325 Entities monitored
763 Documents tracked
127 Changes detected
Showing the most important changes (medium + high severity)
May 1, 2026
Gusto
Gusto Terms of Service
medium
Clarifies that Gusto background check service consent is binding and incorporates full service terms from Gusto, payroll, and Checkr.
Why it matters: The updated terms make explicit that initiating a background check through Gusto triggers a legally binding, three-part contract covering Gusto, payroll, and Checkr services. Organizations must ensure their authorized signatories understand this binding scope and that their vendor agreements with Gusto account for the incorporation of Checkr's service terms.
Upwork
Upwork Privacy Policy
high
Removed detailed Data Privacy Framework compliance disclosures and certification language, retaining only a data request mechanism.
Why it matters: The removal of explicit Data Privacy Framework compliance language eliminates a key transparency disclosure about how Upwork protects personal data transferred from the EU, UK, and Switzerland to the U.S. Under GDPR and UK GDPR, data transfers to non-adequate third countries require documented safeguards, and privacy policies are expected to inform users of the mechanisms used; the removal of this disclosure creates uncertainty about what legal basis now protects those transfers.
Upwork
Upwork Terms of Service
medium
Removed Data Privacy Framework compliance disclosures; retained contact mechanism for data transfer documents.
Why it matters: The removal of Data Privacy Framework language eliminates transparent commitments about how Upwork handles personal data transfers from regulated jurisdictions. For individual users and enterprises, this creates ambiguity about the legal mechanism protecting cross-border transfers and may require verification of the current transfer arrangement.
Roblox
Roblox Privacy and Cookie Policy
medium
Restricts personalized advertising to users 18 and older; users under 18 will see only nonpersonalized ads.
Why it matters: The updated terms establish a clear age-based boundary for ad personalization, restricting targeted advertising to adults 18 and older. This change affects how minors experience the platform and limits data use for marketing purposes, which has operational implications for advertisers relying on behavioral targeting and compliance implications for organizations subject to child privacy regulations like COPPA.
Roblox
Roblox Terms of Use
medium
Updated Terms of Use with restructured policy sections, explicit subsidiary identification, and new sections on advertising integrations and content moderation
Why it matters: The updated terms establish explicit identification of Roblox entities operating in multiple jurisdictions and formalize previously implicit policies around advertising and API usage. The addition of dedicated sections on advertising integrations and content moderation signals expanded disclosure and formalization of procedures that were previously less explicitly addressed, which affects how users and developers understand their rights and obligations under the platform. For organizations with commercial or data processing relationships, the restructuring may require contract review to ensure alignment with the new subsidiary structure.

Coinbase
Coinbase User Agreement
medium
Added exception permitting asset transfers to third parties for Secured USDC cardholder agreements; restricts user withdrawals of designated USDC
Why it matters: The updated terms create a new category of asset transfers that operate outside the prior framework requiring user instruction or legal mandate. Users who opt into the Secured USDC feature agree to lose withdrawal rights and permit Coinbase to follow third-party instructions without their further approval. This materially changes the control and disposition rights for designated assets and introduces a new product-specific governance structure not previously addressed in the general asset custody provisions.
OpenAI
OpenAI Privacy Policy
medium
Adds explicit direct marketing disclosures and marketing partner data sharing; introduces user controls for third-party product promotion.
Why it matters: The updated terms establish explicit authorization for OpenAI to engage in direct marketing to users and to share data with non-service-provider marketing partners to support those efforts. This change operationalizes a new category of data recipient and marketing use case that was not previously disclosed with this level of specificity. The addition of user-control mechanisms suggests OpenAI intends to scale direct-marketing activities while maintaining an option for users to opt out, which affects how personal data flows through the company's marketing operations.
April 30, 2026
Google Gemini
Gemini Apps Privacy Notice
medium
Updated privacy notice to clarify Memory feature consent requirements and expand personalization practices globally.
Why it matters: The updated terms authorize personalization based on chat history for all users globally, whereas the prior policy restricted this to users outside regulated jurisdictions. This represents a material expansion of the scope of data processing and personalization practices. Organizations that based their vendor assessments or compliance strategies on prior geographic limitations should reevaluate their data processing documentation.
Target
Target Terms and Conditions
medium
Adds disclosure of CA Shipt Shopper Benefit Fee on all same-day deliveries in California
Why it matters: California customers using same-day delivery will now pay an additional fee disclosed in Target's terms, which may have been previously undisclosed or is being newly introduced. Clear disclosure of delivery fees is a consumer protection requirement in California, so this update reflects Target's compliance with state law.
April 29, 2026
FanDuel
FanDuel Privacy Policy
medium
Removed Fantasy Picks platform from privacy policy scope; affected users should verify separate privacy terms for Picks accounts.
Why it matters: A privacy policy that explicitly lists which platforms and services it covers creates user expectation and legal protection. Removing a named service (Fantasy Picks) from that scope without clearly stating an alternative privacy framework may confuse users about their rights and may trigger regulatory scrutiny under state privacy laws (CCPA, VCDPA, CPA, CTDPA) and GDPR, which require transparent disclosure of data practices.
Gusto
Gusto Privacy Policy
high
Adds mandatory arbitration and class action waiver to Developer Terms; grants Gusto unilateral right to modify, restrict, or discontinue API access without notice.
Why it matters: The updated terms introduce mandatory binding arbitration and remove developers' class action rights, while explicitly reserving Gusto's right to modify or discontinue the API without notice or liability. For developers whose business depends on the Gusto integration, the loss of legal remedies and API access guarantees materially increases operational and legal risk.
Gusto
Gusto Terms of Service
medium
Adds mandatory arbitration and class action waiver for developers; establishes Gusto's right to modify or discontinue developer tools without notice.
Why it matters: Developers integrating with Gusto's platform now accept mandatory arbitration and cannot pursue class actions, which limits their remedies if disputes arise. Additionally, Gusto's explicit right to modify or discontinue tools without notice creates service continuity risk for developers who depend on stable API access.
Shein
Shein Terms and Conditions
medium
Removed account persistence choice from cookie consent interface; replaced with promotional offer.
Why it matters: The removal of explicit consent language regarding account persistence eliminates a documented checkpoint where users could control whether Shein remembers their login. Under GDPR and CCPA, consent for persistent authentication tracking must be freely given and informed; removing the choice mechanism may undermine this documentation.
April 28, 2026
GitHub
GitHub Privacy Statement
high
Adds explicit authorization for collecting AI outputs from user content and sharing personal data with affiliates for AI/ML model training and product improvement.
Why it matters: The updated terms establish explicit authority for GitHub to use AI outputs and personal data for AI/ML model training and improvement, and to share this data with affiliates including Microsoft for these purposes. This expands the stated scope of data processing beyond prior language and formalizes a use case (AI model training) that some users may not have anticipated when evaluating how their code and data would be used. Organizations that have made representations to their own customers about code use restrictions or data protection measures should evaluate whether this policy change affects those commitments.
GitHub
GitHub Terms of Service
medium
Added dedicated section on AI features, training data, and user controls in Terms of Service.
Why it matters: The updated Terms of Service now establish dedicated contractual governance for AI features and data practices. This formalization allows users, customers, and regulators to identify specific terms governing AI training data uses in a single location rather than inferring them from general service language. For organizations subject to data protection regulations (GDPR, CCPA, LGPD), the explicit terms establish what data uses are contractually authorized and what user controls exist, which affects how they must represent GitHub's practices in their own data governance and customer commitments.
Cash App
Cash App Terms of Service
medium
Foreign transaction fee increased to 3.25% and fee waiver now applies to card-present transactions only
Why it matters: The updated terms increase the cost of international transactions and narrow the circumstances under which users can avoid that fee. Users who previously received a full Foreign Transaction Fee waiver for online international purchases will now pay 3.25% on those transactions even if they meet spending or deposit thresholds, as the waiver is restricted to in-person card transactions only.
April 26, 2026
Intuit
Intuit Privacy Statement
medium
Adds explicit disclosure of cookie tracking, advertising partner data sharing, and opt-out mechanism for third-party advertising cookies.
Why it matters: The updated privacy statement now explicitly names the data types (IP addresses, device identifiers) that Intuit shares with advertising partners and provides a stated opt-out mechanism. This specificity helps users understand what personal data flows out of Intuit to third parties for advertising purposes and gives them a concrete way to limit that practice.
Gusto
Gusto Terms of Service
medium
Added paid Business Compliance Service governing state and local tax registration and filings; new terms incorporate mandatory arbitration and class action waiver.
Why it matters: Employers who use Gusto's new Business Compliance Service will be bound by separate terms that explicitly require mandatory arbitration and prohibit class action lawsuits for any disputes over that service. This limits the employer's legal recourse options compared to traditional court access and may prevent them from joining or initiating a class action if other customers experience the same problem.
Midjourney
Midjourney Terms of Service
high
Removed 13 sections from Terms of Service including content rights, DMCA policy, payment terms, dispute resolution, and community guidelines.
Why it matters: The updated terms no longer explicitly address dispute resolution, content rights, DMCA takedown procedures, payment and billing, data handling, age verification, service availability, or community guidelines. This removal creates contractual ambiguity in core governance areas that typically protect consumer rights and establish mutual obligations. The operational significance depends on whether these provisions were relocated to separate documents or genuinely eliminated; without confirmation, users and organizations cannot determine what protections or obligations remain in effect.
April 25, 2026
Gusto
Gusto Privacy Policy
high
Adds mandatory individual arbitration and class-action waiver language; expands definitions of Employer and Member roles
Why it matters: The updated terms explicitly assert that employers waive the right to participate in class-action lawsuits and must pursue disputes individually through arbitration. This change materially restricts employers' legal remedies and prevents collective challenges to Gusto's practices, which may affect how employers can seek redress for data breaches, service failures, billing disputes, or other grievances.
Gusto
Gusto Terms of Service
high
Added mandatory individual arbitration clause and explicit class-action waiver to employer terms, restricting dispute resolution options.
Why it matters: This change materially restricts how Employers can resolve disputes with Gusto by removing class-action rights and mandating individual arbitration. For employers facing identical service or billing issues, this eliminates the option to pursue collective legal remedies; pursuing claims individually typically requires more time and money from each plaintiff and reduces enforcement leverage.
April 24, 2026
Gusto
Gusto Privacy Policy
medium
Adds scope clarifications stating policy applies to direct platform use but not when processing data on behalf of employers, plus privacy contact details.
Why it matters: This change clarifies a critical boundary in data responsibility: if you access Gusto through your employer's payroll account, Gusto's Privacy Policy may not protect you directly because Gusto acts as a processor, not controller, of your data. Understanding this distinction is essential for knowing whether to contact Gusto or your employer with privacy concerns, and for employers to understand their own data governance obligations.
April 23, 2026
Threads
Threads Privacy Policy
medium
Adds AI terms acceptance requirement and discloses user AI interactions will be used to improve Meta's AI systems
Why it matters: The updated policy establishes that using Threads now requires agreement to Meta's separate AI terms, and explicitly discloses that interactions with Threads' AI features will be used to train Meta's AI systems. This formalizes AI use and creates new consent and transparency obligations that affect how Threads can use data generated from AI interactions. Organizations relying on Threads should review whether this affects their vendor agreements or customer disclosures.
Glassdoor
Glassdoor Privacy Policy
medium
Adds data access, correction, and deletion rights for EU/UK/Swiss users; requires opt-in for sensitive data sharing and establishes complaint resolution procedures
Why it matters: The updated policy codifies individual rights to access, correct, and delete personal data that are required under the EU-U.S. Data Privacy Framework, giving EU, UK, and Swiss users explicit procedural pathways to exercise those rights. It also establishes that sensitive data sharing requires affirmative opt-in consent, strengthening control over how personal information is used and disclosed.
SoFi
SoFi Privacy Notice
medium
Clarified tracking technology disclosures and consent model; shares user interaction data with advertising partners.
Why it matters: The updated privacy notice explicitly establishes that SoFi collects user interaction data through tracking technologies and shares that data with advertising partners. The shift from an affirmative preference center to a consent-by-continued-use model means users must take active steps to opt out of these practices, rather than making an explicit choice at the outset.
Roblox
Roblox Privacy and Cookie Policy
medium
Adds detailed disclosure of persistent identifier collection from all users, including minors, for authentication and ad frequency capping.
Why it matters: The updated policy establishes explicit contractual bounds on how Roblox uses persistent identifiers collected from all users including children. By stating that technical, contractual, and other measures limit identifier use to enumerated purposes, the policy creates an affirmative representation about data handling scope that may be enforceable and that affects how vendors and regulators assess the platform's compliance with data protection obligations.
April 22, 2026
Threads
Threads Privacy Policy
medium
Removes eight sentences including AI terms acknowledgment and data sharing disclosures from Threads privacy policy.
Why it matters: The removal of explicit AI terms acknowledgment and AI data usage disclosures reduces direct transparency within Threads' supplemental privacy policy about how user interactions contribute to Meta's AI systems. While these practices may still be covered elsewhere in Meta's documentation, users and regulators may now lack clear notice in this policy that their Threads activity influences AI training. Organizations using Threads to serve customers may need to strengthen their own transparency disclosures to compensate for this removal.
Disney+
Disney+ Privacy Policy
medium
Expanded privacy policy scope to include offline data collection in theme parks, stores, resorts, and cruise ships alongside online tracking.
Why it matters: The updated policy makes explicit that Disney collects personal information not only when you stream online, but also when you visit theme parks, stores, resorts, cruise ships, or call Disney guest centers. Understanding the full scope of collection is essential for consumers who visit multiple Disney properties or use Disney+ through third-party platforms, as the policy now clearly states that privacy settings configured on third-party sites will not apply to Disney+'s own collection.
OpenAI
OpenAI Privacy Policy
medium
Removes disclosure of cookie-based marketing partner data sharing and statement on sensitive data inference protections
Why it matters: The updated terms remove explicit transparency around how OpenAI shares data with marketing partners via cookies and remove a stated protection against sensitive data inference. These removals reduce explicit consumer-facing disclosure of specific data practices that were previously described. Whether these practices continue under alternative authorization or have ceased is now unclear from the policy text alone, which may affect how consumers and regulators assess data handling practices.
April 21, 2026
SoFi
SoFi Privacy Notice
medium
Replaced blanket cookie consent with category-based Privacy Preference Center; shifts from implicit acceptance to explicit preference management
Why it matters: The updated terms establish a granular consent mechanism that moves away from implied consent by silence toward explicit, category-based preference management. This change affects how SoFi collects and uses tracking data by allowing users to disable non-essential cookies while maintaining transparency about the functional consequences of doing so. The shift aligns with regulatory expectations under GDPR and state privacy laws that require affirmative, informed consent for non-essential data processing.


Updated daily. New changes added as detected.
