ICO issues enforcement notice to Experian over unlawful use of data for marketing purposes

The Information Commissioner’s Office (ICO) has issued an enforcement notice to Experian over unlawful use of data for marketing purposes, which Experian plans to appeal.

The credit reference agency (CRA) Experian has been ordered by the ICO to make “fundamental changes” to how it handles people’s personal data within its direct marketing services, after a two-year investigation into the agency revealed “invisible” data processing and insufficient privacy information.

The investigation looked at the provision of offline marketing services by three data brokers – Experian, Equifax and TransUnion. It focused on the processing in the UK of personal data about individuals residing in the UK. It did not, the report says, look at the CRAs’ credit referencing functions.

Information Commissioner Elizabeth Denham said: “The investigation found how the three CRAs were trading, enriching and enhancing people’s personal data without their knowledge. This processing resulted in products which were used by commercial organisations, political parties or charities to find new customers, identify the people most likely to be able to afford goods and services, and build profiles about people.”

According to the compulsory audit, Experian made some improvement in its compliance with GDPR, but is unwilling either to issue privacy information directly to individuals or to cease the use of credit reference data for direct marketing purposes. As mentioned in the report, the CRAs argued that doing so would require ‘disproportionate effort’, as acknowledged under GDPR in Article 14(5)(b).

Experian plans to appeal the ICO’s action to the First-Tier Tribunal. The company’s CEO, Brian Cassin, said in a statement: “At heart this is about the interpretation of GDPR and we believe the ICO’s view goes beyond the legal requirements. This interpretation also risks damaging the services that help consumers, thousands of small businesses and charities, particularly as they try to recover from the Covid-19 crisis.”

“We develop statistical models from data to infer insights useful to businesses and public bodies in order that they can function more efficiently. We do not track internet activity nor do we collect actual consumer purchases, behavioural data or actual preferences, nor is there any location tracking of individuals,” he added.

Equifax and TransUnion were not subject to enforcement action, as both discontinued their supply of non-compliant products and services. However, despite the CRAs varying in size, all three audits revealed “systemic compliance failings within each of the CRAs’ data broking businesses, particularly for the lawfulness, fairness and transparency principle of the GDPR,” according to the ICO.

The enforcement notice given to Experian included seven changes to be made within nine months, including ceasing the use of data provided to Experian for credit referencing purposes for any direct marketing purposes (except where requested by the individual), and directly providing individuals with an Article 14-compliant privacy notice where Experian has obtained their data from a source other than the data subject (with some limited exceptions).

Additionally, the audit showed that in some cases Experian obtained data on the basis of consent but processed it on the basis of legitimate interests. The ICO states, “Where personal data is collected by a third party and shared for direct marketing purposes on the basis of consent, then the appropriate lawful basis for subsequent processing for these purposes will also be consent.”

Experian has therefore been told to delete any data supplied to them on the basis of consent which has been processed on the basis of legitimate interests.

Information Commissioner Elizabeth Denham said: “Our investigation uncovered data protection failings that likely affected millions of adults in the UK. Our investigation has changed the way credit reference agencies operate their offline direct marketing services.”
