Credit reporting agency Equifax’s July data breach leaked information on 143 million US-based people, almost half the country’s population. But if you want to be part of a class action lawsuit that was recently filed against the company, accepting its free identity protection service might make things harder. That’s because Equifax’s terms of service force users to settle complaints individually, using a common and widely criticized legal clause. This clause might not apply to the data breach, and Equifax might not intend to enforce it — but its broad ambiguity has legal experts worried.

When the leak was revealed yesterday, Equifax set up a page offering free enrollment in its TrustedID Premier monitoring service. The page asks people to enter their name and partial Social Security number to see if they’ve been affected, then tells them to come back after a stated date to enroll in protection. But visitors quickly pointed out that Equifax’s terms of service include a consumer-unfriendly piece of legalese known as an arbitration clause, which bans parties from joining class action lawsuits. If a court finds that Equifax was negligently lax with cybersecurity, people bound by the terms might be locked out of benefits, unless they file a new suit.

Some have urged potential victims to avoid the site for this reason, including attorney Michael Fuller, who filed suit against Equifax yesterday on behalf of two Oregon-based leak victims. Fuller says people may not want to even enter their names, let alone sign up for protection. “Right now we're advising folks just to reach out to their state attorney general” instead of using the site, he says. “It's actually a little unclear when you go to the site and try to navigate it, exactly what you're signing up for and what happens when you click the button and enter your information.”

Equifax says TrustedID Premier terms of use don’t apply to the data breach, but attorneys say it’s ambiguous

We asked Equifax whether someone who signed up for TrustedID Premier would waive their right to join a class action suit over the data breach. “The arbitration clause and class action waiver included in the TrustedID Premier Terms of Use applies to the free credit file monitoring and identity theft protection products, and not the cybersecurity incident,” said social media and PR director Francesca De Girolami.

That’s reassuring, but when we read the statement to Fuller, he still found it confusing. “It sounds to me like they're saying opposite things,” he said. When he visited the enrollment page, “it just wasn't clear exactly what I was agreeing to,” he says — especially because Equifax posts a general agreement that applies to the entire site and product portfolio, in addition to TrustedID Premier’s. We asked Equifax to clarify whether the site’s terms of use would stop someone from joining the class action suit, but haven’t yet heard back.

Not every legal expert seems worried about the clause. Former federal prosecutor Alex Southwell told CNN that people could join a suit over the original hack even if they waived their right to sue over the monitoring service. (We’ve reached out to Southwell to clarify how likely this is.) But Paul Bland, executive director of the nonprofit Public Justice Foundation, believes the language is dangerously broad. “There would be some room to fight about this in court, but I think that the overwhelming likelihood is that ... if you sign up for its product, there is a huge chance that you would not be able to be part of any lawsuit involving the data breach,” he says.

Bland says it’s too early for him to tell how strong the lawsuit against Equifax is, but that some previous data breach suits have recovered millions of dollars or gotten consumers access to much better credit monitoring services. “There is a huge chance that somebody who thinks that they are getting a good deal because they sign up for this is actually getting stripped of important rights by the company.”

New York state attorney general Eric Schneiderman‏ objected to the arbitration agreement as well. On Twitter, he called the language “unacceptable and unenforceable,” saying his staff had demanded Equifax remove it. He later wrote that it had “clarified” its policy with the statement De Girolami gave above. Schneiderman’s office has also launched a formal investigation into the breach, and urges consumers to call Equifax at 866-447-7559 to check if they’ve been affected, although we were simply directed to the website when we called that number.

This language is unacceptable and unenforceable. My staff has already contacted @Equifax to demand that they remove it. https://t.co/vT0x7f5Xhc — Eric Schneiderman (@AGSchneiderman) September 8, 2017

Arbitration clauses like Equifax’s are supposed to be on their way out. The Consumer Financial Protection Bureau announced a ban on them this summer, but its new rules won’t apply until next year, and Republican lawmakers are trying to repeal them altogether. For now, the one existing loophole is Equifax’s opt-out provision — another common element of arbitration clauses. Within 30 days of agreeing to the terms of the enrollment, you can deliver a written notice to this address:

Equifax Consumer Services LLC, Attn.: Arbitration Opt-Out

P.O. Box 105496

Atlanta, GA 30348

It needs to include your name, address, and Equifax User ID, as well as “a clear statement that you do not wish to resolve disputes with Equifax through arbitration.”

This kind of opt-out exception doesn’t fix the larger problems with arbitration clauses, because it’s a limited time offer buried in terms of service that almost nobody reads. But if you want the free service that Equifax is offering, and you can remember to send out that letter, it’s the best protection you can get.