Equifax states it may collect biometric data such as fingerprints, voice recordings, and facial geometry to verify your identity when you contact the company online or by phone.
This analysis describes what Equifax's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Biometric data is among the most sensitive personal information because it cannot be changed if compromised. Several states have strict laws governing how companies may collect, store, and share biometric identifiers.
Interpretive note: The policy discloses biometric collection but does not specify whether state-specific consent mechanisms such as those required under Illinois BIPA are implemented, creating uncertainty about whether disclosed practices meet statutory requirements in all applicable jurisdictions.
Removal of explicit biometric data collection disclosure eliminates transparency around sensitive identity verification practices and may obscure such collection under broader categories.
View full change record →If Equifax collects your biometric information for identity verification, that data could be retained and, depending on how the policy is applied, shared with service providers. Illinois, Texas, and Washington impose specific consent and retention requirements for biometric data that may affect how these terms apply to residents of those states.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.
We collect your personal data when you use our Services, create a new eBay account, provide us with information via a web form, add or update information in your eBay account, participate in online community discussions or otherwise interact with us.
Monitoring
Equifax has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Biometric information: Biometric information (such as fingerprints, voice recordings, facial geometry, iris or retina scans) that can be used to identify you. We may collect biometric information to verify your identity when you interact with us online or by phone.— Excerpt from Equifax's Equifax Privacy Policy
REGULATORY LANDSCAPE: This provision directly engages the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), and the Washington My Health MY Data Act to the extent biometric data intersects with health-adjacent processing. Illinois BIPA requires written consent before collection, a publicly available retention schedule, and prohibits sale of biometric identifiers. The FTC also holds general authority over deceptive or unfair data practices under Section 5 of the FTC Act. Where the policy asserts collection and use of biometric data without specifying state-by-state consent mechanisms, tension exists with BIPA's requirements. GOVERNANCE EXPOSURE: High. BIPA has generated significant class action litigation with statutory damages of $1,000 to $5,000 per violation. The policy discloses biometric collection but does not specify whether separate written consent is obtained from Illinois residents as BIPA requires. This gap between policy disclosure and statutory consent requirements represents material litigation exposure. JURISDICTION FLAGS: Heightened exposure in Illinois (BIPA), Texas (CUBI), Washington, and California (CPRA designates biometric data as sensitive personal information requiring opt-in for certain uses). The policy does not specify jurisdiction-specific consent mechanisms, which may be insufficient to satisfy state biometric laws. CONTRACT AND VENDOR IMPLICATIONS: Any service provider that processes biometric data on Equifax's behalf must be assessed for BIPA-compliant data handling, including prohibition on sale and destruction schedules. Vendor agreements should include explicit biometric data handling obligations and indemnification clauses. COMPLIANCE CONSIDERATIONS: Legal teams should audit whether written consent is obtained from Illinois residents prior to biometric collection, confirm whether a biometric retention and destruction schedule has been published as required by BIPA, and assess whether voice recordings used for phone verification meet the statutory definition of biometric identifiers under applicable state laws. Data mapping should separately track biometric data flows distinct from other personal information categories.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Biometric data is among the most sensitive personal information because it cannot be changed if compromised. Several states have strict laws governing how companies may collect, store, and share biometric identifiers.
If Equifax collects your biometric information for identity verification, that data could be retained and, depending on how the policy is applied, shared with service providers. Illinois, Texas, and Washington impose specific consent and retention requirements for biometric data that may affect how these terms apply to residents of those states.
ConductAtlas has identified this type of provision across 21 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Equifax.