The policy discloses that Substack shares account identifiers including email addresses and usernames with industry child safety organizations and consortia for the purpose of detecting and preventing child sexual exploitation and abuse material (CSAM/OCSEA). This provision was added in the most recent policy update (May 14, 2026).
This analysis describes what Substack's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes a data sharing relationship between Substack and third-party child safety organizations for CSAM detection purposes, which represents a newly disclosed category of third-party data transfer. The provision does not identify the specific consortia involved, which limits the ability of users or compliance teams to assess the data governance practices of receiving organizations.
Substack now discloses that it shares account identifiers, such as email addresses and usernames, with trusted industry child safety organizations to detect and prevent online child sexual exploitation and abuse. The policy also establishes that Substack will respond to privacy rights requests within one month, or up to three months for complex requests, providing more certainty about response timelines. Additionally, the policy clarifies that direct message recipients may retain messages even if you request deletion or delete your account, which is now explicitly stated rather than implied.
View change record →The updated policy no longer commits to responding to privacy rights requests within one month or within three months for complex requests. This removes a procedural timeline that previously bound Substack's response obligations. Additionally, the explicit disclosure that Substack shares account identifiers with child safety consortia to detect online child sexual exploitation has been removed from the policy, though the practice itself is not stated to have ended. The direct message retention language is now framed more directly: recipients may retain messages even if you request deletion or close your account.
View change record →Severity escalated from 'low' to 'medium' and excerpt expanded to show additional context with more formal language structure.
View full change record →Under this clause, Substack may share account identifiers including email addresses and usernames with third-party child safety organizations without individual user consent, as this processing is described as a legitimate interest of the platform. The policy does not name the specific organizations with which these identifiers are shared.
How other platforms handle this
We are part of the Match Group family of businesses. Match Group considers the safety and security of members a top priority. If you were banned from another Match Group service, your data can be shared with us to allow us to take necessary actions, including closing your account or preventing you f...
We may share your personal information with our affiliates, meaning entities that control, are controlled by, or are under common control with Consensys. We also share information with service providers who assist in operating our services, subject to confidentiality obligations.
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Monitoring
Substack has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"to share account identifiers with trusted industry child safety consortia for the detection and prevention of online child sexual exploitation and abuse (OCSEA); ... We may share account identifiers (such as email addresses and usernames) with trusted industry child safety organizations for the purpose of detecting and preventing online child sexual exploitation and abuse (OCSEA).— Excerpt from Substack's Substack Privacy Policy
1. REGULATORY LANDSCAPE: This provision engages GDPR Article 6 lawful basis analysis (the policy appears to rely on legitimate interests for this processing) and Article 9 if any special category inferences could arise from CSAM detection activities. The provision may also engage the EU Digital Services Act obligations for very large online platforms regarding CSAM detection and reporting. In the US, the EARN IT Act and CyberTipline reporting obligations under 18 U.S.C. Section 2258A are relevant regulatory context. The FTC and relevant State AGs have jurisdiction over consumer data sharing disclosures. 2. GOVERNANCE EXPOSURE: Medium. The policy discloses the category of sharing (account identifiers with child safety consortia) but does not identify specific recipient organizations, the contractual framework governing data received by those organizations, or retention periods. This may create documentation gaps for GDPR Article 30 records of processing activities and Article 13/14 transparency obligations. 3. JURISDICTION FLAGS: EU/EEA users may have heightened exposure given GDPR requirements for specific identification of recipients or categories of recipients in privacy notices. California users have CCPA rights regarding disclosure of categories of third parties to whom personal information is shared. 4. CONTRACT AND VENDOR IMPLICATIONS: The policy does not specify which industry consortia receive account identifiers, which limits vendor due diligence. Organizations with GDPR obligations processing employee or user data on Substack should assess whether this disclosure is adequately specific to satisfy transparency requirements. 5. COMPLIANCE CONSIDERATIONS: Compliance teams should evaluate whether the policy's disclosure of recipient category rather than specific recipient identity satisfies applicable transparency obligations in relevant jurisdictions. A data mapping update may be warranted to document this sharing category and assess lawful basis adequacy.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes a data sharing relationship between Substack and third-party child safety organizations for CSAM detection purposes, which represents a newly disclosed category of third-party data transfer. The provision does not identify the specific consortia involved, which limits the ability of users or compliance teams to assess the data governance practices of receiving organizations.
Under this clause, Substack may share account identifiers including email addresses and usernames with third-party child safety organizations without individual user consent, as this processing is described as a legitimate interest of the platform. The policy does not name the specific organizations with which these identifiers are shared.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Substack.