Uber
· Uber Privacy Notice
This provision authorizes collection of biometric identifiers, a category of sensitive personal data subject to specific statutory requirements in Illinois, Texas, Washington, and other jurisdictions, with distinct consent, retention, and destruction obligations that may exceed what a general privacy policy disclosure satisfies.
Runway
· Runway Privacy Policy
Biometric identifiers such as face scans and voiceprints are among the most sensitive personal data categories and are subject to specific consent, retention, and destruction requirements under laws such as Illinois BIPA and Texas CUBI. The policy does not disclose a specific biometric data retention schedule, which is a material requirement under several of these statutes.
Adobe
· Adobe Privacy Policy
Biometric data like faceprints is sensitive and largely irreplaceable if misused. Users in states like Illinois have strong legal protections for this data that may exceed what this policy describes, and the carve-out 'unless otherwise specified in the Software or Services' creates some ambiguity about data deletion timelines.
Biometric data is among the most sensitive personal information because it cannot be changed if compromised. Several states have strict laws governing how companies may collect, store, and share biometric identifiers.
Stripe
· Stripe Privacy Policy
This provision establishes that biometric data collection is within scope of Stripe's data practices for identity verification purposes, which engages state biometric privacy statutes and GDPR special category data provisions requiring explicit consent.
This provision discloses collection of biometric identifiers, which are among the most sensitive personal data categories under CCPA/CPRA and state biometric privacy laws. The scope of collection across the Samsung device ecosystem creates obligations regarding consent, retention schedules, and data sharing restrictions that vary by jurisdiction.
Biometric data is among the most sensitive personal information categories because it is immutable. State laws like Illinois BIPA impose strict requirements and statutory damages for non-compliant biometric data collection, making this provision legally significant regardless of the stated retention limit.
Uber
· Uber Privacy Notice
This provision requires collection and processing of biometric identifiers, which are classified as special category data under GDPR Article 9 and sensitive personal information under CCPA/CPRA, and as biometric identifiers under Illinois BIPA and similar statutes, triggering heightened consent, retention, and security obligations in multiple jurisdictions.
Gemini
· Gemini Privacy Policy
Biometric data is among the most sensitive personal information because it cannot be changed if compromised; its collection and storage creates significant privacy risk and is subject to strict regulation in some states.
Biometric data like facial recognition is among the most sensitive categories of personal information because it is unique, immutable, and cannot be changed if compromised; state laws impose strict requirements around its collection, use, and retention.
TikTok
· TikTok Privacy Policy
Biometric data is among the most sensitive categories of personal information under US law because it cannot be changed if compromised; the policy's qualifier 'where required by law' means consent may not be sought in all jurisdictions.
Biometric data is unique and permanent; unlike a password, it cannot be changed if compromised, making its collection and storage a significant privacy risk.
Biometric data collection is subject to strict consent, retention, and destruction requirements under state laws including Illinois BIPA, and the policy's disclosure of this practice requires consumers in covered jurisdictions to be aware of their rights to consent or object.
Roblox
· Roblox Privacy and Cookie Policy
Biometric data is subject to strict state-level laws in the US (notably Illinois BIPA) that require informed written consent, impose retention and destruction obligations, and provide a private right of action; the policy does not specify which features or jurisdictions are involved.
Target
· Target Privacy Policy
This provision requires compliance with state biometric privacy statutes including the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), and Washington's biometric privacy law, each of which imposes specific written consent, retention schedule, and destruction obligations prior to and following collection of biometric identifiers.
Biometric data is among the most sensitive categories of personal information because it is permanent and uniquely identifies individuals; unauthorized collection or misuse can cause irreversible harm.
This provision directly limits the practical scope of your privacy rights. Even if you exercise your legal right to erasure, the most sensitive financial activity data remains permanently public.
This provision clarifies the operational boundaries of MetaMask's data deletion obligations under privacy regulations. It establishes that the company's ability to honor erasure requests is constrained by the immutable nature of blockchain infrastructure rather than company policy.
This provision clarifies the operational limits on Coinbase's ability to process data deletion requests under privacy regulations. The clause establishes that certain transaction data subject to deletion requests falls outside the scope of Coinbase's technical capabilities due to the immutable nature of public blockchain records.
The collection of biometric identifiers and precise geolocation alongside financial identifiers creates significant data security and regulatory exposure, particularly under state biometric privacy laws and health-adjacent data statutes.
The policy states that data collection occurs simply by viewing the platform, without any account interaction, and that a wide range of personal and behavioral data categories are collected based on feature use, which means the scope of data collected can be extensive even for passive users.
The scope of data collection extends well beyond what most people associate with a credit bureau, encompassing behavioral, biometric, and psychological inference data that can affect how companies evaluate you.
Notion
· Notion Terms of Service
The availability of a Business Associate Agreement is operationally significant for healthcare organizations and covered entities that need contractual assurances under HIPAA before using Notion to process protected health information.
23andMe
· 23andMe Privacy Statement
This provision is particularly significant given that 23andMe has publicly reported financial difficulties; it means your most sensitive personal data, your DNA, could be acquired and controlled by an entity you did not originally consent to share it with.
Adobe
· Adobe Terms of Use
Employees and students using Adobe through an institutional account have no independent privacy protections from their employer or school within that account, including for content created prior to the current terms.
This provision authorizes collection of persistent identifiers from users identified as children for purposes including analytics and personalization, which requires evaluation against COPPA's restrictions on data use for child-directed services and equivalent national youth privacy frameworks. The policy states that technical and organizational measures are in place to prevent use of Cabined Account identifiers for other purposes, but the breadth of stated collection purposes may warrant review by compliance teams assessing COPPA and GDPR Article 8 alignment.
Persistent identifiers collected from children, including IP addresses and device IDs, are sensitive data categories under COPPA and equivalent laws, and the sufficiency of the asserted technical controls determines whether this practice complies with those frameworks.
This clause establishes the operational scope of data collection and use under the service agreement. It conditions continued service on Comcast's authority to gather and process subscriber information according to the Privacy Policy, which constitutes the primary mechanism for disclosing data practices under cable subscriber privacy regulations.
Cable viewing history is among the most sensitive categories of subscriber data, and its use for off-platform advertising raises questions about whether the current opt-out consent model satisfies the Cable Communications Policy Act's opt-in requirements.
Visa
· Visa Privacy Notice
The provision operationalizes Visa's compliance with state privacy statutes by establishing procedural mechanisms for consumer requests and defining the entity's obligations to process, verify, and fulfill those requests within specified timeframes. This establishes the institutional framework under which California consumers may exercise statutory privacy rights.