Data Sharing with Affiliates, Service Providers, and Third Parties

What it is

The policy authorizes Equifax to share personal information with affiliates, subsidiaries, service providers, business partners, and marketing partners, including for those third parties' own marketing purposes, subject to consumer opt-out choices.

Why it matters (compliance & governance perspective)

This provision establishes that personal information including financial and credit data may be shared with marketing partners for independent marketing use, not solely for Equifax's own service delivery, which is a category of sharing with direct implications under CPRA's sale and share definitions and GDPR's data controller and processor distinctions.

Consumer impact (what this means for users)

Under this provision, Equifax authorizes sharing of consumer personal information with marketing partners for those partners' own marketing purposes; consumers with applicable state rights may opt out of this sharing through Equifax's privacy portal.

What you can do

Institutional analysis (Compliance & governance intelligence)

1. REGULATORY LANDSCAPE: Sharing personal information with third parties for their own marketing purposes implicates CPRA's definition of sale and share, the FTC Act's prohibition on unfair or deceptive practices, and GLBA's opt-out requirements for sharing with non-affiliated third parties. GDPR requires a documented lawful basis and, in many cases, separate consent for third-party marketing sharing. The FTC and applicable State Attorneys General are the primary enforcement authorities. 2. GOVERNANCE EXPOSURE: Medium to High. The authorization to share with marketing partners for independent purposes creates joint controller or data broker relationships that require specific contractual protections under CPRA and GDPR. Where the shared data includes financial or credit-related inferences, GLBA's opt-out notice requirements may apply in addition to state privacy law opt-outs. 3. JURISDICTION FLAGS: California residents have specific CPRA rights to opt out of sharing for cross-context behavioral advertising and to receive disclosure of categories of third parties with whom data is shared. EU and UK data subjects require a GDPR-compliant basis for any transfer to third-party marketing organizations. GLBA opt-out requirements apply broadly to U.S. consumers for sharing with non-affiliated financial entities. 4. CONTRACT AND VENDOR IMPLICATIONS: Marketing partners receiving personal data from Equifax under this provision should ensure their data use agreements comply with CPRA's requirements for service providers versus third parties, and that GLBA opt-out notices are coordinated with Equifax's consumer-facing disclosures. 5. COMPLIANCE CONSIDERATIONS: Compliance teams should audit the list of marketing and business partner categories with whom data is shared, confirm that GLBA opt-out notices are current, and verify that CPRA-required disclosure of sharing categories is accurate and updated when new partner categories are added.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Collection of Sensitive Personal Information Including SSNs and Financial Data high
• Sale and Sharing of Personal Data for Behavioral Advertising high
• FCRA Carve-Out Limiting State Privacy Rights high
• Data Retention Without Fixed Periods medium
• State Privacy Rights for California, Virginia, Colorado, Connecticut, and Texas Residents medium
• GDPR and UK Privacy Rights for EU and UK Data Subjects medium

Related Analysis

• Meta Removed 438 Sentences From Its Privacy Policy. Here Is What Disappeared.

  ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.

• 23andMe Is Bankrupt. What Happens to Your DNA Now?

  Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.