The policy states that Equifax retains personal information for as long as necessary for business, legal, and regulatory purposes without specifying fixed retention periods for most data categories.
This analysis describes what Equifax's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes an open-ended retention standard that does not specify maximum retention durations for sensitive data categories such as Social Security numbers, financial account data, or credit history, which may require further evaluation under GDPR's storage limitation principle and CPRA's data minimization requirements.
Interpretive note: The policy does not specify whether internal retention schedules exist for individual data categories, and the interaction between open-ended retention language and GDPR's storage limitation principle creates interpretive uncertainty for EU and UK data subjects.
Under this clause, Equifax retains personal information including sensitive financial and identity data for an unspecified duration tied to business and regulatory necessity; consumers with deletion rights under applicable state or international law may submit requests, though FCRA-governed data is subject to the carve-out described elsewhere in the policy.
How other platforms handle this
We retain personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. The specific retention periods depend on the type of information and the purposes for which it is processed.
We keep information for as long as we need it to provide our products, comply with legal obligations, or for other legitimate purposes, such as to maintain safety, security, and integrity.
After your account is deleted, we keep data about interactions you've had on our service to prevent abuse, ban evaders and others in an effort to protect and ensure the safety and security of our service and our members.
Monitoring
Equifax has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We retain personal information for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, regulatory, and business requirements.— Excerpt from Equifax's Equifax Privacy Policy
1. REGULATORY LANDSCAPE: GDPR's storage limitation principle requires that personal data be kept no longer than necessary for the specified purpose, with documented retention schedules expected. CPRA's data minimization provisions similarly require that data not be retained beyond what is necessary. The FTC and applicable State AGs may scrutinize retention of sensitive data beyond documented necessity. FCRA specifies its own maximum reporting periods for certain adverse information categories. 2. GOVERNANCE EXPOSURE: Medium. The absence of specific retention periods in the policy creates compliance exposure under GDPR where data subjects request information about retention duration, as required by GDPR transparency obligations. Under CPRA, open-ended retention language may be subject to regulatory scrutiny for compliance with data minimization requirements. 3. JURISDICTION FLAGS: EU and UK data subjects are entitled under GDPR to be informed of the retention period or criteria used to determine it; the policy's current language may not fully satisfy this transparency requirement. California's CPRA requires that businesses not retain personal information longer than reasonably necessary, and the CPPA may scrutinize open-ended retention standards. 4. CONTRACT AND VENDOR IMPLICATIONS: Service providers and business partners receiving Equifax data should confirm contractual retention limits are consistent with applicable law, particularly for EU data transfers where GDPR-compliant retention schedules are a standard contractual clause requirement. 5. COMPLIANCE CONSIDERATIONS: Compliance teams should assess whether Equifax maintains internal retention schedules for each data category that could be disclosed to data subjects upon request, and whether those schedules have been validated against FCRA maximum reporting period limits, GDPR storage limitation requirements, and CPRA data minimization standards.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes an open-ended retention standard that does not specify maximum retention durations for sensitive data categories such as Social Security numbers, financial account data, or credit history, which may require further evaluation under GDPR's storage limitation principle and CPRA's data minimization requirements.
Under this clause, Equifax retains personal information including sensitive financial and identity data for an unspecified duration tied to business and regulatory necessity; consumers with deletion rights under applicable state or international law may submit requests, though FCRA-governed data is subject to the carve-out described elsewhere in the policy.
ConductAtlas has identified this type of provision across 3 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Equifax.