Recent Policy Changes

Why it matters: The removal of explicit language describing ad personalization controls creates operational ambiguity for users previously informed that they could manage ad-targeting data through account settings. While OpenAI's policy continues to authorize ad personalization for Free and Go users, the elimination of documented control mechanisms without explanation or alternative disclosure may affect user ability to understand and manage their participation in targeted advertising. This change is operationally significant because it shifts from explicit control disclosure to implicit authorization, potentially affecting how users exercise choices about their data and ads.

Why it matters: The updated terms reduce the stated commitment to notify users before Personal Information disclosure, shifting from an intent to attempt notification to a discretionary option. This change affects operational clarity around when and whether users will receive advance notice of data sharing and may have implications for organizations that rely on Rumble's practices as part of their own data governance or vendor management frameworks.

Why it matters: The updated guidelines establish explicit, enforceable content moderation obligations for developers and introduce app removal as a direct consequence of non-compliance. This clarifies Apple's enforcement authority and creates a formal escalation pathway (notice, plan, removal) that developers must respond to operationally. For developers with user-generated content features or child-focused apps, this change requires proactive content governance infrastructure and compliance response processes.

Why it matters: The updated terms establish a material shift in Ford's obligation to notify you of privacy policy changes. The prior language created a standalone contractual commitment to provide advance notice; the revised language conditions Ford's notice obligation on legal requirements. This change affects how and when you will be informed of future modifications to Ford's data practices, particularly regarding connected vehicle data collection and use.

Why it matters: The updated Terms of Use no longer explicitly describe cookie preferences or chat functionality data requirements, shifting these disclosures to the separate Cookie Policy. Under GDPR and UK GDPR, organizations must provide clear, accessible information about cookies and data collection before obtaining consent. The removal of this language from the primary Terms document may create compliance risk if the separate Cookie Policy does not adequately address all required transparency and consent obligations.

Why it matters: The updated terms establish a reduced disclosure posture regarding cookie and data collection methods on the American Airlines website. Previously, the terms explicitly stated that certain cookies are essential and cannot be rejected, explained how performance cookies track site usage, and described how functional cookies store user preferences. The removal of these disclosures narrows the transparency available to users in the public-facing terms, which may create compliance questions under CCPA, GDPR, and FTC standards that require clear, accessible disclosure of data collection practices.

Why it matters: The updated policy establishes more explicit, structured disclosure of which personal information categories are collected and shared with specific recipient types. This shifts from a referential approach requiring readers to locate information across multiple sections to a consolidated table format, which may strengthen compliance with state privacy law transparency requirements and provides users clearer visibility into data sharing practices.

Why it matters: The updated Terms footer removes a direct navigation link to CCPA 'do not sell or share' disclosures, which may affect how readily California residents can locate and exercise their statutory privacy rights. California law requires covered businesses to provide an accessible mechanism for such requests; removing a prominent footer link could complicate that access and create regulatory compliance questions.

Why it matters: The updated terms establish explicit and binding mandatory arbitration for all disputes, eliminating access to court proceedings and class action lawsuits. This is a material change in how disputes will be resolved and affects the practical remedies available to users when disagreements arise.

Why it matters: The updated terms establish automatic enrollment in asset staking for eligible tokens, shifting from the prior language that stated staking was optional and required explicit user designation. This change means users must take affirmative action (opt out) to prevent their assets from being moved into staking arrangements, and it introduces a July 1, 2026 deadline for users to take that action. The 14-day advance notice requirement for material changes starting July 1, 2026 also creates a new notification window for future policy modifications, though the scope and enforceability of that requirement will depend on applicable state and federal regulations.

Why it matters: The updated policy narrows the stated scope of Data Privacy Framework participation, which may affect the legal mechanisms available for transferring personal data from regulated regions to Smartsheet. Organizations processing EU, UK, or Swiss data through Smartsheet should verify whether this change introduces gaps in documented lawful transfer mechanisms, particularly if non-U.S. affiliates are involved in data handling.

Why it matters: The updated terms expand the category of data Mixpanel may classify and use as Usage Data by removing the prior contractual exclusion of individually identifiable information. Organizations that relied on this exclusion to limit how Mixpanel could use personal data must now reassess their vendor agreements and privacy controls. Under privacy regulations like GDPR and CCPA, the reclassification of individually identifiable data may trigger new obligations if the organization lacks a lawful basis for such expanded use.

Why it matters: The updated terms eliminate a prior commitment against advertising in Status and Channels, signaling that these features may be subject to future monetization. This shifts the company's stated position from 'no intention' to 'possible if policy is updated,' which materially changes the expected user experience of these features.

Why it matters: The removal of the Arbitration Agreement from the primary Terms acceptance language creates ambiguity about whether new users are explicitly bound to resolve disputes through arbitration rather than court litigation. This change affects the clarity and enforceability of SoFi's dispute resolution terms and may trigger regulatory review regarding how prominently arbitration is disclosed at onboarding.

Why it matters: The updated terms shift authorization for teen payment products from per-action parental approval to blanket delegation at account creation. This changes the operational friction for teens accessing Cards and Tags, which may increase usage of Cash App's payment and wearable products among minors. Parents should understand that authorizing a Sponsored Account now constitutes consent for teens to independently request and activate these products. The introduction of Cash App Tag fees also creates a new cost consideration for parents evaluating whether to allow teens to use the wearable payment service.

Why it matters: The updated policy establishes that Affirm qualifies as a financial institution under federal banking law, which may limit the applicability of state privacy laws to Affirm's core lending operations. The policy also newly discloses sharing of personal information with fraud prevention and identity verification providers, expanding transparency about third parties that receive consumer data.

Why it matters: The updated policy formalizes ClickUp's recognition of data subject rights under GDPR and equivalent frameworks, providing users and regulators with explicit legal reference points for exercising control over personal data. Organizations that process customer data through ClickUp should verify the formalized rights are reflected in their DPAs and privacy notices to ensure compliance obligations are accurately stated.

Why it matters: The removal of explicit statements about AI training and data disclosure reduces the policy's stated transparency regarding how user data informs Meta's AI systems and which parties receive user information. Under GDPR and CCPA, privacy policies are required to clearly disclose data collection, processing purposes, and automated decision-making practices. The absence of these previously stated disclosures may create compliance ambiguity and complicates user understanding of how their data is used.

Why it matters: The updated policy formally expands Gusto's privacy disclosures to cover retirement account management and establishes Stripe as a named financial data processor, requiring users to understand that bank data flows to Stripe under Stripe's terms. The restructured guidance on when separate notices apply (service provider, employer, co-employer contexts) clarifies governance boundaries, but also implies that different privacy rules may apply depending on the user's relationship to Gusto, which customers and users should verify. For organizations contracting with Gusto, these changes may require updates to vendor documentation, employee privacy notices, and data processing agreements.

Why it matters: The updated terms eliminate the ability for sellers to litigate contract disputes in California courts and instead require all disputes to proceed through arbitration as defined in Whatnot's main Terms of Service. This change affects how sellers can seek remedies for breach of contract, payment disputes, or other claims, and likely reduces their access to discovery, jury trial, and appeal procedures available through traditional litigation. Additionally, the explicit definition of a 30-day programming/content gap as a material breach clarifies grounds for suspension or termination that previously may have been less defined.

Why it matters: The updated terms establish mandatory individual arbitration as the exclusive dispute resolution method for sellers, removing access to California courts and jury trial rights. This materially changes the cost, timeline, and procedural options available to sellers if conflicts arise with Whatnot regarding content commitments, account status, or contract interpretation.

Why it matters: The updated terms establish new customer obligations to manage database engine lifecycle and upgrade to supported versions, with AWS authorized to take unilateral action (delete instances) on unsupported software after notice. This creates operational risk for customers with legacy databases or limited maintenance resources, and shifts liability for extension-related failures from AWS to customers.

Why it matters: The updated terms establish that BeePitched processes personal data from users and non-users, including names, phone numbers, and photos, in a feature that enables shared profiles about individuals. The disclosure describes what data is collected and how it is used, which addresses transparency requirements under privacy frameworks like GDPR and CCPA. However, the disclosure does not explicitly describe consent mechanisms, user rights, or controls to opt out of being featured, which may create compliance gaps depending on jurisdiction.

Why it matters: The updated terms establish a material change in how SoFi collects consent for tracking technologies. The shift from opt-in to opt-out consent means users must now affirmatively decline tracking rather than affirmatively accept it. The explicit disclosure of data sharing with advertising partners provides clarity about downstream data destinations, but the opt-out consent structure may create compliance risk under CCPA/CPRA, which generally requires affirmative opt-in consent for nonessential tracking.

Why it matters: The updated statement removes a documented opt-out mechanism for advertising cookies and eliminates explicit disclosure of data sharing (IP addresses, device identifiers) with advertising partners. These removals reduce transparency about consent options and data practices previously disclosed to users, creating potential compliance exposure under FTC Act Section 5 (material omissions) and state privacy laws (CCPA, CPRA) that require disclosure of data practices and opt-out rights.

Why it matters: The updated terms establish explicit, prominent acceptance of mandatory arbitration as a condition of using SoFi's platform. Previously, while arbitration may have applied through incorporation by reference, it was not named in the primary acceptance clause. This change makes the arbitration requirement more transparent and removes ambiguity about whether users have agreed to binding arbitration.

Why it matters: The removal of explicit disclosure about AI training data use reduces the transparency provided to users in this specific policy document about how their support interactions may be processed. Under GDPR and CCPA, clear disclosure of data processing practices is a legal requirement, so the removal of this language may create questions about whether adequate notice is being provided elsewhere in Meta's documentation.

Why it matters: The updated terms establish explicit compliance obligations for customers using Amazon Connect Talent, a generative AI tool for employment decisions. Rather than treating Connect Talent as a standard AWS service, the terms now require customers to independently ensure legal compliance with employment discrimination law, data privacy regulation, and emerging AI governance frameworks, implement documented consent and appeal processes for job applicants, review all AI recommendations before making hiring decisions, and notify AWS of legally mandated data deletions. This represents a shift toward customer accountability for AI-driven hiring outcomes and creates material compliance and operational obligations that organizations must integrate into their HR processes and vendor management.

Why it matters: The updated terms formalize Mercury's ACH payment processing timeline for merchants, establishing that incoming invoice payments will not be immediately available. Merchants relying on Mercury Invoicing for cash flow should understand that funds may be held for up to 4 business days while Mercury assesses transaction risk, which directly affects liquidity management and payment reconciliation.

Why it matters: The updated agreement restructures how eBay's policies bind users by explicitly incorporating external policies into the core User Agreement, clarifies which eBay legal entity users contract with by jurisdiction, and emphasizes mandatory arbitration and class action waiver provisions. This materialization of dispute resolution and policy incorporation provisions in the main agreement makes the terms more prominent and may affect users' understanding of their rights and obligations.