TransUnion may collect highly sensitive categories of personal information including your Social Security number, precise location, biometric identifiers, racial or ethnic origin, health information, and financial account credentials.
This analysis describes what TransUnion's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
These categories of data carry the highest privacy risk; their exposure in a data breach or unauthorized sharing can cause significant harm including identity theft, discrimination, and financial loss.
Collection of biometric data, precise geolocation, racial or ethnic origin, and health information alongside financial identifiers means a security incident at TransUnion could expose you to a wide range of personal harms beyond credit fraud.
Cross-platform context
See how other platforms handle Sensitive Personal Information Collection and similar clauses.
Compare across platforms →Monitoring
TransUnion has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We may collect the following categories of sensitive personal information: Social Security, driver's license, state identification card, or passport number; Account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; Precise geolocation; Racial or ethnic origin, religious or philosophical beliefs, or union membership; The contents of mail, email, or text messages unless we are the intended recipient of the communication; Genetic data; Biometric information processed for the purpose of uniquely identifying a consumer; Personal information collected and analyzed concerning a consumer's health; Personal information collected and analyzed concerning a consumer's sex life or sexual orientation.— Excerpt from TransUnion's TransUnion Privacy Policy
REGULATORY LANDSCAPE: Under the CPRA, sensitive personal information receives heightened protection, including the right to limit its use and disclosure beyond what is necessary to perform the disclosed services. The CPRA's implementing regulations, enforced by the California Privacy Protection Agency, require that sensitive data use be limited unless the consumer consents to broader use. Biometric data collection implicates BIPA in Illinois, which requires informed written consent and prohibits profit from biometric identifiers. Health information, depending on its source and use, may engage HIPAA, though TransUnion is not a covered entity in the traditional sense. Precise geolocation data raises additional concerns under state wiretapping and location privacy statutes. GOVERNANCE EXPOSURE: High. The collection of biometric information and health-related data in a commercial credit and data services context is operationally unusual and creates elevated regulatory scrutiny risk, particularly in states with specific biometric and health data statutes. The notice does not clearly articulate the purpose or frequency of biometric data collection, which creates ambiguity about whether BIPA consent requirements are being met. JURISDICTION FLAGS: Illinois BIPA creates a private right of action for biometric data collection without consent, with statutory damages per violation. Washington's My Health MY Data Act may apply to health data collection. California residents have the right to limit use of sensitive personal information. States without specific biometric laws may still regulate collection under general consumer protection authority. CONTRACT AND VENDOR IMPLICATIONS: Organizations receiving TransUnion data that includes sensitive categories should confirm contractually that they are authorized to receive and use such data and that the collection was lawfully conducted. Use of sensitive data in automated decision-making, including credit scoring or employment screening, may trigger additional legal requirements. COMPLIANCE CONSIDERATIONS: Legal teams should verify that each sensitive data category listed is actually collected in TransUnion's current operations and that notice and consent mechanisms match the collection. The right to limit use of sensitive personal information under CPRA should be operationalized and tested. Biometric data collection should be reviewed against BIPA requirements for written consent and a publicly available retention and destruction policy.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
These categories of data carry the highest privacy risk; their exposure in a data breach or unauthorized sharing can cause significant harm including identity theft, discrimination, and financial loss.
Collection of biometric data, precise geolocation, racial or ethnic origin, and health information alongside financial identifiers means a security incident at TransUnion could expose you to a wide range of personal harms beyond credit fraud.
ConductAtlas has identified this type of provision across 8 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by TransUnion.