Track 1 platform and get the weekly governance digest. No credit card required.
This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology
This is Equifax's privacy policy, covering how the company collects, uses, and shares personal information including credit history, Social Security numbers, financial records, device identifiers, and browsing behavior across its websites, apps, and data products. The policy authorizes sharing personal information with affiliates, service providers, marketing partners, and third-party data recipients, and discloses that Equifax sells or shares certain personal data for cross-context behavioral advertising, with opt-out rights available for California residents and other qualifying state residents. The policy also discloses that Equifax retains personal information for as long as necessary to fulfill business, legal, and regulatory purposes, without specifying fixed retention periods for most data categories.
This document is Equifax's consumer-facing privacy policy, governing the collection, use, sharing, and retention of personal information across Equifax's websites, mobile applications, and data services, with stated legal bases including consent, legitimate interest, and legal obligation depending on jurisdiction. The policy states that Equifax collects identifiers, financial data, credit history, Social Security numbers, device information, browsing activity, geolocation data, and inferences derived from consumer profiles, and authorizes sharing this information with affiliates, service providers, business partners, data brokers, marketing partners, and government or law enforcement entities. Notably, as a consumer reporting agency, Equifax occupies a dual role: it is both a data collector subject to general privacy law and a regulated furnisher and user of consumer report data under the Fair Credit Reporting Act, creating a layered compliance structure that the policy acknowledges but does not fully delineate in terms of which rights apply under which framework. The policy references compliance with CCPA and CPRA for California residents, GDPR for EU and UK data subjects, and state-specific frameworks including Virginia, Colorado, Connecticut, and Texas; enforcement and applicability of stated rights depend on the jurisdiction of the consumer and the specific Equifax entity involved.
Institutional analysis available with Compliance
Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.
Start Compliance free trial2 important changes detected
3 versions captured · Last updated: June 2026
Explicit enumeration of highly sensitive data collection (SSNs, financial and credit card details) provides less protection than the previous version's categorization approach and suggests routine collection practices.
New explicit permission for behavioral advertising use and cross-context data sharing represents a direct expansion of commercial data use practices not clearly articulated in the previous version.
This new carve-out significantly limits consumer privacy rights for the core business function of credit reporting, allowing Equifax to exempt substantial data handling from state privacy law compliance.
Expansion beyond California-only CCPA/CPRA rights to cover multiple state privacy laws (Virginia, Colorado, Connecticut, Texas) reflects evolving U.S. privacy landscape and provides broader coverage of consumer rights.
New provision explicitly acknowledges GDPR/UK GDPR rights, indicating Equifax's international data processing scope and compliance obligations that were not previously stated in the policy.
Removal of explicit biometric data collection disclosure eliminates transparency around sensitive identity verification practices and may obscure such collection under broader categories.
Removal of detailed profiling and inference disclosure eliminates transparency about algorithmic use of personal data to build psychological and behavioral profiles, a practice particularly concerning for credit decisions.
Removal of specific geolocation collection disclosure obscures location data practices, though similar data collection may now be covered under generic 'tracking technologies' language.
Removal of California-specific detailed rights list, though replaced with vaguer multi-state provision, represents less explicit articulation of specific CCPA/CPRA consumer protections.
Removal of detailed sensitive information categorization eliminates transparency around special handling of highly protected data categories and appears to shift to less protective handling under general data practices.
Current version expands scope to explicitly include subsidiaries, service providers, and marketing partners for their own purposes, with weaker language changing 'opt out' to 'subject to your choices.'
Previous version's qualifier 'unless a longer retention period is required or permitted by law' was replaced with affirmative language about satisfying 'business requirements,' potentially extending retention justifications.
Monitoring
Equifax has updated this document before.
Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
Compliance Governance Intelligence
Need provision-level monitoring and regulatory mapping?
Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.
Start Compliance free trialCross-platform context
See how other platforms handle Biometric Data Collection and similar clauses.
Compare across platforms →Governance Monitoring
Structured alerts for policy changes, governance events, and provision updates across 318+ platforms.