Track 1 platform and get the weekly governance digest. No credit card required.
This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology
This document establishes Starbucks' data collection, use, and sharing practices for personal information obtained through its mobile app, website, in-store transactions, and Rewards program. The policy authorizes collection of precise location data, purchase history, payment details, and voice recordings from customer service interactions, with disclosed sharing of such information to advertising partners and analytics vendors in transactions classified as sales or sharing under California law. California residents are provided mechanisms to opt out of such sales or sharing through a designated link on the Starbucks website.
This document is Starbucks' Privacy Notice governing the collection, use, and sharing of personal information across its websites, mobile applications, in-store services, and Starbucks Rewards program, with stated legal basis rooted in consent, contractual necessity, and legitimate business interests. The notice states that Starbucks collects identifiable data including name, email, phone, payment card details, precise geolocation, purchase and transaction history, device identifiers, voice and audio data from customer service interactions, and inferences drawn from consumer behavior to build profiles used for personalized marketing, loyalty program administration, and analytics. The notice authorizes sharing of personal data with a broad range of third parties including advertising partners, data analytics vendors, social media platforms, and business partners for cross-context behavioral advertising purposes, and discloses the sale or sharing of personal information as defined under California law, which triggers specific opt-out rights; the breadth of inference and profiling activities, combined with sharing for advertising purposes, represents a notable scope of data monetization relative to what a retail food-and-beverage consumer might reasonably anticipate. The notice explicitly engages the California Consumer Privacy Act as amended by the California Privacy Rights Act, citing rights to know, delete, correct, opt out of sale or sharing, and limit sensitive personal information use, and references compliance with Washington State privacy law for Washington residents; the document is primarily US-focused with no substantive GDPR or UK GDPR framework described, which may create gaps for any EU or UK customer interactions. Compliance teams should note that the notice discloses collection of precise geolocation, voice and audio data, and inferences as categories of sensitive or functionally sensitive data, each carrying heightened regulatory attention under the CPRA and emerging state privacy statutes, and that the disclosed advertising-partner data-sharing model warrants ongoing assessment under FTC unfair or deceptive practices authority.
Institutional analysis available with Compliance
Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.
Start Compliance free trialMonitoring
Starbucks has updated this document before.
Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
Compliance Governance Intelligence
Need provision-level monitoring and regulatory mapping?
Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.
Start Compliance free trialCross-platform context
See how other platforms handle Sale and Sharing of Personal Information for Behavioral Advertising and similar clauses.
Compare across platforms →Governance Monitoring
Structured alerts for policy changes, governance events, and provision updates across 318+ platforms.