This document discusses legal aspects of privacy and data protection related to risk scoring at customer acceptance. It provides an overview of current EU privacy law, which is based on obtaining opt-in consent for processing personal data. Nearly all data available for credit scoring is considered personal data. The EU courts have interpreted the definition of personal data broadly to include information like IP addresses and social media activity. The new EU privacy regulation proposed in 2016/2017 aims to strengthen protections, but negotiations between the European Parliament and Council have resulted in differing proposals that take different stances toward business and consumer interests. In the meantime, companies should monitor developments, review contracts, and prepare for compliance with new obligations around data security, breach notification, and oversight.