Recent Policy Changes

Why it matters: Developers integrating with Gusto's platform now accept mandatory arbitration and cannot pursue class actions, which limits their remedies if disputes arise. Additionally, Gusto's explicit right to modify or discontinue tools without notice creates service continuity risk for developers who depend on stable API access.

Why it matters: The removal of a prominent footer link to opt-out controls may reduce the discoverability of privacy rights that California and other state privacy laws require companies to maintain in a 'clear and conspicuous' manner. If opt-out controls are no longer accessible from the footer, users must locate them through alternative navigation, and regulatory bodies may question whether the new approach satisfies conspicuousness standards. This is particularly relevant for California residents and users in other states with similar privacy statutes.

Why it matters: The removal of explicit consent language regarding account persistence eliminates a documented checkpoint where users could control whether Shein remembers their login. Under GDPR and CCPA, consent for persistent authentication tracking must be freely given and informed; removing the choice mechanism may undermine this documentation.

Why it matters: State privacy laws like CCPA require companies to provide consumers with a conspicuous, easy-to-use mechanism to opt out of data sales and sharing. The removal of a prominent footer link eliminates one accessible disclosure method, potentially weakening compliance with these legal requirements unless equally accessible alternatives remain.

Why it matters: The updated terms establish explicit authority for GitHub to use AI outputs and personal data for AI/ML model training and improvement, and to share this data with affiliates including Microsoft for these purposes. This expands the stated scope of data processing beyond prior language and formalizes a use case (AI model training) that some users may not have anticipated when evaluating how their code and data would be used. Organizations that have made representations to their own customers about code use restrictions or data protection measures should evaluate whether this policy change affects those commitments.

Why it matters: The updated Terms of Service now establish dedicated contractual governance for AI features and data practices. This formalization allows users, customers, and regulators to identify specific terms governing AI training data uses in a single location rather than inferring them from general service language. For organizations subject to data protection regulations (GDPR, CCPA, LGPD), the explicit terms establish what data uses are contractually authorized and what user controls exist, which affects how they must represent GitHub's practices in their own data governance and customer commitments.

Why it matters: The updated terms increase the cost of international transactions and narrow the circumstances under which users can avoid that fee. Users who previously received a full Foreign Transaction Fee waiver for online international purchases will now pay 3.25% on those transactions even if they meet spending or deposit thresholds, as the waiver is restricted to in-person card transactions only.

Why it matters: The updated privacy statement now explicitly names the data types (IP addresses, device identifiers) that Intuit shares with advertising partners and provides a stated opt-out mechanism. This specificity helps users understand what personal data flows out of Intuit to third parties for advertising purposes and gives them a concrete way to limit that practice.

Why it matters: The updated terms no longer explicitly address dispute resolution, content rights, DMCA takedown procedures, payment and billing, data handling, age verification, service availability, or community guidelines. This removal creates contractual ambiguity in core governance areas that typically protect consumer rights and establish mutual obligations. The operational significance depends on whether these provisions were relocated to separate documents or genuinely eliminated; without confirmation, users and organizations cannot determine what protections or obligations remain in effect.

Why it matters: The updated terms explicitly assert that employers waive the right to participate in class-action lawsuits and must pursue disputes individually through arbitration. This change materially restricts employers' legal remedies and prevents collective challenges to Gusto's practices, which may affect how employers can seek redress for data breaches, service failures, billing disputes, or other grievances.

Why it matters: This change materially restricts how Employers can resolve disputes with Gusto by removing class-action rights and mandating individual arbitration. For employers facing identical service or billing issues, this eliminates the option to pursue collective legal remedies, which typically requires more time and money for individual plaintiffs and reduces enforcement leverage.

Why it matters: This change clarifies a critical boundary in data responsibility: if you access Gusto through your employer's payroll account, Gusto's Privacy Policy may not protect you directly because Gusto acts as a processor, not controller, of your data. Understanding this distinction is essential for knowing whether to contact Gusto or your employer with privacy concerns, and for employers to understand their own data governance obligations.

Why it matters: This change indicates that YouTube is broadening its enforcement of policies against deepfakes and synthetic media to protect public figures beyond creators, which may result in faster removal or labeling of synthetic content involving civic leaders and journalists and affects how such content is moderated and appealed.

Why it matters: The updated policy establishes that using Threads now requires agreement to Meta's separate AI terms, and explicitly discloses that interactions with Threads' AI features will be used to train Meta's AI systems. This formalizes AI use and creates new consent and transparency obligations that affect how Threads can use data generated from AI interactions. Organizations relying on Threads should review whether this affects their vendor agreements or customer disclosures.

Why it matters: California law (CPRA) grants residents specific rights over their data that Booking.com did not previously disclose in its main privacy notice. By separating California disclosures and adding explicit opt-out mechanisms, the updated policy clarifies which data categories the company collects, how it may share them, and what control consumers have. This matters because California residents now have actionable mechanisms to opt out of practices they may not have known were occurring.

Why it matters: The addition of mandatory arbitration with a class action waiver fundamentally changes how disputes between users and Booking.com are resolved. Under the previous terms, users retained the right to sue in court or join group litigation; under the updated terms, both rights are eliminated by default unless users affirmatively opt out within 30 days. This shift removes access to courts and collective remedies, which are particularly important when widespread harms affect many users simultaneously.

Why it matters: The updated policy codifies individual rights to access, correct, and delete personal data that are required under the EU-U.S. Data Privacy Framework, giving EU, UK, and Swiss users explicit procedural pathways to exercise those rights. It also establishes that sensitive data sharing requires affirmative opt-in consent, strengthening control over how personal information is used and disclosed.

Why it matters: The updated privacy notice explicitly establishes that SoFi collects user interaction data through tracking technologies and shares that data with advertising partners. The shift from an affirmative preference center to a consent-by-continued-use model means users must take active steps to opt out of these practices, rather than making an explicit choice at the outset.

Why it matters: The updated policy establishes explicit contractual bounds on how Roblox uses persistent identifiers collected from all users including children. By stating that technical, contractual, and other measures limit identifier use to enumerated purposes, the policy creates an affirmative representation about data handling scope that may be enforceable and that affects how vendors and regulators assess the platform's compliance with data protection obligations.

Why it matters: The removal of 1,448 sentences from Roblox's binding Terms of Use, particularly sections on dispute resolution, arbitration, user account protections, and intellectual property rights, eliminates explicit contractual language that historically defined user remedies, account security, payment guarantees, and creator rights. Without visibility into replacement language, users, developers, parents, and enterprise partners cannot assess what protections remain or whether their rights have been narrowed, making informed consent to continued use difficult.

Why it matters: The removal of explicit AI terms acknowledgment and AI data usage disclosures reduces direct transparency within Threads' supplemental privacy policy about how user interactions contribute to Meta's AI systems. While these practices may still be covered elsewhere in Meta's documentation, users and regulators may now lack clear notice in this policy that their Threads activity influences AI training. Organizations using Threads to serve customers may need to strengthen their own transparency disclosures to compensate for this removal.

Why it matters: The removal of California-specific sensitive data protections narrows privacy rights previously available to California consumers and may require organizations using Booking.com to update their own privacy representations. The addition of credit card vendor disclosures introduces a new third-party data controller into the data processing chain, meaning personal data will be shared with an independent party not bound by Booking.com's own privacy commitments.

Why it matters: The updated policy makes explicit that Disney collects personal information not only when you stream online, but also when you visit theme parks, stores, resorts, cruise ships, or call Disney guest centers. Understanding the full scope of collection is essential for consumers who visit multiple Disney properties or use Disney+ through third-party platforms, as the policy now clearly states that privacy settings configured on third-party sites will not apply to Disney+'s own collection.

Why it matters: The updated terms remove explicit transparency around how OpenAI shares data with marketing partners via cookies and remove a stated protection against sensitive data inference. These removals reduce explicit consumer-facing disclosure of specific data practices that were previously described. Whether these practices continue under alternative authorization or have ceased is now unclear from the policy text alone, which may affect how consumers and regulators assess data handling practices.

Why it matters: The updated terms establish a granular consent mechanism that moves away from implied consent by silence toward explicit, category-based preference management. This change affects how SoFi collects and uses tracking data by allowing users to disable non-essential cookies while maintaining transparency about the functional consequences of doing so. The shift aligns with regulatory expectations under GDPR and state privacy laws that require affirmative, informed consent for non-essential data processing.

Why it matters: The updated policy shifts accountability to developers for all account activities and introduces monitoring mechanisms that may affect how organizations manage team access to sensitive financial data. This creates new compliance and operational requirements for anyone integrating Plaid's services and may require updates to data processing agreements, vendor contracts, and customer privacy disclosures.

Why it matters: The updated policy shifts accountability for data access directly to developers and introduces monitoring that was not previously disclosed, creating new compliance obligations and operational risks for any organization using Plaid to handle customer financial information. Developers can no longer delegate accountability for data handling; they must now formally manage and justify every person's access to customer data.

Why it matters: The updated privacy policy removes explicit disclosures of how Midjourney shares data, protects it, handles children's information, and notifies users of policy changes. These removals may create compliance gaps under GDPR and CCPA, which require transparent disclosure of data practices. The removal of children's privacy safeguards is particularly material for organizations serving minors and potentially creates COPPA compliance considerations.

Why it matters: The updated policy establishes new data flows (Math Tutor audio to Apple, transcripts to AI vendors) and extends IP retention timelines for paying customers, creating expanded visibility into how Duolingo processes and shares educational interaction data. For organizations relying on Duolingo as a vendor, these changes may require updates to data processing agreements and vendor control documentation, particularly regarding third-party processors and retention practices.

Why it matters: The Privacy Policy previously made it easy for US residents to find information about their state-level privacy rights by directing them to the Regional Privacy Notice. Removing that direction reduces policy transparency and makes it harder for consumers to understand and exercise those rights without additional searching.