Experian has been ordered to make fundamental changes to how it handles people’s personal data in its direct marketing services.
An enforcement notice from the Information Commissioner’s Office (ICO) requires the credit reference agency (CRA) to inform people that it holds their personal data and how it is using or intends to use it for marketing purposes.
Experian has until July to do this, subject to any appeal.
Experian said it disagrees with the ICO’s decision and intends to appeal.
The notice follows a two-year investigation by the ICO which found millions of adults in the UK were likely to be affected by “invisible” data processing.
The ICO looked into how Experian, Equifax and TransUnion used personal data in their data broking businesses for direct marketing purposes.
As a result of the ICO’s work, all three credit reference agencies made improvements to their direct marketing services.
Equifax and TransUnion also withdrew some products and services and the ICO is taking no further action against them.
The investigation looked at how the three CRAs were trading, enriching and enhancing people’s personal data without their knowledge. This resulted in products which were used by commercial organisations, political parties and charities to find new customers, identify the people most likely to be able to afford goods and services, and build profiles of people.
The ICO said processing has been invisible because people are not aware an organisation is collecting and using their personal data.
It also found some CRAs were using profiling to generate new or previously unknown information about people, which is often privacy invasive.
The watchdog said that although Experian made progress in improving compliance, it did not go far enough.
Experian did not accept it was required to make the changes set out by the ICO, and as such was not prepared to issue privacy information directly to individuals or cease the use of credit reference data for direct marketing purposes.
As a result, Experian has been given the enforcement notice compelling it to make changes within nine months or risk further action. This could include a fine of up to £20 million or 4% of the organisation’s total annual worldwide turnover.
Information Commissioner Elizabeth Denham said: “Our investigation uncovered data protection failings that likely affected millions of adults in the UK.
“The data broking sector is a complex ecosystem where information appears to be traded widely, without consideration for transparency, giving millions of adults in the UK little or no choice or control over their personal data.
“The lack of transparency and lack of lawful bases combined with the intrusive nature of the profiling has resulted in a serious breach of individuals’ information rights.
“The trade in personal data with other organisations has implications beyond the industry. Disrupting the flow of non-compliant personal data will have significant impact not just across the sector but will drive benefits for individuals and organisations wherever this data is used.
“I am encouraged by Equifax and TransUnion’s willingness to change their practices and put people’s legal rights first. Now I expect the data broking sector to make the same commitments.”
Experian said the enforcement notice applies to its UK marketing services business, which represents 1% of Experian’s group revenue. It said its credit-related businesses are unaffected by this outcome.
Brian Cassin, chief executive officer at Experian, said: “We disagree with the ICO’s decision today and we intend to appeal.”
Experian said its consumer information portal makes it very easy for people to fully understand the ways it works with data and to opt out of having their data processed if they wish.
Experian added that for more than 30 years, its UK marketing services business has been helping a variety of organisations, including many charities.
It said it uses long-standing publicly and commercially available sources to build its marketing products, such as the edited electoral roll, the UK census and market research data.
Experian develops statistical models from data to give insights useful to businesses and public bodies.
It said it does not track internet activity, nor does it collect actual consumer purchases, behavioural data or actual preferences, nor is there any location tracking of individuals.
Experian said its data has helped local authorities, NHS trusts, fire services, food banks, councils and other major charities to get help and support to the most vulnerable during the coronavirus crisis and its business data has also been used by the UK Government to plan and forecast support measures for businesses.