Recent Policy Changes

Why it matters: This is a direct example of regulatory enforcement changing platform governance in real time. The Digital Markets Act is forcing Meta to reverse its own platform policies. For WhatsApp users, this determines whether you can choose which AI assistant you use within the app or are locked into Meta AI. The outcome of EU negotiations will set precedent for whether dominant platforms can restrict AI competition on messaging services used by over 2 billion people.

Why it matters: The revised terms establish an automatic 7% annual fee increase mechanism at each subscription renewal, shifting pricing from a fixed-term model to an automatic escalation structure. This directly affects the total cost of service for Mixpanel customers and may require organizations to adjust budget forecasting, renewal workflows, and vendor management processes to accommodate or negotiate around compounding annual increases.

Why it matters: The updated terms establish a new mandatory dispute resolution framework for Mexico users that requires good faith negotiation before arbitration and explicitly excludes Mexico's consumer protection law from applicability. This narrows available remedies for Mexico-domiciled users and establishes the relationship as purely commercial rather than subject to consumer-protection standards, affecting how disputes with Segment may be resolved and what legal protections apply.

Why it matters: The updated terms establish a new payment-routing service feature with clear boundaries on AWS liability and responsibility. By explicitly disclaiming regulated financial services status and fund custody, AWS is signaling the operational model for this feature: developers retain full liability for regulatory compliance, transaction security, and customer disputes. Organizations evaluating or integrating AgentCore Payments need to understand these liability assignments and ensure their own compliance frameworks and customer disclosures align with AWS's stated limitations.

Why it matters: The updated terms establish a different dispute resolution pathway for Mexico-based customers, requiring negotiation before arbitration and explicitly excluding Mexican consumer protection law. This change affects how commercial disputes are resolved and creates potential enforceability uncertainty around the consumer protection law carve-out. Organizations operating in Mexico should understand these revised procedures and evaluate whether the carve-out aligns with their legal status and compliance obligations.

Why it matters: The restructuring of Instacart's Terms of Service indicates material content changes affecting 367 newly added sentences and 314 modified provisions. The new section structure explicitly addresses AI-driven experiences, content and data handling, and access policies, suggesting substantive updates to these areas. Organizations and users should obtain the complete updated terms to understand what operational or rights changes have been introduced.

Why it matters: The updated privacy notice shifts from a default-consent model to an explicit opt-out framework for non-essential tracking. Users now have granular control over which cookie categories are enabled, and SoFi no longer relies on inaction to establish agreement to tracking. This change reduces regulatory exposure under GDPR, CCPA, and similar consent-based privacy frameworks, and clarifies which cookies are functionally necessary versus discretionary.

Why it matters: The updated terms establish that continued use of Best Buy Properties after unilateral amendments constitutes acceptance, shifting the burden of discovering term changes entirely to users. This affects how consumers operate under the agreement: they are no longer receiving advance notice of changes and must actively monitor for modifications. The terms reserve authority to make changes at any time without notification.

Why it matters: The updated privacy notice establishes that users must actively decline optional tracking and data sharing; inaction is now treated as affirmative consent. This reverses the prior framing, in which users had discretion to allow or disallow cookies, and may affect how users' browsing data is collected and shared. The policy's explicit disclosure of data sharing with advertising and analytics partners and its statement that Strictly Necessary Cookies cannot be disabled reflect a more restrictive operational model on user control, even as transparency about third-party recipients is improved.

Why it matters: The relocation to Singapore incorporation and clarified acceptance procedures affect which laws govern your rights and how disputes are resolved, and the new AI tools disclosure signals Supabase's use of AI in customer interactions. Organizations handling regulated personal data should verify that their vendor agreements and data processing frameworks remain compliant.

Why it matters: The updated policy establishes explicit disclosure of AI-driven data processing practices applied to recorded communications and communication metadata. This formalization of AI analysis, data retention, and cross-functional use (sales analytics, coaching, follow-up tracking) represents a material operational change in how OneLogin processes communication data and creates a clearer regulatory disclosure obligation under GDPR and CCPA. Organizations using OneLogin in their vendor stack should verify that these practices are reflected in contractual agreements and downstream privacy notices.

Why it matters: The controlling entity and jurisdiction of TikTok Ads determine which consumer protection laws apply, where disputes must be resolved, and what data processing safeguards are contractually required. The shift from a U.S. operator to a Singapore-registered company, combined with removal of explicit health data law compliance language, materially changes the regulatory framework consumers operate under. The broader geographic scope (from U.S.-specific to 'other regions') creates ambiguity about which consumer protection laws TikTok commits to follow in each jurisdiction.

Why it matters: The updated terms establish explicit disclosure of a data collection practice (phone number collection from device contacts) that was not clearly described in the prior policy. This clarification affects how the policy communicates Waze's access to and use of contact-book data. The disclosure is material because it confirms that Waze collects identifying information (phone numbers) from user devices and cross-references it against its user database, a practice that regulators and privacy advocates scrutinize closely, particularly when contact access is not obviously necessary for the app's core navigation function.

Why it matters: The updated policy no longer explicitly discloses cookie purposes or presents a consent interaction at the point where users first encounter cookie information in the privacy policy. Under GDPR and ePrivacy law, valid consent for non-essential cookies requires clear, specific disclosure of what cookies are used for before consent is requested. Removing this disclosure from the main privacy policy may reduce transparency and could create compliance gaps if Canva does not maintain equally clear disclosures elsewhere.

Why it matters: The removal of explicit cookie consent language from the primary terms may reduce the visibility and accessibility of Canva's cookie practices and user control options. Users and compliance teams evaluating Canva's data practices based on the main terms will no longer find this disclosure in the document they reference most frequently. The change creates a documentation gap if equivalent disclosures do not remain in separate, easily discoverable policy documents.

Why it matters: The updated policy removes explicit guidance that medical information collected through telehealth services is governed by separate privacy terms. This affects how users understand the scope of privacy protections applicable to healthcare information, and may create ambiguity about whether the main privacy statement or separate healthcare-specific terms govern medical records collected through telehealth. Organizations using 23andMe telehealth services should verify whether separate healthcare privacy protections remain in effect and how they are now disclosed.

Why it matters: This change restructures which Terms apply to which users and how conflicts between overlapping agreements are resolved. US, Canadian, and European users will now operate under region-specific Terms rather than the unified Terms, and the substance of those regional agreements may differ materially from what the main Terms stated. The inverted conflict-of-laws rule means disputes over service-specific features will be resolved using that feature's terms rather than appealing to the master agreement.

Why it matters: The removal of a direct link to the Children's Privacy Policy from the Community Guidelines footer reduces the discoverability of child-specific privacy information from a major policy document. Under COPPA and similar regulations, children's privacy practices must be clearly and prominently disclosed; this change may complicate regulatory demonstration of accessibility. Organizations relying on TikTok's documented disclosure structure may need to update their own privacy policies or vendor assessments.

Why it matters: The updated terms establish an affirmative warranty obligation (reasonable skill and care) that replaces prior 'as is' disclaimers, which may strengthen user claims in disputes over whether services met a baseline quality standard. This is operationally significant because it shifts the terms from maximum liability limitation toward a standard-of-care framework where service quality failures can be contested, rather than assumed to be disclaimed.

Why it matters: The updated policy removes specific disclosures about where ad targeting data comes from and what controls users have over ad personalization, while simultaneously expanding the stated scope of direct marketing activities on third-party properties. For free and go tier users, this creates reduced transparency about advertiser data flows. For organizations with data processing agreements or privacy notices that reference OpenAI's policy, this change may require contract or notice updates to accurately reflect what OpenAI now discloses about its practices.

Why it matters: The policy now transparently discloses a new data sharing practice that affects all users' email addresses and usernames, and establishes formal timelines for exercising privacy rights that previously had no guaranteed deadline. This clarifies both what Substack does with user identifiers and what users can expect when requesting data or privacy rights.

Why it matters: The updated privacy policy establishes explicit data collection and sharing practices involving AI chatbots and OpenAI. This change materially affects what information Binance.US discloses it collects from user interactions with its AI features and identifies a specific third-party (OpenAI) that will receive account, portfolio, and communication data. For users in jurisdictions with data protection requirements, this disclosure is operationally significant because it clarifies downstream data flows that may require explicit consent, vendor scrutiny, or privacy notice updates depending on applicable law.

Why it matters: This change removes a material disclosure about how Coinbase could restrict access to user assets and prioritize third-party instructions over user commands. The removal simplifies the core asset protection clause but creates ambiguity about whether Secured USDC continues to operate and under what terms. Users reviewing the main User Agreement would no longer see disclosure of the prior restrictions and loss-of-control provisions tied to that product, which affects their understanding of how their assets are protected and when their instructions control their funds.

Why it matters: Cookie consent and preference controls are a foundational transparency and control mechanism required by GDPR, the ePrivacy Directive, and similar regulations. Removing this disclosure without explaining where users can now manage cookies creates compliance ambiguity for both ADP and downstream organizations that rely on vendor transparency.

Why it matters: The CCPA requires companies to provide California consumers with a straightforward mechanism to opt out of the sale and sharing of personal information. Ancestry's removal of this link from the privacy footer reduces the visibility and ease of access to this legally protected right, even if the right itself is not eliminated. California regulators have emphasized that blocking or obscuring access to opt-out mechanisms undermines consumer choice.

Why it matters: CCPA requires businesses to provide California residents with a clear and conspicuous method to opt out of personal information sales and sharing. Removing the opt-out link from the terms footer reduces the discoverability of this required right from a prominent location, potentially creating a CCPA compliance gap if equivalent access is not available elsewhere.

Why it matters: This change removes explicit disclosure of cookie practices and user consent controls from Canva's privacy policy. The updated terms no longer state how non-essential cookies are used or direct users to manage preferences, which may affect transparency and compliance with cookie consent regulations in jurisdictions such as the EU and UK. Users and organizations relying on the privacy policy as the source of cookie information will no longer find this disclosure there.

Why it matters: The removal of explicit cookie disclosure and preference-management language from the Terms of Use may weaken the evidentiary foundation for informed user consent under GDPR Article 7, EDPB consent guidelines, UK PECR, and similar privacy frameworks that require clear notice and choice prior to non-essential cookie placement. The change does not clarify whether Canva continues to use such cookies under a separate policy or whether practices have changed; it indicates only that the specific disclosure mechanism previously embedded in the Terms of Use has been deleted.

Why it matters: The updated terms establish that arbitration is now an explicit, non-negotiable condition of using SoFi's platform or obtaining its products. Previously, the arbitration requirement may have been referenced in separate documents or less prominently. This change clarifies SoFi's position on dispute resolution and means users cannot access SoFi's services without accepting the arbitration clause, which typically bars class action lawsuits and requires individual disputes to be resolved through arbitration rather than court.

Why it matters: The updated terms formalize what constitutes binding acceptance of the service agreement and explicitly require the accepting individual to warrant they have authority to commit the organization. For employers, this means the person clicking through is now formally representing they have that authority, creating potential liability if they do not; for Gusto and Checkr, it creates a documented basis for enforcing the agreement and a defense against claims that acceptance was invalid.