Notable Vendor Policy Changes: A Running Timeline (2023-2026)
By Visualping Editorial Team
Updated July 3, 2026

Vendors change their legal terms all the time. A few of those changes blow up in public. Most pass without anyone outside the vendor's legal department noticing, and those are the ones that should worry you: 51% of the terms-of-service pages actively monitored on Visualping changed at least once in the past 90 days.
This page is a running log of the vendor policy changes that mattered: the ToS rewrites, privacy policy updates, and AI-training clauses that triggered customer backlash, forced public clarifications, or changed what a vendor can do with customer data without an announcement. We update it monthly and whenever a new incident lands.
Last updated: July 2, 2026.
How this timeline works
Each entry records what changed, how it surfaced, and how the vendor responded, with sources. Incidents big enough to earn their own coverage get a short entry here that links to the full write-up. The goal is a reference you can scan in two minutes before a vendor review.
2026
Ongoing: Meta's rolling privacy policy updates
Meta continues to revise its privacy policy on a rolling basis, including changes covering Meta AI chat data. Each update window drives a spike in people searching for what changed. We track these in a dedicated post: Meta AI privacy policy: what changed and how to monitor it.
2025
July 2025: WeTransfer rewrites its terms after an AI licensing scare
WeTransfer updated its terms of service with language about machine learning and a broad content license, and users read it as permission to train AI on their transferred files. The company clarified that it does not use AI or machine learning on shared content and said the machine-learning line was meant to cover possible future content moderation. It then revised the wording. Licensing language written for one purpose reads very differently once AI is in the room.
July 2025: Slack silently rewords its generative AI commitment
Slack's privacy principles stated that the company "does not train LLMs or other generative models on Customer Data." In mid-2025, a security researcher noticed the sentence had been changed without announcement to "We do not develop generative AI models using Customer Data." A one-sentence edit on a trust page, shipped silently, altered the scope of a public commitment. This is the clearest recent example of why risk teams put change detection on vendor trust pages rather than re-reading them once a year.
May 2025: SoundCloud updates its terms to permit AI training
SoundCloud updated its terms to allow AI models to train on user-uploaded content, then clarified its position after musicians pushed back. The terms changed first. The explanation came after the backlash.
April 2025: Slack clarifies its ML and AI data rules
Following the 2024 controversy (below), Slack updated its privacy principles to spell out the difference between its traditional machine-learning features, which use de-identified usage data, and Slack AI, which it says does not use customer data to train third-party large language models.
2024
June 2024: Adobe's "automated and manual methods" clause
Adobe pushed a Terms of Use update requiring users to accept that the company "may access your content through both automated and manual methods." Creators read that as license to scan NDA-covered client work and train Firefly on it, and the reaction went viral within days. Adobe published a clarification calling it a misunderstanding, then rewrote the terms with plain-English summaries and explicit commitments: no training generative AI on customer content, no scanning locally stored files.
May 2024: Slack's default opt-in for AI training
A Slack user spotted a line in the company's privacy principles saying customer data, including messages and files, was analyzed to develop AI and ML models, with every workspace opted in by default and opt-out requiring an email to customer support. The backlash was immediate. Slack responded that its models used de-identified, aggregate data and could not reproduce message content, and added an explicit generative AI section to its privacy principles days later. The wording that caused the storm had been sitting on a public page the whole time.
2023
December 2023: Dropbox's third-party AI toggle, on by default
Users discovered a "third-party AI" setting in Dropbox that shared data with OpenAI to power AI search features, enabled by default for accounts with access to the alpha. Dropbox's CEO apologized for the confusion. The company said data reaches OpenAI only when someone actively uses the AI features, and third-party copies are deleted within 30 days. (EU, UK, and Canadian accounts had been excluded from the alpha. Most everyone else was in by default.)
August 2023: Zoom's "perpetual license" AI clause
A July 27 revision to Zoom's terms of service granted the company a perpetual, worldwide license to customer content, including for AI and machine-learning training. When the clause surfaced publicly in early August, the reaction forced two rounds of revisions in a week. Zoom committed that it would not use audio, video, or chat content to train its AI models without consent. The episode set the template for nearly every incident that followed.
The pattern behind these incidents
Read the entries again and the same things repeat. Every incident started as an edit to a public legal page; the announcement, if one ever came, arrived later. The defaults favor the vendor: opt-in by default, opt-out by email, settings buried three menus deep. The clarification follows the backlash, usually within days of users noticing. And some edits skip the backlash entirely because nobody catches them. Slack's 2025 rewording never got an announcement at all, and without a diff, nobody would know.
The common thread: each change was visible on a public page the day it shipped. Anyone watching the page knew immediately. Everyone else found out from the news cycle, or not at all.
How to monitor vendor policy pages with Visualping
You can put a monitor on any vendor's terms, privacy policy, or trust page in about a minute:
- Paste the page URL into Visualping, for example
https://vendor.com/termsor the vendor's privacy policy page. - Set the check frequency. Daily checks fit legal pages; they change rarely, but when they do, you want to know that day.
- Add an "Alert me when" prompt so alerts fire only on changes you care about. Prompts that work well for legal teams: "Alert me only when the terms mention AI training, machine learning, or content licensing" or "Alert me when liability, indemnification, or data-transfer terms change."
Every change event comes with Visualping AI's plain-language summary of what changed, plus an IMPORTANT flag when the change looks material, so you can triage from the alert itself. The free plan covers unlimited local monitors and five cloud monitors, which is enough to watch your most critical vendors' legal pages.
Frequently asked questions
How often do vendors actually change their terms?
More often than annual review cycles assume. Across pages monitored on Visualping, 51% of actively watched terms-of-service pages changed at least once in the past 90 days, and 36% logged at least one change flagged IMPORTANT by Visualping AI. Subprocessor lists move even faster.
Do vendors have to notify customers when terms change?
Often, no. Many SaaS agreements include a "notice by posting" clause: publishing the updated terms on the website counts as notice, and continued use counts as acceptance. That makes the public page itself the notification channel, which is exactly why watching it matters. Check your agreements with counsel; this page is not legal advice.
Which vendor pages should legal and risk teams monitor?
Five page types cover most of the risk: terms of service, privacy policy, data processing agreement, subprocessor list, and the trust or security page. Our guide to continuous vendor monitoring covers how to set up all five per vendor, and the terms of service monitoring guide goes deep on the ToS workflow, including AI analysis and escalation to legal.
Related reading
Want to monitor web changes that impact your business?
Sign up with Visualping to get alerted of important updates from anywhere online.
Visualping Editorial Team
The Visualping Editorial Team covers third-party risk management, regulatory compliance monitoring, and the operational systems that keep them current.