Recent Policy Changes

Why it matters: The updated terms establish that Google makes no contractual commitment to service quality or reliability except where specific services include their own warranties. This change affects how users can seek remedies for service failures and narrows the contractual protections that previously existed under the reasonable care warranty. For organizations relying on Google services, this warranty disclaimer may affect their own vendor risk management and customer-facing representations about service reliability.

Why it matters: The updated Privacy Statement explicitly discloses voice data collection and expanded advertising-related data gathering, clarifying what types of information Netflix collects and from which sources. This affects the transparency users have about their data and the bases on which Netflix processes voice and household-targeting information. Organizations handling Netflix user data or supplying advertising data to Netflix will need to ensure their own disclosures and agreements reflect these expanded collection categories.

Why it matters: The updated terms establish explicit account creation age requirements (18+) and formalize support for out-of-household Extra Member accounts. These changes affect who can create Netflix accounts and how subscription sharing is legally structured, with potential compliance implications under COPPA and age-verification frameworks in regulated jurisdictions.

Why it matters: The updated policy clarifies that Google links your activity across multiple websites and apps through cookies and other technologies as part of its integrated ad and analytics services, not just within individual analytics dashboards. This expanded and more transparent description of cross-site and cross-app tracking is relevant to users concerned about the scope of their digital footprint and to organizations that must disclose Google's data practices to their own customers.

Why it matters: The updated addendum clarifies Gusto's data protection obligations and under what legal circumstances they apply. For employers subject to GDPR, UK GDPR, or state privacy laws, this update refines the contractual framework governing how employee and payroll data is processed, which is critical for regulatory compliance and vendor accountability.

Why it matters: Target Circle members rely on understanding how their purchases earn rewards to assess program value and plan loyalty engagement. The removed language previously clarified how transactions across different channels and delivery methods contribute to bonus eligibility and when rewards appear, information that directly affects whether customers perceive the program as transparent and trustworthy.

Why it matters: The reframed service positioning changes how Plaid describes its role and relationship with you, moving from intermediary to direct service provider. The introduction of a new web-based monitoring and alerts service creates a new data access and usage pathway that may operate independently of third-party app integrations, and understanding its scope and data practices is important for users who choose to use it.

Why it matters: The narrowed third-party disclaimer may affect transparency about which companies have access to or share your data, particularly if Riot Games owns entities it does not fully control. For California residents, the restructured privacy notice may change how purposes for data collection are disclosed, potentially affecting clarity about how your information is used.

Why it matters: The regional entity restructuring creates distinct legal counterparties and governing frameworks for Mexico and Brazil customers, affecting dispute resolution and applicable law. The removal of Twilio's commitment to maintain service functionality weakens the operational warranty customers previously had and creates ambiguity about what service changes are permissible, which may affect how organizations that rely on Twilio's stability assess their own service guarantees to downstream customers.

Why it matters: This change establishes a lawful pathway for children under 13 to use Cash App services through parental authorization, replacing a prior absolute prohibition. This shift creates direct COPPA compliance obligations for Cash App, including requirements for verifiable parental consent, account tracking, and data deletion for unauthorized child accounts. Organizations that serve families or use Cash App must evaluate whether this new framework affects their own compliance posture or vendor disclosures.

Why it matters: The reorganization and clarification of AI data practices, creator content licensing, and advertising policies in the main Terms of Use makes these previously scattered or supplemental disclosures more visible and accessible to users and creators. This change affects how users understand data collection tied to AI features and how creators learn about licensing their content for advertising purposes, as well as how all users see transparency around ad personalization.

Why it matters: Parents now have greater transparency into how Nintendo collects and uses their child's data, including which apps can access the account and the specific purposes for which Nintendo collects device identifiers. The expansion of location data use to include event check-ins represents a new type of location tracking beyond games, which parents should understand.

Why it matters: The removal of explicit service carve-outs creates legal and operational ambiguity about which Ledger products are governed by this privacy policy. Under GDPR and CCPA, consumers are entitled to clear, specific notice of what services and data are covered by any given privacy statement. If Recover and Multisig were previously governed by separate policies and are now intended to fall under the main policy, that expansion requires clear notification. If they remain separate, their removal from the policy without replacement disclosure violates transparency standards.

Why it matters: The updated terms eliminate an entire service line (Remittance Service) after May 1, 2026, affecting users who depend on Cash App for remittance transfers. The terms establish automatic cancellation and refund procedures for pending transactions, creating a defined transition window during which users must act to complete transfers. The California gift card threshold change modifies redemption mechanics but has minimal operational impact.

Why it matters: The privacy policy is the primary document users and regulators consult to understand how companies handle data. By moving retention details from the policy to scattered product documentation, Microsoft reduced transparency at the point of disclosure, making it harder for users and compliance teams to understand how long their data is kept. This shift also complicates vendor audits and Data Processing Agreement alignment.

Why it matters: The updated terms consolidate retention rationale into five broad business purposes but move specific retention period specifications from the main privacy statement to product-level documentation. This restructuring means that users and compliance teams must now consult multiple product documents rather than a single consolidated retention criteria statement to understand how long Microsoft will keep their data. The change does not appear to alter Microsoft's underlying retention practices, but it affects how retention commitments are disclosed and discovered.

Why it matters: The Subprocessors list is a key transparency mechanism under GDPR Article 28 and equivalent data protection frameworks that allows data controllers to verify which third parties process their data. Removing the direct link from the Terms of Service reduces the accessibility of this information and may complicate compliance audits and vendor due diligence workflows, even if Figma's underlying obligation to disclose subprocessors remains unchanged.

Why it matters: The updated notice explicitly discloses that Gemini uses data from connected Google apps and imported data from other AI platforms for personalization and AI model training. This clarifies the scope of data processing and training data use, which has direct relevance to GDPR transparency obligations, CCPA consumer disclosures, and emerging AI transparency requirements. Organizations that process regulated data through Gemini should confirm this disclosed practice aligns with their vendor contracts and customer privacy commitments.

Why it matters: The expanded policy provides users with clearer visibility into what personal data Poshmark collects and processes, including user-generated content, transaction history, and behavioral data. For users subject to state privacy laws (particularly California), the explicit disclosure supports understanding of rights to access, delete, and opt out of certain data uses, though exercising those rights requires understanding the full updated policy language.

Why it matters: The expanded Privacy Policy provides substantially more transparency about what personal data Poshmark collects, how it uses and shares that data, and what rights you have. This increased transparency helps you understand what information Poshmark retains about your account, purchases, listings, and interactions, and enables you to make informed decisions about whether to use the platform and what data to provide.

Why it matters: The removal of this disclosure eliminates a material transparency requirement from the privacy notice. Under privacy regulations including GDPR and CCPA, organizations must disclose material data practices in their privacy policies. The absence of disclosure language creates ambiguity about whether the Connected Apps personalization practice continues undisclosed, has been discontinued, or is now treated differently. This impacts users' ability to understand how their data is used and may affect compliance obligations for organizations relying on Gemini's disclosures to inform their own privacy practices.

Why it matters: The updated policy establishes explicit disclosures of two data practices that were previously unstated or unclear: periodic collection of phone numbers from device contact books and optional social network data sharing. This change affects transparency about what data Waze collects and how it is used, and may influence users' understanding of what contact and social information is accessible to the app. The disclosures also create potential clarity for regulatory compliance, as contact collection now has stated scope and purpose rather than being undisclosed.

Why it matters: The removal of Medical Record Privacy Notice disclosure eliminates explicit notice to users that their medical records are governed by a separate privacy framework. Under HIPAA and state medical privacy laws, healthcare providers and business associates must clearly disclose privacy practices for protected health information. If 23andMe continues telehealth services, this removal creates regulatory compliance risk and leaves users without clear notice of how medical data is protected.

Why it matters: The updated terms establish that users in major markets (US, Canada, EEA, UK, Switzerland) are no longer covered by this general agreement and must operate under separate, region-specific terms. This creates a fragmented governance structure where dispute resolution, data handling, and liability may differ significantly depending on jurisdiction and which service is used. The change also establishes that service-specific terms now override the general Terms in cases of conflict, which means users operating multiple 23andMe services may be subject to different agreements with potentially conflicting dispute resolution or consent mechanisms.

Why it matters: Data location disclosures form the basis for regulatory compliance and customer trust. Removing UK from server locations signals a change in data infrastructure that affects where user data is processed, stored, and protected; this matters to UK users who may have data residency or jurisdiction preferences, and to organizations that need accurate vendor location information for their own compliance documentation.

Why it matters: The updated policy establishes explicit authorization for Microsoft to initiate automated marketing calls using AI-generated voice technology where user consent to phone marketing has been given. This creates operational implications for users who provide phone numbers and have opted into marketing contact: they may now receive calls from automated systems. Simultaneously, the removal of language describing EEA user rights narrows the explicit protections stated in the policy for that region, which may have regulatory implications if those rights represented statutory disclosures rather than contractual commitments.

Why it matters: The updated policy explicitly authorizes data sharing with law enforcement and third parties for fraud detection without requiring advance notice or consent in most cases, and clarifies that customer email addresses and identifiers may be used for targeted advertising across external platforms. These expanded disclosures affect how customer data may be used and shared beyond Binance.US's direct operations, which is material for users who expect their financial data to remain within the platform or not be used for external marketing purposes.

Why it matters: The updated policy establishes a narrower definition of personal information collected from children under COPPA (email only) and removes detailed disclosure of how persistent identifiers are used for internal operations. This affects how parents understand child data handling and may influence how organizations process or represent Roblox's child account practices in their own compliance frameworks.

Why it matters: The restructured terms incorporate AI tool disclosures and advertising policies directly into binding user and creator agreements, rather than treating them as supplemental guidance. The addition of six region-specific appendices establishes different contractual terms based on user location, particularly in regulated jurisdictions like the EU and UK. The removal of the standalone change summary eliminates the previous transparency mechanism, requiring users to navigate a 1242-sentence document to understand what changed.

Why it matters: The removal of explicit fraud-prevention data-sharing disclosure reduces the stated transparency of how customer information flows to government agencies and financial institutions, a practice that typically requires clear disclosure under state consumer privacy laws. The consolidation of privacy appeal submission to email only narrows the procedural accessibility of privacy rights requests and may affect response timelines for users who previously relied on webform submission.