Experian faces £20m fine over data protection failures
Following a two-year investigation into how Experian, Equifax and TransUnion used personal data for marketing purposes, the Information Commissioner’s Office (ICO) found they were “trading, enriching and enhancing people’s personal data without their knowledge”.
As a result, millions of people were potentially targeted by commercial organisations, political parties or charities, and their personal data was collected and profiled without their knowledge.
The ICO said this is against data protection law.
While Equifax and TransUnion withdrew some products and services, the ICO said Experian made progress in improving compliance but “it did not go far enough”.
The ICO noted: “Experian did not accept that they were required to make the changes set out by the ICO, and as such were not prepared to issue privacy information directly to individuals nor cease the use of credit reference data for direct marketing purposes.
“As a result, Experian has been given an enforcement notice compelling it to make changes within nine months or risk further action. This could include a fine of up to £20m or 4% of the organisation’s total annual worldwide turnover.”
‘Lack of transparency’
Information commissioner Elizabeth Denham said: “Our investigation uncovered data protection failings that likely affected millions of adults in the UK. Our investigation has changed the way credit reference agencies operate their offline direct marketing services. It has found invisible processing, allowing people to better understand how their data is being used, meaning people can exercise their privacy and data protection rights.
“The information the Credit Reference Agencies are privileged to hold for statutory credit reference purposes was unlawfully used by them in their capacity as a data broker, with poor regard for what people might want or expect.
“The data broking sector is a complex ecosystem where information appears to be traded widely, without consideration for transparency, giving millions of adults in the UK little or no choice or control over their personal data. The lack of transparency and lack of lawful bases combined with the intrusive nature of the profiling has resulted in a serious breach of individuals’ information rights.”
The ICO added that its notice requires Experian to inform people it holds their personal data and how it is using or intends to use it for marketing purposes. Experian has until July 2021 to do this, subject to any appeal.
The ICO also requires Experian to stop using personal data derived from the credit referencing side of its business by January 2021, which it does currently for limited direct marketing purposes. In the enforcement notice, the ICO states that people have no choice about whether their data is shared with Experian for credit referencing purposes and that Experian’s processing of this data for marketing purposes is unexpected.
It should also stop screening out prospective customers from marketing lists on the basis of financial status.
Other requirements include making clear what data is being used for, who the data is being sold to and why, and stopping the processing of any personal data that has been collected unlawfully.
‘We intend to appeal’
Experian confirms that the notice relates to its UK marketing services business and that its credit-related services are not affected.
An Experian spokesperson said: “We disagree with the ICO’s decision today and we intend to appeal. At heart, this is about the interpretation of GDPR and we believe the ICO’s view goes beyond the legal requirements.
“This interpretation also risks damaging the services that help consumers, thousands of small businesses and charities, particularly as they try to recover from the Covid-19 crisis.”