Gemini
· Gemini Privacy Policy
Biometric data is among the most sensitive personal information because it cannot be changed if compromised; its collection and storage creates significant privacy risk and is subject to strict regulation in some states.
Biometric data like facial recognition is among the most sensitive categories of personal information because it is unique, immutable, and cannot be changed if compromised; state laws impose strict requirements around its collection, use, and retention.
TikTok
· TikTok Privacy Policy
Biometric data is among the most sensitive categories of personal information under US law because it cannot be changed if compromised; the policy's qualifier 'where required by law' means consent may not be sought in all jurisdictions.
Target
· Target Privacy Policy
This provision requires compliance with state biometric privacy statutes including the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), and Washington's biometric privacy law, each of which imposes specific written consent, retention schedule, and destruction obligations prior to and following collection of biometric identifiers.
Biometric data is unique and permanent; unlike a password, it cannot be changed if compromised, making its collection and storage a significant privacy risk.
Biometric data collection is subject to strict consent, retention, and destruction requirements under state laws including Illinois BIPA, and the policy's disclosure of this practice requires consumers in covered jurisdictions to be aware of their rights to consent or object.
Roblox
· Roblox Privacy and Cookie Policy
Biometric data is subject to strict state-level laws in the US (notably Illinois BIPA) that require informed written consent, impose retention and destruction obligations, and provide a private right of action; the policy does not specify which features or jurisdictions are involved.
Biometric data is among the most sensitive categories of personal information because it is permanent and uniquely identifies individuals; unauthorized collection or misuse can cause irreversible harm.
This provision directly limits the practical scope of your privacy rights. Even if you exercise your legal right to erasure, the most sensitive financial activity data remains permanently public.
This provision clarifies the operational boundaries of MetaMask's data deletion obligations under privacy regulations. It establishes that the company's ability to honor erasure requests is constrained by the immutable nature of blockchain infrastructure rather than company policy.
This provision clarifies the operational limits on Coinbase's ability to process data deletion requests under privacy regulations. The clause establishes that certain transaction data subject to deletion requests falls outside the scope of Coinbase's technical capabilities due to the immutable nature of public blockchain records.
The collection of biometric identifiers and precise geolocation alongside financial identifiers creates significant data security and regulatory exposure, particularly under state biometric privacy laws and health-adjacent data statutes.
The policy states that data collection occurs simply by viewing the platform, without any account interaction, and that a wide range of personal and behavioral data categories are collected based on feature use, which means the scope of data collected can be extensive even for passive users.
The scope of data collection extends well beyond what most people associate with a credit bureau, encompassing behavioral, biometric, and psychological inference data that can affect how companies evaluate you.
Notion
· Notion Terms of Service
The availability of a Business Associate Agreement is operationally significant for healthcare organizations and covered entities that need contractual assurances under HIPAA before using Notion to process protected health information.
23andMe
· 23andMe Privacy Statement
This provision is particularly significant given that 23andMe has publicly reported financial difficulties; it means your most sensitive personal data, your DNA, could be acquired and controlled by an entity you did not originally consent to share it with.
Adobe
· Adobe Terms of Use
Employees and students using Adobe through an institutional account have no independent privacy protections from their employer or school within that account, including for content created prior to the current terms.
This provision authorizes collection of persistent identifiers from users identified as children for purposes including analytics and personalization, which requires evaluation against COPPA's restrictions on data use for child-directed services and equivalent national youth privacy frameworks. The policy states that technical and organizational measures are in place to prevent use of Cabined Account identifiers for other purposes, but the breadth of stated collection purposes may warrant review by compliance teams assessing COPPA and GDPR Article 8 alignment.
Persistent identifiers collected from children, including IP addresses and device IDs, are sensitive data categories under COPPA and equivalent laws, and the sufficiency of the asserted technical controls determines whether this practice complies with those frameworks.
This clause establishes the operational scope of data collection and use under the service agreement. It conditions continued service on Comcast's authority to gather and process subscriber information according to the Privacy Policy, which constitutes the primary mechanism for disclosing data practices under cable subscriber privacy regulations.
Cable viewing history is among the most sensitive categories of subscriber data, and its use for off-platform advertising raises questions about whether the current opt-out consent model satisfies the Cable Communications Policy Act's opt-in requirements.
Visa
· Visa Privacy Notice
The provision operationalizes Visa's compliance with state privacy statutes by establishing procedural mechanisms for consumer requests and defining the entity's obligations to process, verify, and fulfill those requests within specified timeframes. This establishes the institutional framework under which California consumers may exercise statutory privacy rights.
This provision establishes the statutory framework governing how Robinhood must handle personal information requests from California residents. The clause operationalizes consumer privacy rights that are enforceable under California law and creates corresponding obligations for the entity to implement mechanisms for exercising these rights.
The provision operationalizes Instacart's compliance obligations under California privacy statutes by providing residents with jurisdiction-specific rights regarding data collection, use, disclosure, and deletion. This establishes the procedural framework through which California residents may exercise statutory privacy rights that differ from residents of other states.
The provision operationalizes California's statutory privacy mandates within Nintendo's service terms, establishing procedural requirements for data subject requests and defining the scope of personal information subject to CCPA/CPRA protections. This framing determines how Nintendo processes and responds to consumer rights exercises and shapes the company's data governance obligations.
Fiverr
· Fiverr Privacy Policy
This provision operationalizes state-level data privacy requirements that apply to Fiverr's processing of California residents' personal information. It establishes mandatory procedures for responding to consumer data requests and limiting data monetization practices under CCPA/CPRA frameworks.
This provision operationalizes Instacart's compliance framework for California privacy statutes, which require distinct disclosures regarding consumer rights, data collection categories, and use practices. The supplemental structure reflects California's regulatory requirement that entities provide residents with statutory-mandated privacy notices separate from general privacy policies.
Chase
· Chase Privacy Notice
The provision acknowledges CCPA statutory obligations that Chase must honor for California residents. These rights operate as legal requirements rather than voluntary company policies, establishing baseline data access and control mechanisms that users may invoke independently of the privacy notice terms.
Chase
· Chase Privacy Notice
The clause establishes that Chase recognizes the applicability of California privacy statutes to its California resident users and references supplemental disclosure materials. This framing indicates the agreement incorporates compliance with state-specific privacy obligations rather than creating independent contractual privacy rights.
The provision operationalizes statutory consumer rights under California law by establishing procedures through which the company must process access, deletion, and opt-out requests, and specifies the company's obligations regarding disclosure of data collection and sharing practices.