The policy states that consumer rights to access, delete, or correct personal information under state privacy laws do not apply to data Equifax holds or uses in its capacity as a consumer reporting agency under the FCRA.
This analysis describes what Equifax's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes a material limitation on state privacy rights: because Equifax's core business involves FCRA-governed consumer report data, a substantial portion of the personal information it holds may fall outside the scope of CCPA, CPRA, and comparable state law deletion and access rights, with distinct FCRA dispute procedures applying instead.
Interpretive note: The scope of FCRA preemption relative to newer state privacy statutes in Virginia, Colorado, Connecticut, and Texas has not been fully resolved by authoritative regulatory guidance, and the precise boundary between FCRA-governed and non-FCRA data at Equifax is not specified in the policy.
Under this clause, the agreement establishes that requests to delete, access, or correct personal information held as part of a consumer report are governed by FCRA dispute procedures rather than state privacy law rights, which means consumers must use Equifax's credit report dispute process for data in that category.
How other platforms handle this
For individuals in the United States, please also refer to our Notice For Individuals Residing In Certain US States below and the Consumer Health Data Policy.
If you are a California resident, you may have the right to: Know what personal information we collect, use, disclose, sell, or share. Correct inaccurate personal information. Delete your personal information. Opt out of the sale or sharing of your personal information. Limit the use and disclosure ...
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
Monitoring
Equifax has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Please note that your rights to access, delete, or correct personal information may not apply to information that Equifax collects, uses, or discloses in connection with consumer reports or other activities governed by the Fair Credit Reporting Act.— Excerpt from Equifax's Equifax Privacy Policy
1. REGULATORY LANDSCAPE: The FCRA expressly preempts certain state law requirements with respect to consumer report data, and the CFPB and FTC share primary enforcement authority. The interaction between FCRA preemption and state privacy laws including CCPA and CPRA is an area of ongoing regulatory and legal interpretation; the CCPA explicitly excludes FCRA-governed data from certain deletion and access rights, a carve-out Equifax's policy invokes. The extent of FCRA preemption relative to newer state privacy statutes in Virginia, Colorado, Connecticut, and Texas is not fully settled by authoritative regulatory guidance. 2. GOVERNANCE EXPOSURE: High. The FCRA carve-out affects a large proportion of the data Equifax holds on most consumers. Compliance teams relying on standard CCPA or GDPR frameworks to govern data rights requests submitted to Equifax may find that requests are redirected to FCRA dispute channels with different timelines, documentation requirements, and remediation standards. 3. JURISDICTION FLAGS: California's CCPA explicitly excludes personal information collected, processed, sold, or disclosed pursuant to FCRA from its access, deletion, and correction rights. However, the scope of FCRA preemption under Virginia, Colorado, Connecticut, and Texas statutes is less clearly defined. EU and UK data subjects are not subject to FCRA preemption, though Equifax's processing of EU resident data for credit purposes may involve separate legal frameworks. 4. CONTRACT AND VENDOR IMPLICATIONS: Business customers using Equifax consumer report data in employment, tenancy, or credit decisions must maintain their own FCRA permissible purpose documentation. Data processing agreements should address how data rights requests received by business customers are routed to Equifax's FCRA dispute channel versus its general privacy rights portal. 5. COMPLIANCE CONSIDERATIONS: Compliance teams should map which data categories at Equifax fall within the FCRA carve-out and which do not, to ensure that consumer rights requests are routed to the correct channel and responded to under the applicable legal framework. Where Equifax holds both FCRA-governed and non-FCRA data on the same individual, the policy does not clearly describe how partial requests are handled.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes a material limitation on state privacy rights: because Equifax's core business involves FCRA-governed consumer report data, a substantial portion of the personal information it holds may fall outside the scope of CCPA, CPRA, and comparable state law deletion and access rights, with distinct FCRA dispute procedures applying instead.
Under this clause, the agreement establishes that requests to delete, access, or correct personal information held as part of a consumer report are governed by FCRA dispute procedures rather than state privacy law rights, which means consumers must use Equifax's credit report dispute process for data in that category.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Equifax.