Enforcement action taken against Experian after personal data investigation

Experian has been ordered to make fundamental changes to how it handles people’s personal data in its direct marketing services.

An enforcement notice from the Information Commissioner’s Office (ICO) requires the credit reference agency (CRA) to inform people that it holds their personal data and how it is using or intends to use it for marketing purposes.

Experian has until July to do this, subject to any appeal.

It comes after a two-year investigation by the ICO found millions of adults in the UK were likely to be affected by “invisible” data processing.

The ICO looked into how Experian, Equifax and TransUnion used personal data in their data broking businesses for direct marketing purposes.

As a result of the ICO’s work, all three credit reference agencies made improvements to their direct marketing services.

Equifax and TransUnion also withdrew some products and services and the ICO is taking no further action against them.

The investigation looked at how the three CRAs were trading, enriching and enhancing people’s personal data without their knowledge. This resulted in products which were used by commercial organisations, political parties and charities to find new customers, identify the people most likely to be able to afford goods and services, and build profiles of people.

The ICO said processing has been invisible because people are not aware an organisation is collecting and using their personal data.

It also found some CRAs were using profiling to generate new or previously unknown information about people, which is often privacy invasive.

The watchdog said that although Experian made progress in improving compliance, it did not go far enough.

Experian did not accept it was required to make the changes set out by the ICO, and as such was not prepared to issue privacy information directly to individuals or cease the use of credit reference data for direct marketing purposes.

As a result, Experian has been given the enforcement notice compelling it to make changes within nine months or risk further action. This could include a fine of up to £20 million or 4% of the organisation’s total annual worldwide turnover.

Information Commissioner Elizabeth Denham said: “Our investigation uncovered data protection failings that likely affected millions of adults in the UK.

“The data broking sector is a complex ecosystem where information appears to be traded widely, without consideration for transparency, giving millions of adults in the UK little or no choice or control over their personal data.

“The lack of transparency and lack of lawful bases combined with the intrusive nature of the profiling has resulted in a serious breach of individuals’ information rights.

“The trade in personal data with other organisations has implications beyond the industry. Disrupting the flow of non-compliant personal data will have significant impact not just across the sector but will drive benefits for individuals and organisations wherever this data is used.

“I am encouraged by Equifax and TransUnion’s willingness to change their practices and put people’s legal rights first. Now I expect the data broking sector to make the same commitments.”