What are the institutional and regulatory implications of this document?

1. REGULATORY LANDSCAPE: This policy engages the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), the California Consumer Privacy Act and its amendments under CPRA, the General Data Protection Regulation (GDPR) for EU and UK data subjects, and state privacy laws in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Texas (TDPSA). The FTC holds primary federal enforcement authority over Equifax's consumer protection and privacy obligations, with the CFPB exercising au…

How does Equifax's Equifax Privacy Policy affect users?

The agreement establishes that Equifax collects a broad range of personal information including Social Security numbers, credit history, financial account data, device identifiers, IP addresses, geolocation data, and behavioral inferences, and authorizes sharing this data with affiliates, service providers, business partners, and marketing entities. Under these terms, consumers in qualifying states including California, Virginia, Colorado, Connecticut, and Texas have rights to access, correct, …

How often is Equifax's Equifax Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Equifax updates this document?

Yes. Monitor subscribers ($19/month) can add Equifax to their watchlist and receive same-day email alerts whenever this document or any other Equifax document changes.

CA-D-000591

Equifax Privacy Policy

Equifax

Last change detected May 13, 2026 Privacy policy

SHA-256: ad32b60141eabc9487d… 2 versions captured 1 change documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Equifax ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

9 Total

4 High severity

5 Medium severity

0 Low severity

Summary

This is Equifax's privacy policy, covering how the company collects, uses, and shares personal information including credit history, Social Security numbers, financial records, device identifiers, and browsing behavior across its websites, apps, and data products. The policy authorizes sharing personal information with affiliates, service providers, marketing partners, and third-party data recipients, and discloses that Equifax sells or shares certain personal data for cross-context behavioral advertising, with opt-out rights available for California residents and other qualifying state residents. The policy also discloses that Equifax retains personal information for as long as necessary to fulfill business, legal, and regulatory purposes, without specifying fixed retention periods for most data categories.

Technical / Legal Breakdown

This document is Equifax's consumer-facing privacy policy, governing the collection, use, sharing, and retention of personal information across Equifax's websites, mobile applications, and data services, with stated legal bases including consent, legitimate interest, and legal obligation depending on jurisdiction. The policy states that Equifax collects identifiers, financial data, credit history, Social Security numbers, device information, browsing activity, geolocation data, and inferences derived from consumer profiles, and authorizes sharing this information with affiliates, service providers, business partners, data brokers, marketing partners, and government or law enforcement entities. Notably, as a consumer reporting agency, Equifax occupies a dual role: it is both a data collector subject to general privacy law and a regulated furnisher and user of consumer report data under the Fair Credit Reporting Act, creating a layered compliance structure that the policy acknowledges but does not fully delineate in terms of which rights apply under which framework. The policy references compliance with CCPA and CPRA for California residents, GDPR for EU and UK data subjects, and state-specific frameworks including Virginia, Colorado, Connecticut, and Texas; enforcement and applicability of stated rights depend on the jurisdiction of the consumer and the specific Equifax entity involved.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Start Compliance free trial

1 important change detected

2 versions captured · Last updated: May 2026

May 13, 2026

low

What changed Equifax updated the navigation structure of its privacy policy on May 13, 2026 by adding a new link to the 'Identity & Fraud Services Privacy Statement' in the opening section. The previous version displayed only a general 'Read the Notice' link. The substantive privacy principles and data practices remain unchanged; this appears to be a reorganization of how users navigate to service-specific privacy disclosures.

Why this matters The updated privacy policy adds a direct navigation link to Equifax's Identity & Fraud Services Privacy Statement within the main policy header. This change improves discoverability of service-specific privacy information but does not modify substantive data practices, rights, or obligations. Users can now access service-specific disclosures more readily from the main privacy page.

View full change record →

High — 4 provisions

Collection of Sensitive Personal Information Including SSNs and Financial Data Compare →

The policy states that Equifax collects directly from consumers sensitive personal information including Social Security numbers, financial account data, credit card information, and date of birth, in addition to information obtained from third-party data sources.

Added May 20, 2026 Standard Seen across 284 platforms
Sale and Sharing of Personal Data for Behavioral Advertising Compare →

The policy discloses that Equifax shares personal information with third parties for cross-context behavioral advertising and authorizes consumers in California and certain other states to opt out of this sharing.

Added May 20, 2026 Standard Seen across 284 platforms
FCRA Carve-Out Limiting State Privacy Rights Compare →

The policy states that consumer rights to access, delete, or correct personal information under state privacy laws do not apply to data Equifax holds or uses in its capacity as a consumer reporting agency under the FCRA.

Added May 20, 2026 Standard Seen across 284 platforms
Data Sharing with Affiliates, Service Providers, and Third Parties Compare →

The policy authorizes Equifax to share personal information with affiliates, subsidiaries, service providers, business partners, and marketing partners, including for those third parties' own marketing purposes, subject to consumer opt-out choices.

Added May 20, 2026 Standard Seen across 252 platforms

Medium — 5 provisions

Data Retention Without Fixed Periods Compare →

The policy states that Equifax retains personal information for as long as necessary for business, legal, and regulatory purposes without specifying fixed retention periods for most data categories.

Added May 20, 2026 Standard Seen across 284 platforms
State Privacy Rights for California, Virginia, Colorado, Connecticut, and Texas Residents Compare →

The policy states that residents of California, Virginia, Colorado, Connecticut, and Texas have rights to access, correct, delete, and opt out of the sale or sharing of personal information, exercisable through Equifax's privacy portal or by telephone.

Added May 20, 2026 Standard Seen across 284 platforms
GDPR and UK Privacy Rights for EU and UK Data Subjects Compare →

The policy states that EU and UK data subjects have rights under GDPR and UK GDPR including access, rectification, erasure, restriction, portability, and objection to processing, and that Equifax's lawful bases for processing include consent, contract performance, legal obligation, and legitimate interest.

Added May 20, 2026 Standard Seen across 284 platforms
Sharing with Law Enforcement and Government Entities Compare →

The policy authorizes Equifax to disclose personal information including sensitive financial and credit data to law enforcement and government agencies in response to legal process, governmental requests, or when Equifax determines disclosure is necessary to protect rights, property, or safety.

Added May 20, 2026 Standard Seen across 284 platforms
Use of Tracking Technologies and Device Data for Analytics and Advertising Compare →

The policy states that Equifax and its service providers use cookies, pixels, web beacons, and log files to collect device identifiers, IP addresses, browser type, operating system, browsing history, and behavioral data from users of its websites and mobile applications for analytics and advertising purposes.

Added May 20, 2026 Standard Seen across 284 platforms