Users notified of material changes before they take effect
Why it matters
GDPR Art. 13(3) requires that when you make material changes to how you process personal data, you re-notify affected users before those changes take effect. GDPR Art. 7(3) requires that withdrawing consent be as easy as giving it — which implies users must know when consent conditions change. CCPA §1798.130(a)(5)(B) requires notifying consumers of material changes to privacy practices. If your Terms of Service states "we will notify you by email" of changes but no email dispatch mechanism exists for legal updates, that statement itself is a misrepresentation — and regulators have cited exactly this gap in enforcement actions. ePrivacy Art. 5(3) adds cookie consent re-notification requirements when consent scope changes.
Severity rationale
Low because failing to implement the notification mechanism promised in the Terms of Service is a misrepresentation to users and a GDPR Art. 13(3) notification gap that regulators have cited in enforcement.
Remediation
Document your notification procedure explicitly in the Terms of Service, then implement a version-tracking mechanism to trigger notifications when terms change.
In your Terms of Service, add:
## Changes to These Terms
When we make material changes, we will: update the "Last updated" date,
send an email to your registered address at least 14 days before the changes
take effect, and display a notice on our website. Your continued use after
the effective date constitutes acceptance.
In your database, add a terms_version field to the users table and check it on login:
const CURRENT_TERMS_VERSION = 2 // Increment when terms change materially
// On login, after session is established:
if (user.acceptedTermsVersion < CURRENT_TERMS_VERSION) {
  // Show a "We've updated our terms" modal or redirect to /terms-updated
}
Trigger a bulk email via your transactional email provider (Resend, Postmark, SendGrid) whenever CURRENT_TERMS_VERSION increments.
Detection
- ID: material-change-notification
- Severity: low
- What to look for: Enumerate every relevant item. Look for any mechanism that notifies users when the Terms of Service or Privacy Policy is updated. This may be: an email notification system triggered when legal pages are updated (look for email dispatch code near legal page update logic), a site-wide banner or modal announcing legal updates (a "We've updated our terms" banner in the root layout), a changelog or version history section on the legal pages themselves, or documentation (in README, ops docs, or the legal page itself) stating the notification procedure. Also check the Terms of Service itself — does it state how users will be notified of material changes (e.g., "We will notify you by email at least 30 days before material changes take effect")? If it states a notification method, check whether that method is actually implemented.
- Pass criteria: Either (a) a technical mechanism exists to notify users of legal page changes (email notification, site banner, or in-app notification), or (b) the Terms of Service clearly states how users will be notified of material changes and the stated method is plausible given the application's notification infrastructure.
- Fail criteria: No notification mechanism exists. Terms of Service states users will be notified "by email" but no email dispatch system is in place for legal updates. Terms of Service makes no mention of how users will be notified of changes.
- Skip (N/A) when: Application has no user accounts and no registered user base to notify. Pure public static site with no authentication.
- Detail on fail: Specify the gap. Example: "Terms of Service states 'we will notify you by email 30 days before material changes' but no email dispatch mechanism for legal updates exists in the codebase." or "No mention of how users are notified of terms changes. No email or notification mechanism found."
- Remediation: At minimum, document your notification procedure in the Terms of Service and implement a basic email notification flow.
  In your Terms of Service, add:
  ## Changes to These Terms
  We may update these Terms from time to time. When we make material changes (changes to your rights, obligations, or the way we handle your data), we will:
  - Update the "Last updated" date at the top of this page
  - Send an email notification to your registered email address at least [14/30] days before the changes take effect
  - Display a notice on our website
  Changes that do not materially affect your rights (corrections, clarifications, formatting) may be made without advance notice. Your continued use of the Service after the effective date constitutes acceptance of the revised Terms.
  For implementation, a simple approach is to include a "terms_version" field in your user table and check it on login:
  // When you update your terms, increment CURRENT_TERMS_VERSION
  const CURRENT_TERMS_VERSION = 2
  // On login, check if user has accepted current version
  // If not, show a "we've updated our terms" modal before proceeding
  if (user.acceptedTermsVersion < CURRENT_TERMS_VERSION) {
    // Redirect to /terms-updated or show modal
  }
  For email notifications, trigger a bulk email to all users whenever CURRENT_TERMS_VERSION increments, using your existing transactional email provider (SendGrid, Resend, Postmark, etc.).
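The terms-version gate sketched in the Remediation section above and again in the Detection item, carried through as an added example in JavaScript. This is not code from the original rule page or from any product it assesses. It keeps the page's acceptedTermsVersion field and CURRENT_TERMS_VERSION idea, and assumes two extra fields that are not on the page (acceptedTermsAt for the consent trail, notifiedOfTermsVersion so the notice job can be re-run safely), an effective date and notice period matching what the Terms promise, and an in-memory sender standing in for Resend, Postmark or SendGrid. All users and dates are constructed.

```javascript
// Added example (not from the original rule page): a terms-version login gate,
// an acceptance record that doubles as a consent trail, and an idempotent
// advance-notice mailer. Field names beyond acceptedTermsVersion are assumptions.

const CURRENT_TERMS = {
  version: 2,                                       // bump when terms change materially
  effectiveDate: new Date("2026-05-01T00:00:00Z"),  // when version 2 takes effect (constructed)
  noticePeriodDays: 14,                             // the period promised in the Terms
};

// Login gate. A missing or malformed acceptance record counts as "not accepted",
// so an account created before the column existed cannot slip past the check.
function requiresReacceptance(user, terms = CURRENT_TERMS) {
  const accepted = Number.isInteger(user.acceptedTermsVersion) ? user.acceptedTermsVersion : 0;
  return accepted < terms.version;
}

// Store version and timestamp together: "accepted v2 on <date>" is what you
// need to show if an acceptance is ever disputed.
function recordAcceptance(user, terms = CURRENT_TERMS, now = new Date()) {
  return { ...user, acceptedTermsVersion: terms.version, acceptedTermsAt: now.toISOString() };
}

// Latest moment the notice can still go out and honour the promised period.
function noticeDeadline(terms = CURRENT_TERMS) {
  const d = new Date(terms.effectiveDate);
  d.setUTCDate(d.getUTCDate() - terms.noticePeriodDays);
  return d;
}

// Work out who still needs the email for this version. Safe to re-run after a
// crash: anyone already marked as notified of this version is skipped, and
// deadlineMissed flags that the promised advance period can no longer be met.
function planNotifications(users, terms = CURRENT_TERMS, now = new Date()) {
  const plan = { toNotify: [], alreadyNotified: 0, noEmail: 0, deadlineMissed: now > noticeDeadline(terms) };
  for (const u of users) {
    if ((u.notifiedOfTermsVersion ?? 0) >= terms.version) { plan.alreadyNotified += 1; continue; }
    if (!u.email) { plan.noEmail += 1; continue; }
    plan.toNotify.push(u);
  }
  return plan;
}

// Send through a provider adapter ({ send(to, subject, body) -> boolean }) and
// mark a user as notified only after the send succeeds, so a failed send is
// retried on the next run instead of being silently lost.
function sendTermsNotices(users, sender, terms = CURRENT_TERMS, now = new Date()) {
  const plan = planNotifications(users, terms, now);
  const effective = terms.effectiveDate.toISOString().slice(0, 10);
  const updated = users.map((u) => ({ ...u }));
  let sent = 0;
  for (const u of plan.toNotify) {
    const ok = sender.send(
      u.email,
      `We've updated our Terms (effective ${effective})`,
      `Our Terms of Service change on ${effective} (version ${terms.version}). ` +
        `Review them at /terms. If you do not agree, you can close your account before that date.`,
    );
    if (ok) {
      updated.find((x) => x.id === u.id).notifiedOfTermsVersion = terms.version;
      sent += 1;
    }
  }
  return { sent, plan, users: updated };
}

// Constructed sample users covering the cases the gate has to handle.
const SAMPLE_USERS = [
  { id: 1, email: "ana@example.com", acceptedTermsVersion: 2, notifiedOfTermsVersion: 2 },
  { id: 2, email: "ben@example.com", acceptedTermsVersion: 1 },
  { id: 3, email: "cara@example.com" },             // legacy account, no acceptance record
  { id: 4, email: null, acceptedTermsVersion: 1 },  // no verified address on file
];

// In-memory sender standing in for the transactional provider; failFor simulates
// a provider rejecting some addresses so the retry path can be exercised.
function makeMemorySender(failFor = new Set()) {
  const outbox = [];
  return {
    outbox,
    send(to, subject, body) {
      if (failFor.has(to)) return false;
      outbox.push({ to, subject, body });
      return true;
    },
  };
}
```

Run the notice job from the same place that bumps CURRENT_TERMS (a migration or release step), and wire deadlineMissed into an alert: if the job first runs inside the promised notice window, the effective date has to move, not the promise. Users with no email address show up in noEmail and need the in-app banner path instead.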
External references
- gdpr · Art. 13(3) — Controller must inform data subjects of any changes to processing purposes
- gdpr · Art. 7(3) — Right to withdraw consent — users must be informed of material changes that affect consent basis
- ccpa · §1798.130(a)(5)(B) — Privacy policy must be updated at least every 12 months
- eprivacy · Art. 5(3) — ePrivacy Directive — users must be informed of changes to consent-related processing practices
Taxons
History
- 2026-04-18 · v1.0.0 · Initial import from legal-pages-compliance · automated