The policy discloses that when Xfinity shares non-directly-identifying data such as IP addresses or device identifiers with third-party partners, those partners may be capable of re-identifying users using information from other sources.
This analysis describes what Xfinity's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The clause establishes that Xfinity recognizes a re-identification risk when sharing ostensibly non-identifying information, meaning practical anonymity is not guaranteed even for non-directly-identifying data Xfinity discloses.
Under this clause, Xfinity discloses that third-party partners receiving data such as IP addresses or device identifiers may combine that data with other sources to identify individual users. The agreement does not represent that Xfinity contractually restricts partners from engaging in such re-identification.
How other platforms handle this
prevent or detect violations of our Terms or fraud or abuse of Strava or its users; or (4) protect our operations or our property or other legal rights, including in connection with actual or potential litigation.
the Receiving Party shall (other than to the extent prohibited by law) provide prior written notice to the Disclosing Party and reasonably cooperate...with any efforts by the Disclosing Party to contest or limit such disclosure requirement
Recipient may disclose Discloser's Confidential Information: (i) to the extent that such disclosure is required by applicable law or by the order of a court...provided that...the Recipient promptly notifies the Discloser in writing of such required disclosure...
Monitoring
Xfinity has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Where the personal information we may disclose does not directly identify you...it is possible that our third party partners may be able to identify you based on information they collect from other sources...— Excerpt from Xfinity's Comcast Privacy Policy
1) REGULATORY LANDSCAPE: This provision engages GDPR's definition of personal data, which encompasses information that is identifiable when combined with other data held by a controller or a third party. Under GDPR and UK GDPR, IP addresses and device identifiers are generally treated as personal data. CCPA similarly covers information that is reasonably linkable to a consumer. The FTC has addressed re-identification risks in guidance on data broker and advertising ecosystem practices. Relevant enforcement authorities include the FTC, state Attorneys General, the European Data Protection Board, and the UK ICO. 2) GOVERNANCE EXPOSURE: High. The policy's explicit acknowledgment that third-party partners may re-identify users from shared pseudonymous identifiers may, in jurisdictions where IP addresses and device identifiers are classified as personal data, mean that disclosures of such data to third parties constitute personal data transfers subject to consent and transparency requirements under GDPR and CCPA. The policy does not represent that partner contracts include re-identification prohibitions. 3) JURISDICTION FLAGS: EEA and UK users face heightened exposure because GDPR and UK GDPR treat reasonably re-identifiable data as personal data, meaning third-party sharing of IP addresses and device identifiers may require a valid legal basis and data processing agreements with appropriate safeguards. California residents may have rights regarding the sale or sharing of such data under CCPA. Illinois BIPA is not directly implicated unless biometric identifiers are included. 4) CONTRACT AND VENDOR IMPLICATIONS: B2B clients and partners should assess whether Xfinity's data sharing agreements include restrictions on third-party re-identification and whether those terms satisfy their own regulatory obligations. The absence of disclosed contractual re-identification restrictions in the policy may be a due diligence flag for enterprise customers. 5) COMPLIANCE CONSIDERATIONS: Legal teams should evaluate whether the disclosure of this re-identification risk satisfies transparency requirements under GDPR Article 13/14 and CCPA notice obligations. Data processing agreements with third-party advertising partners should be reviewed to assess whether re-identification restrictions are contractually imposed. Organizations subject to GDPR should assess whether shared pseudonymous identifiers qualify as personal data transfers requiring appropriate safeguards.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 3 platforms + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The clause establishes that Xfinity recognizes a re-identification risk when sharing ostensibly non-identifying information, meaning practical anonymity is not guaranteed even for non-directly-identifying data Xfinity discloses.
Under this clause, Xfinity discloses that third-party partners receiving data such as IP addresses or device identifiers may combine that data with other sources to identify individual users. The agreement does not represent that Xfinity contractually restricts partners from engaging in such re-identification.
ConductAtlas has identified this type of provision across 275 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Xfinity.