Equifax discloses that it may collect categories of information classified as sensitive under California law, including your Social Security number, financial account credentials, precise location, racial or ethnic origin, and biometric data.
This analysis describes what Equifax's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
These are the most sensitive categories of personal data, and their collection by any entity, particularly a data broker that has experienced significant data breaches historically, creates meaningful risk if data is misused or exposed.
Equifax holds some of the most sensitive categories of personal information about you, including government identifiers and financial credentials, and California residents have the right under CPRA to limit how this sensitive personal information is used, including for marketing and profiling purposes. You can exercise this right through the Equifax privacy rights portal.
"Sensitive personal information: Social Security number, driver's license number, state identification card number, passport number; Account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; Precise geolocation; Racial or ethnic origin, religious or philosophical beliefs, or union membership; Contents of a consumer's mail, email, and text messages unless we are the intended recipient of the communication; Genetic data; Biometric information processed for the purpose of uniquely identifying a consumer."
Excerpt from Equifax's Equifax Privacy Policy
REGULATORY LANDSCAPE: CPRA establishes a distinct category of sensitive personal information (SPI) and grants California consumers the right to limit its use and disclosure to purposes reasonably necessary to provide requested services. SPI under CPRA includes many categories Equifax discloses collecting: Social Security numbers, financial credentials, precise geolocation, racial origin, and biometric data. FCRA separately governs some of these categories when used in consumer reports but does not limit collection or secondary use as comprehensively as CPRA. The Social Security number as a data element is also subject to federal and state identity theft protection statutes.
GOVERNANCE EXPOSURE: High. The breadth of SPI categories Equifax discloses collecting, combined with its role as a data broker and its historical data breach exposure (the 2017 Equifax breach affected approximately 147 million consumers), creates significant governance and reputational risk. Regulators are likely to scrutinize SPI handling practices for entities of this scale.
JURISDICTION FLAGS: California (CPRA SPI limitation right), Texas, Colorado, Virginia, and Connecticut with comparable SPI frameworks. Federal law also imposes obligations for specific SPI elements such as Social Security numbers under various identity theft and financial privacy statutes.
CONTRACT AND VENDOR IMPLICATIONS: Service providers that access or process SPI on Equifax's behalf must be subject to contracts that restrict use to specified purposes and prohibit secondary use or sale. Data security obligations for SPI should be heightened relative to non-sensitive data categories.
COMPLIANCE CONSIDERATIONS: A dedicated SPI inventory should be maintained separate from general personal information records. CPRA's limitation right must be operationalized with a clear and accessible mechanism. Data security controls for SPI categories including SSNs and financial credentials should be subject to enhanced access controls and monitoring. Breach response procedures should prioritize SPI breach notification given the heightened statutory obligations triggered by exposure of these categories.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Equifax.