Contents
Executive Summary
1. Background
2. Methodology
3. Key Findings
4. Marketplace and Policy Recommendations
Executive Summary
Maintaining a good credit score is the key to accessing loans and credit cards at competitive
interest rates. But that’s not all. Credit scores are sometimes also used to set rates on individual
auto and homeowners insurance policies, and to decide who is offered a lease on an apartment.
Unfortunately, the credit reporting system is opaque and confusing for consumers. While
Americans have a legal right to access their credit reports once per year free of charge, they do
not have a similar right to see the credit scores that lenders use to evaluate them. This problem
is compounded by credit reporting errors, which are common and can be difficult to resolve.
Those errors can affect an individual’s score and do serious financial damage.
Consumer Reports has long advocated for laws that would entitle everyone to access the same
credit score that lenders use, free of charge. That information would give consumers an
accurate picture of their credit history and of their ability to access credit at competitive interest
rates.
In the absence of that right, an entire industry has emerged to provide access to credit scores
and other credit information. Credit scoring apps provide users with easy access to credit scores
and reports, and promise to help them improve their credit standing. Several of these apps have
become extremely popular. A Consumer Reports review of some of the more widely used credit
scoring apps, however, has found that they may not be providing the benefits that users expect,
and may be creating risks that users do not expect.
We examined five nonbank service providers that position access to a credit score as a core
consumer benefit of their offerings: Credit Karma, Credit Sesame, Experian Credit Report,
myFICO, and TransUnion: Score & Report. Our goal was to understand the benefits and costs
of these services to consumers. In particular, we set out to identify the specific credit information
that these apps provide to users, to document the fees that these services charge, to assess the
services’ business models, and to evaluate these services’ privacy practices.
CR found:
- Four of the five provide users with credit scores that may differ from those that lenders
  actually use to evaluate consumers’ creditworthiness (Credit Karma, Credit Sesame,
  Experian Credit Report, and TransUnion: Score & Report).
- Four of the five often charge users for access to their credit reports—information that
  consumers are legally entitled to receive free of charge (Credit Sesame, Experian Credit
  Report, myFICO, and TransUnion: Score & Report).
- All five appear to collect more personal data from users than what the apps need to
  perform their core functions, and all appear to share data beyond parties named in their
  privacy policies.
- Four of the five attempt to cross-sell products and services under the guise of providing
  personalized “advice” or “recommendations” for improving credit, while disclosing in the
  fine print that the recommended services aren’t necessarily in the user’s best interest
  (Credit Karma, Credit Sesame, Experian Credit Report, and TransUnion: Score &
  Report).
- All five require users to agree to mandatory arbitration clauses that may jeopardize their
  ability to enforce their rights in the event they are harmed.
These services do provide credit scores that some consumers might otherwise be unable to
obtain. But the industry exists largely because consumers cannot easily get critical credit
information to which they should be legally entitled, free of charge. All consumers should have a
legal right to obtain a free, accurate credit score. If consumers had such a right, the most basic
value proposition for these services—providing access to a credit score—would no longer exist.
Information used to evaluate individual creditworthiness should not be withheld from consumers,
or be obtainable by them only for a fee or as part of a service for which they must share
personal information about themselves.
Consumer Reports’ investigation of credit score apps is part of a broader initiative to monitor,
evaluate, and strengthen consumer protections in the burgeoning digital financial marketplace,
made possible, in part, by a grant from Flourish Ventures’ fund at the Silicon Valley Community
Foundation.
1. Background
Credit scores were originally developed in the 1950s to help financial institutions decide whether
to lend a consumer money, how much to lend, and at what interest rate.
They have since come to be used for other purposes, many of which are unrelated to the
extension of credit.[1] For example, some insurers use credit scores to set auto, life, and
homeowners insurance policy prices for individual customers, and many landlords use them to
screen potential tenants.[2]
Credit scores are derived from information contained in a consumer’s credit reports, or credit
files. The data in credit reports is collected and maintained by consumer reporting agencies
(CRAs), also known as credit bureaus. The three largest credit bureaus, Equifax, Experian, and
TransUnion, each maintain a file on more than 200 million consumers, according to the
Consumer Financial Protection Bureau (CFPB).[3] The information in those files includes how
much the consumer owes to creditors, how much may be borrowed on current lines of credit, a
detailed history of loan repayments (including late payments), and a list of any accounts in
collection, bankruptcies, and “inquiries” from creditors, insurers, employers, etc.[4]
Consumers do not have a single or definitive credit score, even at a given moment. Instead,
competing credit score providers offer scores based on their own credit report analyses and
formulas, each aiming to most accurately predict the likelihood of a would-be borrower repaying
a loan. And some credit score providers offer multiple scores, each with a supposedly unique
emphasis or purpose.[5] As a result, many consumers may have more than a hundred different
credit scores, most of which they do not know about.[6]
The formulas and analytic processes that credit score providers use to generate credit scores
are treated as proprietary, and are kept largely opaque to consumers (and to researchers). Two
companies dominate the credit score industry: FICO and VantageScore. While both publicly
disclose some of the data points they consider in generating credit scores, neither makes public
a complete list of the factors that go into their scoring algorithms or provides detail about how
various factors are weighted relative to one another.[7]
[1] Fair, Isaac and Company, known as FICO, working with the three largest credit reporting agencies,
introduced its score in 1989: https://time.com/3961676/history-credit-scores/.
[2] Lisa Rice and Deidre Swesnik, Discriminatory Effects of Credit Scoring
on Communities of Color, at 938, available at
https://cpb-us-e1.wpmucdn.com/sites.suffolk.edu/dist/3/1172/files/2014/01/Rice-Swesnik_Lead.pdf (PDF).
[3] Consumer Financial Protection Bureau (CFPB), Key Dimensions and Processes in the U.S. Credit
Reporting System, 21 (2012):
https://files.consumerfinance.gov/f/201212_cfpb_credit-reporting-white-paper.pdf (PDF).
[4] https://files.consumerfinance.gov/f/2011/07/Report_20110719_CreditScores.pdf (PDF) at 3.
[5] https://www.fico.com/blogs/fico-resilience-index-now-available-lenders-pilot.
[6] “When you add up all the brands and customized versions, each consumer may have more than a
hundred different scores, and most of them you may never see or even know about,” says John
Ulzheimer, a credit expert who has worked at FICO and Equifax:
https://www.consumerreports.org/credit-scores-reports/how-to-make-sense-of-your-credit-scores/.
The federal Fair Credit Reporting Act, passed in 1970, gives consumers some basic rights and
protections with regard to credit files, including the right to periodically access their credit report
at no cost. The FCRA also limits what information can be placed in credit reports and how that
information can be used. In December 2003, the Fair and Accurate Credit Transactions (FACT)
Act was signed into law and required the nationwide credit bureaus to provide consumers with a
free copy of their credit report once per year (which they can do at AnnualCreditReport.com).[8]
Consumers have good reasons to check both their credit reports and scores on a regular basis.
A credit score often determines the cost of borrowing. A credit score can even mean the
difference between obtaining a mortgage or small business loan and being denied one. Many
consumers, therefore, check their credit reports and track their credit scores with the aim of
maintaining or improving their credit standing.
Tracking one’s credit is especially important in light of the notorious inaccuracy of credit reports.
A landmark 2012 report by the Federal Trade Commission found that of 1,001 consumers, 1 in 5
identified an error in one or more reports. And of those who successfully disputed errors, nearly
30 percent had a score increase of more than 25 points after the dispute was resolved. In
Consumer Reports’ Credit Checkup project, done in spring 2021, 34 percent of volunteers found
errors in their credit reports.
Consumers have a legal right to access a free credit report, but they do not have a legal right to
obtain a free credit score, except under limited circumstances.[9] Instead, consumers who want to
access their credit score may do so by getting one from a financial institution with which they
have an existing relationship, or by enrolling in a service that offers a credit score.
Many traditional financial companies, including banks and credit card issuers, make credit
scores available to consumers, in some cases to existing customers only and in others to both
customers and prospective customers.[10] For example, American Express, Discover, and Chase
make credit scores available to existing customers as well as to individuals who create online
accounts specifically for that purpose.[11]
[7] See, for example, this from the VantageScore website, “We consider things like how many credit accounts
people have, how much they borrow and how promptly they make required payments. These and other
key factors influence a person’s credit report and, ultimately, their VantageScore credit score.”
https://vantagescore.com/consumers/why-vantagescore/how-it-works, and this from the myFICO website,
“Your FICO Scores are unique, just like you. They are calculated based on the five categories referenced
above, but for some people, the importance of these categories can be different.”
https://www.myfico.com/credit-education/whats-in-your-credit-score. See also: Danielle K. Citron and
Frank Pasquale, Essay, The Scored Society: Due Process for Automated Predictions, 11,
89 Wash. L. Rev. 1 (2014), available at: https://digitalcommons.law.uw.edu/wlr/vol89/iss1/2.
[8] https://www.experian.com/help/annual-credit-report.html.
[9] As stated in 15 U.S. Code § 1681m, those limited circumstances include when a lender provides credit
based, in whole or in part, on a credit report or score using risk-based pricing; when a consumer applies
for a mortgage; and when a lender takes an adverse action against a borrower or potential borrower, such
as denial of credit.
Numerous nonbank companies also offer credit scores to individual consumers, either as part of
a larger suite of services or as stand-alone products. Some, such as Credit Karma, Credit
Sesame, myFICO, and the credit agency Experian, position access to a credit score as the
primary benefit of the service, while, in some cases, offering additional services.[12] In other
cases, score access is marketed as an ancillary benefit to the primary product or service on
offer. For example, LifeLock Ultimate Plus includes access to credit scores along with its identity
theft protection service.[13]
Research by both the CFPB[14] and Consumer Reports[15] has shown that most of the credit
scores that consumers can access are of questionable value—and are potentially damaging to
consumers—because they are not necessarily the scores that lenders actually use. (More
details on that research are discussed below, in the Key Findings section.)
Nevertheless, services that offer consumers access to credit scores are popular. Credit Karma,
for example, claims that it has 100 million users, including “almost half of all U.S. Millennials.”[16]
When asked about their experiences with these services, consumers tell CR that they generally
like them for keeping track of their credit information and catching unauthorized use, and they
like the 24/7 access to information. While many told CR that they had no complaints, some
users raised concerns about accuracy of the information, the annoyance of near-constant
marketing—including being pushed to sign up for additional credit rather than decrease
debt—and the risk of their data being sold or lost. This study aims to understand the potential
risks and costs consumers face when using these services.
[10] https://www.forbes.com/advisor/credit-cards/credit-card-issuers-that-offer-a-free-credit-score/.
[11] https://www.chase.com/personal/credit-cards/chase-credit-journey;
https://www.americanexpress.com/us/credit-cards/features-benefits/free-credit-score/; and
https://www.discover.com/free-credit-score/.
[12] The top myFICO web page text says, “Your FICO Score, from FICO 90% of top lenders use FICO®
Scores—do you know yours?” https://www.myfico.com/.
[13] https://www.lifelock.com/.
[14] https://files.consumerfinance.gov/f/2011/07/Report_20110719_CreditScores.pdf (PDF).
[15] https://advocacy.consumerreports.org/research/errors-and-gotchas-how-credit-report-errors-and-unreliable-credit-scores-hurt-consumers/
[16] https://www.creditkarma.com/pressreleases#:~:text=in%20the%20U.S.-,About%20Credit%20Karma,half%20of%20all%20U.S.%20millennials.
2. Methodology
Dozens of companies offer consumers access to their credit scores. For this study, we decided
to examine services that meet all of the following criteria:
1) Services that offer credit score access, either directly or as part of a broader bundle of
services.
2) Services that market credit score access as a core piece of their value proposition.
3) Services that deliver credit score access via a mobile application, which would enable us
to evaluate their data privacy and security practices.
We then further narrowed the number of services we evaluated to the five most popular ones,
using the number of app downloads (as reported by Google Play and Comscore) as a proxy for
popularity.
Based on those criteria, we evaluated the following services:[17]
- Credit Karma
- Credit Sesame
- Experian Credit Report
- myFICO
- TransUnion: Score & Report
These services use a range of business models. Some charge a fee for credit scores, others
charge a fee for a bundle of services that includes access to credit scores, and one, Credit
Karma, does not charge for access to credit scores.
To conduct the study, CR experts enrolled in these services, and examined their websites,
mobile apps, and App Store and Play Store descriptions, as well as their marketing, privacy
policies, and terms of service. We also interviewed approximately 20 consumers who use these
services and collected more than 300 narratives from members of Consumer Reports who use
the services. The goal was to understand what information users gain access to when using
these services, the type of information that the services collect from and about their users, how
the services share that information, and the cost structure of the services.
CR also contacted the five companies with detailed questions about their practices, based on
our initial findings. While none provided responses to all of the questions, all five (Credit Karma,
Credit Sesame, Experian Credit Report, TransUnion, and myFICO) provided information that
helped inform this report.
[17] The third major credit bureau, Equifax, did not offer a similar service that met our criteria at the
time of the study.
3. Key Findings
Finding #1: Apps Provide or Sell Unhelpful Credit Scores
The scores shown to users by these services are unlikely to be the scores lenders use to
make lending decisions. Only myFICO shows users the “industry” credit scores that
lenders typically use to make lending decisions. The lowest rate myFICO charges for
access to FICO industry scores is $19.95 per month.
All these services advertise that they provide consumers with their credit score. In fact, only one
provides consumers with scores that some lenders actually use to evaluate consumers and
make lending decisions. This means that consumers are not always getting a true picture of
their creditworthiness as it will be assessed by lenders.
Credit Karma, Credit Sesame, and TransUnion: Score & Report provide users with
VantageScore 3.0, while Experian Credit Report provides FICO 8 to users. These are “generic”
credit scores that are designed and sold to predict payment behavior on a wide range of credit
products.[18] So-called “industry” scores, by contrast, are designed to predict performance on
specific types of credit, such as automobile loans or mortgages.[19] Of the services CR evaluated,
only myFICO provides users with industry scores.
MyFICO claims in its marketing materials that FICO scores are “used by 90% of top lenders”
and that because myFICO shows users a variety of scores, users “can get the right score for
your goal, including the versions most frequently used when you apply for a mortgage, auto loan
or credit card.”[20] MyFICO’s least expensive plan offering access to these FICO scores costs
consumers more than $200 per year.[21]
Table 1 shows which credit scores are offered to consumers by which credit score services.
Table 1: Credit Scores Offered to Users
| Service | Score(s) |
|---|---|
| Credit Karma | VantageScore 3.0 |
| Credit Sesame | VantageScore 3.0 |
| Experian Credit Report | FICO 8 |
| myFICO | FICO scores including FICO 2, 4, 5, 8, 9; FICO Bankcard Score 8; and the FICO Resilience Index |
| TransUnion: Score & Report | VantageScore 3.0 |
[18] https://files.consumerfinance.gov/f/2011/07/Report_20110719_CreditScores.pdf (PDF) at 5.
[19] https://files.consumerfinance.gov/f/2011/07/Report_20110719_CreditScores.pdf (PDF) at 5.
[20] https://www.myfico.com/products/fico-score-how-it-works.
[21] MyFICO’s lowest-priced tier costs $19.95 per month for access to FICO scores:
https://www.myfico.com/.
Several individuals who wrote to Consumer Reports regarding their experiences with these
apps made the observation that the scores they received from the services were not the same
as those they were quoted by lenders.
“I have used Credit Karma as an easy way to keep track of my credit score, but I
found it didn’t actually reflect the credit score I was revealed to have during an
important big purchase. It was frustrating and disappointing because I thought it
was more accurate.” —Janet H.
The apps that provide the generic scores do not give consumers clear guidance about the
limitations of the scores. This could have adverse consequences for consumers, as discussed
in a 2012 CFPB report to Congress. Consumers who get scores that lenders do not use may
have an inaccurate sense of their creditworthiness. Those with an inflated sense of their
creditworthiness will be apt to waste time and money applying for loans for which they’re
unlikely to be approved. (And hard credit inquiries can hurt the consumer’s credit score, further
driving up the cost of credit.) Those with a too-low sense of their creditworthiness may settle for
worse terms than they could get with a more accurate view.[22]
Finding #2: Apps Often Charge for Free Credit Reports
Four of the five app services charge extra for access to credit reports from the three
largest credit reporting agencies, which consumers are legally entitled to access free of
charge at AnnualCreditReport.com. None of them direct consumers to access their free
credit reports from this central government-mandated website.
As discussed above, an individual’s credit scores are derived from the information in their credit
reports. Consumers have the legal right to one free credit report per year from each of the three
major credit bureaus, at AnnualCreditReport.com, and since the start of the COVID-19
pandemic, the credit bureaus have allowed free access to reports once per week.
For several reasons, a credit score is simply not a valuable tracking tool without access to the
underlying data in a credit report. Without the underlying data, for example, consumers are
unlikely to know whether their scores have been reduced by damaging credit events such as
late bill payments, multiple credit inquiries, a high credit utilization rate, or even by falsely
attributed debt generated by an identity thief. Further, decades of research suggest that credit
reports have a high potential for errors, and consumers who do not access and review their
credit reports may never learn of mistakes in the data used to score them. Uncontested errors
can be costly to consumers, potentially leading to lower credit scores and/or the denial of credit
or worse terms for credit.
None of the apps give users the same no-fee access to all three of their credit reports that
consumers can get at AnnualCreditReport.com, and none of them direct consumers to
AnnualCreditReport.com to access those free credit reports. Instead, as shown in Table 2
below, four of the five services (Credit Sesame, Experian Credit Report, myFICO, and
TransUnion: Score & Report) charge users a fee to access their credit reports. (The frequency
with which consumers can access their credit reports through these services varies, and users
who wish to see their reports more often could be charged more.) The fifth service under review,
Credit Karma, provides no-cost access to two of the three credit reports.
[22] https://files.consumerfinance.gov/f/2011/07/Report_20110719_CreditScores.pdf (PDF) at 15.
Table 2: Credit Report Access and Associated Costs
| Service | Credit Report Access? | Fee Structure |
|---|---|---|
| Credit Karma | Yes; TransUnion and Equifax | No fee to access score or reports |
| Credit Sesame | Yes; requires an additional fee | Score at no fee; Premium, $19.95/month: All three full credit reports, “advanced credit monitoring and alerts,” and “24/7 credit dispute resolution assistance” |
| Experian Credit Report | Yes; Experian report available free; fee for Equifax and TransUnion credit report access | FICO 8 score and Experian report available at no fee; Premium, $19.99/month includes monthly 3-bureau report and FICO scores |
| myFICO | Yes; number and timing of reports depends on fee tier | Basic, $19.95/month: FICO scores and Experian credit report, once a month; Advanced, $29.95/month: FICO scores and 3-bureau reports updated every 3 months; Premier, $39.95/month: FICO scores and 3-bureau reports, updated every month |
| TransUnion: Score & Report | Yes; requires an additional fee | $24.95/month; unlimited score and TransUnion report access, updated daily |
Credit Sesame positions access to credit reports as a key element of its subscription service. In
an email to users with the subject line “Congrats! You could unlock your full credit report!,” the
company promotes a free trial of Credit Sesame Premium, described as “our upgraded service
for members looking to enhance their credit awareness and reach their financial goals faster.”
The email suggests that the top reason to join this service is to “Get your complete credit profile
with a monthly 3-bureau credit report.” There is no mention in the email that this information is
available free of charge from a government-mandated website, and CR could find no mention of
this fact in the app either.
These and other subscription expenses can be frustrating for users, particularly when they think
they have signed up for a free service. One consumer who wrote to Consumer Reports reported
that he ended up incurring a different type of unexpected cost from his Experian membership.
In a post he titled, “Sorry I did it …” he wrote:
“I checked my credit score with Experian. I wasn’t aware I signed up for a
monthly credit review @ $24.00 per month. I canceled it and feel much better.
READ THE FINE PRINT.” —Alfred B.
Finding #3: Apps Collect Substantial Amounts of Private
Consumer Data
All five of these companies require users to grant broad permission to collect data
directly from users and to augment it with third-party data. Almost all the services share
information with their affiliates so that they can market products or services to users.
All these services collect data from end users, and all state that they collect data about users
from third parties. This data collection enables the services to create user profiles incorporating
a broad swath of data in ways that might not have benefits to the user and that could be shared
with other companies. Data collection and sharing varies across the companies.
For example, Credit Karma states in its privacy policy that it “get[s] information about you from
others where permitted by applicable law.” Credit Karma also states that it can get information
about users from “local business reviews or public social media posts,” which implies that it
engages in some form of data scraping or collection, and data processing of review sites and
other social media sites. The privacy policy also states that Credit Karma can receive
information from “partners” about “employment or income data, vehicle or driver information.”
MyFICO’s privacy policy contains general language that could be interpreted as permitting data
collection from a broad range of public and private sources: “We may access public sources of
personal data, such as census data and real estate records, and private sources of personal
data such as business bureau, industry analyst, or market research data.” Because the precise
definition of what qualifies as a “business bureau, industry analyst, or market research data” is
left unclear, it is not immediately obvious what sources, if any, could be off-limits. And these are
stated as only representative examples of possible sources.
TransUnion’s terms describe specific data elements it pulls from third parties. TransUnion’s
privacy policy states that TransUnion collects the names of users, potentially the names of
family members, home addresses, billing addresses, email addresses, phone numbers, Social
Security numbers, dates of birth, employment information, credit card account information,
device identification information, IP addresses, device identifiers, application identifiers, debt
details, income range, financial information, driver’s license numbers, passport numbers, and
utility information.
In addition to collecting information directly from consumers, the privacy policy states that
TransUnion also collects information from advertising partners, credit reporting agencies and
affiliates, and “external data providers.” Because “external data provider” is not defined in the
privacy policy, and almost any entity could be defined as an “external data provider,” TransUnion
could collect data from a virtually unlimited number of external sources.[23]
Three of the five services (Credit Karma, Credit Sesame, and Experian) also request permission
for the app to collect the precise location of the user’s phone from its GPS sensor. Credit Karma
further requests permission to access location information even when the app is not being used
and is therefore running only in the “background.” In response to questions from CR, Credit
Sesame explained that it collects precise location data because it provides consumers with
“instant cashback offers from retailers.” Credit Sesame told CR that “customers must opt-in in
order to provide their location data to have access to relevant offers nearest to them.” Credit
Karma and Experian did not explain why they collect this data.
By collecting and combining this data, the companies are able to develop detailed insights about
users, including where they live, work, socialize, and shop—in addition to the information that
they have about the users’ credit history. Four of the companies reviewed—Credit Karma, Credit
Sesame, Experian, and myFICO—indicate that they do not “sell” users’ personal data to third
parties[24] but that they do reserve the right to use it to market products or services to users.
Experian shares it with its business partners so that they can market to users as well.[25] This
means that Experian may be, in effect, using the data as currency in business arrangements
with other companies—generally to solicit offers for financial products, such as credit cards and
loans. As discussed below, these marketing offers are a central element of these services’
business models.
TransUnion notes in its privacy policy that it sells the information collected about consumers to
third-party companies. Information about use of the app, users’ professional or employment
information, and inferences drawn from that information could be sold or shared to consumer
data resellers, and to marketing companies in order to tailor advertising.[26] While TransUnion has
a “Do Not Sell My Personal Information” link on its website, the link clearly states that this option
is available only for California residents,[27] and their privacy policy does not appear to provide
any mechanism for non-California residents to opt out of the sharing or sale of their personal
information.
[23] TransUnion, Privacy Notice for TransUnion Consumer Interactive (Oct. 30, 2020),
https://www.transunion.com/privacy/consumer-interactive.
[24] Intuit Global Privacy Statement (Dec. 30, 2020), https://www.intuit.com/privacy/statement/: “We do not
and will not sell personal information to third parties.” Credit Sesame, “Your Rights Under the California
Consumer Privacy Act” (accessed July 19, 2021),
https://www.creditsesame.com/about/california-consumer-privacy-act/: “We do not sell your personal
information.” Fair Isaac Corporation (FICO) Data Privacy Policy (accessed July 19, 2021),
https://www.myfico.com/policy/privacy-policy/: “We will not sell consumers’ personal information to third
parties for their own marketing, advertising, or other purposes.” Experian does not have a “Do Not Sell My
Personal Information” link, which is required for companies covered by the CCPA that sell consumer data
(Cal. Civ. Code § 1798.135(a)(1)). By contrast, TransUnion has a link on its web page for consumers to
stop the sale of their information.
[25] Intuit Global Privacy Statement (Dec. 30, 2020), https://www.intuit.com/privacy/statement/: “We may
share your information with our affiliates and subsidiaries for everyday business purposes as described in
this Statement, including for marketing purposes.” Credit Sesame Privacy Policy (Jan. 21, 2021),
https://www.creditsesame.com/about/privacy-policy/: Credit Sesame may use personal information to
“Present our Website and display content based on your interests such as offers, products, and services.”
TransUnion, Privacy Notice for TransUnion Consumer Interactive (Oct. 30, 2020),
https://www.transunion.com/privacy/consumer-interactive: Data may be disclosed to “Affiliates, to improve
their product offerings, to offer consumers targeted offers and advertising.” ConsumerInfo.com Privacy
Policy (Feb. 11, 2021), https://usa.experian.com/login/publicPrivacyPolicy: Experian explains that “We
share your personal information with companies that we have partnered with to offer products that may be
of interest to you.” Fair Isaac Corporation (FICO) Data Privacy Policy (accessed July 19, 2021),
https://www.myfico.com/policy/privacy-policy/: “We may disclose personal information, in electronic or
other form, among FICO affiliates and subsidiaries for the purpose of implementing, administering, and
managing your business relationship with FICO, to provide the product or service you requested, to
contact you in connection with product or service offerings, or for other legitimate business purposes.”
[26] TransUnion, Privacy Notice for TransUnion Consumer Interactive (Oct. 30, 2020),
https://www.transunion.com/privacy/consumer-interactive.
[27] TransUnion (accessed Aug. 2, 2021), https://www.transunion.com/: Link on homepage states “DO NOT
SELL MY PERSONAL INFORMATION - CA RESIDENTS ONLY.”
[28] Intuit Global Privacy Statement (Dec. 30, 2020), https://www.intuit.com/privacy/statement/: “Intuit may
use advertising networks and other providers to display advertising on our Intuit Platform or to manage
our advertising on other sites. Our advertising partners may place cookies on unaffiliated websites in
order to serve advertisements that may be relevant to you based on your browsing activities and interests
and determine the effectiveness of such advertisements.” TransUnion, Privacy Notice for TransUnion
Consumer Interactive (Oct. 30, 2020), https://www.transunion.com/privacy/consumer-interactive: Data
may be disclosed to “Advertising networks, to provide personalized advertisements.” ConsumerInfo.com
Privacy Policy (Feb. 11, 2021), https://usa.experian.com/login/publicPrivacyPolicy: We, our affiliates,
Even though four of the five apps studied claim not to sell consumer data and do not provide a
“Do Not Sell” link to California consumers, all these apps and services use third-party cookies or
other technologies that may track activity on these and other apps, or across the web.[28] For
example, trackers can provide information about products the user has viewed.[29] This
information can be combined with other data, analyzed, and shared to target advertising to
users.[30] A recent California Consumer Privacy Act enforcement update from the California
attorney general indicates that this can be considered a data sale and that covered companies
may be required to give California consumers the option to opt out of these data disclosures.[31]
We asked the four companies if they were aware of this recent enforcement update, and
whether they planned to make any changes to their policies as a result; all four responded that
they knew about it, and do not feel they need to change their policies as a result.
Extensive data collection poses privacy risks to consumers. The Equifax data breach of 2017,
which led to the disclosure of the sensitive information, including Social Security numbers, of
over 100 million consumers, brought widespread public attention to the reality that credit
reporting companies are not impenetrable to hacks.
32
But the Equifax breach was just one in a
series of credit bureau and data broker security incidents over the past 20 years. According to
the Department of Justice, for example, in 2003 a hacker illegally obtained personal information
from over a billion consumer records held by the data broker Acxiom.
33
In 2005, the data broker
LexisNexis announced that, across its business units, it may have been breached almost 60
33
Former Officer of Internet Company Sentenced in Case of Massive Data Theft from Acxiom
Corporation, Department of Justice (Feb. 22, 2006),
https://web.archive.org/web/20060322185137/http://www.justice.gov/opa/pr/2006/February/06_crm_088.h
tml; John Leyden, Acxiom Database Hacker Jailed for 8 Years, The Register (Feb. 23, 2006),
https://www.theregister.com/2006/02/23/acxiom_spam_hack_sentencing/.
32
Equifax to Pay $575 Million as Part of Settlement with FTC, CFPB, and States Related to 2017 Data
Breach, FTC (Jul. 22, 2019),
https://www.ftc.gov/news-events/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-
states-related.
31
State of California Department of Justice, CCPA Enforcement Case Examples (accessed Aug. 2, 2021),
https://oag.ca.gov/privacy/ccpa/enforcement.
30
Id., Update Report into AdTech and Real-Time Bidding, Information Commissioner’s Office at 10-11
(Jun. 20, 2019),
https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906-dl1912
20.pdf (PDF); Authorized Buyers Overview, Google (accessed Aug. 3, 2021),
https://support.google.com/authorizedbuyers/answer/6138000; WTF is Real-Time Bidding? Digiday (Feb.
17, 2014), https://digiday.com/media/what-is-real-time-bidding/.
29
How to Protect Your Privacy Online, Federal Trade Commission (May 2021),
https://www.consumer.ftc.gov/articles/how-protect-your-privacy-online.
business partners and third-party service providers collect, use and share information to develop and
deliver targeted online advertising. These are ads that you may see across different sites and devices
over time. This information includes marketing information such as your preferences and inferences
based on your interactions with the Site.” Credit Sesame Privacy Policy (Jan. 21, 2021),
https://www.creditsesame.com/about/privacy-policy/: “Some content or applications, including
advertisements, on the Website may be served by third-parties, including advertisers, ad networks and
servers, content providers, and application providers. These third parties may use cookies, alone or in
conjunction with web beacons or other tracking technologies, to collect information about you when you
use our Website. The information they collect may be associated with your personal information or they
may collect information, including personal information, about your online activities over time and across
different websites and other online services. They may use this information to provide you with
interest-based (behavioral) advertising or other targeted content. We do not share your personal
information with these parties.”
15
times.
34
In 2011, the data broker Epsilon was hacked, exposing millions of victims to potential
spam and phishing attempts.
35
And in 2015, Experian announced that a security incident led to
the unauthorized acquisition of the personal information of approximately 15 million
consumers.
36
We did ask all of the companies about their privacy practices, and they broadly told CR that they
take privacy and data security seriously. They told CR that “member trust is paramount,”[37] that
they are “committed to the responsible and ethical use and security of data,”[38] and that “privacy
of our customers’ personal information is of the utmost importance to us.”[39]
Finding #4: Apps Use a Consumer’s Private Data to Advertise Products and Services Not Always in the User’s Best Interest
Four of the five services evaluated routinely solicit users to apply for additional credit
and to purchase other financial products and services, such as home and auto
insurance. These offers are often positioned as “personalized” advice on raising one’s
credit score, saving money, or otherwise improving one’s financial standing. But a closer
look at the accompanying advertising disclosures reveals that the additional products and
services on offer are not necessarily in the users’ best interests.
Credit Karma,[40] Credit Sesame,[41] and Experian Credit Report[42] all solicit users for credit and
other financial services from outside companies in their mobile applications and on their
websites. These three services, plus TransUnion, also send users financial offers via email.
(MyFICO does not solicit users for financial services from outside companies.)
[34] LexisNexis Concludes Review of Data Search Activity, Identifying Additional Instances of Illegal Data
Access, LexisNexis (Apr. 12, 2005),
https://web.archive.org/web/20050415002054/http://www.lexisnexis.com/about/releases/0789.asp;
Heather Timmons, Security Breach at LexisNexis Now Appears Larger, New York Times (Apr. 13, 2005),
https://www.nytimes.com/2005/04/13/technology/security-breach-at-lexisnexis-now-appears-larger.html.
[35] Brian Krebs, Feds Indict Three in 2011 Epsilon Hack, Krebs on Security (Mar. 6, 2015),
https://krebsonsecurity.com/2015/03/feds-indict-three-in-2011-epsilon-hack/.
[36] Experian Notifies Consumers In The U.S. Who May Have Been Affected By Unauthorized Acquisition
Of A Client’s Data (Oct. 1, 2015),
https://www.prnewswire.com/news-releases/experian-notifies-consumers-in-the-us-who-may-have-been-affected-by-unauthorized-acquisition-of-a-clients-data-300152926.html;
John Legere, A Letter from CEO John Legere on Experian Data Breach (Sept. 30, 2015),
https://www.t-mobile.com/news/blog/experian-data-breach.
[37] Statement from Credit Karma to Consumer Reports (June 23, 2021).
[38] Statement from Experian to Consumer Reports (June 23, 2021).
[39] Statement from Credit Sesame to Consumer Reports (June 23, 2021).
[40] In the Credit Karma app, offers are displayed on the landing page, below the credit score. The app also
has a separate “My Offers” click-through that shows up under the “Explore” tab and possibly in other
in-app locations.
[41] In the Credit Sesame app, there is a tab at the bottom called “Offers.”
[42] In the Experian Credit Report app, “Offers” appear on the landing page, below the user’s credit score.
These services present the offers to users and receive revenue if and when users sign up, a
business model often known as “lead generation.”
“Some of their advice is good, but it seems to be that they are always saying to
take out more loans and more credit cards (which does give you better credit but
leads you into more debt), so I feel they are working for the loan and credit card
companies and not their customers.” —Laura O.
These services disclose that they generate revenue from these offers—an example of one such
disclosure is shown in Image 1, below—and that offers are presented in ways that are
influenced by revenue considerations and do not necessarily serve the consumers’ best
interests. In other words, the deals listed most prominently are not necessarily more appropriate
for or advantageous to the user than those shown less prominently or others that aren’t shown
at all.
Image 1: Screenshot From Credit Karma’s Website
This is also made clear through disclosures. For example, Credit Karma’s in-app advertiser
disclosure says:
“The offers that appear on this site are from third-party advertisers from which Credit
Karma receives compensation. This compensation may impact how and where products
appear on this site (including, for example, the order in which they appear). It is this
compensation that enables Credit Karma to provide you with services like free access to
your credit scores and free monitoring of your credit and financial accounts at no charge.
Credit Karma strives to provide a wide array of offers for our members, but our offers do
not represent all financial services companies or products.”
Credit Sesame’s disclosure says:
“Many of the offers that appear on this site are from companies from which Credit
Sesame receives compensation. This compensation may impact how and where
products appear (including, for example, the order in which they appear). Credit Sesame
provides a variety of offers, but these offers do not include all financial services
companies or all products available…. Credit Sesame is an independent comparison
service provider.”
The Experian Credit Report app contains the following advertiser disclosure:
“The offers that appear on this site are from third party companies (‘our partners’) from
which Experian Consumer Services receives compensation. This compensation may
impact how, where, and in what order the products appear on this site. The offers on the
site do not represent all available financial services, companies, or products.”
TransUnion: Report & Score emails offers to users that include the following disclosure:
“TransUnion shares special offers with you, such as discounts on TransUnion products
and offers from our third-party partners. Some of these third party-offers will appear in
the emails we send to you, but they do not and are not intended to represent financial
advice or guarantee future results. Before acting on any third-party offer, you should
carefully consider the details, terms, conditions, and consult a qualified financial advisor.
TransUnion is compensated by third-party partners when consumers follow through on a
displayed third-party offer. You will continue to receive these emails from time to time
because you expressed interest in our special offers when you placed your order or
signed up for our newsletter.”
Yet other elements of the services’ messaging appear to contradict these disclosures. For
example, offers are frequently positioned as advice rather than as solicitations. One Credit
Sesame email sent to a CR staffer who subscribed to Credit Sesame for this report included the
subject line “A new credit card could help you increase your score,” and the text recommended
that the customer “increase your overall credit limit and decrease your credit usage by adding a
new credit card to the mix.” A click through to the Credit Sesame website showed 11 credit card
offers with the banner headline, “Hey [Customer name], you can increase your credit limit by
93%.” Another email subject line reads “[Customer name], you’re worthy!” and advises in the
email, “Members with a similar credit score as you are checking out these credit cards.”
Four of the five services (all except myFICO) also claim that the offers are “customized” or
“personalized” for the user, suggesting that the products have been chosen in the user’s best
interests. Credit Karma, for example, tells users “We use our love of data to analyze your credit
profile and make product recommendations that could help you save money.”[43] Experian Credit
Report implores users to learn about “credit cards matched for you” and “personalized credit
card and loan offers.”
[43] https://www.creditkarma.com/faq/howitworks.
Credit Karma goes a step further, apparently trying to reconcile a seeming contradiction
between the disclosure and the promise of personalization by positioning its lead generation
business as a win-win for the company and consumers alike:
“Our business model works because everyone can benefit…. If you’re like most of us,
you probably receive tons of credit offers in the mail. But how often are they actually a
good fit for you? Here at Credit Karma, we want our offers to provide value to you –
whether it’s savings, rewards or debt relief – and we choose financial partners that share
our mission. If we do our job well, you save some money, we make some money and
banks turn away fewer customers. Everyone wins.”[44]
The services evaluated here give users the impression that the advice and offers they provide
are personalized and will benefit the users. However, the language indicates that the offers
users see are prioritized based on the compensation that the companies receive. And the
marketing seems to prioritize changes that would lead to more credit and debt rather than less.
As one CR member wrote:
“My credit is not as good as it was, so their pre-approved offers have interest
rates that are not at all inviting. Their solution to my credit card debt is a
pre-approved offer with high interest to pay it off. Which is really not an
improvement if the interest rate is the same or higher than my credit card rates.”
—Virginia J.
“I set up my calendar to remind me to go to AnnualCreditReport.com every 4
months and view a copy of my Experian, Equifax, or TransUnion credit file so I
can detect any errors or unusual activity and try to correct. I use the various
credit report apps as a backup, but not my main plan. They always attempt to get
me to upgrade to a paid plan, apply for another credit card, or sell me something.
Service is free, but comes at the price of both annoyance and fostering
distrust of the credit reporting services themselves.” —Lawrence O.
Finding #5: Apps Require Consumers to Agree to Arbitration Clauses
All of the services include mandatory arbitration clauses in their terms of use. Mandatory
arbitration clauses hinder consumers from enforcing their rights.
All of the services include an arbitration agreement in their terms. Consumers are bound to
these agreements by using the product, and may not even know they exist.
Arbitration was nationally established in the 1925 Federal Arbitration Act as an efficient
alternative method for businesses to choose for resolving disputes with other businesses
outside of the courtroom. But over time arbitration has increasingly been used to limit the ability
of consumers to sue companies in court.
[44] https://www.creditkarma.com/faq/howitworks.
The problems with arbitration, from a consumer’s point of view, have been well-documented.
Empirical studies have shown that plaintiffs are less likely to prevail in arbitration, and collect
less in damages when they do, compared with court proceedings. Arbitration is also a private
forum and therefore keeps complaints and allegations shielded from public view, even if they
allege illegal or fraudulent behavior. This can have the effect of allowing problematic corporate
behavior to persist longer than it would if exposed in a public courtroom.
In addition, arbitration agreements are usually coupled with clauses that bar class actions. That
prevents consumers from banding together. Because many consumer complaints have
relatively small amounts of money at stake per consumer, they rarely justify the cost of bringing
cases individually and often can’t attract the services of an attorney. These hurdles and
limitations combine to result in most consumers giving up even trying to pursue their claims.
Indeed, Consumer Reports and other advocacy groups see this as the intent behind the
increasingly widespread inclusion of mandatory arbitration clauses in terms of service.[45]
[45] https://www.consumerreports.org/contracts-arbitration/consumers-using-mass-arbitration-to-fight-corporate-giants-a8232980827/
4. Marketplace and Policy Recommendations
The five applications that CR evaluated offer consumers access to credit scores, but in virtually
every case the scores come with significant limitations, unnecessary costs, and sales pitches
that are not necessarily in the users’ best interest. This is a business model that exists in this
form because consumers do not have simple, clear, and free access to their full credit
information, including the credit score that lenders use. In the absence of a legal right to an
accurate, free credit score, companies have stepped in to offer this service, with strings
attached.
Recommendations for Credit Score App Providers
1. Make credit report access free through their apps. The services should provide
no-fee access to the information that is guaranteed to consumers free of charge, at least
once per year, and should refer users to AnnualCreditReport.com rather than charge
consumers for a product they can get free.
2. Provide free access to accurate credit scores that lenders actually use.
3. Remove arbitration clauses from terms of use.
4. Give users information and offers that are in the users’ best interest. These
services claim, in their marketing materials, that they offer personalized advice to their
users. However, they present offers that—according to their own terms of service and
disclosures—are not necessarily in the best interests of the users. Providers should
ensure that users’ interests are the foremost consideration when providing information
and offers to users. At the very least, providers should stop promoting offers using
language that potentially misleads consumers by suggesting that they have been
selected in the users’ best interests.
5. Clearly disclose the third parties with which data is shared or sold, as practical.
Recommendations for Congress
1. Pass H.R. 4120, the Comprehensive Credit Act of 2021, which would provide consumers
with free access to the credit scores that lenders use, require the CFPB to establish
standards for assessing the validity of credit scoring models, and ensure that consumers
have the opportunity to appeal the results of dispute investigations.
2. Pass the Protecting Your Credit Score Act of 2021, which would establish a secure portal
where consumers can access their credit reports and scores for free and an unlimited
number of times.
3. Ban arbitration agreements in contracts for financial products and services. Passing the
FAIR (Forced Arbitration Injustice Repeal) Act, H.R. 963 and S. 505, would accomplish
this.
4. Adopt national privacy legislation that creates a strong floor of protections for consumers
and requires data minimization, clear information about data practices, and strong data
security practices. A national privacy law should provide consumers with easy access to
their information, and strong enforcement tools to ensure accountability.