 (or a different age threshold depending on your country), Salesforce requires opt-in consent before sharing your personal data with third parties in certain ways, rather than relying on an opt-out approach.

Added May 9, 2026 Standard Seen across 262 platforms
International Data Transfers and Data Privacy Framework Compare →

Your personal data may be stored and processed in the United States and other countries, potentially with different privacy protections than your home country. Salesforce uses approved legal tools including Standard Contractual Clauses and Data Privacy Framework certification to authorize these transfers.

Added May 7, 2026 Common Seen across 122 platforms
Data Subject Rights Framework

Depending on where you live, you may have rights to see, correct, delete, or transfer your personal data, object to how it is processed, and appeal if Salesforce declines your request.

Added May 9, 2026 Rare
Breadth of Data Sharing Categories Compare →

Salesforce lists twelve distinct categories of third parties with whom your personal data may be shared, ranging from service providers and affiliates to event sponsors, AppExchange partners, and public authorities.

Added May 9, 2026 Standard Seen across 246 platforms

Low — 3 provisions

Third-Party Dispute Resolution and Supervisory Authority Complaint Rights Compare →

If Salesforce does not resolve your privacy concern, you can escalate for free to TrustArc (an independent dispute resolution provider) or, if you are in the EU or UK, to your national data protection regulator.

Added May 9, 2026 Standard Seen across 189 platforms
Government Transparency Reporting

Salesforce publishes annual transparency reports disclosing how many government requests for customer data it received and how it responded.

Added May 9, 2026 Rare
Purposes for Personal Data Processing Compare →

Salesforce uses your personal data for a wide range of purposes including showing you personalized ads, prospecting you as a sales lead, running events, conducting research, and complying with legal requirements.

Added May 9, 2026 Standard Seen across 189 platforms