Substack shares user account identifiers including email addresses and usernames with external child safety organizations to help detect and prevent child sexual abuse material online.
This analysis describes what Substack's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
This practice, newly disclosed in this policy update, means that identifiers associated with your Substack account may be shared with third-party organizations outside of Substack for a defined safety purpose, without individual user consent or notification.
Interpretive note: The specific consortia receiving account identifiers are not named, which creates uncertainty about the scope of disclosure and whether it meets GDPR transparency obligations.
Substack now discloses that it shares account identifiers, such as email addresses and usernames, with trusted industry child safety organizations to detect and prevent online child sexual exploitati…
Your Substack email address and username may be shared with child safety industry consortia as a routine operational practice, which most users will not have been individually notified about prior to this policy update.
Substack has changed this document before.
"Industry Child Safety Programs: We may share account identifiers (such as email addresses and usernames) with trusted industry child safety organizations for the purpose of detecting and preventing online child sexual exploitation and abuse (OCSEA)."
Excerpt from Substack's Privacy Policy
REGULATORY LANDSCAPE: This provision engages GDPR Article 6 and Article 9 considerations where the sharing of account identifiers with third parties is based on legitimate interests or legal obligation rather than consent. Under GDPR, a legitimate interests assessment (LIA) should document that this sharing is necessary, proportionate, and that the legitimate interest in child safety is not overridden by data subject rights. In the US, sharing for CSAM detection purposes may be supported or required under the PROTECT Our Children Act and related federal frameworks, and may engage the National Center for Missing and Exploited Children (NCMEC) reporting ecosystem. The FTC's oversight of data sharing practices is also relevant.

GOVERNANCE EXPOSURE: Medium. The purpose is clearly legitimate and socially significant, but the policy does not identify the specific consortia that receive account identifiers, which limits user ability to understand the scope of disclosure and may not satisfy GDPR transparency requirements that recipients or categories of recipients be disclosed with sufficient specificity.

JURISDICTION FLAGS: EU and UK users have rights under GDPR to know the identity or categories of recipients of their data. The absence of named consortia may require further specification for GDPR compliance. California residents may have CCPA rights regarding this disclosure. For minor users, additional sensitivity applies under COPPA in the US.

CONTRACT AND VENDOR IMPLICATIONS: Compliance teams should ensure that data sharing agreements with named child safety consortia include appropriate data protection provisions, access controls, and purpose limitations. The policy's use of 'trusted' without further specification warrants vendor due diligence documentation.

COMPLIANCE CONSIDERATIONS: A documented legitimate interests assessment for this sharing practice should be maintained. The specific consortia involved should be identified internally and assessed for adequate data protection standards. For EU and UK users, the legal basis for onward transfer of identifiers to these third parties under GDPR Chapter V transfer rules should be confirmed.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Substack.