Data Sharing with Fraud Prevention and Credit Reference Agencies

What it is

Checkout.com can share your personal and financial data with fraud prevention agencies and credit bureaus, and if fraud is flagged, this could affect your ability to access credit, services, or employment.

Why it matters (compliance & governance perspective)

Sharing data with credit reference agencies can have lasting effects on an individual's credit profile and ability to access financial products, and the individual may not be directly aware this sharing has occurred.

Consumer impact (what this means for users)

This provision means that identity, payment, and transaction data may be shared with external fraud and credit agencies, and a fraud flag in those systems could result in downstream consequences including denial of credit or services beyond Checkout.com's own platform.

What you can do

Institutional analysis (Compliance & governance intelligence)

1. REGULATORY LANDSCAPE: This provision engages GDPR Articles 6 and 9 (legal basis for processing and sharing), UK GDPR equivalents, and the FCA's requirements around financial crime prevention. Sharing with credit reference agencies may also interact with the Consumer Credit Act in the UK and equivalent EU member state legislation. The FTC Act is relevant for US-person data where unfair or deceptive data practices may be implicated. The enforcement authorities include the UK ICO, EU national supervisory authorities, and the FCA for financial crime-related processing. 2. GOVERNANCE EXPOSURE: High. The assertion of legitimate interests as the legal basis for sharing personal data with fraud and credit agencies is a commonly used but scrutinized basis under GDPR, requiring a documented legitimate interests assessment (LIA) that balances organizational interests against individual rights. If such assessments are not maintained and available, this creates regulatory exposure. 3. JURISDICTION FLAGS: UK and EU users face the highest exposure given GDPR and UK GDPR requirements for lawful basis documentation and data subject rights. California residents may have rights to opt out of certain sharing under CPRA. Individuals in jurisdictions with consumer credit reporting laws (UK Consumer Credit Act, US FCRA) may have additional rights regarding credit reference agency data. 4. CONTRACT AND VENDOR IMPLICATIONS: Merchants should confirm that their data processing agreements with Checkout.com address downstream sharing with fraud and credit agencies, particularly where merchant end customers have not been directly notified of this sharing. Procurement teams should assess whether Checkout.com's fraud agency partners are identified and whether data processing agreements with those agencies are in place. 5. COMPLIANCE CONSIDERATIONS: Compliance teams should verify that a documented LIA exists for this processing activity. Privacy notices served to end cardholders by merchants should be reviewed to confirm they disclose this potential sharing. Data mapping exercises should capture credit reference agency data flows and retention periods at those agencies.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Dual Controller and Processor Status medium
• Automated Decision-Making in Fraud Screening medium
• International Data Transfers medium
• Data Subject Rights low
• Legitimate Interests as Legal Basis medium
• Cookie and Tracking Technology Use low

Related Analysis

• Meta Removed 438 Sentences From Its Privacy Policy. Here Is What Disappeared.

  ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.

• 23andMe Is Bankrupt. What Happens to Your DNA Now?

  Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.