Data Sharing with Third Parties

What it is

The notice states that Zendesk shares personal data with affiliated entities, subprocessors, advertising and analytics partners, and with third parties in asset sale or merger contexts, as well as when legally required.

Why it matters (compliance & governance perspective)

This provision authorizes sharing of personal data with advertising and analytics partners, which engages consent requirements under ePrivacy and GDPR in the EU, and opt-out rights under CCPA/CPRA for California residents, including the right to opt out of sale or sharing for cross-context behavioral advertising.

Consumer impact (what this means for users)

Under these terms, Zendesk shares personal data including identifiers, browsing activity, and usage data with advertising and analytics partners, and with affiliates and subprocessors. The agreement also authorizes disclosure to third parties in the context of business acquisitions or asset sales, which may transfer personal data to successor entities.

What you can do

Institutional analysis (Compliance & governance intelligence)

(1) REGULATORY LANDSCAPE: Sharing with advertising and analytics partners engages GDPR Article 6 lawful basis requirements and the ePrivacy Directive's consent requirements for cookie-based advertising. CCPA and CPRA treat sharing with advertising partners for cross-context behavioral advertising as a regulated activity requiring opt-out. The FTC, EU supervisory authorities, and California Privacy Protection Agency are the primary enforcement authorities. (2) GOVERNANCE EXPOSURE: Medium. The authorization to share data with advertising and analytics partners without specifying partner names or data types in the notice itself may create transparency gaps under GDPR and CPRA, which require more granular disclosure in some contexts. The business transfer clause creates the possibility of personal data moving to a successor entity under materially different privacy terms. (3) JURISDICTION FLAGS: EU/EEA users require valid consent for advertising cookie deployment under ePrivacy. California residents have a statutory right to opt out of sharing for cross-context behavioral advertising under CPRA. Business transfer provisions may trigger notification obligations in jurisdictions requiring prior consent or regulatory approval for certain data transfers. (4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should review Zendesk's published subprocessor list to identify advertising and analytics vendors and assess whether those vendors' data practices align with organizational data governance requirements. Business transfer provisions should be flagged in vendor contracts as a potential trigger for renegotiation or termination rights. (5) COMPLIANCE CONSIDERATIONS: Organizations that direct their end users to Zendesk-hosted support properties should assess whether their own privacy notices disclose Zendesk's advertising partner sharing practices. California-regulated organizations should confirm that opt-out mechanisms for sharing are accessible to their California-resident end users interacting with Zendesk properties.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Controller vs. Processor Dual Role medium
• Personal Data Categories Collected medium
• Cookie and Tracking Technologies medium
• International Data Transfers medium
• Data Subject Rights medium
• Data Retention low

Related Analysis

• Meta Removed 438 Sentences From Its Privacy Policy. Here Is What Disappeared.

  ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.

• 23andMe Is Bankrupt. What Happens to Your DNA Now?

  Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.