While the free credit monitoring service being offered by Equifax to the millions victims of its massive data breach leaves a lot to be desired, the company is remedying one of the more controversial aspects of the program — a condition that stripped consumers of their right to file a lawsuit in court.
The EquifaxSecurity2017.com site set up in response to the breach allows people affected by the cyber attack to sign up for free access to the company’s TrustedID monitoring service. When it launched last week, the Terms of Use for TrustedID included what’s known as a forced arbitration clause.
READ MORE: Don’t Take Equifax Up On Its Credit Monitoring Offer
That clause did two things. First, it strips all TrustedID users of their right to file a lawsuit against the service in a court of law. Instead, all legal disputes would have to be settled outside of the legal system through private arbitration. Second, it barred users from joining their disputes together into a class-action, even through arbitration.
So imagine if there was a second data breach, this time of TrustedID users. Each individual customer would have to go through private arbitration one at a time. Arbitration results set no precedents and are often confidential. That means that each case — even though they would all effectively share the same allegations — could have a different outcome, and there’d likely be no public record of these decisions.
The presence in the arbitration clause for TrustedID led to a lot of people being very concerned that Equifax was trying to backdoor more than 100 million people into signing away their right to sue the company over the underlying breach. Last week, Equifax told Consumerist in a statement that the arbitration clause only applied to the TrustedID service and not to the original theft of consumer data.
That still didn’t ease concerns, with customers and consumer advocates calling for Equifax to ditch the arbitration clause altogether.
This morning, Equifax obliged. In an update to the EquifaxSecurity2017 homepage, the company said that it has removed the clause from its terms from the breach response page and clarified that enrolling in TrustedID as part of this breach response “does not waive any rights to take legal action.”
It looks like customers who sign up for TrustedID on their own outside of this site are, however, still agreeing to cede their right to a day in court.
The legal rights advocates at Public Citizen simultaneously applauded the decision to remove the clause in this case, while pointing out that Equifax still has a long way to go.
“It maintains a forced arbitration clause on its primary website, which by its terms extends to TrustedID.com,” explains Public Citizen. “Consumers cannot depend on financial corporations to do the right thing. We need a guaranteed protection of our right to hold corporations accountable for wrongdoing through class-action lawsuits.”
The Consumer Financial Protection Bureau recently passed new rules that would have barred Equifax and a number of other financial services companies from using forced arbitration clauses in consumer contracts. However, bank-backed lawmakers and the Trump administration are currently attempting to stop those rules from going into effect. The House of Representatives has already approved a measure that would undo the CFPB rules; the Senate has until later this fall to decide whether it chooses the American people or the interests of the commercial banking and retail lobbies.

Editor's Note: This article originally appeared on Consumerist.