The UK’s privacy regulator has warned Experian that it has nine months to comply with an enforcement notice or face a potentially huge GDPR fine for illegally using customer data for marketing purposes.
The Information Commissioner’s Office (ICO) revealed in a new report that its action resulted from a two-year investigation into the activities of the three big credit reference agencies (CRAs): Experian, TransUnion and Equifax.
The three companies were found to be “trading, enriching and enhancing” the data of consumers data without their knowledge, and selling it in products designed for businesses, political parties and charities to target specific individuals and build profiles on them.
They were also using the information collected for credit referencing in their own direct marketing, and generating new information via profiling, the ICO said.
This “invisible” data processing is said to have affected millions of UK adults: not only were they not informed about how their data was being used, but the CRAs also misread the law to apply lawful bases incorrectly for processing people’s data.
Both Equifax and TransUnion made improvements to their data practices whilst withdrawing some products, however, Experian refused, which is why it is now facing the enforcement notice.
By July 2021, the firm needs only to inform customers that it holds their data and how it intends to use it for marketing purposes. By January 2021 it must also stop using data derived from its credit checks for direct marketing, according to the regulator.
Other conditions of the notice include: stopping the processing of data collected unlawfully, deleting any data collected with consent but which is now being used under a lawful basis of “legitimate interests” and clarifying to customers what data it holds, where it’s come from and what it’s being used for.
“The information the CRAs are privileged to hold for statutory credit reference purposes was unlawfully used by them in their capacity as a data broker, with poor regard for what people might want or expect,” said information commissioner Elizabeth Denham.
“The data broking sector is a complex ecosystem where information appears to be traded widely, without consideration for transparency, giving millions of adults in the UK little or no choice or control over their personal data. The lack of transparency and lack of lawful bases combined with the intrusive nature of the profiling has resulted in a serious breach of individuals’ information rights.”
Under the terms of the GDPR, Experian faces a fine of up to £20m or 4% of total annual worldwide turnover if it refuses to comply.