Equifax states it keeps your personal information for as long as it needs to for the purposes described in the policy or as required by law, but does not specify fixed retention periods for most data categories.
This analysis describes what Equifax's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Open-ended retention language means Equifax may hold sensitive personal and financial data for extended periods, and consumers have limited visibility into how long specific data types are retained unless they submit access requests.
Interpretive note: The policy's use of open-ended retention language tied to business necessity creates uncertainty about the actual retention period for specific data categories, which varies by purpose and applicable law.
The policy does not commit to specific retention periods for most data categories, which means your biometric, geolocation, and financial profile data may be retained indefinitely as long as Equifax can articulate a business purpose. California residents can submit deletion requests to shorten the effective retention period for their data.
How other platforms handle this
We retain personal data for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements, to resolve disputes, and to enforce our agreements. The criteria used to determine our retention periods include: the length of ...
We may retain de-identified or aggregated information that can no longer be used to identify you for any period of time, including indefinitely.
We retain personal information for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements, or as otherwise permitted or required by applicable law.
Monitoring
Equifax has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We retain personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.— Excerpt from Equifax's Equifax Privacy Policy
REGULATORY LANDSCAPE: CPRA requires that personal information not be retained longer than necessary for the disclosed purpose, and regulators have interpreted this to require that companies establish and document retention schedules. GDPR imposes a storage limitation principle with similar effect for any EU-resident data processed by Equifax. FCRA imposes specific retention limits for certain adverse information in consumer reports (generally 7 years) but does not comprehensively address retention of all personal data categories Equifax holds. Illinois BIPA requires biometric data to be destroyed within 3 years or when the purpose is fulfilled, whichever comes first. GOVERNANCE EXPOSURE: Medium. The absence of specific retention periods in the policy, while common in industry practice, creates compliance risk under CPRA and BIPA where more specific retention obligations apply. Regulators increasingly expect documented retention schedules as part of accountability obligations. JURISDICTION FLAGS: California (CPRA retention adequacy), Illinois (BIPA 3-year biometric destruction requirement), and EU/EEA (GDPR storage limitation for any cross-border data). Heightened exposure for biometric data categories given statutory destruction schedules. CONTRACT AND VENDOR IMPLICATIONS: Service provider agreements should specify data retention and deletion obligations that align with Equifax's policy commitments. Vendors holding personal data must be obligated to delete data upon contract termination or upon Equifax direction following consumer deletion requests. COMPLIANCE CONSIDERATIONS: Legal teams should develop and document a data retention schedule covering all major personal information categories, including SPI and biometric data, with specific retention periods tied to purpose. The schedule should be reviewed against BIPA destruction requirements for biometric data and FCRA adverse information rules. Automated deletion workflows should be implemented where feasible to operationalize retention commitments.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Open-ended retention language means Equifax may hold sensitive personal and financial data for extended periods, and consumers have limited visibility into how long specific data types are retained unless they submit access requests.
The policy does not commit to specific retention periods for most data categories, which means your biometric, geolocation, and financial profile data may be retained indefinitely as long as Equifax can articulate a business purpose. California residents can submit deletion requests to shorten the effective retention period for their data.
ConductAtlas has identified this type of provision across 15 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Equifax.