Canva Just Got a Lot More Powerful. Here's Why That Should Make You Pause.

I want to talk about something that happened quietly in the design world that I think deserves a lot more attention than it's getting.

Canva, the platform that millions of small businesses, freelancers, coaches, beauty professionals, and creatives use every single day, recently announced a feature called Link Apps. If you haven't heard about it yet, the headline version is this: you can now connect Canva directly to your Gmail, your Google Drive, and other tools you use. Once connected, Canva's AI can read your emails, pull in your contact lists, and (here's the part that made me sit up) send emails on your behalf.

I know. On the surface, that sounds like an incredibly useful time-saver. And for some people, used in the right way, it probably will be. But I need to talk to you about what's actually happening underneath that convenience, because I genuinely worry about the people who will click "Connect" this week without realising what they've just agreed to.

Your contacts didn't sign up for this

Here's the thing that I keep coming back to. When someone gave you their email address, whether to book an appointment, join your mailing list, or work with you on a project, they gave it to you. Not to Canva. Not to Canva's AI. Not to servers in Australia and the United States.

But the moment you connect your Gmail to Canva through this feature, that's exactly where their data is going. Their names. Their email addresses. Potentially the content of emails you've exchanged with them. All of it flowing through an AI system they have never heard of, have never interacted with, and have never been told about.

Under UK GDPR, you are responsible for that data. You are the data controller. Which means that decision, even if it took you three seconds and felt like nothing more than clicking a button, is a legal decision with your name on it.

The free account problem, and why it matters so much

Now here is where I need to be very direct with you, because this is the part that most people don't know.

Canva does have a Data Processing Agreement (DPA), the legally required written contract that governs what it can do with your clients' data when it processes that data on your behalf. It exists, it's reasonably solid, and it includes the international transfer safeguards required for data flowing to the US and Australia.

But it only applies if you are on a paid account. Pro or Teams.

If you are on a free Canva account, and a very large number of people are, there is no DPA. None. On a free account, Canva is acting as a data controller in its own right, not as your data processor. That means Canva's privacy policy, not your instructions, governs what happens to that data. You have no legal agreement in place. And if you connect your Gmail through Link Apps on a free account, you are in direct breach of Article 28 of UK GDPR, which requires a written contract with any processor, before any other issue even enters the picture.

This isn't Canva being uniquely problematic. It's the same story across most of the big platforms: ChatGPT, Claude, Google Gemini. Free or personal accounts don't come with DPAs. The compliance protections that the law requires you to have are sitting behind a subscription paywall, and most people using these tools have no idea.

The purpose problem — and why it's more than just a technicality

There's another layer to this that I think gets overlooked.

When someone gave you their email address, they did it for a reason. To hear from you about your services. To get project updates. Because they trusted you. UK GDPR has a principle called purpose limitation: you can only use personal data for the purpose it was collected for. Using a client's contact details as inputs for a Canva AI feature to draft and send marketing emails they never anticipated is, in most cases, a different purpose entirely. One you don't have a legal basis to proceed with.

I know that sounds dry. But think about it from the other side. If you were a client and you found out that your details, which you'd shared with a small business you trusted, had been pulled into a design platform's AI system to generate automated emails, how would that feel? Probably not great. The fact that it's technically invisible makes it worse, not better.

A special word for anyone in a regulated profession

If you are a therapist, a coach, a healthcare professional, an aesthetic practitioner, or anyone whose Gmail or Drive might contain health information, clinical notes, financial data, or anything else that falls under special category data, please pay particular attention here.

Canva's Link Apps feature has no mechanism to screen the data it ingests. It doesn't know that one of those emails contains a client's mental health disclosure, or that a Drive folder holds consultation forms. It just takes what's there. And special category data under Article 9 of UK GDPR cannot be processed at all unless one of the Article 9 conditions applies, which for a small business almost always means the client's explicit consent, recorded so you can evidence it. The bar is significantly higher, the risk significantly greater, and the consequences of getting it wrong significantly more serious.

If any of that data could end up in the mix, this feature is not something you should be using until you have done serious groundwork first.

So what should you actually do?

I'm not here to tell you not to use Canva. I use it. Most of my clients use it. It's a genuinely good tool. But good and compliant are two different things, and right now, for a lot of people, this particular feature is neither.

The practical steps are straightforward, even if they're not always quick.

If you're going to use Link Apps for anything involving other people's data, you need to be on a paid account — Pro or Teams — before you connect anything. That's the baseline. Without it, nothing else matters because you don't have the legal foundation.

You need to think about whether your privacy notice actually covers this. A generic reference to "third-party tools" isn't going to cut it. Canva needs to be named, and the nature of what it does with data needs to be described.

You need to think about what lawful basis you have for using your contacts' data in this way and whether it's actually the same purpose for which that data was originally collected.

And if you're using the email-sending capability, a human needs to review every single message before it goes out. Fully automated AI-sent email, with no human oversight, is not a defensible position.

The bigger picture

What Canva has built with Link Apps is part of a much wider shift that is happening right now, across almost every platform you use. AI is moving from a tool you operate to an agent that acts on your behalf. It reads your data, contacts your clients, takes actions in the world. The productivity gains are real. So is the legal exposure.

The businesses and professionals that come through this transition well are the ones treating every new AI feature as a data protection decision, not just a workflow upgrade. That takes a few more minutes at the start. It also means you're not the one explaining yourself to the ICO later.

Canva's Link Apps is genuinely useful. But useful has never been the same thing as safe.

Nothing in this piece constitutes legal advice. If you're reviewing your data protection position or need help assessing how AI tools affect your compliance obligations, please speak with a qualified data protection specialist or visit aipolicies.co.uk for resources built specifically for UK businesses.
