Recent Policy Changes

Why it matters: The updated terms restructure how users access privacy controls and opt-out rights. Rather than providing an explicit button dedicated to opting out of data sales and targeted advertising, the revised language embeds consent management within a general cookie framework. This change affects the accessibility and prominence of privacy choices, and may impact compliance with statutory privacy law requirements in California and the EU that mandate clear, accessible opt-out mechanisms. Organizations relying on AI21's services should verify that the revised framework remains adequate for their vendor compliance obligations.

Why it matters: The updated terms establish explicit transparency about AI-powered processing and feature development, which strengthens disclosure compliance and clarifies how personal health data may be used. The addition of user choice over partner data sharing provides a concrete control mechanism within the AI feature ecosystem.

Why it matters: The updated terms eliminate court access and jury trial rights for Australian sellers, consolidating all disputes under mandatory individual arbitration. This materially changes the dispute resolution mechanism available to sellers and may affect how they evaluate risk and enforce claims against Whatnot.

Why it matters: This change materially alters how disputes between Australian sellers and Whatnot will be resolved, shifting from court-based proceedings with defined venue to mandatory individual arbitration. The change consolidates dispute governance into cross-referenced provisions, meaning sellers must now review the main Terms of Service arbitration sections to understand their rights, creating additional complexity for dispute resolution.

Why it matters: The updated terms establish explicit authorization for AWS to share request metadata with Anthropic for usage tracking, which modifies the data-processing relationship and may require organizations to update their privacy notices and data-processing agreements if they handle regulated data. The introduction of AWS WAF AI traffic monetization formalizes a new optional payment-facilitation service that involves sharing user configuration and payment information with third parties, requiring organizations to understand their own vendor relationships and liability frameworks.

Why it matters: The updated policy establishes explicit authorization for collection of voice, audio, and location data, moving beyond the previously disclosed text-based input model. This expansion affects the scope of personal data Inflection AI may process and requires users and organizations relying on the service to understand the full range of data collection practices now authorized under the policy.

Why it matters: The updated terms establish a privacy control mechanism that operationally requires affirmative user choice for non-essential tracking rather than deploying tracking technology by default unless users actively opt out. This shift aligns SoFi's consent model with GDPR requirements for valid consent and reflects regulatory emphasis on transparent, granular user control over data collection practices. The change affects how SoFi collects and shares user data with advertising and analytics partners, since those data flows now depend on users affirmatively selecting corresponding cookie categories.

Why it matters: The updated terms establish an affirmative warranty commitment and dispute-resolution procedure, replacing a categorical disclaimer framework. This change affects how service quality is defined and contested contractually, and may create measurable obligations for Google to address reported quality issues, which was previously disclaimed entirely.

Why it matters: The updated terms remove specific disclosures of advertiser data sourcing and user controls over ad personalization, which may reduce transparency about how Free and Go users' data is used in advertising contexts. Simultaneously, the policy adds explicit authorization for contact identification and universal content monitoring, centralizing these practices in the main policy purposes section. Together, these changes shift the balance between disclosed advertiser practices and explicit data-processing authorities, with potential implications for how users understand data flows and what controls remain available to them.

Why it matters: The removal of cookie and tracking technology disclosures from NVIDIA's Privacy Policy eliminates explicit user notice about data collection practices that were previously stated. Privacy regulations in the EU, UK, and California require transparent disclosure of tracking technologies before data collection. If NVIDIA continues to deploy cookies and tracking tools without updated disclosure language, the company may lack compliant notice mechanisms to satisfy legal requirements or obtain user consent.

Why it matters: The updated policy establishes explicit authorization and disclosure for biometric data collection and event photography practices that were not previously detailed. These additions create transparency regarding sensitive data practices and establish objection mechanisms, but also signal that Ticketmaster may implement these practices at events. Organizations that use Ticketmaster for customer data should evaluate whether these disclosed practices require updates to their own privacy notices or data processing agreements.

Why it matters: The removal of explicit language describing ad personalization controls creates operational ambiguity for users previously informed that they could manage ad-targeting data through account settings. While OpenAI's policy continues to authorize ad personalization for Free and Go users, the elimination of documented control mechanisms without explanation or alternative disclosure may affect user ability to understand and manage their participation in targeted advertising. This change is operationally significant because it shifts from explicit control disclosure to implicit authorization, potentially affecting how users exercise choices about their data and ads.

Why it matters: The updated terms reduce the stated commitment to notify users before Personal Information disclosure, shifting from an intent to attempt notification to a discretionary option. This change affects operational clarity around when and whether users will receive advance notice of data sharing and may have implications for organizations that rely on Rumble's practices as part of their own data governance or vendor management frameworks.

Why it matters: The updated guidelines establish explicit, enforceable content moderation obligations for developers and introduce app removal as a direct consequence of non-compliance. This clarifies Apple's enforcement authority and creates a formal escalation pathway (notice, plan, removal) that developers must respond to operationally. For developers with user-generated content features or child-focused apps, this change requires proactive content governance infrastructure and compliance response processes.

Why it matters: The updated terms establish a material shift in Ford's obligation to notify you of privacy policy changes. The prior language created a standalone contractual commitment to provide advance notice; the revised language conditions Ford's notice obligation on legal requirements. This change affects how and when you will be informed of future modifications to Ford's data practices, particularly regarding connected vehicle data collection and use.

Why it matters: The updated Terms of Use no longer explicitly describe cookie preferences or chat functionality data requirements, shifting these disclosures to the separate Cookie Policy. Under GDPR and UK GDPR, organizations must provide clear, accessible information about cookies and data collection before obtaining consent. The removal of this language from the primary Terms document may create compliance risk if the separate Cookie Policy does not adequately address all required transparency and consent obligations.

Why it matters: The updated terms establish a reduced disclosure posture regarding cookie and data collection methods on the American Airlines website. Previously, the terms explicitly stated that certain cookies are essential and cannot be rejected, explained how performance cookies track site usage, and described how functional cookies store user preferences. The removal of these disclosures narrows the transparency available to users in the public-facing terms, which may create compliance questions under CCPA, GDPR, and FTC standards that require clear, accessible disclosure of data collection practices.

Why it matters: The updated policy establishes more explicit, structured disclosure of which personal information categories are collected and shared with specific recipient types. This shifts from a referential approach requiring readers to locate information across multiple sections to a consolidated table format, which may strengthen compliance with state privacy law transparency requirements and provides users clearer visibility into data sharing practices.

Why it matters: The updated Terms footer removes a direct navigation link to CCPA 'do not sell or share' disclosures, which may affect how readily California residents can locate and exercise their statutory privacy rights. California law requires covered businesses to provide an accessible mechanism for such requests; removing a prominent footer link could complicate that access and create regulatory compliance questions.

Why it matters: The updated terms establish explicit and binding mandatory arbitration for all disputes, eliminating access to court proceedings and class action lawsuits. This is a material change in how disputes will be resolved and affects the practical remedies available to users when disagreements arise.

Why it matters: The updated terms establish automatic enrollment in asset staking for eligible tokens, shifting from the prior language that stated staking was optional and required explicit user designation. This change means users must take affirmative action (opt out) to prevent their assets from being moved into staking arrangements, and it introduces a July 1, 2026 deadline for users to take that action. The 14-day advance notice requirement for material changes starting July 1, 2026 also creates a new notification window for future policy modifications, though the scope and enforceability of that requirement will depend on applicable state and federal regulations.

Why it matters: The updated policy narrows the stated scope of Data Privacy Framework participation, which may affect the legal mechanisms available for transferring personal data from regulated regions to Smartsheet. Organizations processing EU, UK, or Swiss data through Smartsheet should verify whether this change introduces gaps in documented lawful transfer mechanisms, particularly if non-U.S. affiliates are involved in data handling.

Why it matters: The updated terms expand the category of data Mixpanel may classify and use as Usage Data by removing the prior contractual exclusion of individually identifiable information. Organizations that relied on this exclusion to limit how Mixpanel could use personal data must now reassess their vendor agreements and privacy controls. Under privacy regulations like GDPR and CCPA, the reclassification of individually identifiable data may trigger new obligations if the organization lacks a lawful basis for such expanded use.

Why it matters: The updated terms eliminate a prior commitment against advertising in Status and Channels, signaling that these features may be subject to future monetization. This shifts the company's stated position from 'no intention' to 'possible if policy is updated,' which materially changes the expected user experience of these features.

Why it matters: The removal of the Arbitration Agreement from the primary Terms acceptance language creates ambiguity about whether new users are explicitly bound to resolve disputes through arbitration rather than court litigation. This change affects the clarity and enforceability of SoFi's dispute resolution terms and may trigger regulatory review regarding how prominently arbitration is disclosed at onboarding.

Why it matters: The updated terms shift authorization for teen payment products from per-action parental approval to blanket delegation at account creation. This changes the operational friction for teens accessing Cards and Tags, which may increase usage of Cash App's payment and wearable products among minors. Parents should understand that authorizing a Sponsored Account now constitutes consent for teens to independently request and activate these products. The introduction of Cash App Tag fees also creates a new cost consideration for parents evaluating whether to allow teens to use the wearable payment service.

Why it matters: The updated policy establishes that Affirm qualifies as a financial institution under federal banking law, which may limit the applicability of state privacy laws to Affirm's core lending operations. The policy also newly discloses sharing of personal information with fraud prevention and identity verification providers, expanding transparency about third parties that receive consumer data.

Why it matters: The updated policy formalizes ClickUp's recognition of data subject rights under GDPR and equivalent frameworks, providing users and regulators with explicit legal reference points for exercising control over personal data. Organizations that process customer data through ClickUp should verify the formalized rights are reflected in their DPAs and privacy notices to ensure compliance obligations are accurately stated.

Why it matters: The removal of explicit statements about AI training and data disclosure reduces the policy's stated transparency regarding how user data informs Meta's AI systems and which parties receive user information. Under GDPR and CCPA, privacy policies are required to clearly disclose data collection, processing purposes, and automated decision-making practices. The absence of these previously stated disclosures may create compliance ambiguity and complicates user understanding of how their data is used.

Why it matters: The updated policy formally expands Gusto's privacy disclosures to cover retirement account management and establishes Stripe as a named financial data processor, requiring users to understand that bank data flows to Stripe under Stripe's terms. The restructured guidance on when separate notices apply (service provider, employer, co-employer contexts) clarifies governance boundaries, but also implies that different privacy rules may apply depending on the user's relationship to Gusto, which customers and users should verify. For organizations contracting with Gusto, these changes may require updates to vendor documentation, employee privacy notices, and data processing agreements.