Recent Policy Changes

Why it matters: The updated terms establish a mandatory arbitration framework for dispute resolution, which fundamentally changes how users can assert legal rights against Netflix. Under the revised language, users cannot pursue litigation or participate in class actions through court unless they affirmatively opt out within the window specified in Section 6; this has practical implications for the cost, scope, and outcome of any dispute with Netflix.

Why it matters: The updated terms establish broader grounds for retaining personal data, expanding from transaction and legal necessity to include business operations and product development. This change affects how long data may be retained and the purposes Microsoft may rely on to justify that retention, shifting retention decisions away from unified policy guidance into product-specific documentation that users must actively consult.

Why it matters: The updated terms establish that Google makes no contractual commitment to service quality or reliability except where specific services include their own warranties. This change affects how users can seek remedies for service failures and narrows the contractual protections that previously existed under the reasonable care warranty. For organizations relying on Google services, this warranty disclaimer may affect their own vendor risk management and customer-facing representations about service reliability.

Why it matters: Booking.com's updated Terms now bind users to three separate documents as a unified contract. This expands the scope of your obligations and Booking.com's authority beyond what the main Terms alone convey. You are advised by Booking.com itself that if you do not accept all provisions in all three documents, you should not use the platform; this creates pressure to accept all three without the ability to negotiate or opt out of specific provisions in How We Work or Content Standards.

Why it matters: The updated agreement eliminates explicit contractual notice that Steam Wallet funds will expire after six months for Japanese users, removing a transparency mechanism that previously informed users of a time-dependent financial obligation. Japanese law typically requires clear disclosure of stored value expiration terms, so the removal of this contractual language may create compliance risk unless Steam has implemented alternative disclosure mechanisms outside the agreement text.

Why it matters: The removal of published disclosures about third-party sign-in data handling eliminates transparency about a material data flow. Users can no longer reference the privacy policy to understand what information Apple or Google shares with Acorns or how Acorns uses that data. Regulators may scrutinize whether omission of these disclosures constitutes material unfairness or deception. Organizations relying on Acorns' transparency to satisfy their own privacy notice obligations will need to address the gap.

Why it matters: The removal of explicit language stating the Privacy Notice does not apply to Ollie App eliminates transparency about scope boundaries. Users previously had clear notice that Ollie was governed by separate privacy terms; that notice is now absent, creating ambiguity about whether Ollie's data handling is covered by the updated notice or remains subject to undisclosed separate terms. Additionally, removing 'affiliates' from the definition of covered entities narrows the perceived scope of the Privacy Notice, which may affect how users and regulators understand what parts of Coursera's business operations are subject to the stated privacy protections.

Why it matters: The updated terms establish explicit account creation age requirements (18+) and formalize support for out-of-household Extra Member accounts. These changes affect who can create Netflix accounts and how subscription sharing is legally structured, with potential compliance implications under COPPA and age-verification frameworks in regulated jurisdictions.

Why it matters: The updated policy clarifies that Google links your activity across multiple websites and apps through cookies and other technologies as part of its integrated ad and analytics services, not just within individual analytics dashboards. This expanded and more transparent description of cross-site and cross-app tracking is relevant to users concerned about the scope of their digital footprint and to organizations that must disclose Google's data practices to their own customers.

Why it matters: The updated addendum clarifies Gusto's data protection obligations and under what legal circumstances they apply. For employers subject to GDPR, UK GDPR, or state privacy laws, this update refines the contractual framework governing how employee and payroll data is processed, which is critical for regulatory compliance and vendor accountability.

Why it matters: Target Circle members rely on understanding how their purchases earn rewards to assess program value and plan loyalty engagement. The removed language previously clarified how transactions across different channels and delivery methods contribute to bonus eligibility and when rewards appear, information that directly affects whether customers perceive the program as transparent and trustworthy.

Why it matters: The reframed service positioning changes how Plaid describes its role and relationship with you, moving from intermediary to direct service provider. The introduction of a new web-based monitoring and alerts service creates a new data access and usage pathway that may operate independently of third-party app integrations, and understanding its scope and data practices is important for users who choose to use it.

Why it matters: The narrowed third-party disclaimer may affect transparency about which companies have access to or share your data, particularly if Riot Games owns entities it does not fully control. For California residents, the restructured privacy notice may change how purposes for data collection are disclosed, potentially affecting clarity about how your information is used.

Why it matters: The regional entity restructuring creates distinct legal counterparties and governing frameworks for Mexico and Brazil customers, affecting dispute resolution and applicable law. The removal of Twilio's commitment to maintain service functionality weakens the operational warranty customers previously had and creates ambiguity about what service changes are permissible, which may affect how organizations that rely on Twilio's stability assess their own service guarantees to downstream customers.

Why it matters: This change establishes a lawful pathway for children under 13 to use Cash App services through parental authorization, replacing a prior absolute prohibition. This shift creates direct COPPA compliance obligations for Cash App, including requirements for verifiable parental consent, account tracking, and data deletion for unauthorized child accounts. Organizations that serve families or use Cash App must evaluate whether this new framework affects their own compliance posture or vendor disclosures.

Why it matters: The reorganization and clarification of AI data practices, creator content licensing, and advertising policies in the main Terms of Use makes these previously scattered or supplemental disclosures more visible and accessible to users and creators. This change affects how users understand data collection tied to AI features and how creators learn about licensing their content for advertising purposes, as well as how all users see transparency around ad personalization.

Why it matters: Parents now have greater transparency into how Nintendo collects and uses their child's data, including which apps can access the account and the specific purposes for which Nintendo collects device identifiers. The expansion of location data use to include event check-ins represents a new type of location tracking beyond games, which parents should understand.

Why it matters: The updated terms clarify and expand Plaid's authority to collect contact information (phone numbers, email addresses) and identity data during account creation and verification processes. This is operationally significant because it makes explicit what data Plaid may request and retain, affecting how third-party applications and Plaid itself can integrate identity verification into user onboarding workflows. The removal of references to standalone monitoring services may indicate a shift in Plaid's service model, though this is not explicitly stated.

Why it matters: The removal of explicit service carve-outs creates legal and operational ambiguity about which Ledger products are governed by this privacy policy. Under GDPR and CCPA, consumers are entitled to clear, specific notice of what services and data are covered by any given privacy statement. If Recover and Multisig were previously governed by separate policies and are now intended to fall under the main policy, that expansion requires clear notification. If they remain separate, their removal from the policy without replacement disclosure violates transparency standards.

Why it matters: The updated terms eliminate an entire service line (Remittance Service) after May 1, 2026, affecting users who depend on Cash App for remittance transfers. The terms establish automatic cancellation and refund procedures for pending transactions, creating a defined transition window during which users must act to complete transfers. The California gift card threshold change modifies redemption mechanics but has minimal operational impact.

Why it matters: The privacy policy is the primary document users and regulators consult to understand how companies handle data. By moving retention details from the policy to scattered product documentation, Microsoft reduced transparency at the point of disclosure, making it harder for users and compliance teams to understand how long their data is kept. This shift also complicates vendor audits and Data Processing Agreement alignment.

Why it matters: The updated terms consolidate retention rationale into five broad business purposes but move specific retention period specifications from the main privacy statement to product-level documentation. This restructuring means that users and compliance teams must now consult multiple product documents rather than a single consolidated retention criteria statement to understand how long Microsoft will keep their data. The change does not appear to alter Microsoft's underlying retention practices, but it affects how retention commitments are disclosed and discovered.

Why it matters: The Subprocessors list is a key transparency mechanism under GDPR Article 28 and equivalent data protection frameworks that allows data controllers to verify which third parties process their data. Removing the direct link from the Terms of Service reduces the accessibility of this information and may complicate compliance audits and vendor due diligence workflows, even if Figma's underlying obligation to disclose subprocessors remains unchanged.

Why it matters: The updated notice explicitly discloses that Gemini uses data from connected Google apps and imported data from other AI platforms for personalization and AI model training. This clarifies the scope of data processing and training data use, which has direct relevance to GDPR transparency obligations, CCPA consumer disclosures, and emerging AI transparency requirements. Organizations that process regulated data through Gemini should confirm this disclosed practice aligns with their vendor contracts and customer privacy commitments.

Why it matters: The expanded policy provides users with clearer visibility into what personal data Poshmark collects and processes, including user-generated content, transaction history, and behavioral data. For users subject to state privacy laws (particularly California), the explicit disclosure supports understanding of rights to access, delete, and opt out of certain data uses, though exercising those rights requires understanding the full updated policy language.

Why it matters: The expanded Privacy Policy provides substantially more transparency about what personal data Poshmark collects, how it uses and shares that data, and what rights you have. This increased transparency helps you understand what information Poshmark retains about your account, purchases, listings, and interactions, and enables you to make informed decisions about whether to use the platform and what data to provide.

Why it matters: The removal of this disclosure eliminates a material transparency requirement from the privacy notice. Under privacy regulations including GDPR and CCPA, organizations must disclose material data practices in their privacy policies. The absence of disclosure language creates ambiguity about whether the Connected Apps personalization practice continues undisclosed, has been discontinued, or is now treated differently. This impacts users' ability to understand how their data is used and may affect compliance obligations for organizations relying on Gemini's disclosures to inform their own privacy practices.

Why it matters: The updated policy establishes explicit disclosures of two data practices that were previously unstated or unclear: periodic collection of phone numbers from device contact books and optional social network data sharing. This change affects transparency about what data Waze collects and how it is used, and may influence users' understanding of what contact and social information is accessible to the app. The disclosures also create potential clarity for regulatory compliance, as contact collection now has stated scope and purpose rather than being undisclosed.

Why it matters: The removal of Move Money Rules documentation from binding terms creates operational and regulatory ambiguity. Users can no longer reference the terms to understand how automatic fund movements work, what conditions trigger them, or what fees apply. If the feature remains available, the removal may violate disclosure obligations under consumer protection and payment services regulations. If the feature has been discontinued, the removal should be accompanied by explicit notice to affected users.

Why it matters: The removal of Medical Record Privacy Notice disclosure eliminates explicit notice to users that their medical records are governed by a separate privacy framework. Under HIPAA and state medical privacy laws, healthcare providers and business associates must clearly disclose privacy practices for protected health information. If 23andMe continues telehealth services, this removal creates regulatory compliance risk and leaves users without clear notice of how medical data is protected.