Showing the most important changes (medium + high severity)
May 5, 2026
Canva
Canva Terms of Use
medium
Removed cookie consent disclosure and cookie preference options from Terms of Use.
Why it matters: The removal of explicit cookie consent language from the primary terms may reduce the visibility and accessibility of Canva's cookie practices and user control options. Users and compliance teams evaluating Canva's data practices based on the main terms will no longer find this disclosure in the document they reference most frequently. The change creates a documentation gap if equivalent disclosures do not remain in separate, easily discoverable policy documents.
23andMe
23andMe Privacy Statement
medium
Removes reference to separate Medical Record Privacy Notice for telehealth services from main privacy policy
Why it matters: The updated policy removes explicit guidance that medical information collected through telehealth services is governed by separate privacy terms. This affects how users understand the scope of privacy protections applicable to healthcare information, and may create ambiguity about whether the main privacy statement or separate healthcare-specific terms govern medical records collected through telehealth. Organizations using 23andMe telehealth services should verify whether separate healthcare privacy protections remain in effect and how they are now disclosed.
23andMe
23andMe Terms of Service
medium
Restructured geographic scope so main Terms now apply only outside US, Canada, EEA, UK, Switzerland; arbitration notice repositioned; conflict-of-laws rule reversed.
Why it matters: This change restructures which Terms apply to which users and how conflicts between overlapping agreements are resolved. US, Canadian, and European users will now operate under region-specific Terms rather than the unified Terms, and the substance of those regional agreements may differ materially from what the main Terms stated. The inverted conflict-of-laws rule means disputes over service-specific features will be resolved using that feature's terms rather than appealing to the master agreement.
TikTok
TikTok Community Guidelines
medium
Removed Children's Privacy Policy link from Community Guidelines footer navigation
Why it matters: The removal of a direct link to the Children's Privacy Policy from the Community Guidelines footer reduces the discoverability of child-specific privacy information from a major policy document. Under COPPA and similar regulations, children's privacy practices must be clearly and prominently disclosed; this change may complicate regulatory demonstration of accessibility. Organizations relying on TikTok's documented disclosure structure may need to update their own privacy policies or vendor assessments.
Google
Google Terms of Service
medium
Replaced 'as is' warranty disclaimer with 'reasonable skill and care' standard; added requirement to notify Google of service quality issues.
Why it matters: The updated terms establish an affirmative warranty obligation (reasonable skill and care) that replaces prior 'as is' disclaimers, which may strengthen user claims in disputes over whether services met a baseline quality standard. This is operationally significant because it shifts the terms from maximum liability limitation toward a standard-of-care framework where service quality failures can be contested, rather than assumed to be disclaimed.

ConductAtlas monitors 343+ platforms and captures every policy update.

OpenAI
OpenAI Privacy Policy
medium
Removed advertiser data partnership disclosures and free user ad controls; broadened direct marketing authority language.
Why it matters: The updated policy removes specific disclosures about where ad targeting data comes from and what controls users have over ad personalization, while simultaneously expanding the stated scope of direct marketing activities on third-party properties. For free and go tier users, this creates reduced transparency about advertiser data flows. For organizations with data processing agreements or privacy notices that reference OpenAI's policy, this change may require contract or notice updates to accurately reflect what OpenAI now discloses about its practices.
Segment
Segment Terms of Service
medium
Restructures country-specific terms from Mexico to Japan; adds ID verification, Japanese tax treatment, and Tokyo arbitration venue.
Why it matters: The updated terms establish a comprehensive Japan-specific regulatory framework for Segment customers in that jurisdiction, replacing the previous Mexico-specific terms. This change affects where disputes are resolved, what identity verification documentation is required, how fees are calculated and taxed, and what intellectual property protections apply. Organizations relying on Segment for customer data management in Japan need to confirm these new operational requirements align with their existing vendor contracts and compliance procedures.
OneLogin
OneLogin Privacy Policy
high
Removes disclosures about AI analysis of calls, chats, and emails; narrows stated data use scope from 'answers or services asked' to 'services purchased'.
Why it matters: The updated policy removes specific disclosures of AI-powered analysis of customer communications, which were previously stated purposes for data collection and processing. This removal creates ambiguity about how OneLogin processes call, chat, and email data going forward and may affect the transparency of OneLogin's data practices under GDPR, CCPA, and FTC standards. Organizations that rely on OneLogin's published privacy terms to inform their own vendor disclosures and Data Processing Agreements should evaluate whether they remain accurate.
Substack
Substack Privacy Policy
medium
Adds disclosure of account identifier sharing with child safety consortia; establishes one-month response deadline for privacy rights requests.
Why it matters: The policy now transparently discloses a new data sharing practice that affects all users' email addresses and usernames, and establishes formal timelines for exercising privacy rights that previously had no guaranteed deadline. This clarifies both what Substack does with user identifiers and what users can expect when requesting data or privacy rights.
Binance.US
Binance.US Privacy Policy
medium
Adds AI chatbot data collection and disclosure of information sharing with OpenAI, including prompts, account data, and portfolio details.
Why it matters: The updated privacy policy establishes explicit data collection and sharing practices involving AI chatbots and OpenAI. This change materially affects what information Binance.US discloses it collects from user interactions with its AI features and identifies a specific third-party (OpenAI) that will receive account, portfolio, and communication data. For users in jurisdictions with data protection requirements, this disclosure is operationally significant because it clarifies downstream data flows that may require explicit consent, vendor scrutiny, or privacy notice updates depending on applicable law.
May 2, 2026
Coinbase
Coinbase User Agreement
medium
Removed Secured USDC provisions and asset transfer carve-outs from core asset protection terms, eliminating restrictions on USDC designations and third-party secured party instructions.
Why it matters: This change removes a material disclosure about how Coinbase could restrict access to user assets and prioritize third-party instructions over user commands. The removal simplifies the core asset protection clause but creates ambiguity about whether Secured USDC continues to operate and under what terms. Users reviewing the main User Agreement would no longer see disclosure of the prior restrictions and loss-of-control provisions tied to that product, which affects their understanding of how their assets are protected and when their instructions control their funds.
May 1, 2026
ADP
ADP Privacy Statement
medium
Removes cookie consent tool and granular preference controls; deletes explanations of cookie types and user opt-out options.
Why it matters: Cookie consent and preference controls are a foundational transparency and control mechanism required by GDPR, the ePrivacy Directive, and similar regulations. Removing this disclosure without explaining where users can now manage cookies creates compliance ambiguity for both ADP and downstream organizations that rely on vendor transparency.
eBay
eBay Privacy Notice
medium
Expands privacy notice with detailed sections on data collection, processing purposes, cross-border transfers, and data protection officer contact information.
Why it matters: eBay's privacy notice expansion strengthens transparency about how user data is collected, processed, and transferred, enabling users and regulators to better understand eBay's data practices. The addition of explicit data protection officer contact and detailed legal bases for processing provides users with clearer avenues to exercise privacy rights and challenge processing they believe is unlawful.
Ancestry
Ancestry Privacy Statement
medium
Removed 'Do Not Sell or Share My Personal Information' footer link, reducing accessibility to CCPA opt-out disclosures for California residents.
Why it matters: The CCPA requires companies to provide California consumers with a straightforward mechanism to opt out of the sale and sharing of personal information. Ancestry's removal of this link from the privacy footer reduces the visibility and ease of access to this legally protected right, even if the right itself is not eliminated. California regulators have emphasized that blocking or obscuring access to opt-out mechanisms undermines consumer choice.
Ancestry
Ancestry Terms and Conditions
medium
Removed CCPA opt-out link from terms footer, reducing visibility of California data sale rights.
Why it matters: CCPA requires businesses to provide California residents with a clear and conspicuous method to opt out of personal information sales and sharing. Removing the opt-out link from the terms footer reduces the discoverability of this required right from a prominent location, potentially creating a CCPA compliance gap if equivalent access is not available elsewhere.
Canva
Canva Privacy Policy
high
Removes cookie consent disclosure and preference options from privacy policy.
Why it matters: This change removes explicit disclosure of cookie practices and user consent controls from Canva's privacy policy. The updated terms no longer state how non-essential cookies are used or direct users to manage preferences, which may affect transparency and compliance with cookie consent regulations in jurisdictions such as the EU and UK. Users and organizations relying on the privacy policy as the source of cookie information will no longer find this disclosure there.

Canva
Canva Terms of Use
medium
Removed cookie consent disclosure and preference-management language from Terms of Use
Why it matters: The removal of explicit cookie disclosure and preference-management language from the Terms of Use may weaken the evidentiary foundation for informed user consent under GDPR Article 7, EDPB consent guidelines, UK PECR, and similar privacy frameworks that require clear notice and choice prior to non-essential cookie placement. The change does not clarify whether Canva continues to use such cookies under a separate policy or whether practices have changed; it indicates only that the specific disclosure mechanism previously embedded in the Terms of Use has been deleted.
SoFi
SoFi Terms of Service
medium
Arbitration Agreement now explicitly required as binding acceptance condition to use SoFi platform and services.
Why it matters: The updated terms establish that arbitration is now an explicit, non-negotiable condition of using SoFi's platform or obtaining its products. Previously, the arbitration requirement may have been referenced in separate documents or less prominently. This change clarifies SoFi's position on dispute resolution and means users cannot access SoFi's services without accepting the arbitration clause, which typically bars class action lawsuits and requires individual disputes to be resolved through arbitration rather than court.
Gusto
Gusto Privacy Policy
medium
Adds explicit binding agreement language and clarified consent mechanism to Background Checks Terms of Service.
Why it matters: The updated terms formalize what constitutes binding acceptance of the service agreement and explicitly require the accepting individual to warrant they have authority to commit the organization. For employers, this means the person clicking through is now formally representing they have that authority, creating potential liability if they do not; for Gusto and Checkr, it creates a documented basis for enforcing the agreement and a defense against claims that acceptance was invalid.
Gusto
Gusto Terms of Service
medium
Clarifies that Gusto background check service consent is binding and incorporates full service terms from Gusto, payroll, and Checkr.
Why it matters: The updated terms make explicit that initiating a background check through Gusto triggers a legally binding, three-part contract covering Gusto, payroll, and Checkr services. Organizations must ensure their authorized signatories understand this binding scope and that their vendor agreements with Gusto account for the incorporation of Checkr's service terms.
Upwork
Upwork Privacy Policy
high
Removed detailed Data Privacy Framework compliance disclosures and certification language, retaining only a data request mechanism.
Why it matters: The removal of explicit Data Privacy Framework compliance language eliminates a key transparency disclosure about how Upwork protects personal data transferred from the EU, UK, and Switzerland to the U.S. Under GDPR and UK GDPR, data transfers to non-adequate third countries require documented safeguards, and privacy policies are expected to inform users of the mechanisms used; the removal of this disclosure creates uncertainty about what legal basis now protects those transfers.
Upwork
Upwork Terms of Service
medium
Removed Data Privacy Framework compliance disclosures; retained contact mechanism for data transfer documents.
Why it matters: The removal of Data Privacy Framework language eliminates transparent commitments about how Upwork handles personal data transfers from regulated jurisdictions. For individual users and enterprises, this creates ambiguity about the legal mechanism protecting cross-border transfers and may require verification of the current transfer arrangement.
Roblox
Roblox Privacy and Cookie Policy
medium
Restricts personalized advertising to users 18 and older; users under 18 will see only nonpersonalized ads.
Why it matters: The updated terms establish a clear age-based boundary for ad personalization, restricting targeted advertising to adults 18 and older. This change affects how minors experience the platform and limits data use for marketing purposes, which has operational implications for advertisers relying on behavioral targeting and compliance implications for organizations subject to child privacy regulations like COPPA.
Roblox
Roblox Terms of Use
medium
Updated Terms of Use with restructured policy sections, explicit subsidiary identification, and new sections on advertising integrations and content moderation
Why it matters: The updated terms establish explicit identification of Roblox entities operating in multiple jurisdictions and formalize previously implicit policies around advertising and API usage. The addition of dedicated sections on advertising integrations and content moderation signals expanded disclosure and formalization of procedures that were previously less explicitly addressed, which affects how users and developers understand their rights and obligations under the platform. For organizations with commercial or data processing relationships, the restructuring may require contract review to ensure alignment with the new subsidiary structure.
Coinbase
Coinbase User Agreement
medium
Added exception permitting asset transfers to third parties for Secured USDC cardholder agreements; restricts user withdrawals of designated USDC
Why it matters: The updated terms create a new category of asset transfers that operate outside the prior framework requiring user instruction or legal mandate. Users who opt into the Secured USDC feature agree to lose withdrawal rights and permit Coinbase to follow third-party instructions without their further approval. This materially changes the control and disposition rights for designated assets and introduces a new product-specific governance structure not previously addressed in the general asset custody provisions.
OpenAI
OpenAI Privacy Policy
medium
Adds explicit direct marketing disclosures and marketing partner data sharing; introduces user controls for third-party product promotion.
Why it matters: The updated terms establish explicit authorization for OpenAI to engage in direct marketing to users and to share data with non-service-provider marketing partners to support those efforts. This change operationalizes a new category of data recipient and marketing use case that was not previously disclosed with this level of specificity. The addition of user-control mechanisms suggests OpenAI intends to scale direct-marketing activities while maintaining an option for users to opt out, which affects how personal data flows through the company's marketing operations.
April 30, 2026
Google Gemini
Gemini Apps Privacy Notice
medium
Updated privacy notice to clarify Memory feature consent requirements and expand personalization practices globally.
Why it matters: The updated terms authorize personalization based on chat history for all users globally, whereas the prior policy restricted this to users outside regulated jurisdictions. This represents a material expansion of the scope of data processing and personalization practices. Organizations that based their vendor assessments or compliance strategies on prior geographic limitations should reevaluate their data processing documentation.
Target
Target Terms and Conditions
medium
Adds disclosure of CA Shipt Shopper Benefit Fee on all same-day deliveries in California
Why it matters: California customers using same-day delivery will now pay an additional fee disclosed in Target's terms, which may have been previously undisclosed or is being newly introduced. Clear disclosure of delivery fees is a consumer protection requirement in California, so this update reflects Target's compliance with state law.
April 29, 2026
Cohere
Cohere Privacy Policy
medium
Removes specifics on data retention timelines and deletion procedures previously disclosed in privacy policy
Why it matters: The updated policy removes specific, quantified commitments about data retention and deletion request handling. Where users previously could reference a 30-day retention period and one-month response timeline from the policy document itself, they now encounter only a reference to external 'retention practices' without in-policy specificity. This reduction in transparency may create friction with regulatory requirements that mandate clear disclosure of data retention practices and user deletion rights, and it affects how downstream organizations can represent Cohere's data handling to their own customers.
FanDuel
FanDuel Privacy Policy
medium
Removed Fantasy Picks platform from privacy policy scope; affected users should verify separate privacy terms for Picks accounts.
Why it matters: A privacy policy that explicitly lists which platforms and services it covers creates user expectation and legal protection. Removing a named service (Fantasy Picks) from that scope without clearly stating an alternative privacy framework may confuse users about their rights and may trigger regulatory scrutiny under state privacy laws (CCPA, VCDPA, CPA, CTDPA) and GDPR, which require transparent disclosure of data practices.


Updated daily. New changes added as detected.
