The Information Commissioner’s Office (ICO) has ordered credit reference agency Experian to make fundamental changes to how it handles people’s personal data within its direct marketing services.

The enforcement notice follows a two-year investigation by the ICO into how Experian, Equifax and TransUnion used personal data within their data broking businesses for direct marketing purposes. A complaint from the campaign group Privacy International to the ICO also raised concerns about the data broking industry, specifically Equifax and Experian.

As a result of the ICO’s work, all three credit reference agencies (CRAs) made improvements to their direct marketing services business. Equifax and TransUnion made improvements alongside withdrawing some products and services. The ICO is therefore taking no further action against them.

The investigation found how the three CRAs were trading, enriching and enhancing people’s personal data without their knowledge. This processing resulted in products that were used by commercial organisations, political parties or charities to find new customers, identify the people most likely to be able to afford goods and services, and build profiles about people.

The ICO found that significant ‘invisible’ processing took place, likely affecting millions of adults in the UK. It is ‘invisible’ because the individual is not aware that the organisation is collecting and using their personal data. This is against data protection law.

Although the CRAs varied widely in size and practice, the ICO found significant data protection failures at each company. As well as the failure to be transparent, the regulator found that personal data provided to each CRA, in order for them to provide their statutory credit referencing function, was being used in limited ways for marketing purposes. Some of the CRAs were also using profiling to generate new or previously unknown information about people, which is often privacy invasive.

Other thematic failings identified were:

• Although the CRAs did provide some privacy information on their websites about their data broking activities, their privacy information did not clearly explain what they were doing with people’s data;
• Separately, they were using certain lawful bases incorrectly for processing people’s data.

Although Experian made progress in improving compliance, it did not go far enough. Experian did not accept that they were required to make the changes set out by the ICO, and as such were not prepared to issue privacy information directly to individuals nor cease the use of credit reference data for direct marketing purposes. As a result, Experian has been given an enforcement notice compelling it to make changes within nine months or risk further action. This could include a fine of up to £20 million or 4% of the organisation’s total annual worldwide turnover.

Information Commissioner Elizabeth Denham said “Our investigation uncovered data protection failings that likely affected millions of adults in the UK. Our investigation has changed the way credit reference agencies operate their offline direct marketing services. It has found invisible processing, allowing people to better understand how their data is being used, meaning people can exercise their privacy and data protection rights.”

“The information the CRAs are privileged to hold for statutory credit reference purposes was unlawfully used by them in their capacity as a data broker, with poor regard for what people might want or expect.”

“The data broking sector is a complex ecosystem where information appears to be traded widely, without consideration for transparency, giving millions of adults in the UK little or no choice or control over their personal data. The lack of transparency and lack of lawful bases combined with the intrusive nature of the profiling has resulted in a serious breach of individuals’ information rights.”

“The trade in personal data with other organisations has implications beyond the industry. Disrupting the flow of non-compliant personal data will have significant impact not just across the sector but will drive benefits for individuals and organisations wherever this data is used.”

“I am encouraged by Equifax and TransUnion’s willingness to change their practices and put people’s legal rights first. Now I expect the data broking sector to make the same commitments.”

The ICO decided an enforcement notice would be the most effective and proportionate way to achieve compliance in this situation. It is a powerful regulatory tool to require an organisation to stop processing personal data in a certain way and the most likely tool to achieve the results necessary to change behaviour.

The ICO’s notice requires Experian to inform people that it holds their personal data and how it is using or intends to use it for marketing purposes. Experian has until July 2021 to do this subject to any appeal.

The ICO also requires Experian to stop using personal data derived from the credit referencing side of its business by January 2021, which it does currently for limited direct marketing purposes. In the enforcement notice, the ICO states that people have no choice about whether their data is shared with Experian for credit referencing purposes and that Experian’s processing of this data for marketing purposes is unexpected.

As an example it should stop screening out prospective customers from marketing lists on the basis of financial status.

In response to the announcement Brian Cassin, Chief Executive Officer, said “We disagree with the ICO’s decision today and we intend to appeal. At heart this is about the interpretation of GDPR and we believe the ICO’s view goes beyond the legal requirements. This interpretation also risks damaging the services that help consumers, thousands of small businesses and charities, particularly as they try to recover from the COVID-19 crisis.”

“We share the ICO’s goals on the need to provide transparency, maintain privacy and ensure consumers are in control of their data. The Experian Consumer Information Portal makes it very easy for consumers to fully understand the ways we work with data and to opt out of having their data processed if they wish.”

“For more than 30 years, our UK marketing services business has been helping a variety of organisations from both the public and private sector, including many charities. We use long-standing publicly and commercially available sources to build our marketing products, such as the edited Electoral Roll, the UK Census and market research data. We develop statistical models from data to infer insights useful to businesses and public bodies in order that they can function more efficiently. We do not track internet activity nor do we collect actual consumer purchases, behavioural data or actual preferences, nor is there any location tracking of individuals.”

“The COVID-19 crisis has clearly demonstrated that data that is managed in a way that properly protects individual privacy can be used as a force for good. Our data has helped local authorities, NHS Trusts, fire services, food banks, councils and other major charities to get help and support to the most vulnerable during the crisis. Our business data has also been used by the UK government to plan and forecast support measures for businesses.”

“We are also deeply concerned about the impact this could have on thousands of small businesses and charities that use our data, particularly as they try to recover from the impact of the COVID-19 crisis.”

“Around two thirds of the firms that use our marketing services employ fewer than 200 people each. Many of these small businesses are in sectors that have been hit hardest by the COVID-19 crisis: over 30% of the income in our marketing services business comes from sectors such as retail, leisure, automotive and travel.”